Infected with Poweliks?


This topic is locked. 13 replies to this topic.

#1 bwv848 (Bleepin' Owl, BSOD Kernel Dump Expert)

Posted 03 November 2016 - 04:47 PM

Greetings, MRT,

Today, I decided to scan with RogueKiller, just to make sure everything on my system was fine. Apparently, RogueKiller found 24 threats, but during the scan, it was mysteriously terminated. (Some of the threats were false positives, related to my stupid Lexmark printer.) I tried three more times, and on the final time, I realized that Microsoft Security Essentials had detected and quarantined three instances of Behavior:Win32/Powessere.D. That led me to think that RogueKiller found Powessere.D on the system, and Microsoft Security Essentials ended its process because it started opening Powessere.D-related registry keys.

I, after daily reading of the Malware Removal logs section, recognized it as Poweliks immediately. Obviously, that was very concerning, and I went to download ESET's Poweliks Cleaner. It did in fact find Poweliks on my system, as you can see in the ESET log attached.

My FRST logs are below. Some things to note: all those HKLM Group Policy restriction on software are caused by CryptoPrevent, and this task was created by me after disabling vssadmin.exe:
Task: {C3628E35-847E-4CB2-8A02-660DDDA41E74} - System32\Tasks\WMIC Restore Point Creation => C:\Windows\System32\wbem\WMIC.exe [2009-07-13] (Microsoft Corporation) <==== ATTENTION

If anyone could take a look at my FRST logs, that would be great.

Thanks!

P.S. FRST somehow went in an endless loop of closing and updating and closing and updating and closing and updating, so I used GlassWire to block it from accessing the internet. So really it's up to date.

P.P.S. Here's Speccy.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 03-11-2016
Ran by penguins (administrator) on TIGER (03-11-2016 17:29:04)
Running from C:\Users\bears\Desktop
Loaded Profiles: bears & penguins (Available Profiles: bears & cats & penguins)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
() C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
( ) C:\Windows\System32\lxdxcoms.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Ransomware\MB3Service.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Panda Security) C:\Program Files (x86)\Panda USB Vaccine\USBVaccine.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
(TomTom) C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe
(Ruiware LLC) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GlassWire.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TabletUser.exe
(Wacom Technology) C:\Program Files\Tablet\Pen\WacomHost.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\Pen_Tablet.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 5.5\EMET_Service.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA HDD SSD Alert\TosSENotify.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 5.5\EMET_Agent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TECO\TecoService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [590256 2011-09-23] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710560 2011-11-25] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38824 2011-06-28] (TOSHIBA Corporation)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597936 2011-07-27] (TOSHIBA Corporation)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1548208 2011-11-24] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [989056 2011-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2867984 2011-12-22] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [12446824 2012-01-31] (Realtek Semiconductor)
HKLM\...\Run: [lxdxmon.exe] => C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe [672424 2010-02-04] ()
HKLM\...\Run: [Malwarebytes Anti-Ransomware] => C:\Program Files\Malwarebytes\Anti-Ransomware\mbarw.exe [722896 2016-08-26] (Malwarebytes)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1354712 2016-08-30] (Microsoft Corporation)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9099440 2016-10-27] (AVAST Software)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-05] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKLM\...\RunOnce: [*CryptoPrevent Test] => cmd /c start "" "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPrevent.exe" /test
HKLM-x32\...\RunOnce: [20161024] => "C:\Program Files\AVAST Software\Avast\aswRunDll.exe" "C:\Program Files\AVAST Software\Avast\2fe8fa08-7b9a-40d0-8ff5-95cf14dd98ab\87770b16-8666-43ec-bd9d-90da433358b2.dll",_stage2@16
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.js <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.js <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.js <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.js <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.js <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.bat <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.jse <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.bat <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.js <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.jse <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.bat <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.cmd <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\ilinker\iupdate.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\ilinker\iupdate.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\ilinker\iupdate.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\ilinker\iupdate.exe <====== ATTENTION
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\...\Run: [OpenDNS Updater] => C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe [839680 2010-06-16] ()
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\...\Run: [TomTomHOME.exe] => C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe [255224 2016-07-14] (TomTom)
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1163264 2015-03-30] (Ruiware LLC)
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\GlassWire.exe [5738960 2016-08-31] (SecureMix LLC)
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\...\MountPoints2: {4125f45e-304d-11e6-b636-00266c179037} - F:\iLinker.exe
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Ribbons.scr [241664 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-21-1931112885-1466219482-269765937-1034\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1163264 2015-03-30] (Ruiware LLC)
HKU\S-1-5-21-1931112885-1466219482-269765937-1034\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [5738960 2016-08-31] (SecureMix LLC)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-08-31] (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{8E5F9E3C-DFC6-4767-99B9-15ACC3A5105A}: [NameServer] 208.67.222.222,208.67.220.220
Tcpip\..\Interfaces\{8E5F9E3C-DFC6-4767-99B9-15ACC3A5105A}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.ixquick.com
HKU\S-1-5-21-1931112885-1466219482-269765937-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://start.toshiba.com
HKU\S-1-5-21-1931112885-1466219482-269765937-1034\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE12&ocid=UE12DHP
HKU\S-1-5-21-1931112885-1466219482-269765937-1034\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://start.toshiba.com
SearchScopes: HKLM -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNP
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNP
SearchScopes: HKU\S-1-5-21-1931112885-1466219482-269765937-1000 -> {A8E319AF-72A8-4198-BCBE-1E85BA89BC5B} URL = hxxp://www.youtube.com/results?search_query={searchTerms}
SearchScopes: HKU\S-1-5-21-1931112885-1466219482-269765937-1000 -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL =
SearchScopes: HKU\S-1-5-21-1931112885-1466219482-269765937-1034 -> {80BDF40A-3E65-4CF4-A77B-B0F5961A9807} URL = hxxp://www.google.com/search?sourceid=ie9&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNP
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-10-24] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-29] (Microsoft Corp.)
BHO: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\x64\TOSHIBAMediaControllerIE.dll [2012-08-24] (TOSHIBA Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2013-08-13] (Adblock Plus)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-10-18] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-10-24] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-10-18] (Oracle Corporation)
BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll [2012-08-24] (TOSHIBA Corporation)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2013-08-13] (Adblock Plus)
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL [1999-02-03] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-07-22] (Skype Technologies)

