
PC Speedup, MaxDrive, System Healer, etc......how can I remove?


  • This topic is locked
32 replies to this topic

#1 tempsc

tempsc

  • Members
  • 58 posts
  • Local time:04:40 AM

Posted 16 August 2016 - 09:50 AM

Got problems with programs which were unintentionally downloaded. Seems as though they are but are stubborn and don't allow me to download Malwarebytes for example to try and resolve. Numerous windows being opened and new tabs on the browser for all sorts of things. 

 

Any assistance would be appreciated.

 

Tks.




#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,672 posts
  • Gender:Male
  • Local time:04:40 AM

Posted 16 August 2016 - 11:04 AM

Hi tempsc :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Let's start by getting a set of FRST logs. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open;
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
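FRST prints every process, autorun entry and service on one line with the same tail (path, size and date, publisher in parentheses, and "[File not signed]" where the binary carries no valid Authenticode signature). The following script is an added example, not part of this thread or of FRST itself: it parses those three line formats and applies a few triage heuristics (missing publisher, unsigned file, execution from ProgramData, AppData or Temp, a folder named by a hash or a GUID-like token, or a .tmp file being executed). The heuristics and the `Entry` structure are my own assumptions; the sample lines are copied from the FRST.txt that tempsc posts below, with a couple of clean vendor entries left in for contrast.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FRST.txt posted later in this thread
# (Processes, Registry Run keys and Services sections), plus clean entries for contrast.
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\ProgramData\Logic Handler\set.exe
() C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\knsn17DB.tmpfs
(                                                            ) C:\Users\ITADMINSCO\AppData\Local\Temp\QVTD537QW7\win.exe
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7634648 2014-08-07] (Realtek Semiconductor)
HKLM-x32\...\RunOnce: [Update] => C:\Users\ITADMINSCO\AppData\Roaming\ASPackage\ASPackage.exe [615693 2016-08-16] ()
R2 CcmExec; C:\WINDOWS\CCM\CcmExec.exe [1775288 2015-10-27] (Microsoft Corporation)
R2 4f8b56a88e2ba99e877afe20bb5faf2b; C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b\333bdc398b68b23342e4dddca708edd1.exe [4836864 2016-08-15] () [File not signed]
S2 Holdtam; C:\ProgramData\\Holdtam\\Holdtam.exe [872960 2016-08-16] () [File not signed]
"""


@dataclass
class Entry:
    kind: str          # "process", "run" or "service"
    name: str          # Run value name, service name, or file name for a process
    path: str
    publisher: str     # "" when FRST printed "()" or only blanks
    unsigned: bool     # True when FRST appended "[File not signed]"
    reasons: list = field(default_factory=list)


# Process lines: "(Publisher) X:\path\file.exe"
PROCESS_RE = re.compile(r'^\((?P<pub>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$')
# Run/RunOnce lines: "HK...\Run: [Name] => tail"
RUN_RE = re.compile(r'^(?P<key>HK\S*?\\Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<rest>.+)$')
# Service lines: "R2 Name; tail"
SERVICE_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<rest>.+)$')
# Common tail: path [size date] (publisher) [File not signed] [X]
TAIL_RE = re.compile(
    r'^(?P<path>.+?)'
    r'(?: \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\])?'
    r'(?: \((?P<pub>[^)]*)\))?'
    r'(?P<unsigned> \[File not signed\])?'
    r'(?: \[X\])?$')

# Triage heuristics (assumptions, not FRST rules).
USER_WRITABLE_RE = re.compile(r'\\(?:ProgramData|AppData\\(?:Local|Roaming)|Temp)\\', re.IGNORECASE)
RANDOM_DIR_RE = re.compile(
    r'\\(?:[0-9a-f]{32}|[0-9a-f]{8}-\d{10}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\\', re.IGNORECASE)
TMP_EXT_RE = re.compile(r'\.tmp(?:fs)?$', re.IGNORECASE)


def parse_line(line: str):
    """Return an Entry for a process, Run or service line, or None for anything else."""
    line = line.rstrip()
    m = PROCESS_RE.match(line)
    if m:
        path = m.group('path')
        return Entry('process', path.rsplit('\\', 1)[-1], path, m.group('pub').strip(), False)
    m = RUN_RE.match(line)
    kind = 'run'
    if m is None:
        m = SERVICE_RE.match(line)
        kind = 'service'
    if m is None:
        return None
    t = TAIL_RE.match(m.group('rest'))   # always matches: path is the whole tail at worst
    return Entry(kind, m.group('name'), t.group('path'),
                 (t.group('pub') or '').strip(), t.group('unsigned') is not None)


def assess(entry: Entry) -> Entry:
    """Attach a reason for every heuristic the entry trips; clean entries get none."""
    if entry.publisher == '':
        entry.reasons.append('no publisher/version info')
    if entry.unsigned:
        entry.reasons.append('file not signed')
    if USER_WRITABLE_RE.search(entry.path):
        entry.reasons.append('runs from user-writable location')
    if RANDOM_DIR_RE.search(entry.path):
        entry.reasons.append('random-looking directory name')
    if TMP_EXT_RE.search(entry.path):
        entry.reasons.append('executable with .tmp extension')
    return entry


def triage(text: str) -> list:
    """Parse an FRST log and return only the entries that tripped at least one heuristic."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


def report(entries) -> str:
    return '\n'.join(f'[{e.kind}] {e.name}: {e.path}  <- {", ".join(e.reasons)}' for e in entries)


if __name__ == '__main__':
    print(report(triage(SAMPLE_LOG)))
```

Entries with a named publisher under a vendor directory are never flagged, so the output is a shortlist for the analyst to check (hashes, signatures, install dates), not a fixlist; in this sample it picks out exactly the entries that a helper would query tempsc about: the two services with empty publishers, the processes in the GUID-like and Temp folders, and the RunOnce "Update" value in AppData\Roaming.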


#3 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • Local time:04:40 AM

Posted 17 August 2016 - 03:16 AM

Hi Yoan. Thanks for the rapid response and willingness to assist. I appreciate it.

 

I don't see an executable in your message at all. Just to be certain I right-clicked on the icon and all text, but no option to run as administrator appeared.

 

Am I doing something wrong here?

 

Tks.

Tempsc



#4 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • Local time:04:40 AM

Posted 17 August 2016 - 03:42 AM

Hi Yoan. That earlier msg was stupid of me. Also took a look in the tutorials and found the link.

 

Thanks again.

 

 

FRST follows:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-08-2016 01
Ran by itadminsco (administrator) on PKLAPTOP15 (17-08-2016 09:33:53)
Running from C:\Users\paul.watkins\Desktop
Loaded Profiles: itadminsco & Paul.Watkins (Available Profiles: itadminsco & Paul.Watkins & User & Administrator)
Platform: Windows 8.1 Pro with Media Center (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe
(IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
(Microsoft Corporation) C:\Windows\CCM\RemCtrl\CmRcService.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
(Foxit Software Inc.) C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitReader.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(20) C:\Program Files\SpaceSoundPro\idscservice.exe
(20) C:\Program Files (x86)\Max Driver Updater\idscservice.exe
() C:\ProgramData\Logic Handler\set.exe
() C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\knsn17DB.tmpfs
() C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\jnsz4140.tmp
() C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\hnsk5BCE.tmp
() C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332\qnsd363B.tmp
(8p) C:\Program Files (x86)\DPower\wemoservice.exe
() C:\Program Files (x86)\DPower\3YLRSC9H4W.exe
() C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b\333bdc398b68b23342e4dddca708edd1.exe
(8p) C:\Program Files (x86)\DPower\wemoservice.exe
(DotC United Inc) C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe
(20) C:\Program Files (x86)\host\idscservice.exe
() C:\Program Files (x86)\DPower\4SO5PN0GCP.exe
(HHJJKd) C:\Program Files (x86)\host\wizzcaster.exe
(HHJJKd) C:\Program Files (x86)\host\wizzcaster.exe
(Search Module Ltd.) C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe
(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(                                                            ) C:\Users\ITADMINSCO\AppData\Local\Temp\QVTD537QW7\win.exe
() C:\Users\ITADMINSCO\AppData\Local\Temp\is-N3EG5.tmp\win.tmp
(                                                            ) C:\Users\ITADMINSCO\AppData\Local\Temp\3KZRD3DRW4\win.exe
() C:\Users\ITADMINSCO\AppData\Local\Temp\is-26IFK.tmp\win.tmp

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7634648 2014-08-07] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1393520 2014-07-28] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-11-21] (Intel Corporation)
HKLM\...\Run: [QuickSet] => c:\Program Files\Dell\QuickSet\QuickSet.exe [3859968 2014-10-08] (Dell Inc.)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2015-06-15] (LogMeIn, Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1332328 2015-06-03] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [SpaceSoundPro] => C:\Program Files\SpaceSoundPro\SpaceSoundPro.exe [4203520 2015-08-03] (Space Sound Pro)
HKLM-x32\...\Run: [DropboxOEM] => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [462160 2014-09-02] ()
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] => C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [407904 2015-04-08] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153952 2015-04-08] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [DiskPower] => C:\Program Files (x86)\DPower\DiskPower.exe [210432 2016-07-21] ()
HKLM-x32\...\Run: [win_en_77] => C:\Program Files (x86)\win_en_77\win_en_77.exe [4065792 2016-07-22] ()
HKLM\...\RunOnce: [IDSCPRODUCT] => C:\Program Files (x86)\host\idscservice.exe [436224 2016-08-16] (20)
HKLM\...\RunOnce: [OMEWPRODUCT_NHNJU] => C:\Program Files (x86)\DPower\wemoservice.exe [322048 2016-08-16] (8p)
HKLM-x32\...\RunOnce: [Update] => C:\Users\ITADMINSCO\AppData\Roaming\ASPackage\ASPackage.exe [615693 2016-08-16] ()
HKLM-x32\...\RunOnce: [GrpConv] => grpconv -o
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [134784 2014-08-14] (Qualcomm®Atheros®)
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [Caster] => C:\Program Files (x86)\host\wizzcaster.exe [179200 2016-08-16] (HHJJKd)
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [YONB935EXP] => C:\Program Files (x86)\DPower\3YLRSC9H4W.exe [369664 2016-08-16] ()
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [9B31BTPQIF] => C:\Program Files (x86)\DPower\4SO5PN0GCP.exe [369664 2016-08-16] ()
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\Run: [] => [X]
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\Run: [Lync] => C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe [22733512 2016-08-08] (Microsoft Corporation)
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\MountPoints2: {f9e0c4f3-7ef3-11e5-8265-4cbb587f9ee0} - "D:\HTC_Sync_Manager_PC.exe"
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => No File
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => No File
ShellIconOverlayIdentifiers: [DBARFileBackuped] -> {831cebdd-6baf-4432-be76-9e0989c14aef} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [DBARFileNotBackuped] -> {275e4fd7-21ef-45cf-a836-832e5d2cc1b3} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconNotBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [DBRShellOverlayBackupFile] -> {831CEBDD-6BAF-4432-BE76-9E0989C14AEF} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [DBRShellOverlayModifiedBackupFile] -> {275E4FD7-21EF-45CF-A836-832E5D2CC1B3} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconNotBackuped.dll [2015-12-07] (SoftThinks SAS)
Startup: C:\Users\paul.watkins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-06-14]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{7B248990-55D0-470C-8DAA-FD35DC85320F}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www-searching.com/?pid=s&s=G8Gztutbl11AU,b6b7c8ca-4dda-4cb1-82d0-674610ffa513,&vp=ch&prd=set_ie
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.google.co.uk/
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-20419 -> {80088DC4-C53C-4DCA-A84E-5D2ED0EC00FE} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-20419 -> {DA4712A9-9845-46B5-B6FE-A537EAD6C954} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=G8Gztutbl11AU,b6b7c8ca-4dda-4cb1-82d0-674610ffa513,
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485 -> DefaultScope {9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10} URL =
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485 -> {9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10} URL =
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-08-08] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll => No File
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-08-08] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll => No File
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2016-08-08] (Microsoft Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2016-08-08] (Microsoft Corporation)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll No File
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-08-08] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-08-08] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-08-08] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-08-08] (Microsoft Corporation)
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2015-04-08] (Citrix Systems, Inc.)

FireFox:
========
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2015-04-08] (Citrix Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2013-12-04] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2013-12-04] (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-08-08] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-08-08] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-10-23] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll [2015-07-31] (Microsoft Corporation)
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2015-04-15] [not signed]

Chrome:
=======
CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?site=shdefault1&prd=smw&pid=s&shr=d&q={searchTerms}&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Profile: C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-10-29]
CHR Extension: (Google Docs) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-10-29]
CHR Extension: (Google Drive) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-29]
CHR Extension: (Rapport) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbjllphbppobebmjpjcijfbakobcheof [2016-08-16]
CHR Extension: (YouTube) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-29]
CHR Extension: (Google Search) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-29]
CHR Extension: (Google Sheets) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-10-29]
CHR Extension: (Google Docs Offline) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-08-16]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-10-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-08-16]
CHR Extension: (Gmail) - C:\Users\ITADMINSCO\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-10-29]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 4f8b56a88e2ba99e877afe20bb5faf2b; C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b\333bdc398b68b23342e4dddca708edd1.exe [4836864 2016-08-15] () [File not signed]
S4 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [322176 2014-08-14] (Windows ® Win 7 DDK provider) [File not signed]
R2 backlh; C:\ProgramData\Logic Handler\set.exe [2089472 2016-05-15] () [File not signed]
R2 CcmExec; C:\WINDOWS\CCM\CcmExec.exe [1775288 2015-10-27] (Microsoft Corporation)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2854640 2016-07-03] (Microsoft Corporation)
S2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [872960 2016-08-16] () [File not signed]
R2 CmRcService; C:\WINDOWS\CCM\RemCtrl\CmRcService.exe [672440 2015-10-27] (Microsoft Corporation)
S4 Dell Data Services; C:\Program Files\Dell\Dell Data Services\DDSSvc.exe [45936 2014-11-13] (Dell)
S4 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [75120 2015-03-04] (Dell)
S4 DellProdRegManager; C:\Program Files (x86)\Dell Product Registration\regmgrsvc.exe [293440 2014-04-01] (Aviata, Inc.)
S4 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [211320 2015-02-11] (Dell Inc.)
R2 dowidoly; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\jnsz4140.tmp [244224 2016-08-16] () [File not signed]
S4 DptfParticipantProcessorService; C:\Windows\system32\DptfParticipantProcessorService.exe [115656 2014-05-16] (Intel Corporation)
S4 DptfPolicyCriticalService; C:\Windows\system32\DptfPolicyCriticalService.exe [148160 2014-05-16] (Intel Corporation)
S2 Holdtam; C:\ProgramData\\Holdtam\\Holdtam.exe [872960 2016-08-16] () [File not signed]
S4 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-11-21] (Intel Corporation)
S4 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [318568 2014-10-01] (Intel Corporation)
S4 Intel® Capability Licensing Service Interface; c:\Program Files\Intel\iCLS Client\HeciServer.exe [747520 2013-08-27] (Intel® Corporation) [File not signed]
S4 Intel® Capability Licensing Service TCP IP Interface; c:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [828376 2013-08-27] (Intel® Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [169432 2013-12-04] (Intel Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [419336 2016-08-09] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [509448 2016-08-09] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2015-06-15] (LogMeIn, Inc.)
S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50352 2015-09-25] (Microsoft Corporation)
S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50352 2015-09-25] (Microsoft Corporation)
R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-08-16] (DotC United Inc)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-06-03] (Microsoft Corporation)
S2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [50688 2012-07-31] (Hewlett-Packard) [File not signed]
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-06-03] (Microsoft Corporation)
S2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [66048 2012-07-31] (Hewlett-Packard) [File not signed]
R2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2383344 2016-05-30] (IBM Corp.)
R2 rijufoze; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\hnsk5BCE.tmp [138240 2016-08-16] () [File not signed]
S4 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [291032 2014-07-22] (Realtek Semiconductor)
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [2065808 2016-01-04] (SoftThinks SAS)
S3 smstsmgr; C:\WINDOWS\CCM\TSManager.exe [317624 2015-10-27] (Microsoft Corporation)
R2 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe [3109888 2016-08-16] (Search Module Ltd.) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5702416 2015-09-11] (TeamViewer GmbH)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-04] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-04] (Microsoft Corporation)
R2 zigipyro; C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332\qnsd363B.tmp [158720 2015-12-26] () [File not signed]
S4 0270031429081847mcinstcleanup; C:\WINDOWS\TEMP\027003~1.EXE -cleanup -nolog [X]
R2 deciqyguzbt; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\knsn17DB.tmpfs [X]
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 swi_filter; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3903488 2014-07-12] (Qualcomm Atheros Communications, Inc.)
S3 AX88179; C:\Windows\system32\DRIVERS\ax88179_178a.sys [69120 2015-02-05] (ASIX Electronics Corp.)
R1 b20db80117eb466dbd73f8ca5ea62fa2; C:\WINDOWS\system32\drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys [85088 2016-08-15] (HGEGTZ)
R3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2014-08-14] (Qualcomm Atheros)
R3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-25] (OSR Open Systems Resources, Inc.)
S3 DptfDevDisplay; C:\Windows\System32\drivers\DptfDevDisplay.sys [70752 2014-05-16] (Intel Corporation)
S3 DptfDevDram; C:\Windows\System32\drivers\DptfDevDram.sys [145640 2014-05-16] (Intel Corporation)
S3 DptfDevFan; C:\Windows\System32\drivers\DptfDevFan.sys [50640 2014-05-16] (Intel Corporation)
R3 DptfDevGen; C:\Windows\System32\drivers\DptfDevGen.sys [78504 2014-05-16] (Intel Corporation)
R3 DptfDevPch; C:\Windows\System32\drivers\DptfDevPch.sys [116752 2014-05-16] (Intel Corporation)
S3 DptfDevPower; C:\Windows\System32\drivers\DptfDevPower.sys [71808 2014-05-16] (Intel Corporation)
R3 DptfDevProc; C:\Windows\System32\drivers\DptfDevProc.sys [290256 2014-05-16] (Intel Corporation)
R3 DptfManager; C:\Windows\System32\drivers\DptfManager.sys [494808 2014-05-16] (Intel Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-08-09] (Intel Corporation)
R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [99320 2013-08-09] (Intel Corporation)
S3 iaLPSS_SPI; C:\Windows\System32\drivers\iaLPSS_SPI.sys [83960 2013-08-09] (Intel Corporation)
S3 iaLPSS_UART2; C:\Windows\System32\drivers\iaLPSS_UART2.sys [129528 2013-08-09] (Intel Corporation)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2015-06-15] (LogMeIn, Inc.)
S4 LMIRfsClientNP; no ImagePath
R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100824 2013-12-04] (Intel Corporation)
S0 MpBoot; C:\Windows\System32\DRIVERS\MpBoot.sys [43088 2015-02-25] (Microsoft Corporation)
R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-08-16] (DotC United Inc)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [274696 2015-02-25] (Microsoft Corporation)
S1 mpngokpr; C:\WINDOWS\system32\drivers\mpngokpr.sys [55168 2016-08-16] (Microsoft Corporation)
S3 NisDrv; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [124560 2015-02-25] (Microsoft Corporation)
R3 prepdrvr; C:\Windows\system32\DRIVERS\prepdrv.sys [26984 2015-04-14] (Microsoft Corporation)
S1 qxcutfjm; C:\WINDOWS\system32\drivers\qxcutfjm.sys [55168 2016-08-16] (Microsoft Corporation)
R1 RapportCerberus_1609041; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1609041.sys [1157864 2016-07-15] (IBM Corp.)
R1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [544360 2016-05-30] (IBM Corp.)
R0 RapportHades64; C:\Windows\System32\Drivers\RapportHades64.sys [215560 2016-05-30] (IBM Corp.)
R0 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [470056 2016-05-30] (IBM Corp.)
R1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [525992 2016-05-30] (IBM Corp.)
S3 RTLU3E8023-W8-64; C:\Windows\system32\DRIVERS\rtu30x64w8.sys [92376 2013-10-10] (Realtek                                            )
S3 SDICLx64; C:\Windows\system32\DRIVERS\SDICLx64.sys [115456 2016-03-15] (Identiv)
S3 SDISCx64; C:\Windows\system32\DRIVERS\SDISCx64.SYS [86912 2016-03-15] (Identiv)
R3 SensorsServiceDriver; C:\Windows\system32\DRIVERS\WUDFRd.sys [226304 2014-11-21] (Microsoft Corporation)
R3 SMUpdd; C:\Program Files\Common Files\Noobzo\GNUpdate\smw.sys [52992 2016-08-16] ()
R1 swi_callout; C:\Windows\system32\DRIVERS\swi_callout.sys [32512 2015-04-15] (Sophos Limited)
R3 VirtualButtons; C:\Windows\System32\drivers\VirtualButtons.sys [32024 2013-10-04] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44024 2015-02-04] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [264000 2015-02-04] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-04] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-17 09:33 - 2016-08-17 09:35 - 00031500 _____ C:\Users\paul.watkins\Desktop\FRST.txt
2016-08-17 09:33 - 2016-08-17 09:33 - 00000000 ____D C:\FRST
2016-08-17 09:31 - 2016-08-17 09:31 - 02394624 _____ (Farbar) C:\Users\paul.watkins\Desktop\FRST64.exe
2016-08-17 08:54 - 2016-08-17 09:08 - 00000000 ____D C:\Program Files (x86)\win_en_77
2016-08-16 15:41 - 2016-08-17 09:35 - 00000000 ____D C:\Users\ITADMINSCO\AppData\Local\CrashDumps
2016-08-16 15:34 - 2016-08-16 15:34 - 00004266 _____ C:\WINDOWS\System32\Tasks\SMW_UpdateTask_Time_323035383730323331352d415b343437414545785a5a6c
2016-08-16 15:34 - 2016-08-16 15:34 - 00000000 ____D C:\ProgramData\SearchModule
2016-08-16 15:34 - 2016-08-16 15:34 - 00000000 ____D C:\Program Files\Common Files\Noobzo
2016-08-16 15:33 - 2016-08-16 15:33 - 00394752 _____ C:\ProgramData\smp2.exe
2016-08-16 15:33 - 2016-08-16 15:33 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mpngokpr.sys
2016-08-16 15:33 - 2016-08-16 15:33 - 00004168 _____ C:\WINDOWS\System32\Tasks\SMW_P
2016-08-16 15:31 - 2016-08-16 15:31 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\qxcutfjm.sys
2016-08-16 15:30 - 2016-08-16 15:32 - 00000986 _____ C:\Users\ITADMINSCO\Desktop\host.lnk
2016-08-16 15:29 - 2016-08-16 15:32 - 00000000 ____D C:\Program Files (x86)\host
2016-08-16 15:27 - 2016-08-16 15:27 - 00060136 _____ (DotC United Inc) C:\WINDOWS\system32\Drivers\MPCKpt.sys
2016-08-16 15:27 - 2016-08-16 15:27 - 00000000 ____D C:\Program Files (x86)\MPC Cleaner
2016-08-16 15:26 - 2016-08-16 15:32 - 00000000 ____D C:\WINDOWS\system32\SSL
2016-08-16 15:26 - 2016-08-16 15:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer
2016-08-16 15:26 - 2016-08-16 15:26 - 00031443 _____ C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1
2016-08-16 15:26 - 2016-08-16 15:26 - 00003598 _____ C:\WINDOWS\System32\Tasks\985e9dbcf040fb87870be4f1249a70cf
2016-08-16 15:26 - 2016-08-16 15:26 - 00000000 ____D C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b
2016-08-16 15:25 - 2016-08-16 15:32 - 00003266 _____ C:\WINDOWS\System32\Tasks\runTask
2016-08-16 15:22 - 2016-08-16 15:30 - 00000000 ____D C:\Program Files (x86)\DPower
2016-08-16 15:22 - 2016-08-16 15:22 - 00000000 ____D C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332
2016-08-16 15:22 - 2016-08-16 15:22 - 00000000 ____D C:\Program Files (x86)\CleanBrowser
2016-08-16 15:18 - 2016-08-16 15:14 - 00001006 _____ C:\WINDOWS\system32\Drivers\etc\hp.bak
2016-08-16 15:17 - 2016-08-17 08:32 - 00000000 ____D C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332
2016-08-16 15:17 - 2016-08-16 15:18 - 00000000 ____D C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASPackage
2016-08-16 15:17 - 2016-08-16 15:17 - 00003056 _____ C:\WINDOWS\System32\Tasks\MAXDriverUpdater_UPDATES
2016-08-16 15:17 - 2016-08-16 15:17 - 00000318 _____ C:\WINDOWS\Tasks\MAXDriverUpdater_UPDATES.job
2016-08-16 15:17 - 2016-08-16 15:17 - 00000000 ____D C:\Users\ITADMINSCO\AppData\Roaming\ASPackage
2016-08-16 15:16 - 2016-08-16 15:16 - 02279413 _____ C:\Users\ITADMINSCO\AppData\Roaming\Zamdom.bin
2016-08-16 15:16 - 2016-08-16 15:16 - 00003150 _____ C:\WINDOWS\System32\Tasks\MAXDriverUpdaterRunAtStartup
2016-08-16 15:16 - 2016-08-16 15:16 - 00000000 ____D C:\ProgramData\Logic Handler
2016-08-16 15:15 - 2016-08-16 15:15 - 07118336 _____ C:\Users\ITADMINSCO\AppData\Roaming\agent.dat
2016-08-16 15:15 - 2016-08-16 15:15 - 01900137 _____ C:\Users\ITADMINSCO\AppData\Roaming\Unolax.tst
2016-08-16 15:15 - 2016-08-16 15:15 - 00126464 _____ C:\Users\ITADMINSCO\AppData\Roaming\noah.dat
2016-08-16 15:15 - 2016-08-16 15:15 - 00070704 _____ C:\Users\ITADMINSCO\AppData\Roaming\Config.xml
2016-08-16 15:15 - 2016-08-16 15:15 - 00018432 _____ C:\Users\ITADMINSCO\AppData\Roaming\Main.dat
2016-08-16 15:15 - 2016-08-16 15:15 - 00002866 _____ C:\WINDOWS\System32\Tasks\System HealerPeriod
2016-08-16 15:15 - 2016-08-16 15:15 - 00002570 _____ C:\WINDOWS\System32\Tasks\System HealerStartUp
2016-08-16 15:15 - 2016-08-16 15:15 - 00001076 _____ C:\Users\Public\Desktop\Max Driver Updater.lnk
2016-08-16 15:15 - 2016-08-16 15:15 - 00000886 _____ C:\Users\ITADMINSCO\Desktop\SpaceSoundPro.lnk
2016-08-16 15:15 - 2016-08-16 15:15 - 00000306 _____ C:\WINDOWS\Tasks\System HealerStartUp.job
2016-08-16 15:15 - 2016-08-16 15:15 - 00000306 _____ C:\WINDOWS\Tasks\System HealerPeriod.job
2016-08-16 15:15 - 2016-08-16 15:15 - 00000000 ____D C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpaceSoundPro 1.0
2016-08-16 15:15 - 2016-08-16 15:15 - 00000000 ____D C:\Users\ITADMINSCO\AppData\Roaming\csdimedia
2016-08-16 15:15 - 2016-08-16 15:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Driver Updater
2016-08-16 15:15 - 2016-08-16 15:15 - 00000000 ____D C:\ProgramData\Holdtam
2016-08-16 15:14 - 2016-08-16 15:16 - 00000000 ____D C:\Program Files\SpaceSoundPro
2016-08-16 15:14 - 2016-08-16 15:16 - 00000000 ____D C:\Program Files (x86)\Max Driver Updater
2016-08-16 15:14 - 2016-08-16 15:15 - 00005568 _____ C:\Users\ITADMINSCO\AppData\Roaming\md.xml
2016-08-16 15:14 - 2016-08-16 15:15 - 00000000 ____D C:\Program Files (x86)\SystemHealer
2016-08-16 15:14 - 2016-08-16 15:14 - 00848437 _____ C:\Users\ITADMINSCO\AppData\Roaming\OzerFax.bin
2016-08-16 15:14 - 2016-08-16 15:14 - 00126464 _____ C:\Users\ITADMINSCO\AppData\Roaming\lobby.dat
2016-08-16 15:14 - 2016-08-16 15:14 - 00072793 _____ C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.tst
2016-08-16 15:14 - 2016-08-16 15:14 - 00054272 _____ C:\Users\ITADMINSCO\AppData\Roaming\ApplicationHosting.dat
2016-08-16 15:14 - 2016-08-16 15:14 - 00024306 _____ C:\WINDOWS\System32\Tasks\{7E0A7E47-0A0B-7D05-7D11-7D097979117F}
2016-08-16 15:14 - 2016-08-16 15:14 - 00003578 _____ C:\WINDOWS\System32\Tasks\System Healer Task
2016-08-16 15:14 - 2016-08-16 15:14 - 00003332 _____ C:\WINDOWS\System32\Tasks\SystemHealer Run Delay
2016-08-16 15:14 - 2016-08-16 15:14 - 00003266 _____ C:\WINDOWS\System32\Tasks\SystemHealer Monitor
2016-08-16 15:14 - 2016-08-16 15:14 - 00001073 _____ C:\Users\Public\Desktop\Launch System Healer.lnk
2016-08-16 15:14 - 2016-08-16 15:14 - 00000000 ____D C:\Users\ITADMINSCO\AppData\Roaming\System Healer
2016-08-16 15:14 - 2016-08-16 15:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer
2016-08-16 15:14 - 2016-08-16 15:14 - 00000000 ____D C:\ProgramData\CloudPrinter
2016-08-16 15:14 - 2016-08-16 15:14 - 00000000 ____D C:\ProgramData\5fc53bb7-5ba7-1
2016-08-16 15:14 - 2016-08-16 15:14 - 00000000 ____D C:\Program Files\Caster
2016-08-16 15:14 - 2016-08-16 15:13 - 00872960 _____ C:\Users\ITADMINSCO\AppData\Roaming\Unolax.exe
2016-08-16 15:14 - 2016-08-16 15:13 - 00872960 _____ C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.exe
2016-08-16 15:13 - 2016-08-16 15:13 - 00138240 _____ C:\Users\ITADMINSCO\AppData\Roaming\Installer.dat
2016-08-16 15:13 - 2016-08-16 15:13 - 00018432 _____ C:\Users\ITADMINSCO\AppData\Roaming\InstallationConfiguration.xml
2016-08-16 15:07 - 2016-08-16 15:08 - 04784128 _____ C:\Users\paul.watkins\Downloads\Petter_diesel_engine_manual.iso
2016-08-15 12:45 - 2016-08-15 12:45 - 00085088 _____ (HGEGTZ) C:\WINDOWS\system32\Drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys
2016-08-12 14:26 - 2016-08-12 14:26 - 00086885 _____ C:\Users\paul.watkins\Downloads\20151028_Viking_1_6Tonne_Circ1392_MSC320_89.pdf
2016-08-11 12:05 - 2016-08-11 12:05 - 08583448 _____ C:\Users\paul.watkins\Desktop\Teekay Contract Review Survitec Version 2016 - Rev 2. - PW amend 110816.pptx
2016-08-10 15:59 - 2016-08-10 15:59 - 00712755 _____ C:\Users\paul.watkins\Downloads\BCS_Panama_Authorization_rev1.pdf
2016-08-10 08:13 - 2016-08-10 08:13 - 00002325 _____ C:\Users\paul.watkins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2016-08-09 10:23 - 2016-08-09 10:23 - 00118485 _____ C:\Users\paul.watkins\Desktop\ID card sample.pdf
2016-08-09 10:10 - 2016-08-09 10:12 - 00000000 ____D C:\ProgramData\ZXPS3
2016-08-09 09:45 - 2016-08-09 09:45 - 00000000 ____D C:\Users\paul.watkins\AppData\Roaming\Skype
2016-08-08 15:47 - 2016-08-10 08:13 - 00003200 _____ C:\WINDOWS\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1486891537-2021946215-1446339652-35485
2016-08-08 15:47 - 2016-08-08 15:47 - 00000000 ___RD C:\Users\paul.watkins\OneDrive
2016-08-08 15:46 - 2016-08-08 15:46 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2016-08-08 15:36 - 2016-08-08 15:36 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-08-08 10:18 - 2016-08-08 10:18 - 00000000 ____D C:\Users\paul.watkins\Desktop\Expenses
2016-08-08 10:15 - 2016-08-16 15:38 - 00000000 ____D C:\Users\paul.watkins\Desktop\Approvals
2016-08-08 10:04 - 2016-08-08 10:04 - 00000000 ___RD C:\Users\paul.watkins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2016-07-29 14:56 - 2016-07-29 14:56 - 00406924 _____ C:\Users\paul.watkins\Downloads\Copy of 2016 Marquee RA.pdf
2016-07-26 14:58 - 2016-07-26 14:58 - 00309815 _____ C:\Users\paul.watkins\Desktop\SSC Scope of Work - Stena.pdf
2016-07-19 11:44 - 2016-07-19 11:44 - 01696968 _____ C:\Users\paul.watkins\Downloads\UKHO+Chart.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-17 09:23 - 2015-04-28 10:37 - 00000932 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-17 08:56 - 2015-11-01 11:35 - 00000000 ____D C:\Users\paul.watkins\AppData\Local\CrashDumps
2016-08-17 08:37 - 2013-08-22 16:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-08-17 08:26 - 2015-10-01 09:04 - 00000000 ____D C:\ProgramData\LogMeIn
2016-08-16 15:40 - 2015-10-30 09:49 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1486891537-2021946215-1446339652-35485
2016-08-16 15:38 - 2015-11-25 13:44 - 00000000 ____D C:\Users\paul.watkins\Desktop\SCI
2016-08-16 15:37 - 2015-04-28 10:38 - 00002423 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-08-16 15:36 - 2015-04-28 10:38 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-08-16 15:35 - 2015-10-30 09:43 - 00001636 _____ C:\Users\paul.watkins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-08-16 15:19 - 2013-08-22 14:36 - 00000000 ____D C:\WINDOWS\Inf
2016-08-16 15:12 - 2015-10-29 16:52 - 00001646 _____ C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-08-16 12:37 - 2015-03-16 13:20 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2016-08-15 16:48 - 2015-10-30 09:43 - 00000000 ____D C:\Users\paul.watkins\AppData\Local\Packages
2016-08-12 10:16 - 2015-03-16 13:22 - 00000000 ____D C:\Temp
2016-08-10 09:35 - 2014-11-21 05:42 - 00867944 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-08-10 08:19 - 2013-08-22 16:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-08-09 15:07 - 2015-04-15 09:23 - 00000864 _____ C:\WINDOWS\system32\config\netlogon.ftl
2016-08-09 14:35 - 2015-11-17 18:58 - 00000000 ____D C:\Users\paul.watkins\AppData\Local\Microsoft Help
2016-08-09 10:02 - 2015-10-01 09:06 - 00001006 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2016-08-09 10:02 - 2015-10-01 09:04 - 00000000 ____D C:\Program Files (x86)\LogMeIn
2016-08-09 10:01 - 2015-10-01 09:06 - 00122400 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIRfsClientNP.dll
2016-08-09 10:01 - 2015-10-01 09:04 - 00107520 _____ (LogMeIn, Inc.) C:\WINDOWS\system32\LMIinit.dll
2016-08-09 07:12 - 2015-04-28 10:28 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-08-08 15:47 - 2015-10-30 09:43 - 00000000 ____D C:\Users\paul.watkins
2016-08-08 15:46 - 2013-08-22 16:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-08-08 15:37 - 2016-03-24 11:09 - 00002479 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002443 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002438 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002437 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002401 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002400 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002394 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002388 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00002380 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk
2016-08-08 15:37 - 2016-03-24 11:09 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2016-08-08 15:35 - 2015-04-28 10:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2016-08-08 10:59 - 2013-08-22 15:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-08-08 10:22 - 2013-08-22 16:36 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-08-08 10:16 - 2015-10-30 15:41 - 00000000 ____D C:\Users\paul.watkins\Desktop\ILAMA
2016-08-08 10:15 - 2016-06-10 11:10 - 00000000 ____D C:\Users\paul.watkins\Desktop\New folder
2016-08-08 10:05 - 2015-04-15 09:26 - 00000000 ____D C:\WINDOWS\Automation
2016-08-08 10:04 - 2015-04-15 09:26 - 00083568 _____ C:\WINDOWS\RemComSvc80.exe
2016-08-08 10:03 - 2015-10-30 09:35 - 00000570 _____ C:\WINDOWS\SMSCFG.ini
2016-08-08 10:01 - 2015-10-30 09:57 - 00045240 _____ C:\output.txt
2016-07-29 17:11 - 2016-07-01 15:11 - 00000000 ____D C:\Users\paul.watkins\Desktop\Flagship Stage 2 Biz Case
2016-07-28 10:18 - 2016-02-03 17:40 - 00003668 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2016-07-28 10:18 - 2015-04-28 10:37 - 00003904 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2016-07-28 10:18 - 2015-04-28 10:37 - 00000928 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-27 20:25 - 2015-10-30 10:43 - 00504488 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-07-18 11:54 - 2015-10-29 19:58 - 00000000 ____D C:\WINDOWS\ccmsetup

==================== Files in the root of some directories =======

2016-08-16 15:15 - 2016-08-16 15:15 - 7118336 _____ () C:\Users\ITADMINSCO\AppData\Roaming\agent.dat
2016-08-16 15:14 - 2016-08-16 15:14 - 0054272 _____ () C:\Users\ITADMINSCO\AppData\Roaming\ApplicationHosting.dat
2016-08-16 15:15 - 2016-08-16 15:15 - 0070704 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Config.xml
2016-08-16 15:14 - 2016-08-16 15:13 - 0872960 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.exe
2016-08-16 15:14 - 2016-08-16 15:14 - 0072793 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.tst
2016-08-16 15:13 - 2016-08-16 15:13 - 0018432 _____ () C:\Users\ITADMINSCO\AppData\Roaming\InstallationConfiguration.xml
2016-08-16 15:13 - 2016-08-16 15:13 - 0138240 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Installer.dat
2016-08-16 15:14 - 2016-08-16 15:14 - 0126464 _____ () C:\Users\ITADMINSCO\AppData\Roaming\lobby.dat
2016-08-16 15:15 - 2016-08-16 15:15 - 0018432 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Main.dat
2016-08-16 15:14 - 2016-08-16 15:15 - 0005568 _____ () C:\Users\ITADMINSCO\AppData\Roaming\md.xml
2016-08-16 15:15 - 2016-08-16 15:15 - 0126464 _____ () C:\Users\ITADMINSCO\AppData\Roaming\noah.dat
2016-08-16 15:14 - 2016-08-16 15:14 - 0848437 _____ () C:\Users\ITADMINSCO\AppData\Roaming\OzerFax.bin
2016-08-16 15:16 - 2016-08-16 15:16 - 0032038 _____ () C:\Users\ITADMINSCO\AppData\Roaming\uninstall_temp.ico
2016-08-16 15:14 - 2016-08-16 15:13 - 0872960 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Unolax.exe
2016-08-16 15:15 - 2016-08-16 15:15 - 1900137 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Unolax.tst
2016-08-16 15:16 - 2016-08-16 15:16 - 2279413 _____ () C:\Users\ITADMINSCO\AppData\Roaming\Zamdom.bin
2015-03-16 12:57 - 2015-03-16 12:57 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2016-08-16 15:33 - 2016-08-16 15:33 - 0394752 _____ () C:\ProgramData\smp2.exe

Files to move or delete:
====================
C:\ProgramData\smp2.exe

Some files in TEMP:
====================
C:\Users\ITADMINSCO\AppData\Local\Temp\1C2A.tmp.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\29U59EMTIZ.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\59MR23KMHZ.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\6CGZB21ZSQ.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\6YYHDB4QBN.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\709QGf6lXs.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\AC1B.tmp.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\bd7cw88x13.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\BrGabCRqe6.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\CB5OS366W9.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\CX0AoHwlTD.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\F2BKP3DHWS.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\fsd459B.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\FTRU11RAM1.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\IhWgT6eQQH.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\MLHLVPK52T.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\nsw5C48.tmp.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\sdf6A50.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\sdfC3CF.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\UE8Z5uschM.exe
C:\Users\ITADMINSCO\AppData\Local\Temp\Y9CI6AARO6.exe
C:\Users\PaulKennedy\AppData\Local\Temp\ARCompanionForSession1.exe
C:\Users\PaulKennedy\AppData\Local\Temp\ARCompanionForSession2.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-08-10 15:31

==================== End of FRST.txt ============================

Addition follows:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-08-2016 01
Ran by itadminsco (17-08-2016 09:35:53)
Running from C:\Users\paul.watkins\Desktop
Windows 8.1 Pro with Media Center (Update) (X64) (2015-04-14 11:52:09)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2050406394-4178630720-2461931060-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-2050406394-4178630720-2461931060-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2050406394-4178630720-2461931060-1003 - Limited - Enabled)
SophosSAUDBLAPTOP150 (S-1-5-21-2050406394-4178630720-2461931060-1005 - Limited - Enabled)
User (S-1-5-21-2050406394-4178630720-2461931060-1001 - Administrator - Enabled) => C:\Users\User

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: System Center Endpoint Protection (Enabled - Up to date) {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: System Center Endpoint Protection (Enabled - Up to date) {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

64 Bit HP CIO Components Installer (Version: 13.2.1 - Hewlett-Packard) Hidden
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20077 - Adobe Systems Incorporated)
Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon) <==== ATTENTION
AnySend (HKLM-x32\...\ASPackage) (Version:  - CMI Limited) <==== ATTENTION
Apple Application Support (64-bit) (HKLM\...\{0DE0A178-AC7B-4650-806C-CF226DE03766}) (Version: 4.1 - Apple Inc.)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Body Text Feathering (HKLM-x32\...\PopupProduct) (Version: 1.0.0.0 - Body Text Feathering) <==== ATTENTION
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Caster (HKLM\...\{d35e5e88-e5b8-447f-b6f4-66bc7aa638d1}) (Version: 1.0 - Caster) <==== ATTENTION
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.2.100.14 - Citrix Systems, Inc.)
CleanBrowser (HKLM-x32\...\CleanBrowser) (Version:  - ) <==== ATTENTION
Configuration Manager Client (Version: 5.00.8325.1000 - Microsoft Corporation) Hidden
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.9.2.8 - Dell Inc.)
Dell Data Services (HKLM\...\{90F9BFC9-A2A9-403F-9A40-1063FAD035BA}) (Version: 1.1.6.0 - Dell Inc.)
Dell Digital Delivery (HKLM-x32\...\{BC8233D8-59BA-4D40-92B9-4FDE7452AA8B}) (Version: 3.0.3999.0 - Dell Products, LP)
Dell Foundation Services (HKLM\...\{76966FD2-4189-41F1-9CF6-9D177B4DEC97}) (Version: 2.0.42.1 - Dell Inc.)
Dell Product Registration (HKLM-x32\...\{17FFE63C-6734-4950-B488-134B5A2505F7}) (Version: 2.04.0280 - Aviata Inc.)
Dell Update (HKLM-x32\...\{D9E0A33F-19D6-45A7-83BB-535C7B5F699B}) (Version: 1.5.3000.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
DPower version 1.0 (HKLM-x32\...\DPower_is1) (Version: 1.0 - WeMonetize) <==== ATTENTION
Dropbox 20 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 0.9.0 - Dropbox, Inc.)
DSC/AA Factory Installer (Version: 3.5.6426.22 - PC-Doctor, Inc.) Hidden
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.3.0.118 - Foxit Software Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 52.0.2743.116 - Google Inc.)
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
Herramientas de corrección de Microsoft Office 2016: español (x32 Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
host version 1.1 (HKLM-x32\...\host_is1) (Version: 1.1 - Wizzlabs) <==== ATTENTION
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.22.1760 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3945 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.9.0.1001 - Intel Corporation)
Intel® Virtual Buttons (HKLM-x32\...\1992736F-C90A-481C-B21B-EE34CAD07387) (Version: 1.0.0.14 - Intel Corporation)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
LogMeIn (HKLM-x32\...\{1BC47D02-4412-4127-947E-A4A1DA060663}) (Version: 4.1.5704 - LogMeIn, Inc.)
LogMeIn Client (HKLM-x32\...\{D2300C4F-CC9B-4D00-BC53-B4C806A6C7AB}) (Version: 1.3.1675 - LogMeIn, Inc.)
Max Driver Updater (HKLM-x32\...\Max Driver Updater_is1) (Version: 2.7.1086.16649 - csmedia.com) <==== ATTENTION
Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 16.0.6741.2056 - Microsoft Corporation)
Microsoft Office Professional Plus 2016 (HKLM-x32\...\Office16.PROPLUS) (Version: 16.0.4266.1001 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\OneDriveSetup.exe) (Version: 17.3.6390.0509 - Microsoft Corporation)
Microsoft Project Standard 2013 (HKLM-x32\...\Office15.PRJSTD) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6701.1034 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.6701.1034 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6701.1034 - Microsoft Corporation) Hidden
Online Plug-in (x32 Version: 14.2.100.14 - Citrix Systems, Inc.) Hidden
Outils de vérification linguistique 2013 de Microsoft Office - Français (x32 Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Outils de vérification linguistique 2016 de Microsoft Office - Français (x32 Version: 16.0.4266.1001 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.328 - Qualcomm Atheros Communications)
QuickSet64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 11.1.26 - Dell Inc.)
Rapport (x32 Version: 3.5.1609.65 - Trusteer) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7312 - Realtek Semiconductor Corp.)
SafeFinder (HKLM-x32\...\{BCF1FD8A-B851-49D2-9DC1-68BA212F6E4D}) (Version: 1.0.0.0 - Linkury) <==== ATTENTION
Search module (HKLM-x32\...\Search module) (Version:  - Goobzo) <==== ATTENTION
Self-service Plug-in (x32 Version: 4.2.100.5943 - Citrix Systems, Inc.) Hidden
Social2Search (HKLM\...\4f8b56a88e2ba99e877afe20bb5faf2b) (Version: 11.6.1.124 (i1.0) - Social2Search) <==== ATTENTION
Sophos Anti-Virus (HKLM-x32\...\{D929B3B5-56C6-46CC-B3A3-A1A784CBB8E4}) (Version: 10.3.15 - Sophos Limited)
Sophos AutoUpdate (HKLM-x32\...\{7CD26A0C-9B59-4E84-B5EE-B386B2F7AA16}) (Version: 4.3.10.27 - Sophos Limited)
SpaceSoundPro (HKLM\...\SpaceSoundPro) (Version: 1.0 - ) <==== ATTENTION
ST Microelectronics 3 Axis Digital Accelerometer Solution (HKLM-x32\...\{9C24F411-9CA7-4A8A-91F3-F08A4A38EB31}) (Version: 4.13.0054 - ST Microelectronics)
System Center Endpoint Protection (HKLM\...\Microsoft Security Client) (Version: 4.7.214.0 - Microsoft Corporation)
System Healer (HKLM-x32\...\SystemHealer) (Version: 4.3.0.1 - SystemHealer) <==== ATTENTION
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.47484 - TeamViewer)
Trusteer Endpoint Protection (HKLM-x32\...\Rapport_msi) (Version: 3.5.1609.65 - Trusteer)
WIN (HKLM-x32\...\win_en_77_is1) (Version:  - ) <==== ATTENTION
Windows Firewall Configuration Provider (HKLM\...\{109A5A16-E09E-4B82-A784-D1780F1190D6}) (Version: 1.2.3412.0 - Microsoft Corporation)
WinRAR 5.31 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\paul.watkins\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileCoAuthLib64.dll ()
CustomCLSID: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\paul.watkins\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileCoAuth.exe (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0493BCB2-AC88-45B7-9C9F-7CE5D1A61FEC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-04-28] (Google Inc.)
Task: {06B65F72-50B7-4D23-84A2-9E55CE4610AA} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office16\OLicenseHeartbeat.exe
Task: {11B0D6E4-A6C0-4D25-8C6A-BB9A8E73CB98} - System32\Tasks\runTask => C:\Users\ITADMINSCO\AppData\Local\Temp/Updater.exe
Task: {15701C90-014E-4036-8E13-841F418AB258} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}
Task: {1D65B44A-9EEE-4A9D-BCD8-5B0C4A182DA3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {22922FFB-A804-4475-9717-64F9766AF618} - System32\Tasks\Dell\Dell Product Registration => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {354F80EC-8530-49DC-A4F3-DC2CE7F5A23A} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Maintenance
Task: {3904DF4C-8E7A-4902-9740-84A659223993} - System32\Tasks\Dell\Dell Product Registration Update => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {4AD70F53-94E3-4CD0-B029-F2FAEB00EC86} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-08-08] (Microsoft Corporation)
Task: {4C83242C-7CDA-4982-BAA0-C8A52BB5470B} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => schtasks [Argument = /run /TN "\Microsoft\Windows\Setup\gwx\refreshgwxconfig"]
Task: {4C8F23D2-E7DC-49A0-A424-22A0695AC52C} - System32\Tasks\MAXDriverUpdater_UPDATES => C:\Program Files (x86)\Max Driver Updater\maxdu.exe [2015-07-06] (csdimedia.com) <==== ATTENTION
Task: {4E977BB8-1383-4F83-97B7-34F857C85D94} - System32\Tasks\System Healer Task => C:\Program Files (x86)\SystemHealer\RescueMonitor.exe [2016-06-28] () <==== ATTENTION
Task: {57A5CF6E-9189-4F21-AFEC-D94205F7D329} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {5ED860E5-F1E1-4851-8D4B-04234649697F} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-07-03] (Microsoft Corporation)
Task: {660DBC11-6610-4A7A-AF9F-DAC23FF483D5} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-07-03] (Microsoft Corporation)
Task: {67371A6A-C44F-402C-B40F-A02663E3D0A0} - System32\Tasks\985e9dbcf040fb87870be4f1249a70cf => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1 <==== ATTENTION
Task: {6B6E2EBA-F3CC-4DA8-ADDE-F03DCE369585} - System32\Tasks\{7E0A7E47-0A0B-7D05-7D11-7D097979117F} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwA7ACAAOwAgADsAOwA7ACAAOwA7ACAAOwAgACAAIAAgACAAOwA7ADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4A (the data entry has 9988 more characters). <==== ATTENTION
Task: {6F23C6D0-DAF3-47D7-B004-690B5F290BC7} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {709233C9-3D32-447C-8FF4-79F8977CC0FF} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Idle Detection
Task: {71B216BA-1E77-45B6-8388-346E2C1CF743} - System32\Tasks\SystemHealer Run Delay => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
Task: {7B9DC352-B6AA-4C09-BB61-6418E01BD757} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2016-08-08] (Microsoft Corporation)
Task: {7F13E8AA-B6BD-43FD-99F5-C35C2779C7FC} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {8772CFF3-E8BB-4362-946B-6A1ABF6E094D} - System32\Tasks\SystemHealer Monitor => C:\Program Files (x86)\SystemHealer\HealerConsole.exe [2016-06-28] () <==== ATTENTION
Task: {88A1E047-5667-487A-8E1C-44B9E89FDF81} - System32\Tasks\Aviata\PowerRegister\Dell Reminder (Administrator) => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {89603125-CCA6-42A5-99B7-FC15300D2228} - \updateTask -> No File <==== ATTENTION
Task: {8CBCC0A9-C3AB-4ED0-9F3A-017E8F7F90A6} - System32\Tasks\System HealerStartUp => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
Task: {8D530F62-812F-4958-8AA4-06E043DE562B} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2016-08-16] () <==== ATTENTION
Task: {9AB41BD0-B4B2-4185-9A49-9650C25F1BB0} - System32\Tasks\RtHDVBg_PushButton => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2014-07-28] (Realtek Semiconductor)
Task: {9B6344CC-00F8-48D1-B564-BA88D1801A4D} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1486891537-2021946215-1446339652-35485 => C:\Users\ITADMINSCO\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Task: {B93E88BB-403D-4982-B015-0209D8E2AD8F} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}
Task: {B9ED3E09-0CF7-49E6-9FB3-33C0DB2BF9C7} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Health Evaluation => C:\WINDOWS\CCM\ccmeval.exe [2015-10-27] (Microsoft Corporation)
Task: {BDC7F999-5B70-403A-83AF-6480FAC565EE} - System32\Tasks\MAXDriverUpdaterRunAtStartup => C:\Program Files (x86)\Max Driver Updater\maxdu.exe [2015-07-06] (csdimedia.com) <==== ATTENTION
Task: {C5FDB3DF-F736-4766-96B6-8250BD7DE196} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-04-28] (Google Inc.)
Task: {D29CF350-1D07-4CB1-B54F-C148A316AD57} - System32\Tasks\System HealerPeriod => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
Task: {DB4341F4-491C-4C1F-92CE-75998626FFB0} - System32\Tasks\SMW_UpdateTask_Time_323035383730323331352d415b343437414545785a5a6c => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {EEFC089B-D568-4686-BF68-B0D266656BCF} - System32\Tasks\Aviata\PowerRegister\Dell Reminder (User) => C:\Program Files (x86)\Dell Product Registration\prodreg.exe [2014-04-01] (Aviata Inc)
Task: {F9349247-EB09-4A9A-BA27-0D6264DC510E} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2016-08-08] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\MAXDriverUpdater_UPDATES.job => C:\Program Files (x86)\Max Driver Updater\maxdu.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\System HealerPeriod.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\System HealerStartUp.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a"
ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a" --disable-quic
ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a" --disable-quic
ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b, --disable-quic
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b, --disable-quic

==================== Loaded Modules (Whitelisted) ==============

2015-07-02 16:12 - 2015-07-02 16:12 - 01927680 _____ () C:\Program Files\SpaceSoundPro\SpaceSoundPro.dll
2011-03-10 17:14 - 2012-12-27 23:23 - 00648704 _____ () C:\WINDOWS\system32\spool\DRIVERS\x64\3\KOAZ8J_O.DLL
2014-02-19 01:40 - 2015-06-29 09:01 - 00692736 _____ () C:\WINDOWS\system32\spool\DRIVERS\x64\3\KOAYTJ_O.DLL
2016-08-08 10:22 - 2016-07-03 07:04 - 00173248 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll
2016-08-16 15:16 - 2016-05-15 18:04 - 02089472 _____ () C:\ProgramData\Logic Handler\set.exe
2016-08-16 15:18 - 2016-08-16 15:18 - 00172032 _____ () C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\knsn17DB.tmpfs
2016-08-16 15:18 - 2016-08-16 15:18 - 00244224 _____ () C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\jnsz4140.tmp
2016-08-16 15:18 - 2016-08-16 15:18 - 00138240 _____ () C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\hnsk5BCE.tmp
2015-12-26 09:59 - 2015-12-26 09:59 - 00158720 _____ () C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332\qnsd363B.tmp
2016-08-16 15:23 - 2016-08-16 15:23 - 00369664 _____ () C:\Program Files (x86)\DPower\3YLRSC9H4W.exe
2016-08-15 12:51 - 2016-08-15 12:51 - 04836864 _____ () C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b\333bdc398b68b23342e4dddca708edd1.exe
2016-08-16 15:30 - 2016-08-16 15:30 - 00369664 _____ () C:\Program Files (x86)\DPower\4SO5PN0GCP.exe
2016-08-08 10:32 - 2016-08-08 10:32 - 08919232 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2016-08-17 08:54 - 2016-08-17 08:54 - 00707584 _____ () C:\Users\ITADMINSCO\AppData\Local\Temp\is-N3EG5.tmp\win.tmp
2016-08-17 09:08 - 2016-08-17 09:08 - 00707584 _____ () C:\Users\ITADMINSCO\AppData\Local\Temp\is-26IFK.tmp\win.tmp
2014-10-11 14:06 - 2014-10-11 14:06 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 14:05 - 2014-10-11 14:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2015-06-02 15:51 - 2015-06-02 15:51 - 00545792 _____ () C:\Program Files (x86)\Trusteer\Rapport\bin\js32.dll
2016-08-08 10:25 - 2016-08-08 10:28 - 01754296 _____ () C:\Program Files (x86)\Microsoft Office\Root\Office16\tmpod.dll
2016-08-08 10:25 - 2016-08-08 10:27 - 01073856 _____ () C:\Program Files (x86)\Microsoft Office\Root\Office16\ADDINS\UmOutlookAddin.dll
2016-08-08 10:33 - 2016-08-08 10:40 - 00467648 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\msfad.dll
2016-08-08 10:33 - 2016-08-08 10:33 - 08919232 _____ () C:\Program Files (x86)\Microsoft Office\Root\Office16\1033\GrooveIntlResource.dll
2016-03-13 16:15 - 2015-12-29 04:14 - 00566976 _____ () C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\CommentsSummary.fpi
2016-08-08 10:33 - 2016-08-08 10:33 - 08919232 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\1033\GrooveIntlResource.dll
2016-08-08 10:23 - 2016-08-08 10:23 - 00251072 _____ () C:\Program Files (x86)\Microsoft Office\root\Office16\IEAWSDC.DLL

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\WINDOWS\system32\Drivers\mpngokpr.sys:changelist [2882]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\qxcutfjm.sys:changelist [4546]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\sharepoint.com -> hxxps://survitecgroup-files.sharepoint.com

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 14:25 - 2016-08-16 15:14 - 00001006 ____A C:\WINDOWS\system32\Drivers\etc\hosts

127.0.0.1       down.baidu2016.com
127.0.0.1       123.sogou.com
127.0.0.1       www.czzsyzgm.com
127.0.0.1       www.czzsyzxl.com
127.0.0.1       union.baidu2019.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\dell\BlueLava_1112000xx_inspiron_wallpaper58095_16x9_72dpi_RGB.jpg
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\dell\BlueLava_1112000xx_inspiron_wallpaper58095_16x9_72dpi_RGB.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: 0270031429081847mcinstcleanup => 2
MSCONFIG\Services: AERTFilters => 2
MSCONFIG\Services: AtherosSvc => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: Dell Data Services => 2
MSCONFIG\Services: Dell Foundation Services => 2
MSCONFIG\Services: DellDigitalDelivery => 2
MSCONFIG\Services: DellProdRegManager => 3
MSCONFIG\Services: DellUpdate => 2
MSCONFIG\Services: DptfParticipantProcessorService => 2
MSCONFIG\Services: DptfPolicyCriticalService => 2
MSCONFIG\Services: IAStorDataMgrSvc => 2
MSCONFIG\Services: igfxCUIService1.0.0.0 => 2
MSCONFIG\Services: Intel® Capability Licensing Service Interface => 2
MSCONFIG\Services: Intel® Capability Licensing Service TCP IP Interface => 3
MSCONFIG\Services: jhi_service => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: McAfee SiteAdvisor Service => 2
MSCONFIG\Services: RtkAudioService => 2
MSCONFIG\Services: SftService => 2
HKLM\...\StartupApproved\Run: => "IAStorIcon"
HKLM\...\StartupApproved\Run: => "QuickSet"
HKLM\...\StartupApproved\Run32: => "DropboxOEM"
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\StartupApproved\Run: => "Lync"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{D823BE11-B8A0-4E96-B762-B8AC4E94DBD4}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{C979267E-E89D-4C56-9DE6-A337E4E2BD55}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exe
FirewallRules: [{A06152C0-3D09-434C-8F4E-96B2E7A78AAF}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{FD4B4B43-C7ED-442A-AECD-E114B8CC12A2}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [TCP Query User{4A3470E6-151B-4537-93B8-710BF8647CEB}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{7DB396B2-7AB0-4946-8F2F-5DB67D56FCB5}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{09F0F1F9-3CF2-4F5D-8FD1-1D25D25840FE}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [TCP Query User{64353313-A233-4335-A1B1-6BA513F4EF5A}C:\users\paulkennedy\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe] => (Block) C:\users\paulkennedy\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe
FirewallRules: [UDP Query User{61F383F7-AD14-4589-986F-0BDE923FC812}C:\users\paulkennedy\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe] => (Block) C:\users\paulkennedy\appdata\local\logmein rescue applet\lmir0001.tmp\lmi_rescue.exe
FirewallRules: [{D1B806C4-54BB-44A6-81B8-2217A8F81D0E}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{1AF237E3-5824-45C5-88E8-EB23101EC823}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{20E2C738-AA87-48E6-8466-27A6750CB35D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{92E4DCE4-8B02-40BE-990E-913B2FEB5FC0}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{0AD70BD5-75D0-4D8D-B398-506B7BD14576}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{646209FA-5F22-4EFD-ACDA-02B31E65D13C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{41C9826F-FBFE-4C0A-897F-60C9BA87C1F0}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{F65EBC68-5416-4C69-A3C3-C52CBE287655}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{AA689528-A480-40A7-B742-F8E39F7E2FD2}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exe
FirewallRules: [{1339A45C-9E61-4C1E-AA2F-C5C3894B60F3}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{2D613DC1-E0D6-490B-B613-D13DE0D7EC8A}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{203AD422-7F7E-495D-A2AF-73370E3325B5}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{F26F0C74-BA88-4AC3-8BBF-58316E2A9223}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{474E784C-CD7C-4BA5-903A-31913305FAA5}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [{3D4C39DC-B1C9-4302-825A-61DDFC72806F}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\lync.exe
FirewallRules: [{E737E47D-C2C1-4640-ADC5-A1C31C24E02B}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\lync.exe
FirewallRules: [{9924515F-4571-4868-9425-BBB6FA971A21}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
FirewallRules: [{38E26E85-A772-431D-9432-99645F0CF189}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
FirewallRules: [{1DABD1B3-8992-431A-83C0-C976DCF897B1}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\lync.exe
FirewallRules: [{A73D75C7-5024-4ABB-8FD9-8C68979ED57B}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\lync.exe
FirewallRules: [{DADE4552-F34B-41B7-9807-E488BA41787E}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
FirewallRules: [{F67364A7-2797-4015-B93D-34E3ED59C1D4}] => (Allow) C:\Program Files (x86)\Microsoft Office\Office16\UcMapi.exe
FirewallRules: [{A5F3D932-9C78-4E37-A0BA-957487CBD34D}] => (Allow) C:\WINDOWS\CCM\RemCtrl\CmRcService.exe
FirewallRules: [{89C466EC-F784-4045-8814-544ECC65B449}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{77D0B2D6-FDB8-46F8-977F-2B4C65122233}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{69BB8E5D-8BF1-4E45-8C80-94B133B31E32}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{AEBDFEF1-B8CF-4854-83C1-BFF4D88FA4F7}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{95A1CDC9-78A5-4D4F-9EFD-22B09663F5BF}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{04D9E65F-91FA-4D86-BDBD-A5A49FA7D335}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [TCP Query User{0306A95C-CE1C-4FE9-BE45-8C0239C385BF}C:\program files (x86)\microsoft office\root\office16\lync.exe] => (Allow) C:\program files (x86)\microsoft office\root\office16\lync.exe
FirewallRules: [UDP Query User{2AE78655-55A2-4714-9018-63C0D20AA491}C:\program files (x86)\microsoft office\root\office16\lync.exe] => (Allow) C:\program files (x86)\microsoft office\root\office16\lync.exe

==================== Restore Points =========================

08-08-2016 10:00:12 Installed Rapport
16-08-2016 14:37:18 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/17/2016 09:35:32 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x64
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:33:37 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x18e8
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:28:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x19e0
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:25:30 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x1f58
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:23:35 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0xfa8
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:21:28 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x1e80
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:15:29 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x27cc
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:13:34 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x2fe4
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:08:02 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x1c80
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

Error: (08/17/2016 09:05:29 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 52.0.2743.116, time stamp: 0x57a128a8
Faulting module name: rooksdol.dll, version: 3.11.0.0, time stamp: 0x574c4601
Exception code: 0xc0000005
Fault offset: 0x000f52fb
Faulting process id: 0x26f8
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5

System errors:
=============
Error: (08/17/2016 08:53:53 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/17/2016 08:36:09 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/17/2016 08:27:27 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain RFDBEAUFORT due to the following:
%%1311 = There are currently no logon servers available to service the logon request.

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (08/16/2016 03:50:53 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/16/2016 03:27:48 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The MPC Core Protect Service service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (08/16/2016 02:17:53 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/16/2016 02:15:11 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: RFDBEAUFORT)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (08/16/2016 01:19:02 PM) (Source: DCOM) (EventID: 10010) (User: RFDBEAUFORT)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (08/16/2016 12:44:53 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/16/2016 12:26:10 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: RFDBEAUFORT)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
B) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

CodeIntegrity:
===================================
  Date: 2016-08-16 15:44:46.312
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:44:46.204
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:44:41.065
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:44:40.917
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:40:12.850
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:40:12.741
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:38:09.465
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:38:09.340
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:38:09.230
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-08-16 15:38:04.105
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume5\Program Files\SpaceSoundPro\SpaceSoundPro.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel® Core™ i3-4030U CPU @ 1.90GHz
Percentage of memory in use: 82%
Total physical RAM: 4020.27 MB
Available physical RAM: 720.12 MB
Total Virtual: 8884.27 MB
Available Virtual: 4083.77 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:457.02 GB) (Free:227.9 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: EB19DA08)

Partition: GPT.

==================== End of Addition.txt ============================



#5 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:40 AM

Posted 17 August 2016 - 07:21 AM

Sorry, I should have included a link to download FRST, my bad. Good job on finding out where it was :)

Is that computer yours, or does it belong to a company? If it belongs to a company, do you have the authorization to seek assistance online like this with it?

You have 2 antivirus programs installed, System Center Endpoint Protection and Sophos Anti-Virus. You'll need to uninstall one and keep the other. Since that computer is currently managed on a domain from what I can see, removing Sophos and keeping System Center Endpoint Protection (which is managed by SCCM) would be the best idea.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
  • AnySend
  • Body Text Feathering
  • Caster
  • CleanBrowser
  • DPower version 1.0
  • host version 1.1
  • Max Driver Updater
  • SafeFinder
  • Search module
  • Social2Search
  • SpaceSoundPro
  • System Healer
  • WIN
If you have an issue when uninstalling a program, please let me know.

Once done, we'll run a first fix with FRST, and run a quick sweep using JRT and AdwCleaner. Since a lot of the infections are PUPs, Adware, Browser Hijackers, etc., they should be efficient here.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Right-click on your Desktop, select New and click on Text Document. Name it fixlist (make sure it's a .txt file) and press on Enter;
  • Open the file you just created and copy/paste the content below in it, then save it (Ctrl + S);
    CloseProcesses:
    CreateRestorePoint:
    
    HKLM\...\Run: [SpaceSoundPro] => C:\Program Files\SpaceSoundPro\SpaceSoundPro.exe [4203520 2015-08-03] (Space Sound Pro)
    HKLM-x32\...\Run: [DiskPower] => C:\Program Files (x86)\DPower\DiskPower.exe [210432 2016-07-21] ()
    HKLM-x32\...\Run: [win_en_77] => C:\Program Files (x86)\win_en_77\win_en_77.exe [4065792 2016-07-22] ()
    HKLM\...\RunOnce: [IDSCPRODUCT] => C:\Program Files (x86)\host\idscservice.exe [436224 2016-08-16] (20)
    HKLM\...\RunOnce: [OMEWPRODUCT_NHNJU] => C:\Program Files (x86)\DPower\wemoservice.exe [322048 2016-08-16] (8p)
    HKLM-x32\...\RunOnce: [Update] => C:\Users\ITADMINSCO\AppData\Roaming\ASPackage\ASPackage.exe [615693 2016-08-16] ()
    HKLM-x32\...\RunOnce: [GrpConv] => grpconv -o
    Winlogon\Notify\ScCertProp: wlnotify.dll [X]
    HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [Caster] => C:\Program Files (x86)\host\wizzcaster.exe [179200 2016-08-16] (HHJJKd)
    HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [YONB935EXP] => C:\Program Files (x86)\DPower\3YLRSC9H4W.exe [369664 2016-08-16] ()
    HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [9B31BTPQIF] => C:\Program Files (x86)\DPower\4SO5PN0GCP.exe [369664 2016-08-16] ()
    HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\Run: [] => [X]
    AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => No File
    AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => No File
    
    HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www-searching.com/?pid=s&s=G8Gztutbl11AU,b6b7c8ca-4dda-4cb1-82d0-674610ffa513,&vp=ch&prd=set_ie
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-20419 -> {80088DC4-C53C-4DCA-A84E-5D2ED0EC00FE} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
    SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-20419 -> {DA4712A9-9845-46B5-B6FE-A537EAD6C954} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=G8Gztutbl11AU,b6b7c8ca-4dda-4cb1-82d0-674610ffa513,
    SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485 -> DefaultScope {9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10} URL =
    SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485 -> {9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10} URL =
    
    CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
    CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,"
    CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?site=shdefault1&prd=smw&pid=s&shr=d&q={searchTerms}&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
    CHR DefaultSearchKeyword: Default -> www-searching.com
    CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
    
    R2 4f8b56a88e2ba99e877afe20bb5faf2b; C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b\333bdc398b68b23342e4dddca708edd1.exe [4836864 2016-08-15] () [File not signed]
    R2 backlh; C:\ProgramData\Logic Handler\set.exe [2089472 2016-05-15] () [File not signed]
    S2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [872960 2016-08-16] () [File not signed]
    R2 dowidoly; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\jnsz4140.tmp [244224 2016-08-16] () [File not signed]
    S2 Holdtam; C:\ProgramData\\Holdtam\\Holdtam.exe [872960 2016-08-16] () [File not signed]
    R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-08-16] (DotC United Inc)
    R2 rijufoze; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\hnsk5BCE.tmp [138240 2016-08-16] () [File not signed]
    R2 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe [3109888 2016-08-16] (Search Module Ltd.) [File not signed]
    R2 zigipyro; C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332\qnsd363B.tmp [158720 2015-12-26] () [File not signed]
    S4 0270031429081847mcinstcleanup; C:\WINDOWS\TEMP\027003~1.EXE -cleanup -nolog [X]
    R2 deciqyguzbt; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\knsn17DB.tmpfs [X]
    S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
    S4 swi_filter; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter.exe" [X]
    R1 b20db80117eb466dbd73f8ca5ea62fa2; C:\WINDOWS\system32\drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys [85088 2016-08-15] (HGEGTZ)
    R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-08-16] (DotC United Inc)
    R3 SMUpdd; C:\Program Files\Common Files\Noobzo\GNUpdate\smw.sys [52992 2016-08-16] ()
    
    Task: {4C8F23D2-E7DC-49A0-A424-22A0695AC52C} - System32\Tasks\MAXDriverUpdater_UPDATES => C:\Program Files (x86)\Max Driver Updater\maxdu.exe [2015-07-06] (csdimedia.com) <==== ATTENTION
    Task: {4E977BB8-1383-4F83-97B7-34F857C85D94} - System32\Tasks\System Healer Task => C:\Program Files (x86)\SystemHealer\RescueMonitor.exe [2016-06-28] () <==== ATTENTION
    Task: {57A5CF6E-9189-4F21-AFEC-D94205F7D329} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
    Task: {67371A6A-C44F-402C-B40F-A02663E3D0A0} - System32\Tasks\985e9dbcf040fb87870be4f1249a70cf => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1 <==== ATTENTION
    Task: {6B6E2EBA-F3CC-4DA8-ADDE-F03DCE369585} - System32\Tasks\{7E0A7E47-0A0B-7D05-7D11-7D097979117F} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwA7ACAAOwAgADsAOwA7ACAAOwA7ACAAOwAgACAAIAAgACAAOwA7ADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4A (the data entry has 9988 more characters). <==== ATTENTION
    Task: {71B216BA-1E77-45B6-8388-346E2C1CF743} - System32\Tasks\SystemHealer Run Delay => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
    Task: {8772CFF3-E8BB-4362-946B-6A1ABF6E094D} - System32\Tasks\SystemHealer Monitor => C:\Program Files (x86)\SystemHealer\HealerConsole.exe [2016-06-28] () <==== ATTENTION
    Task: {89603125-CCA6-42A5-99B7-FC15300D2228} - \updateTask -> No File <==== ATTENTION
    Task: {8CBCC0A9-C3AB-4ED0-9F3A-017E8F7F90A6} - System32\Tasks\System HealerStartUp => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
    Task: {8D530F62-812F-4958-8AA4-06E043DE562B} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2016-08-16] () <==== ATTENTION
    Task: {BDC7F999-5B70-403A-83AF-6480FAC565EE} - System32\Tasks\MAXDriverUpdaterRunAtStartup => C:\Program Files (x86)\Max Driver Updater\maxdu.exe [2015-07-06] (csdimedia.com) <==== ATTENTION
    Task: {D29CF350-1D07-4CB1-B54F-C148A316AD57} - System32\Tasks\System HealerPeriod => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
    Task: {DB4341F4-491C-4C1F-92CE-75998626FFB0} - System32\Tasks\SMW_UpdateTask_Time_323035383730323331352d415b343437414545785a5a6c => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
    Task: C:\WINDOWS\Tasks\MAXDriverUpdater_UPDATES.job => C:\Program Files (x86)\Max Driver Updater\maxdu.exe <==== ATTENTION
    Task: C:\WINDOWS\Tasks\System HealerPeriod.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION
    Task: C:\WINDOWS\Tasks\System HealerStartUp.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION
    
    ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a"
    ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a" --disable-quic
    ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a" --disable-quic
    ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a"
    ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b, --disable-quic
    ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b, --disable-quic
    
    AlternateDataStreams: C:\WINDOWS\system32\Drivers\mpngokpr.sys:changelist [2882]
    AlternateDataStreams: C:\WINDOWS\system32\Drivers\qxcutfjm.sys:changelist [4546]
    
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
    
    REG: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\0270031429081847mcinstcleanup" /f
    
    C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b
    C:\Program Files\Caster
    C:\Program Files\SpaceSoundPro
    C:\Program Files\Common Files\Noobzo
    C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332
    C:\Program Files (x86)\CleanBrowser
    C:\Program Files (x86)\DPower
    C:\Program Files (x86)\host
    C:\Program Files (x86)\Max Driver Updater
    C:\Program Files (x86)\MPC Cleaner
    C:\Program Files (x86)\SystemHealer
    C:\Program Files (x86)\win_en_77
    C:\ProgramData\5fc53bb7-5ba7-1
    C:\ProgramData\CloudPrinter
    C:\ProgramData\Holdtam
    C:\ProgramData\Logic Handler
    C:\ProgramData\SearchModule
    C:\ProgramData\ZXPS3
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Driver Updater
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer
    C:\ProgramData\smp2.exe
    C:\Users\Public\Desktop\Max Driver Updater.lnk
    C:\Users\ITADMINSCO\Desktop\SpaceSoundPro.lnk
    C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332
    C:\Users\ITADMINSCO\AppData\Roaming\ASPackage
    C:\Users\ITADMINSCO\AppData\Roaming\csdimedia
    C:\Users\ITADMINSCO\AppData\Roaming\System Healer
    C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASPackage
    C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpaceSoundPro 1.0
    C:\Users\ITADMINSCO\AppData\Roaming\Zamdom.bin
    C:\Users\ITADMINSCO\AppData\Roaming\agent.dat
    C:\Users\ITADMINSCO\AppData\Roaming\Unolax.tst
    C:\Users\ITADMINSCO\AppData\Roaming\noah.dat
    C:\Users\ITADMINSCO\AppData\Roaming\Config.xml
    C:\Users\ITADMINSCO\AppData\Roaming\Main.dat
    C:\Users\ITADMINSCO\AppData\Roaming\md.xml
    C:\Users\ITADMINSCO\AppData\Roaming\OzerFax.bin
    C:\Users\ITADMINSCO\AppData\Roaming\lobby.dat
    C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.tst
    C:\Users\ITADMINSCO\AppData\Roaming\ApplicationHosting.dat
    C:\Users\ITADMINSCO\AppData\Roaming\Unolax.exe
    C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.exe
    C:\Users\ITADMINSCO\AppData\Roaming\Installer.dat
    C:\Users\ITADMINSCO\AppData\Roaming\InstallationConfiguration.xml
    C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1
    C:\WINDOWS\system32\drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys
    C:\Windows\System32\DRIVERS\MPCKpt.sys
    
    EmptyTemp:
    
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Your next reply(ies) should include:
  • Answer to my question about the ownership of the computer;
  • Confirmation that you uninstalled one Antivirus (Sophos Anti-Virus suggested) and kept the other;
  • Confirmation that you uninstalled the programs listed above (if not, let me know which ones);
  • Copy/pasted content of the FRST fixlog.txt;
  • Copy/pasted content of JRT.txt;
  • Copy/pasted content of the AdwCleaner clean log;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
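As an added example (not FRST's own code, and not something posted in this thread), the following Python script applies the kind of triage the fixlist above reflects to FRST-style scan lines: unsigned services running from ProgramData, Temp or .tmp files, 32-hex-character service and folder names, autorun entries with no publisher, scheduled tasks launching PowerShell with -ExecutionPolicy Bypass or -EncodedCommand or a hidden Wscript job, browser shortcuts given a URL argument, alternate data streams on driver files, and search settings pointing at an unknown host. The tag names and the search-engine allowlist are assumptions made for this example; the sample lines are copied from the scan above plus two constructed benign lines.

```python
"""Triage of FRST-style scan lines (added example, not FRST's or the thread's code)."""
import re
from typing import List, Tuple

# Heuristics behind the entries chosen for the fixlist above. Tag names and the
# search-engine allowlist are assumptions made for this example.
USER_WRITABLE = re.compile(r"\\(?:ProgramData|Users\\[^\\]+\\AppData|WINDOWS\\TEMP)\\", re.I)
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.I)         # MD5-looking service/folder names
RANDOM_EXE = re.compile(r"\\[A-Z0-9]{10}\.exe\b")     # e.g. 3YLRSC9H4W.exe
SERVICE = re.compile(r"^[RS][0-4] (\S+); (.+?) \[\d+ [\d-]+\] \((.*?)\)( \[File not signed\])?")
RUNKEY = re.compile(r"^HK(?:LM|U)[^:]*\\Run(?:Once)?: \[([^\]]*)\] => (.+?) \[\d+ [\d-]+\] \((.*?)\)")
URL = re.compile(r'h(?:xx|tt)ps?://([^/\s"]+)', re.I)  # FRST defangs http:// as hxxp://
SEARCH_ALLOW = {"www.google.com", "www.bing.com", "duckduckgo.com"}  # assumed allowlist


def classify(line: str) -> List[str]:
    """Return the reasons a single FRST line deserves a second look (empty if none)."""
    s = line.strip()
    reasons: List[str] = []
    if "<==== ATTENTION" in s:
        reasons.append("frst-attention")            # FRST's own marker
    m = SERVICE.match(s)
    if m:
        name, path, _publisher, unsigned = m.groups()
        # Unsigned binaries started as services from user-writable dirs or .tmp files
        if unsigned and (USER_WRITABLE.search(path) or path.lower().endswith(".tmp")):
            reasons.append("unsigned-service-suspicious-path")
        if HEX32.search(name) or HEX32.search(path):
            reasons.append("random-hex-name")
    m = RUNKEY.match(s)
    if m:
        _name, path, publisher = m.groups()
        # Autorun with no publisher, or a randomly named executable
        if not publisher.strip() or RANDOM_EXE.search(path):
            reasons.append("autorun-unknown-publisher")
    if s.startswith("Task:"):
        low = s.lower()
        if "powershell" in low and ("-encodedcommand" in low or "executionpolicy bypass" in low):
            reasons.append("task-powershell-bypass")
        if "wscript.exe //b" in low:                 # //B = batch mode, no UI
            reasons.append("task-hidden-script")
    if s.startswith("ShortcutWithArgument:") and URL.search(s):
        reasons.append("browser-shortcut-url-argument")
    if s.startswith("AlternateDataStreams:") and ".sys:" in s:
        reasons.append("ads-on-driver")
    if s.startswith(("CHR ", "SearchScopes:")):
        m = URL.search(s)
        if m and m.group(1).lower() not in SEARCH_ALLOW:
            reasons.append("browser-search-hijack")
    return reasons


def triage(lines) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line that triggered at least one heuristic."""
    out = []
    for line in lines:
        r = classify(line)
        if r:
            out.append((line, r))
    return out


# Constructed sample: lines copied from the scan quoted above, plus two benign
# lines (a SecurityHealth autorun and a Google search URL) made up for contrast.
SAMPLE_LINES = [
    r"HKLM\...\Run: [SpaceSoundPro] => C:\Program Files\SpaceSoundPro\SpaceSoundPro.exe [4203520 2015-08-03] (Space Sound Pro)",
    r"HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [YONB935EXP] => C:\Program Files (x86)\DPower\3YLRSC9H4W.exe [369664 2016-08-16] ()",
    r"R2 backlh; C:\ProgramData\Logic Handler\set.exe [2089472 2016-05-15] () [File not signed]",
    r"R2 4f8b56a88e2ba99e877afe20bb5faf2b; C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b\333bdc398b68b23342e4dddca708edd1.exe [4836864 2016-08-15] () [File not signed]",
    r"R1 b20db80117eb466dbd73f8ca5ea62fa2; C:\WINDOWS\system32\drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys [85088 2016-08-15] (HGEGTZ)",
    r"Task: {67371A6A-C44F-402C-B40F-A02663E3D0A0} - System32\Tasks\985e9dbcf040fb87870be4f1249a70cf => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1 <==== ATTENTION",
    r'Task: {DB4341F4-491C-4C1F-92CE-75998626FFB0} - System32\Tasks\SMW_UpdateTask_Time_323035383730323331352d415b343437414545785a5a6c => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION',
    r'ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a"',
    r"AlternateDataStreams: C:\WINDOWS\system32\Drivers\mpngokpr.sys:changelist [2882]",
    r"CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,",
    r"HKLM\...\Run: [SecurityHealth] => C:\WINDOWS\system32\SecurityHealthSystray.exe [1234 2016-01-01] (Microsoft Corporation)",  # constructed
    r"CHR DefaultSearchURL: Default -> hxxps://www.google.com/search?q={searchTerms}",  # constructed
]

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LINES):
        print(", ".join(reasons), "<-", line[:80])
```

Lines like the SpaceSoundPro autorun are not caught by these heuristics; they went into the fixlist because the product itself is known adware, which no path heuristic replaces.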


#6 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 17 August 2016 - 08:32 AM

Hi Yoan.

Have uninstalled all progs you listed - apart from:

Caster
DPower
Maxdrive updater
Spacesound
WIN

If I attempt to uninstall any of these, a further popup appears with: "Please wait until the current program is finished uninstalling or being changed."

This doesn't seem to complete.

A further browser window also opened with a warning that Zeus was on the hard drive and inviting me to call a number within five minutes to ensure the drive wasn't deleted. I have ignored this.

Therefore, for now, I haven't completed the other steps or removed Sophos for now.

Thanks in anticipation.



#7 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:40 AM

Posted 17 August 2016 - 08:34 AM

If you can't uninstall these programs, leave them be for now. We'll take care of them later on. You can continue with the next set of instructions :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 17 August 2016 - 09:17 AM

Hi. Did this and, following your above, got so far (sending this from an alternative PC):

  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

After which a window opened and advised the computer will now be restarted. It's still just advising 'restarting' but not going any further.

Shall I force it to shut down and restart, or remain patient and allow it to 'restart'? How long shall I wait though?

Thanks.



#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:40 AM

Posted 17 August 2016 - 09:57 AM

I would give it all the time it needs. Reason being you don't want to shut down a computer while there's activity on the hard drive (I/O operations), since you could damage your disk and render Windows unbootable. Even more so when there are a lot of deletions being done in the background right now by FRST.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 17 August 2016 - 10:03 AM

Hi. Computer restarted. Started fine too. Not sure if I should re-run FRST again or not. In the meantime, I've downloaded the adwcleaner and jrt in readiness.

 

Tks.



#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:40 AM

Posted 17 August 2016 - 10:04 AM

There's no need to run FRST again. Simply provide me the content of the fixlog.txt that appeared on your desktop when you get there in the instructions :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 17 August 2016 - 10:05 AM

I also tried to uninstall Sophos but wasn't able. It hasn't been updated since July 2015 and is 'redundant' so to speak.

 

By the way. I should clarify/confirm that yes, this laptop is mine.

 

Tks again.



#13 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 17 August 2016 - 10:07 AM

There was no fixlog. The popup just stated the laptop would restart and it did - eventually! :)

No sign of any log or .txt files.



#14 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 17 August 2016 - 10:22 AM

Just running ADW. Found the fixlog. Hadn't realized it had saved it to my desktop. :)



#15 tempsc

tempsc
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:04:40 AM

Posted 17 August 2016 - 11:05 AM

Hi Yoan.

OK. Here are the logs...

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 8.1 Pro with Media Center x64
Ran by itadminsco (Administrator) on Wed 08/17/2016 at 16:40:18.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 2

Failed to delete: C:\Program Files (x86)\mpc cleaner (Folder)
Successfully deleted: C:\ProgramData\Start Menu\Programs\mpc (Folder)

 

Registry: 1

Failed to delete: HKLM\SYSTEM\CurrentControlSet\services\MPCKpt (Registry Key)

 

 

FixLog

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-08-2016 01
Ran by itadminsco (17-08-2016 14:56:58) Run:1
Running from C:\Users\paul.watkins\Desktop
Loaded Profiles: itadminsco & Paul.Watkins (Available Profiles: itadminsco & Paul.Watkins & User & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

HKLM\...\Run: [SpaceSoundPro] => C:\Program Files\SpaceSoundPro\SpaceSoundPro.exe [4203520 2015-08-03] (Space Sound Pro)
HKLM-x32\...\Run: [DiskPower] => C:\Program Files (x86)\DPower\DiskPower.exe [210432 2016-07-21] ()
HKLM-x32\...\Run: [win_en_77] => C:\Program Files (x86)\win_en_77\win_en_77.exe [4065792 2016-07-22] ()
HKLM\...\RunOnce: [IDSCPRODUCT] => C:\Program Files (x86)\host\idscservice.exe [436224 2016-08-16] (20)
HKLM\...\RunOnce: [OMEWPRODUCT_NHNJU] => C:\Program Files (x86)\DPower\wemoservice.exe [322048 2016-08-16] (8p)
HKLM-x32\...\RunOnce: [Update] => C:\Users\ITADMINSCO\AppData\Roaming\ASPackage\ASPackage.exe [615693 2016-08-16] ()
HKLM-x32\...\RunOnce: [GrpConv] => grpconv -o
Winlogon\Notify\ScCertProp: wlnotify.dll [X]
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [Caster] => C:\Program Files (x86)\host\wizzcaster.exe [179200 2016-08-16] (HHJJKd)
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [YONB935EXP] => C:\Program Files (x86)\DPower\3YLRSC9H4W.exe [369664 2016-08-16] ()
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\...\Run: [9B31BTPQIF] => C:\Program Files (x86)\DPower\4SO5PN0GCP.exe [369664 2016-08-16] ()
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\...\Run: [] => [X]
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL => No File
AppInit_DLLs-x32: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL => No File

HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www-searching.com/?pid=s&s=G8Gztutbl11AU,b6b7c8ca-4dda-4cb1-82d0-674610ffa513,&vp=ch&prd=set_ie
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-20419 -> {80088DC4-C53C-4DCA-A84E-5D2ED0EC00FE} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-20419 -> {DA4712A9-9845-46B5-B6FE-A537EAD6C954} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=G8Gztutbl11AU,b6b7c8ca-4dda-4cb1-82d0-674610ffa513,
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485 -> DefaultScope {9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10} URL =
SearchScopes: HKU\S-1-5-21-1486891537-2021946215-1446339652-35485 -> {9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10} URL =

CHR HomePage: Default -> hxxp://www-searching.com/?pid=s&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
CHR StartupUrls: Default -> "hxxp://www-searching.com/?pid=s&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,"
CHR DefaultSearchURL: Default -> hxxp://www-searching.com/search.aspx?site=shdefault1&prd=smw&pid=s&shr=d&q={searchTerms}&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b,
CHR DefaultSearchKeyword: Default -> www-searching.com
CHR DefaultSuggestURL: Default -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}

R2 4f8b56a88e2ba99e877afe20bb5faf2b; C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b\333bdc398b68b23342e4dddca708edd1.exe [4836864 2016-08-15] () [File not signed]
R2 backlh; C:\ProgramData\Logic Handler\set.exe [2089472 2016-05-15] () [File not signed]
S2 CloudPrinter; C:\ProgramData\\CloudPrinter\\CloudPrinter.exe [872960 2016-08-16] () [File not signed]
R2 dowidoly; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\jnsz4140.tmp [244224 2016-08-16] () [File not signed]
S2 Holdtam; C:\ProgramData\\Holdtam\\Holdtam.exe [872960 2016-08-16] () [File not signed]
R2 MPCProtectService; C:\Program Files (x86)\MPC Cleaner\MPCProtectService.exe [350688 2016-08-16] (DotC United Inc)
R2 rijufoze; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\hnsk5BCE.tmp [138240 2016-08-16] () [File not signed]
R2 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe [3109888 2016-08-16] (Search Module Ltd.) [File not signed]
R2 zigipyro; C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332\qnsd363B.tmp [158720 2015-12-26] () [File not signed]
S4 0270031429081847mcinstcleanup; C:\WINDOWS\TEMP\027003~1.EXE -cleanup -nolog [X]
R2 deciqyguzbt; C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332\knsn17DB.tmpfs [X]
S4 McMPFSvc; "C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
S4 swi_filter; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_filter.exe" [X]
R1 b20db80117eb466dbd73f8ca5ea62fa2; C:\WINDOWS\system32\drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys [85088 2016-08-15] (HGEGTZ)
R1 MPCKpt; C:\Windows\System32\DRIVERS\MPCKpt.sys [60136 2016-08-16] (DotC United Inc)
R3 SMUpdd; C:\Program Files\Common Files\Noobzo\GNUpdate\smw.sys [52992 2016-08-16] ()

Task: {4C8F23D2-E7DC-49A0-A424-22A0695AC52C} - System32\Tasks\MAXDriverUpdater_UPDATES => C:\Program Files (x86)\Max Driver Updater\maxdu.exe [2015-07-06] (csdimedia.com) <==== ATTENTION
Task: {4E977BB8-1383-4F83-97B7-34F857C85D94} - System32\Tasks\System Healer Task => C:\Program Files (x86)\SystemHealer\RescueMonitor.exe [2016-06-28] () <==== ATTENTION
Task: {57A5CF6E-9189-4F21-AFEC-D94205F7D329} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {67371A6A-C44F-402C-B40F-A02663E3D0A0} - System32\Tasks\985e9dbcf040fb87870be4f1249a70cf => powershell.exe -NoProfile -NoLogo -NonInteractive -ExecutionPolicy Bypass -File C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1 <==== ATTENTION
Task: {6B6E2EBA-F3CC-4DA8-ADDE-F03DCE369585} - System32\Tasks\{7E0A7E47-0A0B-7D05-7D11-7D097979117F} => powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -EncodedCommand OwA7ACAAOwAgADsAOwA7ACAAOwA7ACAAOwAgACAAIAAgACAAOwA7ADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQA9ACIAcwB0AG8AcAAiADsAJABzAGMAPQAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAVwBhAHIAbgBpAG4A (the data entry has 9988 more characters). <==== ATTENTION
Task: {71B216BA-1E77-45B6-8388-346E2C1CF743} - System32\Tasks\SystemHealer Run Delay => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
Task: {8772CFF3-E8BB-4362-946B-6A1ABF6E094D} - System32\Tasks\SystemHealer Monitor => C:\Program Files (x86)\SystemHealer\HealerConsole.exe [2016-06-28] () <==== ATTENTION
Task: {89603125-CCA6-42A5-99B7-FC15300D2228} - \updateTask -> No File <==== ATTENTION
Task: {8CBCC0A9-C3AB-4ED0-9F3A-017E8F7F90A6} - System32\Tasks\System HealerStartUp => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
Task: {8D530F62-812F-4958-8AA4-06E043DE562B} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2016-08-16] () <==== ATTENTION
Task: {BDC7F999-5B70-403A-83AF-6480FAC565EE} - System32\Tasks\MAXDriverUpdaterRunAtStartup => C:\Program Files (x86)\Max Driver Updater\maxdu.exe [2015-07-06] (csdimedia.com) <==== ATTENTION
Task: {D29CF350-1D07-4CB1-B54F-C148A316AD57} - System32\Tasks\System HealerPeriod => C:\Program Files (x86)\SystemHealer\SystemHealer.exe [2016-06-28] () <==== ATTENTION
Task: {DB4341F4-491C-4C1F-92CE-75998626FFB0} - System32\Tasks\SMW_UpdateTask_Time_323035383730323331352d415b343437414545785a5a6c => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: C:\WINDOWS\Tasks\MAXDriverUpdater_UPDATES.job => C:\Program Files (x86)\Max Driver Updater\maxdu.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\System HealerPeriod.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\System HealerStartUp.job => C:\Program Files (x86)\SystemHealer\SystemHealer.exe <==== ATTENTION

ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a"
ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a" --disable-quic
ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a" --disable-quic
ShortcutWithArgument: C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://safesurfs.net/?ssid=1471356562&a=1065788&src=sh&uuid=faec6250-8f21-4348-8c9a-4bb6ad541c9a"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b, --disable-quic
ShortcutWithArgument: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> hxxp://www%2dsearching.com/?prd=set_epc&s=G8Gztutbl10AU,df375322-78a9-49c0-8845-1edadfdc769b, --disable-quic

AlternateDataStreams: C:\WINDOWS\system32\Drivers\mpngokpr.sys:changelist [2882]
AlternateDataStreams: C:\WINDOWS\system32\Drivers\qxcutfjm.sys:changelist [4546]

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

REG: REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\0270031429081847mcinstcleanup" /f

C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b
C:\Program Files\Caster
C:\Program Files\SpaceSoundPro
C:\Program Files\Common Files\Noobzo
C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332
C:\Program Files (x86)\CleanBrowser
C:\Program Files (x86)\DPower
C:\Program Files (x86)\host
C:\Program Files (x86)\Max Driver Updater
C:\Program Files (x86)\MPC Cleaner
C:\Program Files (x86)\SystemHealer
C:\Program Files (x86)\win_en_77
C:\ProgramData\5fc53bb7-5ba7-1
C:\ProgramData\CloudPrinter
C:\ProgramData\Holdtam
C:\ProgramData\Logic Handler
C:\ProgramData\SearchModule
C:\ProgramData\ZXPS3
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Driver Updater
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer
C:\ProgramData\smp2.exe
C:\Users\Public\Desktop\Max Driver Updater.lnk
C:\Users\ITADMINSCO\Desktop\SpaceSoundPro.lnk
C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332
C:\Users\ITADMINSCO\AppData\Roaming\ASPackage
C:\Users\ITADMINSCO\AppData\Roaming\csdimedia
C:\Users\ITADMINSCO\AppData\Roaming\System Healer
C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASPackage
C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpaceSoundPro 1.0
C:\Users\ITADMINSCO\AppData\Roaming\Zamdom.bin
C:\Users\ITADMINSCO\AppData\Roaming\agent.dat
C:\Users\ITADMINSCO\AppData\Roaming\Unolax.tst
C:\Users\ITADMINSCO\AppData\Roaming\noah.dat
C:\Users\ITADMINSCO\AppData\Roaming\Config.xml
C:\Users\ITADMINSCO\AppData\Roaming\Main.dat
C:\Users\ITADMINSCO\AppData\Roaming\md.xml
C:\Users\ITADMINSCO\AppData\Roaming\OzerFax.bin
C:\Users\ITADMINSCO\AppData\Roaming\lobby.dat
C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.tst
C:\Users\ITADMINSCO\AppData\Roaming\ApplicationHosting.dat
C:\Users\ITADMINSCO\AppData\Roaming\Unolax.exe
C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.exe
C:\Users\ITADMINSCO\AppData\Roaming\Installer.dat
C:\Users\ITADMINSCO\AppData\Roaming\InstallationConfiguration.xml
C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1
C:\WINDOWS\system32\drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys
C:\Windows\System32\DRIVERS\MPCKpt.sys

EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SpaceSoundPro => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\DiskPower => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\win_en_77 => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\IDSCPRODUCT => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\\OMEWPRODUCT_NHNJU => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Update => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\GrpConv => value removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp" => key removed successfully
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Windows\CurrentVersion\Run\\Caster => value removed successfully
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Windows\CurrentVersion\Run\\YONB935EXP => value removed successfully
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Windows\CurrentVersion\Run\\9B31BTPQIF => value removed successfully
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL" => Value data removed successfully.
"C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL" => Value data removed successfully.
HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{80088DC4-C53C-4DCA-A84E-5D2ED0EC00FE}" => key removed successfully
HKCR\CLSID\{80088DC4-C53C-4DCA-A84E-5D2ED0EC00FE} => key not found.
"HKU\S-1-5-21-1486891537-2021946215-1446339652-20419\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DA4712A9-9845-46B5-B6FE-A537EAD6C954}" => key removed successfully
HKCR\CLSID\{DA4712A9-9845-46B5-B6FE-A537EAD6C954} => key not found.
HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-1486891537-2021946215-1446339652-35485\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10}" => key removed successfully
HKCR\CLSID\{9808A4C3-81A0-4AF9-A8EF-B7D32ED49D10} => key not found.
Chrome HomePage => not found.
Chrome StartupUrls => not found.
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
Chrome DefaultSuggestURL => not found.
4f8b56a88e2ba99e877afe20bb5faf2b => service not found.
backlh => service removed successfully
CloudPrinter => service removed successfully
dowidoly => service removed successfully
Holdtam => service not found.
MPCProtectService => Unable to stop service.
MPCProtectService => service could not remove
rijufoze => service removed successfully
SMUpd => service not found.
zigipyro => service not found.
0270031429081847mcinstcleanup => service removed successfully
deciqyguzbt => service removed successfully
McMPFSvc => service removed successfully
swi_filter => service removed successfully
b20db80117eb466dbd73f8ca5ea62fa2 => service not found.
MPCKpt => Unable to stop service.
MPCKpt => service could not remove
SMUpdd => service not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4C8F23D2-E7DC-49A0-A424-22A0695AC52C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C8F23D2-E7DC-49A0-A424-22A0695AC52C}" => key removed successfully
C:\WINDOWS\System32\Tasks\MAXDriverUpdater_UPDATES => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MAXDriverUpdater_UPDATES" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4E977BB8-1383-4F83-97B7-34F857C85D94}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4E977BB8-1383-4F83-97B7-34F857C85D94}" => key removed successfully
C:\WINDOWS\System32\Tasks\System Healer Task => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System Healer Task" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{57A5CF6E-9189-4F21-AFEC-D94205F7D329}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{57A5CF6E-9189-4F21-AFEC-D94205F7D329}" => key removed successfully
C:\WINDOWS\System32\Tasks\SystemToolsDailyTest => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemToolsDailyTest" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{67371A6A-C44F-402C-B40F-A02663E3D0A0} => key not found.
C:\WINDOWS\System32\Tasks\985e9dbcf040fb87870be4f1249a70cf => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\985e9dbcf040fb87870be4f1249a70cf => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6B6E2EBA-F3CC-4DA8-ADDE-F03DCE369585}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B6E2EBA-F3CC-4DA8-ADDE-F03DCE369585}" => key removed successfully
C:\WINDOWS\System32\Tasks\{7E0A7E47-0A0B-7D05-7D11-7D097979117F} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{7E0A7E47-0A0B-7D05-7D11-7D097979117F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{71B216BA-1E77-45B6-8388-346E2C1CF743}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{71B216BA-1E77-45B6-8388-346E2C1CF743}" => key removed successfully
C:\WINDOWS\System32\Tasks\SystemHealer Run Delay => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Run Delay" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8772CFF3-E8BB-4362-946B-6A1ABF6E094D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8772CFF3-E8BB-4362-946B-6A1ABF6E094D}" => key removed successfully
C:\WINDOWS\System32\Tasks\SystemHealer Monitor => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SystemHealer Monitor" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{89603125-CCA6-42A5-99B7-FC15300D2228}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{89603125-CCA6-42A5-99B7-FC15300D2228}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\updateTask" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8CBCC0A9-C3AB-4ED0-9F3A-017E8F7F90A6}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CBCC0A9-C3AB-4ED0-9F3A-017E8F7F90A6}" => key removed successfully
C:\WINDOWS\System32\Tasks\System HealerStartUp => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerStartUp" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8D530F62-812F-4958-8AA4-06E043DE562B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8D530F62-812F-4958-8AA4-06E043DE562B}" => key removed successfully
C:\WINDOWS\System32\Tasks\SMW_P => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_P" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BDC7F999-5B70-403A-83AF-6480FAC565EE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BDC7F999-5B70-403A-83AF-6480FAC565EE}" => key removed successfully
C:\WINDOWS\System32\Tasks\MAXDriverUpdaterRunAtStartup => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MAXDriverUpdaterRunAtStartup" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D29CF350-1D07-4CB1-B54F-C148A316AD57}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D29CF350-1D07-4CB1-B54F-C148A316AD57}" => key removed successfully
C:\WINDOWS\System32\Tasks\System HealerPeriod => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\System HealerPeriod" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DB4341F4-491C-4C1F-92CE-75998626FFB0} => key not found.
C:\WINDOWS\System32\Tasks\SMW_UpdateTask_Time_323035383730323331352d415b343437414545785a5a6c => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_UpdateTask_Time_323035383730323331352d415b343437414545785a5a6c => key not found.
C:\WINDOWS\Tasks\MAXDriverUpdater_UPDATES.job => moved successfully
C:\WINDOWS\Tasks\System HealerPeriod.job => moved successfully
C:\WINDOWS\Tasks\System HealerStartUp.job => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk => Shortcut argument removed successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk => Shortcut argument removed successfully.
C:\Users\Public\Desktop\Google Chrome.lnk => Shortcut argument removed successfully.
C:\WINDOWS\system32\Drivers\mpngokpr.sys => ":changelist" ADS removed successfully.
C:\WINDOWS\system32\Drivers\qxcutfjm.sys => ":changelist" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SAVService" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc" => key removed successfully
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc" => key removed successfully

========= REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\0270031429081847mcinstcleanup" /f =========

The operation completed successfully.

========= End of Reg: =========

"C:\Program Files\4f8b56a88e2ba99e877afe20bb5faf2b" => not found.
C:\Program Files\Caster => moved successfully
C:\Program Files\SpaceSoundPro => moved successfully
C:\Program Files\Common Files\Noobzo => moved successfully
C:\Program Files (x86)\4C4C4544-1471357073-4210-804B-B4C04F443332 => moved successfully
C:\Program Files (x86)\CleanBrowser => moved successfully
C:\Program Files (x86)\DPower => moved successfully
C:\Program Files (x86)\host => moved successfully
C:\Program Files (x86)\Max Driver Updater => moved successfully

"C:\Program Files (x86)\MPC Cleaner" folder move:

Could not move "C:\Program Files (x86)\MPC Cleaner" => Scheduled to move on reboot.

C:\Program Files (x86)\SystemHealer => moved successfully
C:\Program Files (x86)\win_en_77 => moved successfully
C:\ProgramData\5fc53bb7-5ba7-1 => moved successfully
C:\ProgramData\CloudPrinter => moved successfully
"C:\ProgramData\Holdtam" => not found.
C:\ProgramData\Logic Handler => moved successfully
C:\ProgramData\SearchModule => moved successfully
C:\ProgramData\ZXPS3 => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Max Driver Updater => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer" => not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Healer => moved successfully
C:\ProgramData\smp2.exe => moved successfully
C:\Users\Public\Desktop\Max Driver Updater.lnk => moved successfully
C:\Users\ITADMINSCO\Desktop\SpaceSoundPro.lnk => moved successfully
"C:\Users\ITADMINSCO\AppData\Local\4C4C4544-1471360955-4210-804B-B4C04F443332" => not found.
"C:\Users\ITADMINSCO\AppData\Roaming\ASPackage" => not found.
C:\Users\ITADMINSCO\AppData\Roaming\csdimedia => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\System Healer => moved successfully
"C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ASPackage" => not found.
C:\Users\ITADMINSCO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpaceSoundPro 1.0 => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Zamdom.bin => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\agent.dat => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Unolax.tst => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\noah.dat => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Config.xml => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Main.dat => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\md.xml => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\OzerFax.bin => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\lobby.dat => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.tst => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\ApplicationHosting.dat => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Unolax.exe => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Dentodox.exe => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\Installer.dat => moved successfully
C:\Users\ITADMINSCO\AppData\Roaming\InstallationConfiguration.xml => moved successfully
"C:\WINDOWS\985e9dbcf040fb87870be4f1249a70cf.ps1" => not found.
"C:\WINDOWS\system32\drivers\b20db80117eb466dbd73f8ca5ea62fa2.sys" => not found.
Could not move "C:\Windows\System32\DRIVERS\MPCKpt.sys" => Scheduled to move on reboot.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6330380 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 50442472 B
Edge => 0 B
Chrome => 21437270 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 173682 B
systemprofile32 => 0 B
LocalService => 877464 B
NetworkService => 4631203978 B
PaulKennedy => 126659036 B
Administrator.SURVIVALCRAFT => 8172327 B
ITADMINSCO => 94935090 B
paul.watkins => 1090929949 B
administrator.RFDBEAUFORT => 4167520 B
User => 21665489 B
Administrator => 1961 B

RecycleBin => 0 B
EmptyTemp: => 5.6 GB temporary data Removed.

================================

ADW

(For some reason or another I can't copy and paste the logs so have attached them as files for your review.) Hope that is OK.

Thanks again.