
Service Host suddenly using 25% CPU/lots of memory


  • This topic is locked
50 replies to this topic

#1 ireallyhateviruses


  • Members
  • 35 posts
  • Local time:02:26 AM

Posted 30 June 2016 - 04:20 PM

Hi everyone,

 

My laptop has been acting a little funny recently and I'm wondering why.

 

On Monday when I booted up my laptop (Samsung using Windows 8), I suddenly had a BSOD due to an error called "PAGE_FAULT_IN_NONPAGED_AREA." As soon as my computer restarted, it was fine. I did notice that there were two new notification icons in the lower right-hand area of my taskbar: the little Windows action centre flag with a red X, and AVG's icon, also with a red X.

 

Yesterday I noticed that my laptop had been warmer than usual and the fan's noise was more noticeable than usual. I shut down the laptop to give it time to cool down. However, when it went to shut down, the screen was black but the power light stayed on and the fan was still running. I had to press the power button to make it shut down.

 

Once it booted back up, I checked Task Manager for anything unusual. AVG had been taking up about 5% disk usage and various Service Host: Local Systems were occasionally using ~25% CPU. I ran a Malwarebytes scan, which came back clean, so I uninstalled AVG (since I never use it anyway) and shut down for the night.

 

Today, my laptop is still warmer/louder than usual and every now and then, a service host will hog 25% of my CPU and 59.3 MB of memory. I did some Googling and found a few threads on here from people who have had the same problem. They were directed to use some antiviruses and other programs which fixed the problem.

 

--------------------

 

I did a FRST scan this afternoon.

 

FRST.txt log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-06-2016
Ran by Ashley (administrator) on SAMMY (30-06-2016 15:11:13)
Running from C:\Users\Ashley\Desktop
Loaded Profiles: Ashley (Available Profiles: Ashley & Heather)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccsvchst.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccsvchst.exe
() C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Settings\sSettings.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Qualcomm Atheros) C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Lexmark International Inc.) C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe
(Spotify Ltd) C:\Users\Ashley\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Samsung Electronics CO., LTD.) C:\Program Files\Samsung\S Agent\CommonAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
Failed to access process -> chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13219984 2012-11-06] (Realtek Semiconductor)
HKLM\...\Run: [BtTray] => C:\Program Files (x86)\Bluetooth Suite\BtTray.exe [766080 2012-10-31] (Qualcomm Atheros)
HKLM\...\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [127616 2012-10-31] (Qualcomm Atheros Commnucations)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [557984 2014-08-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Bitcasa] => C:\Program Files\Bitcasa\Bitcasa.exe [3952128 2012-11-26] (Bitcasa, Inc)
HKLM\...\Run: [lxdxmon.exe] => C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe [672424 2010-02-04] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe [107176 2010-02-04] (Lexmark International Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3940040 2015-06-12] (Synaptics Incorporated)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [97392 2012-08-15] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-12] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40312 2013-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-13] (Intel Corporation)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2994880 2012-08-14] (Symantec Corporation)
HKLM-x32\...\Run: [vProt] => "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\Ashley\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [Spotify Web Helper] => C:\Users\Ashley\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-06-02] (Spotify Ltd)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\scrnsave.scr [11776 2014-10-28] (Microsoft Corporation)
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\SysWow64\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [1EldosIconOverlay] -> {9F9E650E-C824-40F4-B91C-2CEA9F2B283B} => C:\windows\SYSTEM32\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\system32\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [1EldosIconOverlay] -> {9F9E650E-C824-40F4-B91C-2CEA9F2B283B} => C:\windows\SysWOW64\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\SysWow64\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 64.59.176.14 64.59.177.228
Tcpip\..\Interfaces\{F80B304C-FF08-402F-94C4-8B0CE051BC2B}: [DhcpNameServer] 64.59.176.14 64.59.177.228
 
Internet Explorer:
==================
HKU\S-1-5-21-275444049-347170542-1178166326-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung13.msn.com
SearchScopes: HKU\S-1-5-21-275444049-347170542-1178166326-1001 -> {952512B4-6CE1-4E79-8ED3-59D6D9596A1D} URL = 
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-10-31] (Qualcomm Atheros Commnucations)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\coIEPlg.dll [2014-11-28] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\IPS\IPSBHO.DLL [2013-04-08] (Symantec Corporation)
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Handler-x32: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - C:\Program Files (x86)\TurboTax 2013\ic2013pp.dll [2014-04-02] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2014 - {97BB39CB-9ABA-4513-81E7-1D6FDA0854B8} - C:\Program Files (x86)\TurboTax 2014\ic2014pp.dll [2014-11-22] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2015 - {5A676D6A-A3EF-4FAA-8DAC-F55CA235F67C} - C:\Program Files (x86)\TurboTax 2015\ic2015pp.dll [2015-11-23] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\19.4.0\ViProtocol.dll [2016-04-17] (AVG Secure Search)
 
FireFox:
========
FF ProfilePath: C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\0x6uh9d7.default
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\19.4.0\\npsitesafety.dll [No File]
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-12-18] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\coFFPlgn [2016-06-30] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\IPSFFPlgn
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\IPSFFPlgn [2013-08-05] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://google.ca/
CHR StartupUrls: Default -> "hxxp://www.google.ca/"
CHR Plugin: (Shockwave Flash) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\PepperFlash\11.9.900.117\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll (AVG Technologies)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Profile: C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (uBlock Origin) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-06-26]
CHR Extension: (Google Search) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Stylish) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2016-04-05]
CHR Extension: (Google Docs Offline) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Last.fm Scrobbler) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhinaapppaileiechjoiifaancjggfjm [2016-05-24]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-03-17]
CHR Extension: (Ghostery) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-02-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Weather Underground) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjejbgheonogbpfkkjigbmahaljipoej [2015-05-12]
CHR Extension: (Gmail) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR HKLM\...\Chrome\Extension: [bejnhdlplbjhffionohbdnpcbobfejcc] - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\Exts\Chrome.crx [2014-12-09]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bejnhdlplbjhffionohbdnpcbobfejcc] - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\Exts\Chrome.crx [2014-12-09]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeActiveFileMonitor11.0; C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171664 2012-11-05] (Adobe Systems Incorporated)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [231040 2012-10-31] (Qualcomm Atheros Commnucations) [File not signed]
R2 Easy Launcher; C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe [1591176 2012-11-30] (Samsung Electronics CO., LTD.) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-17] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
S2 lxdxCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-14] (Symantec Corporation)
R2 SWUpdateService; C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe [2878152 2012-12-21] (Samsung Electronics CO., LTD.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246464 2015-06-12] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1784248 2015-07-06] (Microsoft Corporation)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2012-10-31] (Atheros) [File not signed]
S2 vToolbarUpdater19.4.0; "C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\19.4.0\ToolbarUpdater.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [1525848 2013-09-23] (Symantec Corporation)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-10-31] (Qualcomm Atheros)
R1 cbfs3; C:\windows\system32\drivers\cbfs3.sys [352456 2012-08-05] (EldoS Corporation)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
R3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1406000.01B\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-24] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-27] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-08-27] (Symantec Corporation)
R3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20131004.001\IDSvia64.sys [520280 2013-08-20] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20131004.035\ENG64.SYS [126040 2013-08-28] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20131004.035\EX64.SYS [2099288 2013-08-28] (Symantec Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-08-09] (Corel Corporation)
R3 RadioHIDMini; C:\Windows\System32\drivers\RadioHIDMini.sys [23408 2012-07-27] (Windows ® Win 7 DDK provider)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1406000.01B\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
R3 SRTSPX; C:\Windows\system32\drivers\NISx64\1406000.01B\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
R3 SymDS; C:\Windows\system32\drivers\NISx64\1406000.01B\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
R3 SymEFA; C:\Windows\system32\drivers\NISx64\1406000.01B\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
S4 SymELAM; C:\Windows\system32\drivers\NISx64\1406000.01B\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-08-06] (Symantec Corporation)
R3 SymIRON; C:\Windows\system32\drivers\NISx64\1406000.01B\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
R3 SymNetS; C:\Windows\System32\Drivers\NISx64\1406000.01B\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-30 15:11 - 2016-06-30 15:11 - 00023508 _____ C:\Users\Ashley\Desktop\FRST.txt
2016-06-30 15:11 - 2016-06-30 15:11 - 00000000 ____D C:\FRST
2016-06-30 15:10 - 2016-06-30 15:10 - 02390016 _____ (Farbar) C:\Users\Ashley\Desktop\FRST64.exe
2016-06-30 15:09 - 2016-06-30 15:09 - 02390016 _____ (Farbar) C:\Users\Ashley\Downloads\C19E.tmp
2016-06-30 00:49 - 2016-06-30 00:52 - 00000000 ____D C:\AVG_Remover
2016-06-30 00:48 - 2016-06-30 00:48 - 08111408 _____ ( ) C:\Users\Ashley\Desktop\AVG_Remover.exe
2016-06-27 13:34 - 2016-06-27 13:34 - 00085321 _____ C:\Users\Ashley\Desktop\ClvhyRgUkAAykYg.jpg-large
2016-06-27 13:31 - 2016-06-27 13:31 - 00085321 _____ C:\Users\Ashley\Downloads\23CE.tmp
2016-06-27 09:52 - 2016-06-27 09:52 - 00285888 _____ C:\WINDOWS\Minidump\062716-99859-01.dmp
2016-06-22 22:59 - 2016-06-22 22:59 - 00118137 _____ C:\Users\Ashley\AppData\Local\recently-used.xbel
2016-06-21 17:54 - 2016-06-21 17:54 - 00193920 _____ C:\Users\Ashley\Downloads\CDCE.tmp
2016-06-10 20:05 - 2016-06-10 20:05 - 00048108 _____ C:\Users\Ashley\Downloads\95F5.tmp
2016-06-07 15:22 - 2016-06-22 22:59 - 00000000 ____D C:\Users\Ashley\Desktop\grim
2016-06-07 15:20 - 2016-06-07 15:20 - 00000000 ____D C:\Users\Ashley\Desktop\warf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-06-30 11:53 - 2013-08-05 15:41 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-275444049-347170542-1178166326-1001
2016-06-30 11:13 - 2013-08-05 19:32 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-30 10:27 - 2015-06-16 10:18 - 00000000 ____D C:\Users\Ashley\AppData\Local\ElevatedDiagnostics
2016-06-30 10:07 - 2013-01-09 17:46 - 00000000 ____D C:\ProgramData\WinClon
2016-06-30 10:06 - 2015-07-31 09:28 - 00000000 ____D C:\WINDOWS\System32\Tasks\Remediation
2016-06-30 10:04 - 2013-08-05 19:32 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-30 00:52 - 2015-05-21 10:01 - 00000000 ____D C:\Users\Ashley\AppData\Local\Avg
2016-06-30 00:51 - 2013-08-22 08:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-06-30 00:49 - 2012-07-26 02:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2016-06-29 23:56 - 2014-09-02 22:53 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-29 23:37 - 2014-09-24 01:15 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-29 23:37 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\Inf
2016-06-29 23:35 - 2014-10-15 00:16 - 00000000 ____D C:\Users\Heather
2016-06-29 23:34 - 2013-08-05 15:36 - 00000000 ____D C:\Users\Ashley\AppData\Local\Adobe
2016-06-28 14:53 - 2014-01-28 20:13 - 00000000 ____D C:\Users\Ashley\AppData\Roaming\Apple Computer
2016-06-28 14:52 - 2014-01-28 20:13 - 00000000 ____D C:\Users\Ashley\AppData\Local\Apple Computer
2016-06-28 01:15 - 2014-10-15 00:16 - 00000000 ____D C:\Users\Ashley
2016-06-27 09:58 - 2013-08-22 07:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-06-27 09:52 - 2015-10-22 11:57 - 00000000 ____D C:\WINDOWS\Minidump
2016-06-27 09:51 - 2015-10-22 11:57 - 774349267 _____ C:\WINDOWS\MEMORY.DMP
2016-06-25 16:39 - 2013-01-09 17:44 - 00000000 ____D C:\ProgramData\Norton
2016-06-25 16:39 - 2013-01-09 17:43 - 00000000 ____D C:\Program Files (x86)\NortonInstaller
2016-06-25 11:54 - 2016-03-29 21:14 - 00000000 ____D C:\Users\Ashley\Desktop\Desktop Crap 2k16
2016-06-23 01:08 - 2016-05-23 21:14 - 00000000 ____D C:\Users\Ashley\AppData\Local\Last.fm
2016-06-22 23:00 - 2015-01-09 21:29 - 00000000 ____D C:\Users\Ashley\.gimp-2.8
2016-06-22 22:59 - 2015-01-09 22:30 - 00000000 ____D C:\Users\Ashley\AppData\Local\gtk-2.0
2016-06-21 14:24 - 2013-08-23 17:30 - 00000000 ____D C:\Users\Ashley\AppData\Local\CrashDumps
2016-06-20 22:30 - 2014-11-26 18:33 - 00018436 ____H C:\Users\Ashley\.DS_Store
2016-06-19 12:06 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-18 14:20 - 2013-08-22 09:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-17 19:17 - 2013-08-05 19:33 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-17 19:17 - 2013-08-05 19:33 - 00002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-06 23:20 - 2015-01-27 20:53 - 00000000 ____D C:\Users\Ashley\AppData\Local\Spotify
2016-06-06 22:37 - 2015-01-27 20:52 - 00000000 ____D C:\Users\Ashley\AppData\Roaming\Spotify
2016-06-05 15:31 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\NDF
 
==================== Files in the root of some directories =======
 
2015-08-25 14:13 - 2016-01-03 22:15 - 0009728 _____ () C:\Users\Ashley\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-06-22 22:59 - 2016-06-22 22:59 - 0118137 _____ () C:\Users\Ashley\AppData\Local\recently-used.xbel
2014-10-27 20:39 - 2014-10-27 20:39 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-08-13 18:50 - 2014-03-05 21:52 - 0000756 _____ () C:\ProgramData\FastPics.log
2013-08-26 11:20 - 2016-06-30 10:39 - 0068085 _____ () C:\ProgramData\lxdx.log
2013-08-13 18:49 - 2013-08-13 20:46 - 0000492 _____ () C:\ProgramData\lxdxDiagnostics.log
2013-01-09 17:38 - 2012-08-07 22:07 - 2258432 _____ (Samsung Electronics) C:\ProgramData\MakeMarkerFile.exe
2013-01-09 17:38 - 2012-08-07 04:11 - 0003196 _____ () C:\ProgramData\MakeMarkerFile.xml
2013-08-13 18:48 - 2013-08-13 18:48 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt
 
Files to move or delete:
====================
C:\Users\Ashley\jobq.dat
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-30 11:53
 
==================== End of FRST.txt ============================

Edited by ireallyhateviruses, 30 June 2016 - 08:03 PM.



 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,623 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:26 AM

Posted 05 July 2016 - 04:25 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/618680 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right-hand corner of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 ireallyhateviruses

ireallyhateviruses
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 05 July 2016 - 09:12 PM

I just came back from a 5-day camping trip and my laptop is still having the same problems I described in my first post. As of right now, Service Host: Local System (16) is using 22.2 MB of memory, Service Host: Local System (Network Restricted) (10) is using 76.7 MB of memory, and Service Host: Local System (No Network) (4) is using 16.4 MB of memory. The laptop is warmer than it should be and the fan is louder than usual (it isn't very loud normally).

 

I am using Windows 8.1. I don't know what edition it is. It is a 64-bit system.

 

I don't have a Windows 8 CD/DVD as it came pre-installed on my laptop. I would prefer to keep Windows 8.

 

New FRST logs:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 02-07-2016
Ran by Ashley (administrator) on SAMMY (05-07-2016 20:04:59)
Running from C:\Users\Ashley\Desktop
Loaded Profiles: Ashley (Available Profiles: Ashley & Heather)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccsvchst.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
Failed to access process -> chrome.exe
() C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccsvchst.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Settings\sSettings.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Qualcomm Atheros) C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Lexmark International Inc.) C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Spotify Ltd) C:\Users\Ashley\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Samsung Electronics CO., LTD.) C:\Program Files\Samsung\S Agent\CommonAgent.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13219984 2012-11-06] (Realtek Semiconductor)
HKLM\...\Run: [BtTray] => C:\Program Files (x86)\Bluetooth Suite\BtTray.exe [766080 2012-10-31] (Qualcomm Atheros)
HKLM\...\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [127616 2012-10-31] (Qualcomm Atheros Commnucations)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [557984 2014-08-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Bitcasa] => C:\Program Files\Bitcasa\Bitcasa.exe [3952128 2012-11-26] (Bitcasa, Inc)
HKLM\...\Run: [lxdxmon.exe] => C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe [672424 2010-02-04] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe [107176 2010-02-04] (Lexmark International Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3940040 2015-06-12] (Synaptics Incorporated)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [97392 2012-08-15] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-12] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40312 2013-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-13] (Intel Corporation)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [2994880 2012-08-14] (Symantec Corporation)
HKLM-x32\...\Run: [vProt] => "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\Ashley\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [Spotify Web Helper] => C:\Users\Ashley\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-06-02] (Spotify Ltd)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\scrnsave.scr [11776 2014-10-28] (Microsoft Corporation)
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\SysWow64\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [1EldosIconOverlay] -> {9F9E650E-C824-40F4-B91C-2CEA9F2B283B} => C:\windows\SYSTEM32\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\system32\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [1EldosIconOverlay] -> {9F9E650E-C824-40F4-B91C-2CEA9F2B283B} => C:\windows\SysWOW64\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\SysWow64\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 64.59.176.14 64.59.177.228
Tcpip\..\Interfaces\{F80B304C-FF08-402F-94C4-8B0CE051BC2B}: [DhcpNameServer] 64.59.176.14 64.59.177.228
 
Internet Explorer:
==================
HKU\S-1-5-21-275444049-347170542-1178166326-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung13.msn.com
SearchScopes: HKU\S-1-5-21-275444049-347170542-1178166326-1001 -> {952512B4-6CE1-4E79-8ED3-59D6D9596A1D} URL = 
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-10-31] (Qualcomm Atheros Commnucations)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\coIEPlg.dll [2014-11-28] (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\IPS\IPSBHO.DLL [2013-04-08] (Symantec Corporation)
BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File
Handler-x32: intu-tt2013 - {9FF5EC07-1645-43BF-828F-C73CFA7BC1AF} - C:\Program Files (x86)\TurboTax 2013\ic2013pp.dll [2014-04-02] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2014 - {97BB39CB-9ABA-4513-81E7-1D6FDA0854B8} - C:\Program Files (x86)\TurboTax 2014\ic2014pp.dll [2014-11-22] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: intu-tt2015 - {5A676D6A-A3EF-4FAA-8DAC-F55CA235F67C} - C:\Program Files (x86)\TurboTax 2015\ic2015pp.dll [2015-11-23] (Intuit Canada, a general partnership/une société en nom collectif.)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\19.4.0\ViProtocol.dll [2016-04-17] (AVG Secure Search)
 
FireFox:
========
FF ProfilePath: C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\0x6uh9d7.default
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\19.4.0\\npsitesafety.dll [No File]
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-12-18] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\coFFPlgn [2016-06-30] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\IPSFFPlgn
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\IPSFFPlgn [2013-08-05] [not signed]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://google.ca/
CHR StartupUrls: Default -> "hxxp://www.google.ca/"
CHR Plugin: (Shockwave Flash) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\PepperFlash\11.9.900.117\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll (AVG Technologies)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Profile: C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (uBlock Origin) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-06-26]
CHR Extension: (Google Search) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Stylish) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2016-04-05]
CHR Extension: (Google Docs Offline) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Last.fm Scrobbler) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhinaapppaileiechjoiifaancjggfjm [2016-05-24]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-03-17]
CHR Extension: (Ghostery) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-02-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Weather Underground) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjejbgheonogbpfkkjigbmahaljipoej [2015-05-12]
CHR Extension: (Gmail) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR HKLM\...\Chrome\Extension: [bejnhdlplbjhffionohbdnpcbobfejcc] - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\Exts\Chrome.crx [2014-12-09]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bejnhdlplbjhffionohbdnpcbobfejcc] - C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\Exts\Chrome.crx [2014-12-09]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeActiveFileMonitor11.0; C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171664 2012-11-05] (Adobe Systems Incorporated)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [231040 2012-10-31] (Qualcomm Atheros Commnucations) [File not signed]
R2 Easy Launcher; C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe [1591176 2012-11-30] (Samsung Electronics CO., LTD.) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-17] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
S2 lxdxCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.6.0.27\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [3943104 2012-08-14] (Symantec Corporation)
R2 SWUpdateService; C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe [2878152 2012-12-21] (Samsung Electronics CO., LTD.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246464 2015-06-12] (Synaptics Incorporated)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1784248 2015-07-06] (Microsoft Corporation)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2012-10-31] (Atheros) [File not signed]
S2 vToolbarUpdater19.4.0; "C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\19.4.0\ToolbarUpdater.exe" [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [1525848 2013-09-23] (Symantec Corporation)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-10-31] (Qualcomm Atheros)
R1 cbfs3; C:\windows\system32\drivers\cbfs3.sys [352456 2012-08-05] (EldoS Corporation)
R1 ccSet_NARA; C:\Windows\system32\drivers\NARAx64\0401000.00E\ccSetx64.sys [168608 2012-05-25] (Symantec Corporation)
R3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1406000.01B\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-24] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-08-27] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-08-27] (Symantec Corporation)
R3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\IPSDefs\20131004.001\IDSvia64.sys [520280 2013-08-20] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20131004.035\ENG64.SYS [126040 2013-08-28] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.1.0.24\Definitions\VirusDefs\20131004.035\EX64.SYS [2099288 2013-08-28] (Symantec Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-08-09] (Corel Corporation)
R3 RadioHIDMini; C:\Windows\System32\drivers\RadioHIDMini.sys [23408 2012-07-27] (Windows ® Win 7 DDK provider)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1406000.01B\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
R3 SRTSPX; C:\Windows\system32\drivers\NISx64\1406000.01B\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
R3 SymDS; C:\Windows\system32\drivers\NISx64\1406000.01B\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
R3 SymEFA; C:\Windows\system32\drivers\NISx64\1406000.01B\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
S4 SymELAM; C:\Windows\system32\drivers\NISx64\1406000.01B\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-08-06] (Symantec Corporation)
R3 SymIRON; C:\Windows\system32\drivers\NISx64\1406000.01B\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
R3 SymNetS; C:\Windows\System32\Drivers\NISx64\1406000.01B\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-05 20:02 - 2016-07-05 20:02 - 00000000 ____D C:\Users\Ashley\Desktop\FRST-OlderVersion
2016-06-30 15:11 - 2016-07-05 20:05 - 00024145 _____ C:\Users\Ashley\Desktop\FRST.txt
2016-06-30 15:11 - 2016-07-05 20:04 - 00000000 ____D C:\FRST
2016-06-30 15:10 - 2016-07-05 20:02 - 02390016 _____ (Farbar) C:\Users\Ashley\Desktop\FRST64.exe
2016-06-30 15:09 - 2016-06-30 15:09 - 02390016 _____ (Farbar) C:\Users\Ashley\Downloads\C19E.tmp
2016-06-30 00:49 - 2016-06-30 00:52 - 00000000 ____D C:\AVG_Remover
2016-06-30 00:48 - 2016-06-30 00:48 - 08111408 _____ ( ) C:\Users\Ashley\Desktop\AVG_Remover.exe
2016-06-27 13:34 - 2016-06-27 13:34 - 00085321 _____ C:\Users\Ashley\Desktop\ClvhyRgUkAAykYg.jpg-large
2016-06-27 13:31 - 2016-06-27 13:31 - 00085321 _____ C:\Users\Ashley\Downloads\23CE.tmp
2016-06-27 09:52 - 2016-06-27 09:52 - 00285888 _____ C:\WINDOWS\Minidump\062716-99859-01.dmp
2016-06-22 22:59 - 2016-06-22 22:59 - 00118137 _____ C:\Users\Ashley\AppData\Local\recently-used.xbel
2016-06-21 17:54 - 2016-06-21 17:54 - 00193920 _____ C:\Users\Ashley\Downloads\CDCE.tmp
2016-06-10 20:05 - 2016-06-10 20:05 - 00048108 _____ C:\Users\Ashley\Downloads\95F5.tmp
2016-06-07 15:22 - 2016-06-22 22:59 - 00000000 ____D C:\Users\Ashley\Desktop\grim
2016-06-07 15:20 - 2016-06-07 15:20 - 00000000 ____D C:\Users\Ashley\Desktop\warf
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-05 19:13 - 2013-08-05 19:32 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-05 18:50 - 2013-08-05 15:36 - 00000000 ____D C:\Users\Ashley\AppData\Local\Adobe
2016-07-05 18:50 - 2013-01-09 17:46 - 00000000 ____D C:\ProgramData\WinClon
2016-07-05 18:48 - 2013-08-05 19:32 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-30 18:06 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-30 11:53 - 2013-08-05 15:41 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-275444049-347170542-1178166326-1001
2016-06-30 10:27 - 2015-06-16 10:18 - 00000000 ____D C:\Users\Ashley\AppData\Local\ElevatedDiagnostics
2016-06-30 10:06 - 2015-07-31 09:28 - 00000000 ____D C:\WINDOWS\System32\Tasks\Remediation
2016-06-30 00:52 - 2015-05-21 10:01 - 00000000 ____D C:\Users\Ashley\AppData\Local\Avg
2016-06-30 00:51 - 2013-08-22 08:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-06-30 00:49 - 2012-07-26 02:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2016-06-29 23:56 - 2014-09-02 22:53 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-29 23:37 - 2014-09-24 01:15 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-06-29 23:37 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\Inf
2016-06-29 23:35 - 2014-10-15 00:16 - 00000000 ____D C:\Users\Heather
2016-06-28 14:53 - 2014-01-28 20:13 - 00000000 ____D C:\Users\Ashley\AppData\Roaming\Apple Computer
2016-06-28 14:52 - 2014-01-28 20:13 - 00000000 ____D C:\Users\Ashley\AppData\Local\Apple Computer
2016-06-28 01:15 - 2014-10-15 00:16 - 00000000 ____D C:\Users\Ashley
2016-06-27 09:58 - 2013-08-22 07:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-06-27 09:52 - 2015-10-22 11:57 - 00000000 ____D C:\WINDOWS\Minidump
2016-06-27 09:51 - 2015-10-22 11:57 - 774349267 _____ C:\WINDOWS\MEMORY.DMP
2016-06-25 16:39 - 2013-01-09 17:44 - 00000000 ____D C:\ProgramData\Norton
2016-06-25 16:39 - 2013-01-09 17:43 - 00000000 ____D C:\Program Files (x86)\NortonInstaller
2016-06-25 11:54 - 2016-03-29 21:14 - 00000000 ____D C:\Users\Ashley\Desktop\Desktop Crap 2k16
2016-06-23 01:08 - 2016-05-23 21:14 - 00000000 ____D C:\Users\Ashley\AppData\Local\Last.fm
2016-06-22 23:00 - 2015-01-09 21:29 - 00000000 ____D C:\Users\Ashley\.gimp-2.8
2016-06-22 22:59 - 2015-01-09 22:30 - 00000000 ____D C:\Users\Ashley\AppData\Local\gtk-2.0
2016-06-21 14:24 - 2013-08-23 17:30 - 00000000 ____D C:\Users\Ashley\AppData\Local\CrashDumps
2016-06-20 22:30 - 2014-11-26 18:33 - 00018436 ____H C:\Users\Ashley\.DS_Store
2016-06-18 14:20 - 2013-08-22 09:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-17 19:17 - 2013-08-05 19:33 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-17 19:17 - 2013-08-05 19:33 - 00002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-06 23:20 - 2015-01-27 20:53 - 00000000 ____D C:\Users\Ashley\AppData\Local\Spotify
2016-06-06 22:37 - 2015-01-27 20:52 - 00000000 ____D C:\Users\Ashley\AppData\Roaming\Spotify
2016-06-05 15:31 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\system32\NDF
 
==================== Files in the root of some directories =======
 
2015-08-25 14:13 - 2016-01-03 22:15 - 0009728 _____ () C:\Users\Ashley\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-06-22 22:59 - 2016-06-22 22:59 - 0118137 _____ () C:\Users\Ashley\AppData\Local\recently-used.xbel
2014-10-27 20:39 - 2014-10-27 20:39 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-08-13 18:50 - 2014-03-05 21:52 - 0000756 _____ () C:\ProgramData\FastPics.log
2013-08-26 11:20 - 2016-07-05 19:22 - 0068174 _____ () C:\ProgramData\lxdx.log
2013-08-13 18:49 - 2013-08-13 20:46 - 0000492 _____ () C:\ProgramData\lxdxDiagnostics.log
2013-01-09 17:38 - 2012-08-07 22:07 - 2258432 _____ (Samsung Electronics) C:\ProgramData\MakeMarkerFile.exe
2013-01-09 17:38 - 2012-08-07 04:11 - 0003196 _____ () C:\ProgramData\MakeMarkerFile.xml
2013-08-13 18:48 - 2013-08-13 18:48 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt
 
Files to move or delete:
====================
C:\Users\Ashley\jobq.dat
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-30 11:53
 
==================== End of FRST.txt ============================

Edited by ireallyhateviruses, 05 July 2016 - 09:15 PM.


#4 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,626 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 10 July 2016 - 05:13 AM

ireallyhateviruses:

Welcome to the Bleeping Computer Virus, Trojans, Spyware, and Malware Removal Logs Forum. My name is Phil and I am a trainee in the Bleeping Computer Malware Removal Study Hall. I would like to address you by your first name, if that is alright with you since we will be working together.

I will be assisting you with your computer issues. All of my proposed fixes and suggestions must be approved by a fully-qualified Malware Removal Instructor. This will delay response times somewhat, but I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

 

I apologize that there has been a delay in responding to your issue. This Forum is very busy, as I am sure you can understand.

I will need some time to review your FRST logs and consult with the Malware Response Instructor (MRI) who will be assigned to supervise this topic. That could take a few days. Once I have reviewed my proposed response with the assigned MRI, I will reply to you with initial instructions.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues. It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#5 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,626 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 11 July 2016 - 11:53 AM

ireallyhateviruses:

Thank you for your patience while I analyzed your FRST logs and consulted with the Malware Response Instructor assigned to supervise me while I deal with your issues.

The good news is that I have not detected any active malware on your computer. There are some issues with your computer that could be slowing it down and are also leaving it very vulnerable to malware. I would like to address your issues in stages, so that you are not overwhelmed and so that we can also assess the progress we are making as we move forward.

Before we start dealing with the problems you are experiencing, I would ask you to take note of the following points:

  • I am a Bleeping Computer volunteer, so I ask you to be patient. I know it is frustrating when your computer is not working properly, but malware removal takes time.
  • Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
  • If I have not responded to you within 48 hours, please send me a personal message. Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
  • If I have not heard from you in three days, I will "bump" your post. After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
  • Logs can take a while to research, so please be patient.
  • Some issues just cannot be solved so you must be prepared for this.
  • Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
  • Please print or copy and save the instructions.
  • Back up all your data and important files on another (external) drive before starting to run malware removal tools.
  • You should try to limit your browsing with this computer until you are given the "All Clear." Some malware applications steal passwords.
  • Please do not install or uninstall any applications, unless directed. Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
  • Please use only the tools you have been instructed to use.
  • If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware. It can be turned off with Defogger and then turned back on when you get the "All Clear."
  • Please copy and paste the requested log files inside your post, unless otherwise instructed.
  • There are no silly questions. Ask for clarification, if you have any questions or concerns.
  • Bleeping Computer does not support any piracy. Evidence of illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended. Uninstall such software before proceeding!
  • Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled. P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
  • Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
  • I am volunteering my time to help you, and I will need you to help me. Together, we can, hopefully, disinfect your computer and get it functioning properly again. That is my only aim.

.

OK, let's get started.

Step 1: Your computer does not show any active anti-virus or anti-spyware applications. That is a serious security vulnerability. Both Norton Internet Security and Windows Defender are reporting that they are disabled. Windows Defender is reporting that its definitions are up-to-date, whereas Norton Internet Security (NIS) is both disabled and out-of-date. It is strongly recommended to have only one, and only one, anti-virus application running at any one time to avoid resource conflicts and other seemingly bizarre computer issues. Please see this topic written by Quietman7, one of Bleeping Computer's most knowledgeable security experts.

So, you have a decision to make: activate either NIS or Windows Defender. If you opt for activating Windows Defender, then NIS should be uninstalled and removed; please see the instructions to uninstall NIS, here.
If you decide to keep NIS, then please update and activate it. It will automatically ensure that Windows Defender remains disabled to avoid conflicts. Please let me know what you decide.
Just as an aside, Windows Defender for Windows 8.1 is a very robust anti-virus and anti-spyware application, as well as having the advantage of being free. Please make sure that Windows Updates are set to "automatic" to facilitate Windows Defender definitions updates, if you choose to activate Windows Defender and uninstall NIS.

.

Step 2: There are also multiple remnants of AVG still remaining on your computer, which can cause conflicts as well. Please use the Control Panel, Add/Remove Programs, to uninstall the AVG Security Toolbar, which is still showing as installed.

.

Step 3: Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to: C:\Users\Ashley\Desktop. I am going to do some cleanup of your computer.

NOTE: It's important that both files, FRST64.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Run FRST64.exe and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.
 

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

Failed to access process -> chrome.exe
HKLM-x32\...\Run: [vProt] => "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
"C:\Program Files (x86)\AVG Secure Search"
HKLM-x32\...\Run: [] => [X]
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\19.4.0\ViProtocol.dll [2016-04-17] (AVG Secure Search)
"C:\Program Files (x86)\Common Files\AVG Secure Search"
SearchScopes: HKU\S-1-5-21-275444049-347170542-1178166326-1001 -> {952512B4-6CE1-4E79-8ED3-59D6D9596A1D} URL =
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\19.4.0\\npsitesafety.dll [No File]
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll (AVG Technologies)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => No File
S2 vToolbarUpdater19.4.0; "C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\19.4.0\ToolbarUpdater.exe" [X]
2016-06-30 00:52 - 2015-05-21 10:01 - 00000000 ____D C:\Users\Ashley\AppData\Local\Avg
C:\Users\Ashley\jobq.dat
Task: {73260E9E-6714-4A1A-AA7E-D0C0124327CD} - System32\Tasks\0116wtUpdateInfo => C:\ProgramData\Avg_Update_0116wt\0116wt_{C69EF75C-8206-46C2-9FBB-5CDC72B717AE}.exe
Task: C:\WINDOWS\Tasks\0116wtUpdateInfo.job => C:\ProgramData\Avg_Update_0116wt\0116wt_{C69EF75C-8206-46C2-9FBB-5CDC72B717AE}.exe

Please then reboot your computer, if it did not reboot itself.

.

Step 4: Please upload the following files to VirusTotal, here, and have them analyzed:

  • C:\Users\Ashley\Downloads\C19E.tmp
  • C:\Users\Ashley\Desktop\ClvhyRgUkAAykYg.jpg-large
  • C:\Users\Ashley\Downloads\23CE.tmp
  • C:\Users\Ashley\Downloads\CDCE.tmp
  • C:\Users\Ashley\Downloads\95F5.tmp

Please report the details of any positive hits.

.

Step 5: Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

.

Step 6: So, I would like you to please follow the steps above, in order, and then:

  • To inform me of your decision as to whether you kept, or uninstalled, Norton Internet Security;
  • To inform me whether you were able to successfully uninstall the AVG Security Toolbar;
  • To copy and paste the contents of the fixlog.txt file into your next response;
  • To report any positive VirusTotal hits;
  • To copy and paste the AdwCleaner scan log into your next reply; and,
  • To provide an update on how your computer is running now.

.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
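As an added example (not code from FRST or from anyone in this thread), here is a small Python pass over entries in the FRST "files and folders" format shown in the log above: it reproduces the selection behind Step 4 (untagged files in user-writable folders with temp or odd extensions) and, going beyond that step, groups entries by identical byte size so that possible copies of one file stand out. The entry layout is inferred from the log rather than from FRST documentation; the FRST64.exe and C19E.tmp lines and their sizes are constructed.

```python
"""Triage helper for FRST 'files and folders' entries (added example, not part of FRST)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumed layout of one entry, inferred from the log in this thread (not from FRST docs):
#   "<timestamp> - <timestamp> - <size> <5 attribute flags> [(<publisher>)] <path>"
# The first timestamp is the one the section is sorted on (creation in "One Month Created",
# modification in "One Month Modified"). Flags: D = directory, H = hidden, S = system.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d+) ([_A-Z]{5}) (?:\(([^)]*)\) )?(\S.*?)\s*$"
)

# Assumption: folders a standard user can write to; untagged executables here deserve a look.
USER_WRITABLE = ("\\downloads\\", "\\desktop\\", "\\appdata\\local\\temp\\")
# Extensions matching the Step 4 selection (.tmp) plus common executable/script types.
WATCH_EXT = {".tmp", ".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd"}


@dataclass
class Entry:
    first: datetime
    second: datetime
    size: int
    flags: str
    publisher: Optional[str]  # None when FRST printed nothing or an empty "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.flags

    @property
    def extension(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


def parse_entry(line: str) -> Optional[Entry]:
    """Return an Entry for one FRST line, or None for headers, notes and blank lines."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    first, second, size, flags, publisher, path = m.groups()
    fmt = "%Y-%m-%d %H:%M"
    return Entry(datetime.strptime(first, fmt), datetime.strptime(second, fmt),
                 int(size), flags, publisher or None, path)


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e is not None]


def needs_review(e: Entry) -> bool:
    """Untagged file in a user-writable folder with a watched or odd extension."""
    if e.is_dir or e.publisher:
        return False
    if not any(marker in e.path.lower() for marker in USER_WRITABLE):
        return False
    ext = e.extension
    odd = "-" in ext or len(ext) > 5  # e.g. ".jpg-large" is not a real image extension
    return ext in WATCH_EXT or odd


def review_candidates(text: str) -> List[str]:
    return [e.path for e in parse_log(text) if needs_review(e)]


def same_size_groups(entries: List[Entry]) -> Dict[int, List[str]]:
    """Distinct non-directory paths sharing an exact byte size (possible copies of one file)."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if not e.is_dir and e.size > 0:
            by_size[e.size].append(e.path)
    return {s: p for s, p in by_size.items() if len(set(p)) > 1}


# Sample input: lines copied from the FRST log in this thread, plus three constructed entries
# (FRST64.exe, C19E.tmp with an invented shared size, and the .jpg-large file from Step 4).
SAMPLE_LOG = r"""
2016-06-21 17:54 - 2016-06-21 17:54 - 00193920 _____ C:\Users\Ashley\Downloads\CDCE.tmp
2016-06-10 20:05 - 2016-06-10 20:05 - 00048108 _____ C:\Users\Ashley\Downloads\95F5.tmp
2016-06-07 15:22 - 2016-06-22 22:59 - 00000000 ____D C:\Users\Ashley\Desktop\grim
2016-07-05 19:13 - 2013-08-05 19:32 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-29 23:56 - 2014-09-02 22:53 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-06-30 00:49 - 2012-07-26 02:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2015-08-25 14:13 - 2016-01-03 22:15 - 0009728 _____ () C:\Users\Ashley\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-01-09 17:38 - 2012-08-07 22:07 - 2258432 _____ (Samsung Electronics) C:\ProgramData\MakeMarkerFile.exe
2016-07-10 09:00 - 2016-07-10 09:00 - 02345678 _____ C:\Users\Ashley\Desktop\FRST64.exe
2016-07-10 09:01 - 2016-07-10 09:01 - 02345678 _____ C:\Users\Ashley\Downloads\C19E.tmp
2016-06-15 12:00 - 2016-06-15 12:00 - 00102400 _____ C:\Users\Ashley\Desktop\ClvhyRgUkAAykYg.jpg-large
"""

if __name__ == "__main__":
    for path in review_candidates(SAMPLE_LOG):
        print("review:", path)
    for size, paths in same_size_groups(parse_log(SAMPLE_LOG)).items():
        print(f"same size {size}:", ", ".join(paths))
```

Run against a real FRST.txt, the same functions shortlist the files worth submitting to VirusTotal and point out same-size pairs such as the one discussed later in this thread.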


#6 ireallyhateviruses

ireallyhateviruses
  • Topic Starter

  • Members
  • 35 posts

Posted 11 July 2016 - 04:10 PM

Hello Phil,

 

Thank you very much for the help.

 

Here are the results of my steps:

 

1. I uninstalled Norton Security and tried to remove the rest of the AVG files (not sure if that worked, lol). Norton came pre-installed on my laptop and I never really used it. I then turned on Windows Defender.

 

2. When I went to uninstall the AVG Toolbar, a window popped up which said, "An error occurred while trying to uninstall AVG Security Toolbar. It may have already been uninstalled. Would you like to remove AVG Security Toolbar from the Programs and Features list?" (I pressed Yes.)

 

3. fixlog.txt file:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 10-07-2016 01
Ran by Ashley (2016-07-11 14:11:28) Run:1
Running from C:\Users\Ashley\Desktop
Loaded Profiles: Ashley (Available Profiles: Ashley & Heather)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
Failed to access process -> chrome.exe
HKLM-x32\...\Run: [vProt] => "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
"C:\Program Files (x86)\AVG Secure Search"
HKLM-x32\...\Run: [] => [X]
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\19.4.0\ViProtocol.dll [2016-04-17] (AVG Secure Search)
"C:\Program Files (x86)\Common Files\AVG Secure Search"
SearchScopes: HKU\S-1-5-21-275444049-347170542-1178166326-1001 -> {952512B4-6CE1-4E79-8ED3-59D6D9596A1D} URL =
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\19.4.0\\npsitesafety.dll [No File]
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll (AVG Technologies)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => No File
S2 vToolbarUpdater19.4.0; "C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\19.4.0\ToolbarUpdater.exe" [X]
2016-06-30 00:52 - 2015-05-21 10:01 - 00000000 ____D C:\Users\Ashley\AppData\Local\Avg
C:\Users\Ashley\jobq.dat
Task: {73260E9E-6714-4A1A-AA7E-D0C0124327CD} - System32\Tasks\0116wtUpdateInfo => C:\ProgramData\Avg_Update_0116wt\0116wt_{C69EF75C-8206-46C2-9FBB-5CDC72B717AE}.exe
Task: C:\WINDOWS\Tasks\0116wtUpdateInfo.job => C:\ProgramData\Avg_Update_0116wt\0116wt_{C69EF75C-8206-46C2-9FBB-5CDC72B717AE}.exe
*****************
 
Restore point was successfully created.
Processes closed successfully.
Failed to access process -> chrome.exe => Error: No automatic fix found for this entry.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\vProt => value removed successfully
"C:\Program Files (x86)\AVG Secure Search" => not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKCR\Wow6432Node\PROTOCOLS\Handler\viprotocol" => key removed successfully
"HKCR\Wow6432Node\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}" => key removed successfully
C:\Program Files (x86)\Common Files\AVG Secure Search => moved successfully
"HKU\S-1-5-21-275444049-347170542-1178166326-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{952512B4-6CE1-4E79-8ED3-59D6D9596A1D}" => key removed successfully
HKCR\CLSID\{952512B4-6CE1-4E79-8ED3-59D6D9596A1D} => key not found. 
"HKLM\Software\Wow6432Node\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin" => key removed successfully
C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => not found.
C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => not found.
vToolbarUpdater19.4.0 => service removed successfully
C:\Users\Ashley\AppData\Local\Avg => moved successfully
C:\Users\Ashley\jobq.dat => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73260E9E-6714-4A1A-AA7E-D0C0124327CD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73260E9E-6714-4A1A-AA7E-D0C0124327CD}" => key removed successfully
C:\WINDOWS\System32\Tasks\0116wtUpdateInfo => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0116wtUpdateInfo" => key removed successfully
C:\WINDOWS\Tasks\0116wtUpdateInfo.job => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 16367109 B
Java, Flash, Steam htmlcache => 4039 B
Windows/system/drivers => 1164696022 B
Edge => 0 B
Chrome => 1047059423 B
Firefox => 35926168 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 972088 B
NetworkService => 3640 B
Ashley => 1733650834 B
Heather => 183630582 B
 
RecycleBin => 3997711912 B
EmptyTemp: => 7.6 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 14:17:18 ====
 

4. VirusTotal hits:

 

C193.tmp came back with this:

 

Antiy-AVL - Trojan/Generic.ASVCS3S.1E5
Bkav - W32.HfsAtITA.506B
Fortinet - W32/Generic.AC.3370492
 
Everything else came back clean.
 
5. AdwCleaner results:

 

# AdwCleaner v5.201 - Logfile created 11/07/2016 at 14:41:28
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-10.3 [Server]
# Operating system : Windows 8.1  (X64)
# Username : Ashley - SAMMY
# Running from : C:\Users\Ashley\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
Folder Found : C:\ProgramData\Avg_Update_0116av
Folder Found : C:\ProgramData\Avg_Update_0814tb
Folder Found : C:\ProgramData\Avg_Update_1215av
Folder Found : C:\ProgramData\Application Data\Avg_Update_0116av
Folder Found : C:\ProgramData\Application Data\Avg_Update_0814tb
Folder Found : C:\ProgramData\Application Data\Avg_Update_1215av
Folder Found : C:\Program Files (x86)\AVG Security Toolbar
Folder Found : C:\WINDOWS\SysWOW64\config\systemprofile\AppData\LocalLow\AVG Secure Search
Folder Found : C:\Users\Ashley\AppData\Local\AVG Secure Search
Folder Found : C:\Users\Heather\AppData\Local\AVG Secure Search
Folder Found : C:\Users\Heather\AppData\LocalLow\AVG Secure Search
Folder Found : C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall
 
***** [ Files ] *****
 
File Found : C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chphlpgkkbolifaimnlloiipkdnihall_0.localstorage
File Found : C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_chphlpgkkbolifaimnlloiipkdnihall_0.localstorage-journal
 
***** [ DLL ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Value Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [vProt]
 
***** [ Web browsers ] *****
 
[C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : chphlpgkkbolifaimnlloiipkdnihall
[C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com
 
*************************
 
C:\AdwCleaner\AdwCleaner[S1].txt - [3426 bytes] - [11/07/2016 14:41:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [3499 bytes] ##########
 
6. A few days ago (it may have been on July 5th or 6th) I followed the steps in this video. When I went to the Task Manager to see if the weird service host usage was still happening, there seemed to be fewer service hosts that were hogging memory (though right now, service host: local system (14) is using 10-11% CPU and 43.8 MB of memory. Also, Chrome is using a lot of memory, but I've heard that's normal for Chrome). Then when I opened the service hosts, I accidentally "stopped" one of them... I think it was the one that contained superfetch or something with a similar name.
 
Anyway, I have since noticed that when I turn on my computer for the day and after the Samsung logo appears, the screen will stay black for maybe 30 seconds before going into the user sign in screen. I'm assuming this is a result of the steps I took after watching that YouTube video.
 
Other things I noticed:
 
On July 7th when I turned on my computer, a big banner popped up on my desktop which said, "Your PC has been unprotected for 560 days." with some more text and two buttons to either renew Norton or turn on Windows Defender. This had never happened before.
 
Then either that same day or the next day, a smaller window popped up which said, "Uninstall conflicting antimalware apps."
 
And today after I restarted my computer while following step one, another window popped up that said "S Agent" by Samsung Electronics wanted to make changes to my computer. I didn't know why it popped up, so I pressed No. (I haven't restarted my computer since I finished step three.)
 
My laptop still gets warm quicker than usual, but there's really nothing else to complain about (other than the fact my Google Chrome history is gone and I have to re-sign in to Facebook and some of my other sites! lol). I haven't had another PAGE_FAULT_IN_NONPAGED_AREA error since the one I mentioned in my first post.
 
Thanks again!

Edited by ireallyhateviruses, 11 July 2016 - 04:16 PM.


#7 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,626 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 12 July 2016 - 04:35 PM

ireallyhateviruses:

Thank you for your post and logs. First-class job! We are making forward progress.

First of all, I should caution you about trusting all Google Search results and YouTube videos. The information is only as good as the authors. One of the key components of Bleeping Computer Study Hall training is to instruct the trainees as to how to differentiate between "good" and "not so good", and sometimes downright wrong, and dangerous, search results.

I fully understand that you were doing what you could to fix your computer, but I would ask that you make no further changes to it, until we have finished with the scans and utilities that I want to run to eliminate the more common causes of poor performance. Disabling Windows services can have unintended consequences. If it were my computer, I would restore those services to their default state, but that is ENTIRELY your choice, because it is YOUR computer.

AdwCleaner did find some unwanted "junk" on your computer, which can consume CPU power, so I think that we should run a few more scans, after we get AdwCleaner to actually "clean" out what it found. There may well be more PUPs (potentially unwanted programs) and PUMs (potentially unwanted modifications) that we should rid your computer of.

I was not surprised that the AVG Search Toolbar did not successfully uninstall. I took out a number of components with the FRST fixlist.txt file, and AdwCleaner found some more.

.

Step 1: Please submit the following two files to VirusTotal (I know that you already submitted C19E.tmp), but both my instructor and I would like to have you post the VirusTotal links to the VirusTotal file upload findings so that both we, and possibly the FRST developer, can examine the results. It is odd that both files would have the same size. We don't think that this is serious, but it might be something that the developer of FRST might want to know about. The hits you got on the C19E.tmp file are probably "false positives", because the file is probably the FRST program itself, and because of its nature, some lesser known anti-virus applications might flag FRST as malware. What is interesting is that somehow the FRST program might have duplicated itself as a .tmp file, which would not be an intended behaviour that I am familiar with. So you have discovered something that neither my supervisor nor I have seen before.



C:\Users\Ashley\Desktop\FRST64.exe
C:\Users\Ashley\Downloads\C19E.tmp

.


Step 2: I think you made a wise choice to remove Norton as well, although if you are still getting pop-ups from it, it is not all gone. There have been recent articles on its security vulnerabilities. Please go to the previous link, here, that I provided to you in my first post, and go to "Part 2" to download and run the Norton Removal Tool, if you have not already done so. It will hopefully remove the Norton remnants.

.

Step 3: Double click on AdwCleaner.exe to run the tool again. Vista/Windows 7/8 users right-click and select Run As Administrator

  • The tool will start to update the database, please wait for the update to complete.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished...
  • Uncheck any PUP and adware applications that you want to keep.
  • Then this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

 

 

Step 4: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus; instructions on how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK
  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply

Don't forget to re-enable your Windows Defender when finished!



:step5: I see that you have Malwarebytes Anti-Malware already installed. Please go to "Settings", "Detection and Protection" and ENSURE that "Scan for rootkits" is enabled/checked. Also, check that the two "Non-Malware Protection" items (PUPs and PUMs) are set to "Treat Detections as Malware." Then click back to "Dashboard" and click "Scan Now".

  • When the scan is completed, click the down arrow on Export Log and select Text file (*.txt).
  • Save the file to your desktop as MBAM.txt.
  • Click Apply Actions, then restart your computer, if requested.
  • Please copy and paste the contents of MBAM.txt into your next reply.


:step6: Please download Junkware Removal Tool to your desktop.

  • Shut down your Windows Defender now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
  • Reactivate your Windows Defender!



:step7: Please run a fresh set of FRST logs (ensure that "Addition.txt" is checked - it is only checked by default on the first run).



:step8: After you have completed the seven previous steps, please:

  • Send me the VirusTotal links for the two files;
  • Copy and paste the AdwCleaner "Clean" log into your next reply;
  • Copy and paste the ESET online scan results in your next reply, if there were any detections;
  • Copy and paste the MBAM log into your next reply;
  • Copy and paste the JRT log into your next reply;
  • Copy and paste the new FRST.txt and Addition.txt logs into your next reply; and,
  • Provide me with an update as to how your computer is running now.


Thank you and have a great day.

Regards,
-Phil


Edited by garioch7, 12 July 2016 - 04:36 PM.

Member of the Unified Network of Instructors and Trusted Eliminators


#8 ireallyhateviruses (Topic Starter, Members, 35 posts)

Posted 12 July 2016 - 08:55 PM

This just happened after turning on my computer (it was on sleep mode):

Two Internet Explorer windows were opened (I never use IE) with smaller windows that said:

Do you want to allow this website to open a program on your computer?

res://C:\Program%20Files%20(x86)\Hp\HP%20Software%20Update\HPWUCli.exe/136

I have never seen this before (I do have an HP printer but I have never seen a printer update like this). I was going to run the other scans in your last reply, but I don't know if this should be checked out first?

Thanks.


Edited by ireallyhateviruses, 12 July 2016 - 10:14 PM.


#9 garioch7 (RCMP Veteran, Malware Response Instructor, 3,626 posts, Port Hood, Nova Scotia, Canada)

Posted 13 July 2016 - 12:31 PM

ireallyhateviruses:

Thank you for your post. I commend you for checking first before proceeding if you have concerns. :thumbup2:

The file is an HP Client Update program and it should be legitimate. If you want to, you could navigate to it, and upload it to VirusTotal just to be one hundred percent sure that it is a legitimate program. You can check this link for more information on the program.

For now I would prefer that you don't update any programs. I would like to avoid changes being made to the computer until we have ascertained the cause of your issues.

Please proceed with the instructions in my previous post. Thank you and have a great day.

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
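As an added example (not code from the thread or from either poster), the Python below decodes the res:// address shown in such a prompt into the EXE/DLL that Internet Explorer is actually loading and the resource inside it, checks that the module sits under Program Files or Windows, and hashes it so the SHA-256 can be searched on VirusTotal instead of uploading the file. The TRUSTED_ROOTS list and the sample addresses are assumptions modelled on the addresses quoted in this thread, including the navcancl.htm-wrapped form.

```python
import hashlib
import os
from dataclasses import dataclass
from urllib.parse import unquote

# IE shows this page when it cancels a navigation; the original target
# follows the '#'.  This shape appears in the addresses quoted in the thread.
NAVCANCL_PREFIX = "res://ieframe.dll/navcancl.htm#"

# Roots from which a vendor updater's res:// page is plausible.  Constructed
# for this example; adjust for the machine being examined.
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")


@dataclass
class ResUrl:
    module: str    # EXE/DLL whose embedded HTML resource IE is rendering
    resource: str  # resource id (e.g. "136") or name (e.g. "views.htm")
    wrapped: bool  # True when the address came wrapped in navcancl.htm


def parse_res_url(url: str) -> ResUrl:
    """Split a res:// address into the module IE loads and the resource it shows."""
    url = url.strip().strip('"')
    wrapped = False
    if url.lower().startswith(NAVCANCL_PREFIX):
        url = url[len(NAVCANCL_PREFIX):]
        wrapped = True
    if not url.lower().startswith("res://"):
        raise ValueError(f"not a res:// address: {url!r}")
    # Percent-decode (%20 -> space) so the path matches what is on disk.
    body = unquote(url[len("res://"):])
    module, sep, resource = body.rpartition("/")
    if not sep or not module or not resource:
        raise ValueError(f"res:// address lacks module/resource: {url!r}")
    # Copy/paste often doubles backslashes (C:\\WINDOWS); collapse them.
    module = module.replace("\\\\", "\\")
    return ResUrl(module=module, resource=resource, wrapped=wrapped)


def in_trusted_root(module_path: str) -> bool:
    """True if the module lives under one of TRUSTED_ROOTS (case-insensitive)."""
    p = module_path.lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_sha256(path: str) -> str:
    """Hash a file in chunks; the digest can be searched on VirusTotal."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(url: str) -> dict:
    """Decode a res:// prompt and list what to verify before allowing it."""
    r = parse_res_url(url)
    notes = []
    if r.wrapped:
        notes.append("IE cancelled the navigation; the inner address is what was requested")
    if not in_trusted_root(r.module):
        notes.append("module is not under Program Files or Windows; find out where it lives")
    digest = None
    if os.path.isfile(r.module):
        digest = file_sha256(r.module)
    else:
        notes.append("module not found at that path here; hash it on the affected PC")
    return {
        "module": r.module,
        "resource": r.resource,
        "trusted_location": in_trusted_root(r.module),
        "sha256": digest,
        "notes": notes,
    }


if __name__ == "__main__":
    # Constructed inputs modelled on the addresses quoted in this thread.
    samples = [
        r"res://C:\Program%20Files%20(x86)\Hp\HP%20Software%20Update\HPWUCli.exe/136",
        r'"res://ieframe.dll/navcancl.htm#res://C:\\WINDOWS\system32\mmcndmgr.dll/views.htm"',
    ]
    for s in samples:
        result = triage(s)
        print(f"{result['module']} -> resource {result['resource']}")
        for n in result["notes"]:
            print("  note:", n)
```

A res:// prompt is about the binary named in the address, not a web site, so the module path and its hash are what to verify; a module outside the expected roots or one that cannot be found at the stated path deserves a closer look.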


#10 ireallyhateviruses (Topic Starter, Members, 35 posts)

Posted 14 July 2016 - 11:21 AM

Hi again,
 
I agree about following a YouTube video. Normally I wouldn't have done something like that, to be honest.
 
Yesterday, I wanted to restore the changes I made from the video. When I pressed the Windows key + R to run services.msc, two more Internet Explorer windows opened, once again with smaller windows inside that asked me if I wanted to make changes to my computer, along with these address names:
 
"res://C:\\WINDOWS\system32\mmcndmgr.dll/views.htm"
"res://ieframe.dll/navcancl.htm#res://C:\WINDOWS\system32\mmcdnmgr.dll/views.htm"
 
and then the services.msc window was blank. There were the File/Action/View etc. tabs across the top, but there was no list of services.
 
The IE window popping up/asking me if I want to make changes is something that I had never experienced until two days ago. Should I be concerned about this?
 
1. VirusTotal
 
 
 
2. Oops, I should have added that I had also run the Norton Removal Tool.
 
3. AdwCleaner:
 
# AdwCleaner v5.201 - Logfile created 13/07/2016 at 17:23:22
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-13.1 [Server]
# Operating system : Windows 8.1  (X64)
# Username : Ashley - SAMMY
# Running from : C:\Users\Ashley\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\ProgramData\Avg_Update_0116av
[-] Folder Deleted : C:\ProgramData\Avg_Update_0814tb
[-] Folder Deleted : C:\ProgramData\Avg_Update_1215av
[#] Folder Deleted : C:\ProgramData\Application Data\Avg_Update_0116av
[#] Folder Deleted : C:\ProgramData\Application Data\Avg_Update_0814tb
[#] Folder Deleted : C:\ProgramData\Application Data\Avg_Update_1215av
[-] Folder Deleted : C:\Program Files (x86)\AVG Security Toolbar
[-] Folder Deleted : C:\WINDOWS\SysWOW64\config\systemprofile\AppData\LocalLow\AVG Secure Search
[-] Folder Deleted : C:\Users\Ashley\AppData\Local\AVG Secure Search
[-] Folder Deleted : C:\Users\Heather\AppData\Local\AVG Secure Search
[-] Folder Deleted : C:\Users\Heather\AppData\LocalLow\AVG Secure Search
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi
[-] Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.NativeApi.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
[-] Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [vProt]
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Heather\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [3118 bytes] - [13/07/2016 17:23:22]
C:\AdwCleaner\AdwCleaner[S1].txt - [3582 bytes] - [11/07/2016 14:41:28]
C:\AdwCleaner\AdwCleaner[S2].txt - [3078 bytes] - [13/07/2016 17:18:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3337 bytes] ##########
 
4. ESET (I should add that I was in a rush when I did this step and forgot to disable Windows Defender. Hopefully that didn't affect the results.)

 

C:\Users\Ashley\Desktop\Desktop Pics\Font\DJ2540_188.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted

 

5. MalwareBytes

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 7/13/16
Scan Time: 10:22 PM
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.07.14.02
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Ashley
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 392805
Time Elapsed: 1 hr, 31 min, 35 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 

 

(end)
 
6. Junkware Removal Tool
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 8.1 x64 
Ran by Ashley (Administrator) on 07/14/16 at  9:33:26.30
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 3 
 
Successfully deleted: C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg (Folder) 
Successfully deleted: C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_klbibkeccnjlkjkiokjodocebajanakg_0.localstorage (File) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07/14/16 at  9:37:39.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
7. FRST

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 13-07-2016 02
Ran by Ashley (administrator) on SAMMY (14-07-2016 09:59:28)
Running from C:\Users\Ashley\Desktop
Loaded Profiles: Ashley (Available Profiles: Ashley & Heather)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Samsung Electronics CO., LTD.) C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
() C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\ismagent.exe
() C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13219984 2012-11-06] (Realtek Semiconductor)
HKLM\...\Run: [BtTray] => C:\Program Files (x86)\Bluetooth Suite\BtTray.exe [766080 2012-10-31] (Qualcomm Atheros)
HKLM\...\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [127616 2012-10-31] (Qualcomm Atheros Commnucations)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [557984 2014-08-27] (Adobe Systems Incorporated)
HKLM\...\Run: [Bitcasa] => C:\Program Files\Bitcasa\Bitcasa.exe [3952128 2012-11-26] (Bitcasa, Inc)
HKLM\...\Run: [lxdxmon.exe] => C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe [672424 2010-02-04] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe [107176 2010-02-04] (Lexmark International Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3940040 2015-06-12] (Synaptics Incorporated)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [97392 2012-08-15] (CyberLink Corp.)
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-12] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [40312 2013-12-18] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Intel AppUp(SM) center] => C:\Program Files (x86)\Intel\IntelAppStore\bin\ismagent.exe [155488 2012-07-13] (Intel Corporation)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [Akamai NetSession Interface] => "C:\Users\Ashley\AppData\Local\Akamai\netsession_win.exe"
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [Spotify Web Helper] => C:\Users\Ashley\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-06-02] (Spotify Ltd)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-11-21] (Apple Inc.)
HKU\S-1-5-21-275444049-347170542-1178166326-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\scrnsave.scr [11776 2014-10-28] (Microsoft Corporation)
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
SSODL-x32: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\windows\SysWow64\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [1EldosIconOverlay] -> {9F9E650E-C824-40F4-B91C-2CEA9F2B283B} => C:\windows\SYSTEM32\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\system32\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [1EldosIconOverlay] -> {9F9E650E-C824-40F4-B91C-2CEA9F2B283B} => C:\windows\SysWOW64\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
ShellIconOverlayIdentifiers-x32: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\windows\SysWow64\CbFsMntNtf3.dll [2012-08-05] (EldoS Corporation)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 64.59.176.14 64.59.177.228
Tcpip\..\Interfaces\{F80B304C-FF08-402F-94C4-8B0CE051BC2B}: [DhcpNameServer] 64.59.176.14 64.59.177.228
 
Internet Explorer:
==================
HKU\S-1-5-21-275444049-347170542-1178166326-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://samsung13.msn.com
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2012-10-31] (Qualcomm Atheros Commnucations)
 
FireFox:
========
FF ProfilePath: C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\0x6uh9d7.default
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-12-18] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://google.ca/
CHR StartupUrls: Default -> "hxxp://www.google.ca/"
CHR Plugin: (Shockwave Flash) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\PepperFlash\11.9.900.117\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Profile: C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-04]
CHR Extension: (Google Drive) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (YouTube) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-25]
CHR Extension: (OneTab) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall [2016-07-06]
CHR Extension: (uBlock Origin) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2016-06-26]
CHR Extension: (Google Search) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Stylish) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\fjnbnpbmkenffdnngjfgmeleoegfcffe [2016-04-05]
CHR Extension: (Google Docs Offline) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Last.fm Scrobbler) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhinaapppaileiechjoiifaancjggfjm [2016-05-24]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2016-03-17]
CHR Extension: (The Great Suspender) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg [2016-07-14]
CHR Extension: (Ghostery) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2016-02-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Weather Underground) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjejbgheonogbpfkkjigbmahaljipoej [2015-05-12]
CHR Extension: (Gmail) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdobeActiveFileMonitor11.0; C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171664 2012-11-05] (Adobe Systems Incorporated)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [231040 2012-10-31] (Qualcomm Atheros Commnucations) [File not signed]
R2 Easy Launcher; C:\Program Files (x86)\Samsung\Settings\CmdServer\EasyLauncher.exe [1591176 2012-11-30] (Samsung Electronics CO., LTD.) [File not signed]
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-17] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-17] (Intel Corporation)
S2 lxdxCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
R2 SWUpdateService; C:\Program Files (x86)\Samsung\SW Update\SWMAgent.exe [2878152 2012-12-21] (Samsung Electronics CO., LTD.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246464 2015-06-12] (Synaptics Incorporated)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1784248 2015-07-06] (Microsoft Corporation)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2012-10-31] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [76952 2012-10-31] (Qualcomm Atheros)
R1 cbfs3; C:\windows\system32\drivers\cbfs3.sys [352456 2012-08-05] (EldoS Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-24] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-08-09] (Corel Corporation)
R3 RadioHIDMini; C:\Windows\System32\drivers\RadioHIDMini.sys [23408 2012-07-27] (Windows ® Win 7 DDK provider)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-14 09:59 - 2016-07-14 10:00 - 00016826 _____ C:\Users\Ashley\Desktop\FRST.txt
2016-07-14 09:37 - 2016-07-14 09:37 - 00001031 _____ C:\Users\Ashley\Desktop\JRT.txt
2016-07-14 09:32 - 2016-07-14 09:32 - 01610560 _____ (Malwarebytes) C:\Users\Ashley\Desktop\JRT.exe
2016-07-13 23:56 - 2016-07-13 23:56 - 00001045 _____ C:\Users\Ashley\Desktop\MBAM.txt
2016-07-13 22:19 - 2016-07-13 22:19 - 00000258 _____ C:\Users\Ashley\Desktop\ESET.txt
2016-07-13 17:32 - 2016-07-13 17:32 - 02870984 _____ (ESET) C:\Users\Ashley\Desktop\esetsmartinstaller_enu.exe
2016-07-13 17:32 - 2016-07-13 17:32 - 00000000 ____D C:\Program Files (x86)\ESET
2016-07-13 17:28 - 2016-07-13 17:28 - 00003420 _____ C:\Users\Ashley\Desktop\AdwCleaner[C1].txt
2016-07-11 14:41 - 2016-07-13 17:23 - 00000000 ____D C:\AdwCleaner
2016-07-11 14:40 - 2016-07-11 14:40 - 03712064 _____ C:\Users\Ashley\Desktop\AdwCleaner.exe
2016-07-11 14:11 - 2016-07-11 14:17 - 00005114 _____ C:\Users\Ashley\Desktop\Fixlog.txt
2016-07-11 13:16 - 2016-07-11 13:20 - 00000000 ____D C:\WINDOWS\System32\Tasks\Norton Remove and Reinstall
2016-07-10 21:29 - 2016-07-10 21:29 - 00090809 _____ C:\Users\Ashley\AppData\Local\recently-used.xbel
2016-07-10 11:08 - 2016-07-10 11:08 - 01003601 _____ C:\Users\Ashley\Desktop\emanuel marriage.pdf
2016-07-10 10:56 - 2016-07-10 10:56 - 01269460 _____ C:\Users\Ashley\Desktop\richard gibson wills estates.pdf
2016-07-10 10:45 - 2016-07-10 10:45 - 00867506 _____ C:\Users\Ashley\Desktop\BL_0000677_19260308_004_0001 Norman article.pdf
2016-07-09 14:50 - 2016-07-09 14:50 - 01397483 _____ C:\Users\Ashley\Downloads\46A6.tmp
2016-07-09 14:48 - 2016-07-09 14:48 - 01397483 _____ C:\Users\Ashley\Downloads\8DDE.tmp
2016-07-05 20:02 - 2016-07-14 09:59 - 00000000 ____D C:\Users\Ashley\Desktop\FRST-OlderVersion
2016-06-30 15:11 - 2016-07-14 09:59 - 00000000 ____D C:\FRST
2016-06-30 15:10 - 2016-07-14 09:59 - 02390528 _____ (Farbar) C:\Users\Ashley\Desktop\FRST64.exe
2016-06-30 15:09 - 2016-06-30 15:09 - 02390016 _____ (Farbar) C:\Users\Ashley\Downloads\C19E.tmp
2016-06-30 00:49 - 2016-06-30 00:52 - 00000000 ____D C:\AVG_Remover
2016-06-30 00:48 - 2016-06-30 00:48 - 08111408 _____ ( ) C:\Users\Ashley\Desktop\AVG_Remover.exe
2016-06-27 13:34 - 2016-06-27 13:34 - 00085321 _____ C:\Users\Ashley\Desktop\ClvhyRgUkAAykYg.jpg-large
2016-06-27 13:31 - 2016-06-27 13:31 - 00085321 _____ C:\Users\Ashley\Downloads\23CE.tmp
2016-06-27 09:52 - 2016-06-27 09:52 - 00285888 _____ C:\WINDOWS\Minidump\062716-99859-01.dmp
2016-06-21 17:54 - 2016-06-21 17:54 - 00193920 _____ C:\Users\Ashley\Downloads\CDCE.tmp
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-14 09:30 - 2013-01-09 17:46 - 00000000 ____D C:\ProgramData\WinClon
2016-07-14 09:29 - 2013-08-05 15:36 - 00000000 ____D C:\Users\Ashley\AppData\Local\Adobe
2016-07-14 09:27 - 2013-08-05 19:32 - 00000914 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-14 00:13 - 2013-08-05 19:32 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-13 22:22 - 2014-09-02 22:53 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-07-13 17:25 - 2013-08-22 08:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-07-13 17:23 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\Inf
2016-07-12 19:50 - 2015-02-28 21:42 - 00000000 __SHD C:\Users\Ashley\AppData\LocalLow\EmieBrowserModeList
2016-07-12 19:50 - 2014-11-01 21:50 - 00000000 __SHD C:\Users\Ashley\AppData\LocalLow\EmieUserList
2016-07-12 19:50 - 2014-11-01 21:50 - 00000000 __SHD C:\Users\Ashley\AppData\LocalLow\EmieSiteList
2016-07-11 15:25 - 2013-08-05 15:41 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-275444049-347170542-1178166326-1001
2016-07-11 14:12 - 2014-10-15 00:16 - 00000000 ____D C:\Users\Ashley
2016-07-11 13:17 - 2013-01-09 17:44 - 00000000 ____D C:\ProgramData\Norton
2016-07-11 13:16 - 2013-08-22 07:25 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-07-11 13:13 - 2013-01-09 17:43 - 00000000 ____D C:\ProgramData\NortonInstaller
2016-07-11 13:12 - 2014-09-24 01:15 - 00863592 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-07-11 13:00 - 2015-07-31 09:28 - 00000000 ____D C:\WINDOWS\System32\Tasks\Remediation
2016-07-11 13:00 - 2013-08-22 07:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-07-11 13:00 - 2012-07-26 02:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2016-07-10 23:57 - 2015-01-27 20:52 - 00000000 ____D C:\Users\Ashley\AppData\Roaming\Spotify
2016-07-10 23:57 - 2013-08-23 17:30 - 00000000 ____D C:\Users\Ashley\AppData\Local\CrashDumps
2016-07-10 23:56 - 2015-01-27 20:53 - 00000000 ____D C:\Users\Ashley\AppData\Local\Spotify
2016-07-10 21:30 - 2015-01-09 21:29 - 00000000 ____D C:\Users\Ashley\.gimp-2.8
2016-07-10 21:29 - 2015-01-09 22:30 - 00000000 ____D C:\Users\Ashley\AppData\Local\gtk-2.0
2016-07-10 21:27 - 2014-01-28 20:13 - 00000000 ____D C:\Users\Ashley\AppData\Roaming\Apple Computer
2016-07-06 16:48 - 2013-08-05 19:33 - 00002215 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-07-06 16:48 - 2013-08-05 19:33 - 00002203 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-30 18:06 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-06-30 10:27 - 2015-06-16 10:18 - 00000000 ____D C:\Users\Ashley\AppData\Local\ElevatedDiagnostics
2016-06-29 23:35 - 2014-10-15 00:16 - 00000000 ____D C:\Users\Heather
2016-06-28 14:52 - 2014-01-28 20:13 - 00000000 ____D C:\Users\Ashley\AppData\Local\Apple Computer
2016-06-27 09:52 - 2015-10-22 11:57 - 00000000 ____D C:\WINDOWS\Minidump
2016-06-27 09:51 - 2015-10-22 11:57 - 774349267 _____ C:\WINDOWS\MEMORY.DMP
2016-06-25 11:54 - 2016-03-29 21:14 - 00000000 ____D C:\Users\Ashley\Desktop\Desktop Crap 2k16
2016-06-23 01:08 - 2016-05-23 21:14 - 00000000 ____D C:\Users\Ashley\AppData\Local\Last.fm
2016-06-22 22:59 - 2016-06-07 15:22 - 00000000 ____D C:\Users\Ashley\Desktop\grim
2016-06-20 22:30 - 2014-11-26 18:33 - 00018436 ____H C:\Users\Ashley\.DS_Store
2016-06-18 14:20 - 2013-08-22 09:36 - 00000000 ___HD C:\Program Files\WindowsApps
 
==================== Files in the root of some directories =======
 
2015-08-25 14:13 - 2016-01-03 22:15 - 0009728 _____ () C:\Users\Ashley\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-07-10 21:29 - 2016-07-10 21:29 - 0090809 _____ () C:\Users\Ashley\AppData\Local\recently-used.xbel
2014-10-27 20:39 - 2014-10-27 20:39 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-08-13 18:50 - 2014-03-05 21:52 - 0000756 _____ () C:\ProgramData\FastPics.log
2013-08-26 11:20 - 2016-07-13 18:00 - 0069153 _____ () C:\ProgramData\lxdx.log
2013-08-13 18:49 - 2013-08-13 20:46 - 0000492 _____ () C:\ProgramData\lxdxDiagnostics.log
2013-01-09 17:38 - 2012-08-07 22:07 - 2258432 _____ (Samsung Electronics) C:\ProgramData\MakeMarkerFile.exe
2013-01-09 17:38 - 2012-08-07 04:11 - 0003196 _____ () C:\ProgramData\MakeMarkerFile.xml
2013-08-13 18:48 - 2013-08-13 18:48 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt
 
Some files in TEMP:
====================
C:\Users\Ashley\AppData\Local\Temp\libeay32.dll
C:\Users\Ashley\AppData\Local\Temp\msvcr120.dll
C:\Users\Ashley\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-07-13 17:40
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-07-2016 02
Ran by Ashley (2016-07-14 10:01:03)
Running from C:\Users\Ashley\Desktop
Windows 8.1 (Update) (X64) (2014-10-15 06:51:58)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-275444049-347170542-1178166326-500 - Administrator - Disabled)
Ashley (S-1-5-21-275444049-347170542-1178166326-1001 - Administrator - Enabled) => C:\Users\Ashley
Guest (S-1-5-21-275444049-347170542-1178166326-501 - Limited - Disabled)
Heather (S-1-5-21-275444049-347170542-1178166326-1004 - Limited - Enabled) => C:\Users\Heather
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Photoshop Elements 11 (HKLM-x32\...\Adobe Photoshop Elements 11) (Version: 11.0 - Adobe Systems Incorporated)
Adobe Reader X (10.1.9) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.9 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Bitcasa version 0.9.20.4133 (HKLM\...\{EDA09459-AD7D-4434-BA0C-647F6703EA12}_is1) (Version: 0.9.20.4133 - Bitcasa Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.0.1912 - CyberLink Corp.)
CyberLink PowerDVD 10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.4421.02 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
D-Fend Reloaded 1.3.3 (deinstall) (HKLM-x32\...\D-Fend Reloaded) (Version: 1.3.3 - Alexander Herzog)
Easy File Share (HKLM-x32\...\{A7C37D4B-F37A-42E8-9B6A-B28C18AD4C12}) (Version: 1.3.6 - Samsung Electronics CO.,LTD.)
Elements 11 Organizer (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
E-POP (HKLM-x32\...\{F06DD8D9-9DC8-430C-835C-C9BF21E05CC1}) (Version: 1.0.1 - Samsung Electronics CO., LTD.)
FamilySearch Indexing 3.19.3 (HKLM-x32\...\0591-8077-9297-0833) (Version: 3.19.3 - FamilySearch)
Galería de fotos (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Galerie de photos (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
GIMP 2.8.14 (HKLM\...\GIMP-2_is1) (Version: 2.8.14 - The GIMP Team)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.106 - Google Inc.)
Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
GrampsAIO64 (HKLM-x32\...\GrampsAIO64) (Version: 3.4.5-2 - The GRAMPS project)
Help Desk (HKLM\...\{3D85CD3F-00E0-4E14-82D6-1F9397DDD09B}) (Version: 1.0.8 - Samsung Electronics CO., LTD.)
HP Deskjet 2540 series Basic Device Software (HKLM\...\{6A79CD11-0C1C-4E24-A8C6-46A02F680346}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
HP Deskjet 2540 series Help (HKLM-x32\...\{4539575D-C09D-4E71-B207-0F2D6BD74DA2}) (Version: 30.0.0 - Hewlett Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
iCloud (HKLM\...\{309768A4-A2BB-4930-A5A2-8169678C9B4C}) (Version: 4.0.6.28 - Apple Inc.)
Intel AppUp(SM) center (HKLM-x32\...\Intel AppUp(SM) center 33070) (Version: 3.6.1.33070.11 - Intel)
Intel® Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{A6C48A9F-694A-4234-B3AA-62590B668927}) (Version: 1.0.0.36702 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3368 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.5.2.1001 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Last.fm Scrobbler 2.1.37 (HKLM-x32\...\LastFM_is1) (Version:  - Last.fm)
Lexmark 3600-4600 Series (HKLM\...\Lexmark 3600-4600 Series) (Version:  - Lexmark International, Inc.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Office (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.6120.5004 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft WSE 3.0 Runtime (HKLM-x32\...\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}) (Version: 3.0.5305.0 - Microsoft Corp.)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 40.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 40.0.3 (x86 en-US)) (Version: 40.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 40.0.3 - Mozilla)
Pinnacle Studio 14 (HKLM-x32\...\{AADD1C8F-D59F-4D55-A726-768C71A205A8}) (Version: 14.0.0.7255 - Pinnacle Systems)
Pinnacle Video Driver (HKLM\...\{6DE721A5-5E89-4D74-994C-652BB3C0672E}) (Version: 12.1.0.030 - Pinnacle Systems)
PixelHobby Designer (HKLM-x32\...\PixelHobby Designer) (Version: 2.0 - HobbyWare)
Plants vs. Zombies (HKLM-x32\...\Plants vs. Zombies) (Version:  - PopCap Games)
Potplayer (HKLM-x32\...\PotPlayer) (Version:  - Kakao Corp.)
Product Improvement Study for HP Deskjet 2540 series (HKLM\...\{DF34643B-A745-430C-B27B-A48F853C81E4}) (Version: 32.2.188.47710 - Hewlett-Packard Co.)
PSE11 STI Installer (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.214 - Qualcomm Atheros Communications)
Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.4.907.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6772 - Realtek Semiconductor Corp.)
Recovery (HKLM-x32\...\{145DE957-0679-4A2A-BB5C-1D3E9808FAB2}) (Version: 6.0.7.2 - Samsung Electronics CO., LTD.)
S Agent (Version: 1.0.9 - Samsung Electronics CO., LTD.) Hidden
Settings (HKLM-x32\...\{8CB5C357-12E5-41B1-A024-D57D4E6F32D9}) (Version: 2.0.1 - Samsung Electronics CO., LTD.)
Spotify (HKU\S-1-5-21-275444049-347170542-1178166326-1001\...\Spotify) (Version: 1.0.29.92.g67727800 - Spotify AB)
Stellarium 0.12.2 (HKLM\...\Stellarium_is1) (Version: 0.12.2 - Stellarium team)
Support Center FAQ (x32 Version: 1.0.6 - Samsung Electronics CO., LTD.) Hidden
SW Update (HKLM-x32\...\{F5B5BA56-8FEB-494B-84E6-C8DA9C2BEE50}) (Version: 2.1.6 - Samsung Electronics CO., LTD.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.11.1 - Synaptics Incorporated)
The Sims™ 3 (HKLM-x32\...\{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}) (Version: 1.0.631 - Electronic Arts)
Transcribe! 8.40 (HKLM-x32\...\Transcribe!_is1) (Version: 8.40 - Seventh String Software)
Trillian (HKLM-x32\...\Trillian) (Version:  - Cerulean Studios, LLC)
TurboTax 2013 (HKLM-x32\...\{1E0FF98D-4AE4-46CC-B624-E771ABD5EA11}) (Version: 1.00.0000 - Intuit Canada)
TurboTax 2014 (HKLM-x32\...\{0B69B187-4F9F-41C2-B850-735D1A323571}) (Version: 1.00.0000 - Intuit Canada)
TurboTax 2015 (HKLM-x32\...\{2A42456E-B15D-492F-B99A-53C5ABD77EC0}) (Version: 1.00.0000 - Intuit Canada)
User Guide (HKLM-x32\...\{087EB114-ACEF-44D3-8C0A-27AE0CC8A8BB}) (Version: 1.2.00 - Samsung Electronics CO., LTD.)
VLC media player 2.0.8 (HKLM-x32\...\VLC media player) (Version: 2.0.8 - VideoLAN)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
Zip Motion Block Video codec (Remove Only) (HKLM-x32\...\ZMBV) (Version:  - DOSBox Team)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {2FCBCF3C-EB48-4B97-8BEE-7CBED941FA5B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {573DEF9A-E345-4FCF-9302-3D2FD40F0170} - System32\Tasks\Installation App Launcher => C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe [2010-02-04] (Lexmark International Inc.)
Task: {5A1214CA-E37D-4D68-B83C-0A75F897AE91} - System32\Tasks\SAgent => C:\Program Files\Samsung\S Agent\CommonAgent.exe [2012-10-24] (Samsung Electronics CO., LTD.)
Task: {5D1EC6C3-8955-45D0-B265-3ECD4D8214B5} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {76A9B415-0DBE-47B0-802E-2CCE0CDB947D} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [2015-07-27] (Symantec Corporation)
Task: {884B479F-2A10-476E-9ED8-304052E9CEA9} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2012-06-13] (Intel Corporation)
Task: {9209F2E5-FAE1-4297-A85F-BE4CA06B6E12} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {9FB6C2DB-D390-4C2E-8D20-D48F943145C8} - System32\Tasks\Synaptics TouchPad Enhancements => Program Files\Synaptics\SynTP\SynTPEnh.exe
Task: {A58B1DEA-84DE-4722-8CCA-395B185EB772} - System32\Tasks\HPCustParticipation HP Deskjet 2540 series => C:\Program Files\HP\HP Deskjet 2540 series\Bin\HPCustPartic.exe [2014-03-06] (Hewlett-Packard Co.)
Task: {A5D68961-8FE8-4EF5-8C56-8C7A2073195F} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2012-06-13] (Intel Corporation)
Task: {AF63D4FC-91C2-4405-A95A-2DE6302DDD65} - System32\Tasks\HP AR Program Upload - ee2d426742104847be601b5d3d07eb49e576b368dbd847f7a204d125bfa37536 => C:\Program Files\HP\HP Deskjet 2540 series\bin\HPRewards.exe [2014-03-06] (TODO: <Company name>)
Task: {BED5261D-5931-4BD5-BC63-1B1072943AA3} - System32\Tasks\advRecovery => C:\Program Files\Samsung\Recovery\WCScheduler.exe [2012-10-15] (SEC)
Task: {FDD0644A-49CC-4DD6-A928-9ACD60AAF503} - System32\Tasks\AdobeAAMUpdater-1.0-Sammy-Ashley => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2014-08-27] (Adobe Systems Incorporated)
Task: {FF6D5BA6-2C7C-461E-AFE2-B0DB5B29D030} - System32\Tasks\Settings => C:\Program Files (x86)\Samsung\Settings\sSettings.exe [2012-11-30] (Samsung Electronics CO., LTD.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Synaptics TouchPad Enhancements.job => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2013-08-12 22:41 - 2009-10-16 18:12 - 00177664 _____ () C:\WINDOWS\system32\spool\PRTPROCS\x64\lxdxdrpp.dll
2012-11-30 01:26 - 2012-11-30 01:26 - 00082312 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdServer.exe
2012-07-23 21:06 - 2012-07-23 21:06 - 00119808 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\updateui.exe
2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2013-01-09 17:33 - 2012-06-25 12:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2012-11-30 01:26 - 2012-11-30 01:26 - 00028792 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmdWrapper.dll
2012-11-30 01:26 - 2012-11-30 01:26 - 01068664 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsCmd.dll
2012-11-30 01:26 - 2012-11-30 01:26 - 00110712 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\EasySettingsBase.dll
2012-11-30 01:26 - 2012-11-30 01:26 - 00056440 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\HookDllPS2.dll
2012-11-30 01:26 - 2012-11-30 01:26 - 00211064 _____ () C:\Program Files (x86)\Samsung\Settings\CmdServer\WinCRT.dll
2011-08-15 05:12 - 2011-08-15 05:12 - 02603520 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\QtCore4.dll
2012-06-13 20:57 - 2012-06-13 20:57 - 00015872 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\featureController.dll
2011-08-15 05:12 - 2011-08-15 05:12 - 01006592 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\QtNetwork4.dll
2011-08-15 05:15 - 2011-08-15 05:15 - 00382464 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\QtXml4.dll
2011-08-17 01:41 - 2011-08-17 01:41 - 00400384 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\sqlite3.dll
2011-08-17 01:48 - 2011-08-17 01:48 - 00322048 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\log4cplus.dll
2011-08-17 01:48 - 2011-08-17 01:48 - 00195584 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\libgsoap.dll
2011-08-15 04:23 - 2011-08-15 04:23 - 00062464 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\zlib1.dll
2012-06-13 20:56 - 2012-06-13 20:56 - 00481792 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\DeviceProfile.dll
2012-06-13 21:06 - 2012-06-13 21:06 - 00500064 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\plugin\PServerPlugin.dll
2012-06-13 20:55 - 2012-06-13 20:55 - 00013824 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\eventsSender.dll
2011-07-19 01:05 - 2011-07-19 01:05 - 14978048 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\QtWebKit4.dll
2011-08-15 05:17 - 2011-08-15 05:17 - 09224704 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\QtGui4.dll
2011-07-19 01:04 - 2011-07-19 01:04 - 00317952 _____ () C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\phonon4.dll
2015-10-18 09:19 - 2014-02-10 12:44 - 04592128 _____ () C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libglesv2.dll
2015-10-18 09:19 - 2014-02-10 12:44 - 00112128 _____ () C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\SwiftShader\3.2.6.45159\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\Users\Ashley\#3:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\01 (I'm The One) Doctor Love.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\02 Keep It Healthy.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\02 Shy Boy.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\03 What A Shambles.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\04 Really Saying Something.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\05 Cheers Then.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\06 Na Na Hey Hey Kiss Him Goodbye.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\06 Young At Heart.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\08 Hey Young London.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\09 Boy Trouble.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\10 Wish You Were Here.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananarama:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananarama - Link.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananarama - Push.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananarama - Robert De Niro's Waiting.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananarama - Venus Club Mix.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananarama - Venus Dub Mix.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananarama - White Train.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Bananstuff:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Crisis:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Deep Sea Skiving:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Dive:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Exquisite Corpse:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Gemini:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Hormonally Yours:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\No Way Out _ I'll Start Believing:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Sacred Heart:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Sacred Heart (Original Mix).m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\sacred heart (original) fixed.m4a:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\TC:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Warpaint:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\wow:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Downloads\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Ashley\Documents\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Heather\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Heather\Documents\.DS_Store:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:AFP_AfpInfo [122]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatacom_yazsoft_speeddownload_DLSize [23]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatacom_yazsoft_speeddownload_EndDate [102]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatacom_yazsoft_speeddownload_FromSD [88]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatacom_yazsoft_speeddownload_name [114]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatacom_yazsoft_speeddownload_StartDate [102]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatacom_yazsoft_speeddownload_url [204]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatakMDItemFinderComment [204]
AlternateDataStreams: C:\Users\Heather\Documents\cj4600en64.exe:com.apple.metadatakMDItemWhereFroms [924]
AlternateDataStreams: C:\Users\Heather\Documents\Sweetheart Afghans to Crochet.pdf:com.apple.Preview.UIstate.v1 [518]
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo [122]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 07:25 - 2013-08-22 07:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-275444049-347170542-1178166326-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Ashley\Desktop\Desktop Pics\EtacarinaeSGL_gendler.jpg
DNS Servers: 64.59.176.14 - 64.59.177.228
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{15A4B62B-515C-4315-A8E4-6FBACF8BAB2B}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 14\Programs\umi.exe
FirewallRules: [{9C36C386-0406-4007-B7F1-8B2FF4AB185E}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 14\Programs\umi.exe
FirewallRules: [{43FAA0E0-D5B9-433C-A51B-83C6C30CA794}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 14\Programs\Studio.exe
FirewallRules: [{38C1458E-BE3E-4E1E-A503-0A32559ACF72}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 14\Programs\Studio.exe
FirewallRules: [{DC77B4B2-7FC7-43E3-98FD-BCCEB88368AE}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 14\Programs\RM.exe
FirewallRules: [{15D4AA28-7FA5-4CB3-B6D5-5B5482E77476}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 14\Programs\RM.exe
FirewallRules: [UDP Query User{DF317B5A-44C4-4D1E-B782-F80791B33103}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [TCP Query User{F5D288F5-28CB-414F-9533-DF8B179D26CD}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [UDP Query User{9CC39C24-32DD-4631-9CA2-2B2CAFD5235A}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [TCP Query User{C9F13C58-9A1D-4D02-80D4-F20232A934C3}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [{045FF93E-0C83-483F-9F62-3AB85844921B}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{EF6CF937-1D8E-4BBA-82D1-2D21E2685435}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{094EA1FE-9ADF-4302-B35A-EE18FF54928E}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{CEC547E1-A2BF-4959-8FCC-BC451E6789F3}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{206FAAA0-3FB4-45C6-BFD7-2EB028D491EE}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxjswx.exe
FirewallRules: [{36B1CB8B-6029-48F0-8927-08288AEC48CD}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxjswx.exe
FirewallRules: [UDP Query User{83780497-C29E-456A-B1FA-96CF5E4E8FA8}C:\program files (x86)\lexmark 3600-4600 series\lxdxlscn.exe] => (Block) C:\program files (x86)\lexmark 3600-4600 series\lxdxlscn.exe
FirewallRules: [TCP Query User{C0EB0183-EF91-44C9-8DB8-68FD0962F656}C:\program files (x86)\lexmark 3600-4600 series\lxdxlscn.exe] => (Block) C:\program files (x86)\lexmark 3600-4600 series\lxdxlscn.exe
FirewallRules: [UDP Query User{662D7C6A-516A-4D87-872B-52C3074D51C6}C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe] => (Block) C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe
FirewallRules: [TCP Query User{2F577D00-162A-41E4-934F-DB8A04A109B8}C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe] => (Block) C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe
FirewallRules: [{441B0E6E-6BD1-45A2-A29F-3981FA2B7492}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\Wireless\lxdxwpss.exe
FirewallRules: [{EED170F3-485D-4DA6-ABF9-AAE229FD28BD}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\Wireless\lxdxwpss.exe
FirewallRules: [{19105019-7EA7-4CBF-B363-4DD3678C09C9}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
FirewallRules: [{65C4AA10-6C03-49B1-8022-002A1123298B}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
FirewallRules: [{0480C859-67E3-4D80-80D2-45778D944F27}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxtime.exe
FirewallRules: [{5D9AEB71-693D-45B7-8FC2-EB42E48C7E69}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxtime.exe
FirewallRules: [{1651743C-20E7-4607-A03D-8E5506AEBC40}] => (Allow) C:\Windows\System32\lxdxcfg.exe
FirewallRules: [{32A0CD0D-FC50-4E40-9E9B-41F37C7FBD19}] => (Allow) C:\Windows\System32\lxdxcfg.exe
FirewallRules: [{AB8006EF-5AAF-4A0F-891F-5629A6CAC66E}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxpswx.exe
FirewallRules: [{34E26634-E9F4-49D4-BB4F-7D987690A4C3}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxpswx.exe
FirewallRules: [{B68ECA66-7893-4186-A3CF-E29D058C72E0}] => (Allow) C:\Windows\System32\lxdxcoms.exe
FirewallRules: [{C595FA57-D35B-4ED7-B266-84D4F4118B97}] => (Allow) C:\Windows\System32\lxdxcoms.exe
FirewallRules: [{77768231-28AB-45A4-BECF-84EE122BBFFB}] => (Allow) C:\Windows\SysWOW64\lxdxcoms.exe
FirewallRules: [{76E6716A-2EAC-4AF1-A3FB-CA6E80294630}] => (Allow) C:\Windows\SysWOW64\lxdxcoms.exe
FirewallRules: [{20AF1BA3-3DB3-41D3-BD9F-2F2913ED192D}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD10.EXE
FirewallRules: [{3B23F024-544E-4A86-96DB-A7DE24B3C2AF}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD10\PowerDVD Cinema\PowerDVDCinema10.exe
FirewallRules: [{2114B388-324F-40F9-9251-2C126EF82921}] => (Allow) C:\Program Files\HP\HP Deskjet 2540 series\Bin\DeviceSetup.exe
FirewallRules: [{88EA5827-D053-4EED-9C90-AE667E624C4A}] => (Allow) LPort=5357
FirewallRules: [{65213E41-D423-43CA-9349-7002088F335A}] => (Allow) C:\Program Files\HP\HP Deskjet 2540 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{BD5E5114-8580-4EF7-BC77-0CF74A900D03}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [{9806D921-C6F5-4A20-9831-96541E7E86A1}] => (Allow) C:\Users\Ashley\AppData\Local\Temp\nsx5437.tmp\CnetInstaller-10659939.exe
FirewallRules: [{DCDC6A97-CE19-4411-9EA3-1EF8A1B7C226}] => (Allow) C:\Users\Ashley\AppData\Local\Temp\nsx5437.tmp\CnetInstaller-10659939.exe
FirewallRules: [TCP Query User{E0D18076-2E4B-4490-91D8-78D243C08173}C:\users\ashley\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\ashley\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{B9AF8D83-8A71-4709-9AB3-44431BB07C89}C:\users\ashley\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\ashley\appdata\local\akamai\netsession_win.exe
FirewallRules: [TCP Query User{410A8CBE-E78C-4BE0-864F-CC36051C25E8}C:\users\ashley\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\ashley\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{C9FF0EF6-4BE0-4A13-9BD4-E558224E95AA}C:\users\ashley\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\ashley\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{AEE1E31A-84A6-41A4-9575-07A47FEC009F}C:\users\ashley\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\ashley\appdata\roaming\spotify\spotify.exe
FirewallRules: [UDP Query User{B07C910A-FE61-4336-8E32-5AE3F4AA1851}C:\users\ashley\appdata\roaming\spotify\spotify.exe] => (Block) C:\users\ashley\appdata\roaming\spotify\spotify.exe
FirewallRules: [{8FBE7AB3-D906-4A6E-AC93-D1EE622E1974}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{D185AD3D-08D0-4FFF-BE8B-BB0727619BD9}] => (Allow) LPort=2869
FirewallRules: [{4CED6CCF-8BE7-44BE-B623-3994F32C3A21}] => (Allow) LPort=1900
FirewallRules: [{526D36EC-0CFF-4ADA-97BE-E410073EE598}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{F3F543E4-AAC3-4C84-891F-C72981B4FDE9}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{BC0ADF5B-AD4B-4FF9-A586-EB7E105A43EE}D:\cfg\ieembed.exe] => (Block) D:\cfg\ieembed.exe
FirewallRules: [UDP Query User{599DCA8C-7FE7-4F43-9DEE-4641DE83902C}D:\cfg\ieembed.exe] => (Block) D:\cfg\ieembed.exe
FirewallRules: [{C755BA24-1275-40A6-AE57-602EFFD03F0A}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{475FE8F5-020D-4412-AB13-A49229AC6986}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{82C213F1-E42F-4F9F-9304-69CD901C55FF}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{1E3F4867-1D68-48DE-B529-64AE0B8ECE43}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{10DFBE25-61B4-46DD-86A0-E018EDBA9C76}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
05-07-2016 19:13:54 Scheduled Checkpoint
11-07-2016 13:12:05 Removed Norton Online Backup
11-07-2016 14:11:34 Restore Point Created by FRST
14-07-2016 09:33:27 JRT Pre-Junkware Removal
 
==================== Faulty Device Manager Devices =============
 
Name: Qualcomm Atheros AR3012 Bluetooth 4.0 + HS
Description: Qualcomm Atheros AR3012 Bluetooth 4.0 + HS
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: Qualcomm Atheros Communications
Service: BTHUSB
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/14/2016 09:51:21 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0.manifest.
 
Error: (07/13/2016 05:32:36 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0.manifest.
 
Error: (07/13/2016 05:32:33 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0.manifest.
 
Error: (07/13/2016 05:32:28 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0.manifest.
 
Error: (07/13/2016 05:32:28 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0.manifest.
 
Error: (07/13/2016 05:32:16 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest1".Error in manifest or policy file "C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest2" on line C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_a9edf09f013934e0.manifest.
 
Error: (07/13/2016 02:31:24 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1047
 
Error: (07/13/2016 02:31:24 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1047
 
Error: (07/13/2016 02:31:24 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (07/12/2016 11:15:08 PM) (Source: SideBySide) (EventID: 59) (User: )
Description: Activation context generation failed for "1".Error in manifest or policy file "2" on line 3.
Invalid Xml syntax.
 
 
System errors:
=============
Error: (07/14/2016 09:43:15 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}
 
Error: (07/14/2016 09:42:45 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}
 
Error: (07/14/2016 12:48:01 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}
 
Error: (07/14/2016 12:48:01 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}
 
Error: (07/14/2016 12:48:01 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}
 
Error: (07/14/2016 12:48:01 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}
 
Error: (07/14/2016 12:48:01 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}
 
Error: (07/14/2016 12:48:01 AM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}
 
Error: (07/13/2016 05:41:32 PM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}
 
Error: (07/13/2016 05:41:02 PM) (Source: DCOM) (EventID: 10010) (User: Sammy)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}
 
 
CodeIntegrity:
===================================
  Date: 2016-07-13 22:18:24.101
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 22:18:23.250
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:47:11.511
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:47:11.011
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:46:42.970
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:46:42.548
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:46:35.423
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:46:34.985
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:15:11.866
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-13 20:15:11.349
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-3120M CPU @ 2.50GHz
Percentage of memory in use: 25%
Total physical RAM: 7893.53 MB
Available physical RAM: 5892.37 MB
Total Virtual: 15829.54 MB
Available Virtual: 13787.69 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:676.17 GB) (Free:291.12 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 87144B81)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

 

7. My computer is running the same as it did on July 11 (it still takes about 30 seconds to start up once the Samsung screen appears), except the addition of the Internet Explorer popup thing.



#11 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,626 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 15 July 2016 - 12:01 PM

ireallyhateviruses:

Thank you for your post, the VirusTotal links, and for your logs. The VT "hits" are false positives. None of the major anti-virus applications are detecting any issues with the files, and FRST does have some coding that might "interest" an anti-virus application.  According to the VirusTotal "File Details" tab, both files are copies of the FRST program.

We are going to investigate the IE pop-ups that you described as well as do some more cleanup of your computer using FRST. Let's start with FRST.

.

Step 1: Please copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the folder: C:\Users\Ashley\Desktop.

NOTE: It's important that both files, FRST64.exe and fixlist.txt, are in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

Run FRST64.exe and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste it into your reply.
 

CreateRestorePoint:
CloseProcesses:

CHR Plugin: (Shockwave Flash) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\PepperFlash\11.9.900.117\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\pdf.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => No File
C:\Program Files (x86)\Common Files\AVG Secure Search
C:\AVG_Remover
C:\Users\Ashley\Desktop\AVG_Remover.exe
C:\ProgramData\Norton
C:\ProgramData\NortonInstaller
Task: {76A9B415-0DBE-47B0-802E-2CCE0CDB947D} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [2015-07-27] (Symantec Corporation)
FirewallRules: [UDP Query User{DF317B5A-44C4-4D1E-B782-F80791B33103}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [TCP Query User{F5D288F5-28CB-414F-9533-DF8B179D26CD}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [UDP Query User{9CC39C24-32DD-4631-9CA2-2B2CAFD5235A}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [TCP Query User{C9F13C58-9A1D-4D02-80D4-F20232A934C3}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
C:\program files (x86)\symantec
FirewallRules: [{C755BA24-1275-40A6-AE57-602EFFD03F0A}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{475FE8F5-020D-4412-AB13-A49229AC6986}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{82C213F1-E42F-4F9F-9304-69CD901C55FF}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{1E3F4867-1D68-48DE-B529-64AE0B8ECE43}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
C:\Program Files (x86)\AVG

.

Step 2: Please run a System File Checker (SFC) scan to assess the integrity of the Windows 8.1 file system.

  • Click on the "Start" button.
  • In the "search" box at the bottom, type cmd.
  • Look for Cmd.exe to appear at the top of the menu.
  • Right-click on cmd.exe and choose Run As Administrator.
  • Type sfc /scannow. Ensure that there is a space between "sfc" and "/scannow".
  • The scan will start and may take from 20 minutes to an hour to run.
  • Please report the results from the System File Checker in your next post.
  • If the scan reports that there were errors that could not be repaired, please navigate to the folder: C:\Windows\Logs\CBS and COPY, not move, the file called CBS.log to your desktop for further analysis (hold down the Ctrl key while dragging the file to your Desktop with the mouse).

.

Please report any other strange events, messages, or errors, if they occur, with as much detail as possible.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
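Step 2 above ends with copying CBS.log for analysis when SFC reports files it could not repair. CBS.log is a large, busy file, but the System File Checker marks its own entries with an "[SR]" tag, so triage comes down to filtering those lines and pulling out the "Cannot repair member file" entries. The Python below is an added example, not part of this thread and not from Microsoft or FRST: it reads a CBS.log, keeps the [SR] entries, and summarises which files were repaired, which could not be, and whether the verify pass finished. The sample lines follow the shape of Microsoft's documented CBS.log [SR] entries but are constructed for this example (the component and file names are placeholders, not files from the poster's machine).

```python
import re
import sys

# An "[SR]" line in %windir%\Logs\CBS\CBS.log: timestamp, level, the CSI module,
# a hex sequence number, the [SR] tag, then the message.
SR_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\w+)\s+CSI\s+"
    r"(?P<seq>[0-9a-f]+) \[SR\] (?P<msg>.*)$"
)
# "Cannot repair member file [l:24{12}]"name.dll" of Component, ... in the store, <reason>"
CANNOT_REPAIR = re.compile(
    r'^Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of (?P<component>[^,]+),'
    r".*?in the store, (?P<reason>.+)$"
)
# "Repairing corrupted file [ml:...]"\??\C:\..."\[l:...]"name.dll" from store"
REPAIRING = re.compile(r'^Repairing corrupted file .*\]"(?P<file>[^"]+)" from store$')

# Constructed sample log: one non-SR line, one unrepairable file logged twice
# (SFC does repeat some failed members), one repaired file, and the closing entries.
SAMPLE_CBS_LOG = [
    "2016-07-15 17:20:00, Info                  CBS    Starting TrustedInstaller initialization.",
    "2016-07-15 17:20:01, Info                  CSI    000003f0 [SR] Verifying 100 (0x0000000000000064) components",
    "2016-07-15 17:20:01, Info                  CSI    000003f1 [SR] Beginning Verify and Repair transaction",
    '2016-07-15 17:20:05, Info                  CSI    000003f2 [SR] Cannot repair member file [l:24{12}]"example1.dll" of Example-Component-One, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch',
    r'2016-07-15 17:20:06, Info                  CSI    000003f3 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\WINDOWS\System32"\[l:24{12}]"example2.dll" from store',
    '2016-07-15 17:20:07, Info                  CSI    000003f4 [SR] Cannot repair member file [l:24{12}]"example1.dll" of Example-Component-One, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch',
    "2016-07-15 17:20:08, Info                  CSI    000003f5 [SR] Verify complete",
    "2016-07-15 17:20:08, Info                  CSI    000003f6 [SR] Repair complete",
]


def sr_entries(lines):
    """Yield (timestamp, message) for every [SR] line; everything else in CBS.log is skipped."""
    for line in lines:
        m = SR_LINE.match(line.rstrip("\r\n"))
        if m:
            yield m.group("ts"), m.group("msg")


def summarize_sfc(lines):
    """Reduce a CBS.log to the analyst's view of the last SFC run.

    unrepairable maps file name -> (component, reason) and is de-duplicated,
    because SFC can log the same failed member more than once.
    """
    unrepairable = {}
    repaired = []
    verify_complete = False
    for _ts, msg in sr_entries(lines):
        cm = CANNOT_REPAIR.match(msg)
        if cm:
            unrepairable[cm.group("file")] = (cm.group("component"), cm.group("reason"))
            continue
        rm = REPAIRING.match(msg)
        if rm:
            repaired.append(rm.group("file"))
        elif msg == "Verify complete":
            verify_complete = True
    return {"unrepairable": unrepairable, "repaired": repaired, "verify_complete": verify_complete}


def summarize_sample():
    return summarize_sfc(SAMPLE_CBS_LOG)


def main(argv):
    # With a path argument, summarise a real CBS.log; without one, the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            result = summarize_sfc(fh)
    else:
        result = summarize_sample()
    print(f"verify complete: {result['verify_complete']}")
    print(f"repaired ({len(result['repaired'])}): {', '.join(result['repaired'])}")
    for name, (component, reason) in sorted(result["unrepairable"].items()):
        print(f"CANNOT REPAIR {name} ({component}): {reason}")
    return 1 if result["unrepairable"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The output is a few lines instead of a multi-megabyte log, which is what a helper needs to decide whether the corruption is limited to a handful of files. The same filtering can be done at a Windows command prompt with `findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log`, which is the approach Microsoft documents for reading SFC results.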


#12 ireallyhateviruses

ireallyhateviruses
  • Topic Starter

  • Members
  • 35 posts

Posted 15 July 2016 - 07:17 PM

Good to know that they were just false positives.

 

1. FRST

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-07-2016 02
Ran by Ashley (2016-07-15 17:15:48) Run:2
Running from C:\Users\Ashley\Desktop
Loaded Profiles: Ashley (Available Profiles: Ashley & Heather)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
 
CHR Plugin: (Shockwave Flash) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\PepperFlash\11.9.900.117\pepflashplayer.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\pdf.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => No File
C:\Program Files (x86)\Common Files\AVG Secure Search
C:\AVG_Remover
C:\Users\Ashley\Desktop\AVG_Remover.exe
C:\ProgramData\Norton
C:\ProgramData\NortonInstaller
Task: {76A9B415-0DBE-47B0-802E-2CCE0CDB947D} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [2015-07-27] (Symantec Corporation)
FirewallRules: [UDP Query User{DF317B5A-44C4-4D1E-B782-F80791B33103}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [TCP Query User{F5D288F5-28CB-414F-9533-DF8B179D26CD}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [UDP Query User{9CC39C24-32DD-4631-9CA2-2B2CAFD5235A}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
FirewallRules: [TCP Query User{C9F13C58-9A1D-4D02-80D4-F20232A934C3}C:\program files (x86)\symantec\norton online backup\nobuclient.exe] => (Block) C:\program files (x86)\symantec\norton online backup\nobuclient.exe
C:\program files (x86)\symantec
FirewallRules: [{C755BA24-1275-40A6-AE57-602EFFD03F0A}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{475FE8F5-020D-4412-AB13-A49229AC6986}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{82C213F1-E42F-4F9F-9304-69CD901C55FF}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{1E3F4867-1D68-48DE-B529-64AE0B8ECE43}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
C:\Program Files (x86)\AVG
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\PepperFlash\11.9.900.117\pepflashplayer.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\pdf.dll => not found.
C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\17.0.12\\npsitesafety.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.165\npGoogleUpdate3.dll => not found.
"C:\Program Files (x86)\Common Files\AVG Secure Search" => not found.
C:\AVG_Remover => moved successfully
C:\Users\Ashley\Desktop\AVG_Remover.exe => moved successfully
C:\ProgramData\Norton => moved successfully
C:\ProgramData\NortonInstaller => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{76A9B415-0DBE-47B0-802E-2CCE0CDB947D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{76A9B415-0DBE-47B0-802E-2CCE0CDB947D}" => key removed successfully
C:\WINDOWS\System32\Tasks\Remediation\AntimalwareMigrationTask => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Remediation\AntimalwareMigrationTask" => key removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{DF317B5A-44C4-4D1E-B782-F80791B33103}C:\program files (x86)\symantec\norton online backup\nobuclient.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{F5D288F5-28CB-414F-9533-DF8B179D26CD}C:\program files (x86)\symantec\norton online backup\nobuclient.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9CC39C24-32DD-4631-9CA2-2B2CAFD5235A}C:\program files (x86)\symantec\norton online backup\nobuclient.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{C9F13C58-9A1D-4D02-80D4-F20232A934C3}C:\program files (x86)\symantec\norton online backup\nobuclient.exe => value removed successfully
"C:\program files (x86)\symantec" => not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C755BA24-1275-40A6-AE57-602EFFD03F0A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{475FE8F5-020D-4412-AB13-A49229AC6986} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{82C213F1-E42F-4F9F-9304-69CD901C55FF} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1E3F4867-1D68-48DE-B529-64AE0B8ECE43} => value removed successfully
"C:\Program Files (x86)\AVG" => not found.
 
 
The system needed a reboot.
 
==== End of Fixlog 17:16:45 ====
 
2. SFC - said there were errors that could not be repaired. Should I copy and paste the log into a new reply or attach it?
 
3. I have only used my laptop for about 2.5 hours today. Thankfully nothing odd has happened aside from the black screen upon turning on my laptop.
 
edit 7/16 - Laptop fan is being loud again and is quite warm. Not sure why because I'm only browsing Chrome with four tabs open. Also this morning, the black screen thing happened again when I turned it on. I should describe it better - when I turn my laptop on after it's been shut down, the Samsung screen pops up for a few seconds, then the screen turns black, but my cursor is still there. It stays like that for about 20 seconds, then the Windows log on screen shows up as normal.
 
No IE popups yet.

Edited by ireallyhateviruses, 16 July 2016 - 04:06 PM.


#13 ireallyhateviruses

ireallyhateviruses
  • Topic Starter

  • Members
  • 35 posts

Posted 17 July 2016 - 02:56 AM

New strange event:

 

I just tried shutting down my laptop about 5 minutes ago. The blue screen that says a program is running/do I want to stop the laptop from shutting down (sorry, I forget what it's called; it's very late here and I am tired) showed up, but before I could click on anything, the screen went black as if it was going to shut down. Instead of shutting down, the screen just went black, the power light was on, and the fan was still running. After about a minute, the normal Windows log in screen appeared. I tried shutting down and the same sequence happened (black screen, then log in screen).

 

The black screen thing has happened before and when it happens, I just press the power button until it turns off, but this log in screen popping up thing is new.



#14 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,626 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 17 July 2016 - 02:13 PM

ireallyhateviruses:

Thank you for the fixlog.txt file and the update. I also thank you for your patience while I consulted with the Malware Response Instructor who is supervising me as I deal with your issues.

As I suspected, your computer does have some issues with the integrity of the Windows 8.1 installation. Your second Addition.txt log file showed "manifest" errors, which can be indicative of some system file integrity issues.


Step 1: The CBS.log file will be far too large to attach to a post on this Forum (250 KB maximum). In any event, I would prefer to directly access the original file for analysis purposes.

Please right-click the CBS.log file on your Desktop. Please select: "Send to", and select: "Compressed (zipped) folder." Almost instantly, a file called "CBS.zip" should appear on your Desktop. Please check the file size of that .zip file. If it is under 250 KB, you could attach it to your next response, providing that you delete all of your previous attachments. Please click the "down symbol" beside your login name at the top right of the screen when you are logged into Bleeping Computer. Navigate to "My Settings". Click that, and then click "Manage Attachments" on the left of the screen, and delete all of your previous attachments. I have kept copies of all of your attachments, so "we" won't lose anything. This will restore the full 250 KB download limit to your account.

If the CBS.zip file is larger than 250 KB, then please upload it to here. Please paste in the topic link, and also indicate that the file is being submitted for "garioch7". The "owner" of the channel will see to it that I get access to the file.

I will download the file and assess how serious the system integrity issues are, and then post back. In the majority of cases, these issues can be resolved without having to reinstall the operating system, so there is no need to panic just yet! :)


:step2: Thank you for your report of the Shutdown issues you are experiencing. Please see this link and disable "Fast Startup", if it is not already disabled. I have it disabled on both of my computers, running Windows 10 x64 Pro. From what I have read, it causes a lot of issues because any "glitches" that occur just keep getting carried across into new boot sessions. By default, Windows enables "Fast Startup" on Windows 8/8.1/10.

After doing so, please do a cold boot. Completely shut down and unplug your computer. If it is a laptop, please remove the battery as well, then hold the power switch down for about 30 seconds, to ensure that all capacitors are discharged and volatile memory is completely cleared. Then, reinsert the battery, if it is a laptop, and then plug the computer back in. Turn it on as you would normally. Cold booting can resolve a large number of odd issues, and it is always my first recourse when I encounter "strange" computer behavior.

If you are still having issues with normal shutdown after disabling Fast Startup and doing a cold boot, then please run WhatIsHang by NirSoft For 64 bit Systems.

  • Download WhatIsHang for 64 bit systems and save it to your Desktop.
  • Unzip the folder to your Desktop.
  • Right click on the icon, select Run as Administrator (XP simply double click icon) and a WhatIsHang window will appear on the Desktop.
  • Attempt to shut down your computer.
  • If any error information is populated select Edit, then Copy Entire Report.
  • Please include that information in your reply.

Please let me know how you make out.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
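The two checks the post above asks for (how bad the CBS.log integrity findings are, and whether Fast Startup is still on) can be done from an elevated PowerShell prompt. This is an added example, not a script from the thread or from BleepingComputer; it assumes the CBS.log copy sits on the Desktop as described, that PowerShell 5 or later is available for Compress-Archive, and that the "[SR]" tags and the HiberbootEnabled registry value are present as Windows normally writes them.

```powershell
# Added example: summarise SFC findings in a CBS.log copy, zip it for the
# forum's 250 KB limit, and report the Fast Startup setting.
param(
    [string]$LogPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'CBS.log'),
    [string]$OutDir  = [Environment]::GetFolderPath('Desktop')
)

# System File Checker tags its own entries with "[SR]"; keep only those lines.
$srLines = @(Select-String -Path $LogPath -Pattern '\[SR\]' | ForEach-Object { $_.Line })

# Two outcomes matter when judging integrity: corrupt files SFC repaired, and
# files it could not repair (the latter normally call for a DISM repair).
$repaired   = @($srLines | Where-Object { $_ -match 'Repairing corrupted file' }).Count
$unrepaired = @($srLines | Where-Object { $_ -match 'Cannot repair member file' }).Count

"[SR] lines total : $($srLines.Count)"
"Repaired files   : $repaired"
"Unrepaired files : $unrepaired"

# Write just the [SR] lines to a small text file that is easy to post.
$srLines | Set-Content -Path (Join-Path $OutDir 'sfcdetails.txt')

# Zip the full log and say whether it fits the 250 KB attachment limit.
$zip = Join-Path $OutDir 'CBS.zip'
Compress-Archive -Path $LogPath -DestinationPath $zip -Force
$sizeKB = [math]::Round((Get-Item $zip).Length / 1KB, 1)
if ($sizeKB -lt 250) { "CBS.zip is $sizeKB KB: small enough to attach." }
else                 { "CBS.zip is $sizeKB KB: too large to attach; upload it instead." }

# Fast Startup (hybrid boot) is controlled by HiberbootEnabled: 1 = on, 0 = off.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
switch ($hiberboot) {
    1       { 'Fast Startup is ENABLED (disable it before testing shutdown again).' }
    0       { 'Fast Startup is disabled.' }
    default { 'HiberbootEnabled not found; Fast Startup state unknown on this build.' }
}
```

Pass -LogPath if the copy of CBS.log is somewhere other than the Desktop; the script never modifies the log or the registry, it only reads them.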


#15 ireallyhateviruses

ireallyhateviruses
  • Topic Starter

  • Members
  • 35 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 17 July 2016 - 03:17 PM

The wait isn't an issue, as I know these things take time and other people need help, too. :)


The CBS log is a lot smaller than expected (Hopefully a good sign; smaller file means fewer issues?!), so I zipped it and will attach it to this post.


I will have to try step 2 later today or tomorrow, but I will let you know if it fixes the problem.


Thanks again for all your help!


Edited by ireallyhateviruses, 17 July 2016 - 03:17 PM.