FireFox:
========
FF DefaultProfile: iip8d43w.default
FF ProfilePath: C:\Users\penguins\AppData\Roaming\Mozilla\Firefox\Profiles\iip8d43w.default [2016-10-31]
FF Homepage: Mozilla\Firefox\Profiles\iip8d43w.default -> ixquick.eu
FF Extension: (Self-Destructing Cookies) - C:\Users\penguins\AppData\Roaming\Mozilla\Firefox\Profiles\iip8d43w.default\Extensions\jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack.xpi [2016-08-10]
FF Extension: (Private Tab) - C:\Users\penguins\AppData\Roaming\Mozilla\Firefox\Profiles\iip8d43w.default\Extensions\privateTab@infocatcher.xpi [2016-08-10]
FF Extension: (Adblock Plus) - C:\Users\penguins\AppData\Roaming\Mozilla\Firefox\Profiles\iip8d43w.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-09]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-08-31]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_23_0_0_205.dll [2016-10-26] ()
FF Plugin: @java.com/DTPlugin,version=10.40.2 -> C:\windows\system32\npDeployJava1.dll [2013-10-08] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.3 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2012-12-24] (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_205.dll [2016-10-26] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2014-01-06] (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-01-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-18] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-18] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.3 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2012-12-24] (Wacom)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1931112885-1466219482-269765937-1034: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2012-12-24] (Wacom)

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-08-31] (AVAST Software)
R2 EMET_Service; C:\Program Files (x86)\EMET 5.5\EMET_Service.exe [33960 2016-01-29] (Microsoft Corporation)
S3 fussvc; C:\Program Files (x86)\Windows Kits\8.1\App Certification Kit\fussvc.exe [143872 2014-10-24] (Microsoft Corporation) [File not signed]
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [4366288 2016-08-31] (SecureMix LLC)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128280 2012-01-20] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-01-20] (Intel Corporation)
S3 lxdxCATSCustConnectService; C:\windows\system32\spool\DRIVERS\x64\3\\lxdxserv.exe [29184 2009-10-16] (Lexmark International, Inc.)
R2 lxdx_device; C:\windows\system32\lxdxcoms.exe [1039872 2009-10-16] ( )
R2 lxdx_device; C:\windows\SysWOW64\lxdxcoms.exe [589824 2009-10-16] ( )
R2 MB3Service; C:\Program Files\Malwarebytes\Anti-Ransomware\MB3Service.exe [3291088 2016-08-26] (Malwarebytes)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [120888 2016-08-30] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-08-30] (Microsoft Corporation)
S3 Te.Service; C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [122368 2015-02-26] (Microsoft Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 WTabletServiceCon; C:\Program Files\Tablet\Pen\WTabletServiceCon.exe [627992 2014-01-13] (Wacom Technology, Corp.)
S4 OAcat; "C:\Program Files (x86)\Online Armor\OAcat.exe" [X]
S3 SvcOnlineArmor; C:\Program Files (x86)\Online Armor\oasrv.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 aswHwid; C:\windows\system32\drivers\aswHwid.sys [37656 2016-08-31] (AVAST Software)
R1 aswKbd; C:\windows\system32\drivers\aswKbd.sys [37144 2016-08-31] (AVAST Software)
R2 aswMonFlt; C:\windows\system32\drivers\aswMonFlt.sys [108816 2016-08-31] (AVAST Software)
R1 aswRdr; C:\windows\system32\drivers\aswRdr2.sys [103064 2016-08-31] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-08-31] (AVAST Software)
R1 aswSnx; C:\windows\system32\drivers\aswSnx.sys [969184 2016-09-13] (AVAST Software)
R1 aswSP; C:\windows\system32\drivers\aswSP.sys [513632 2016-09-22] (AVAST Software)
R2 aswStm; C:\windows\system32\drivers\aswStm.sys [163416 2016-08-31] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [293352 2016-10-13] (AVAST Software)
S3 ebdrv; C:\windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 epp; C:\EEK\bin64\epp.sys [116944 2016-06-30] (Emsisoft Ltd)
R1 gwdrv; C:\windows\System32\DRIVERS\gwdrv.sys [33248 2015-05-29] (SecureMix LLC)
R0 MB3SwissArmy; C:\windows\System32\drivers\MB3SwissArmy.sys [228800 2016-11-03] (Malwarebytes)
S3 mbamchameleon; C:\windows\system32\drivers\mbamchameleon.sys [140672 2016-10-05] (Malwarebytes)
R3 MBAMFarflt; C:\windows\system32\drivers\farflt.sys [91072 2016-11-03] (Malwarebytes)
R0 MBRFilter; C:\windows\System32\DRIVERS\MBRFilter.sys [19600 2016-10-20] ()
R0 MpFilter; C:\windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
S3 NisDrv; C:\windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R1 OADevice; C:\windows\SysWow64\Drivers\OADriver.sys [64720 2013-10-16] ()
R1 oahlpXX; C:\windows\syswow64\drivers\oahlp64.sys [62008 2013-10-16] ()
R1 OAmon; C:\windows\SysWOW64\Drivers\OAmon.sys [52360 2013-10-16] (Emsisoft)
R3 OAnet; C:\windows\System32\DRIVERS\oanet.sys [35368 2013-10-16] (Emsisoft)
R3 RTWlanE; C:\windows\System32\DRIVERS\rtwlane.sys [1514568 2013-05-02] (Realtek Semiconductor Corporation                           )
R3 SmbDrv; C:\windows\System32\DRIVERS\Smb_driver.sys [21264 2011-12-22] (Synaptics Incorporated)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2016-11-03] ()
S3 USBTINSP; C:\windows\System32\DRIVERS\tinspusb.sys [142848 2016-07-21] (Texas Instruments)
R3 WirelessKeyboardFilter; C:\windows\System32\DRIVERS\WirelessKeyboardFilter.sys [49896 2016-07-22] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-03 17:29 - 2016-11-03 17:29 - 00049325 _____ C:\Users\bears\Desktop\FRST.txt
2016-11-03 17:17 - 2016-11-03 17:29 - 00000000 ____D C:\FRST
2016-11-03 17:17 - 2016-11-03 17:28 - 02409984 _____ (Farbar) C:\Users\bears\Desktop\FRST64.exe
2016-11-03 17:17 - 2016-11-03 17:28 - 00000000 ____D C:\Users\bears\Desktop\FRST-OlderVersion
2016-11-03 16:42 - 2016-11-03 16:42 - 00000022 _____ C:\Users\bears\Downloads\ESETPoweliksCleaner.exe_20161103.164230.6076.zip
2016-11-03 16:42 - 2016-11-03 16:42 - 00000022 _____ C:\Users\bears\Downloads\ESETPoweliksCleaner.exe_20161103.164224.3724.zip
2016-11-03 16:40 - 2016-11-03 16:36 - 00000022 _____ C:\Users\bears\Desktop\ESETPoweliksCleaner.exe_20161103.163625.6556 - Copy.zip
2016-11-03 16:36 - 2016-11-03 16:36 - 00000022 _____ C:\Users\bears\Downloads\ESETPoweliksCleaner.exe_20161103.163625.6556.zip
2016-11-03 16:34 - 2016-11-03 16:35 - 00224968 _____ (ESET) C:\Users\bears\Downloads\ESETPoweliksCleaner.exe
2016-11-03 14:47 - 2016-11-03 15:42 - 00028272 _____ C:\windows\system32\Drivers\TrueSight.sys
2016-11-03 14:46 - 2016-11-03 14:46 - 00000000 ____D C:\ProgramData\RogueKiller
2016-11-03 14:46 - 2016-11-03 14:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-11-03 14:46 - 2016-11-03 14:46 - 00000000 ____D C:\Program Files\RogueKiller
2016-11-02 22:44 - 2016-11-02 22:45 - 00218108 _____ C:\TDSSKiller.3.1.0.11_02.11.2016_22.44.55_log.txt
2016-11-02 22:33 - 2016-11-02 22:33 - 00000000 ____D C:\Users\bears\Downloads\TCPView
2016-11-02 19:08 - 2016-11-02 19:08 - 04934543 _____ C:\Users\bears\Downloads\IMSLP69595-PMLP01489-Opus_111.pdf
2016-11-02 10:13 - 2016-11-02 10:13 - 00002782 _____ C:\windows\System32\Tasks\CCleanerSkipUAC
2016-11-01 15:36 - 2016-11-01 15:36 - 01109135 _____ C:\Users\bears\Downloads\Lecon 5.pptx
2016-11-01 09:29 - 2016-11-03 11:17 - 00000000 ____D C:\EEK
2016-10-31 21:31 - 2016-10-31 21:31 - 00724479 _____ C:\Users\bears\Downloads\tufts_hmo_2016.pdf
2016-10-31 16:26 - 2016-10-31 16:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-10-31 16:25 - 2016-10-31 16:26 - 00000000 ____D C:\Program Files\iTunes
2016-10-31 16:25 - 2016-10-31 16:25 - 00000000 ____D C:\Program Files\iPod
2016-10-27 23:04 - 2016-10-27 23:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foolish IT
2016-10-27 23:04 - 2016-10-27 23:04 - 00000000 ____D C:\Program Files (x86)\Foolish IT
2016-10-27 22:44 - 2016-10-27 23:04 - 00000000 ____D C:\ProgramData\Foolish IT
2016-10-27 22:44 - 2016-10-27 22:44 - 00053248 _____ C:\windows\SysWOW64\zlib.dll
2016-10-27 14:10 - 2016-10-27 14:10 - 00000000 ____D C:\Users\bears\AppData\Local\AvastSupport
2016-10-26 12:03 - 2016-10-26 12:03 - 00226215 _____ C:\Users\bears\Downloads\TempDoc923885525.pdf
2016-10-26 11:19 - 2016-10-26 11:19 - 00297201 _____ C:\Users\bears\Downloads\ALG2_Chapter_2_and_3_Exam.pdf
2016-10-25 19:28 - 2016-10-25 19:28 - 00772281 _____ C:\Users\bears\Downloads\16_Altus_Tufts-HMO-PediBenefit-MA.pdf
2016-10-24 22:42 - 2016-10-24 22:42 - 00006038 _____ C:\Users\bears\Downloads\my-ublock-backup_10_24_2016,_10_42_08_PM.txt
2016-10-23 19:07 - 2016-10-23 19:07 - 00000793 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-10-23 19:07 - 2016-10-23 19:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-10-23 19:07 - 2016-10-23 19:07 - 00000000 ____D C:\Program Files\CCleaner
2016-10-22 21:09 - 2016-10-22 21:09 - 00000000 ____D C:\Users\penguins\AppData\Roaming\abelhadigital.com
2016-10-22 18:15 - 2016-10-22 18:15 - 00457557 _____ C:\Users\bears\Downloads\CONTRACT_FOR_THE_VOTER.pdf
2016-10-21 14:37 - 2016-10-21 14:37 - 00000034 ____H C:\Users\bears\Downloads\.picasa.ini
2016-10-20 21:39 - 2016-10-23 19:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-10-19 17:37 - 2016-10-19 17:37 - 03910208 _____ C:\Users\bears\Downloads\adwcleaner_6.030.exe
2016-10-19 10:23 - 2016-09-15 10:56 - 00041984 _____ (Microsoft Corporation) C:\windows\system32\UtcResources.dll
2016-10-19 10:23 - 2016-09-13 11:37 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2016-10-19 10:23 - 2016-09-13 11:11 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2016-10-19 10:23 - 2016-09-09 14:20 - 00756736 _____ (Microsoft Corporation) C:\windows\system32\win32spl.dll
2016-10-19 10:23 - 2016-09-09 14:00 - 00497152 _____ (Microsoft Corporation) C:\windows\SysWOW64\win32spl.dll
2016-10-19 10:23 - 2016-08-22 12:19 - 01386496 _____ (Microsoft Corporation) C:\windows\system32\diagtrack.dll
2016-10-19 09:28 - 2016-10-19 09:28 - 00000000 ___RD C:\Users\bears\Documents\Scanned Documents
2016-10-19 09:28 - 2016-10-19 09:28 - 00000000 ____D C:\Users\bears\Documents\Fax
2016-10-18 17:16 - 2016-10-18 17:16 - 00000254 _____ C:\Users\penguins\Desktop\output.txt
2016-10-18 14:57 - 2016-10-18 14:57 - 00000000 ____D C:\Users\penguins\AppData\Roaming\WTablet
2016-10-17 18:52 - 2016-10-17 18:52 - 00000000 ____D C:\Users\penguins\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MathType 4
2016-10-17 18:45 - 2016-10-17 18:45 - 00000000 ____D C:\Users\bears\AppData\Roaming\Design Science
2016-10-17 18:42 - 2016-10-17 18:52 - 00000000 ____D C:\Program Files (x86)\MathType
2016-10-16 22:10 - 2016-10-16 22:10 - 00000000 ____D C:\Users\cats\AppData\Roaming\Opera Software
2016-10-16 22:10 - 2016-10-16 22:10 - 00000000 ____D C:\Users\cats\AppData\Local\Opera Software
2016-10-16 22:09 - 2016-10-16 22:09 - 00000000 ____D C:\Users\cats\AppData\Roaming\WTablet
2016-10-16 17:36 - 2016-10-16 17:36 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wacom
2016-10-16 17:36 - 2016-10-16 17:36 - 00000000 ____D C:\Users\bears\AppData\Roaming\WTablet
2016-10-16 17:36 - 2016-10-16 17:36 - 00000000 ____D C:\Program Files\TabletPlugins
2016-10-16 17:36 - 2016-10-16 17:36 - 00000000 ____D C:\Program Files (x86)\TabletPlugins
2016-10-16 17:36 - 2014-01-13 12:24 - 01913624 _____ (Wacom Technology, Corp.) C:\windows\system32\Pen_Tablet.dll
2016-10-16 17:36 - 2014-01-13 12:24 - 01906968 _____ (Wacom Technology, Corp.) C:\windows\system32\Pen_Touch_Tablet.dll
2016-10-16 17:36 - 2014-01-13 12:24 - 01780504 _____ (Wacom Technology, Corp.) C:\windows\system32\WacomMT.dll
2016-10-16 17:36 - 2014-01-13 12:24 - 01778968 _____ (Wacom Technology, Corp.) C:\windows\system32\Wintab32.dll
2016-10-16 17:36 - 2014-01-13 12:24 - 01551640 _____ (Wacom Technology, Corp.) C:\windows\SysWOW64\Pen_Tablet.dll
2016-10-16 17:36 - 2014-01-13 12:24 - 01544472 _____ (Wacom Technology, Corp.) C:\windows\SysWOW64\Pen_Touch_Tablet.dll
2016-10-16 17:36 - 2014-01-13 12:24 - 01432344 _____ (Wacom Technology, Corp.) C:\windows\SysWOW64\WacomMT.dll
2016-10-16 17:36 - 2014-01-13 12:24 - 01428248 _____ (Wacom Technology, Corp.) C:\windows\SysWOW64\Wintab32.dll
2016-10-16 17:36 - 2013-11-11 20:16 - 00090424 _____ (Wacom Technology) C:\windows\system32\Drivers\wachidrouter.sys
2016-10-16 17:36 - 2013-11-11 20:16 - 00015160 _____ (Wacom Technology) C:\windows\system32\Drivers\wacomrouterfilter.sys
2016-10-15 19:19 - 2016-10-15 19:19 - 00001091 _____ C:\Users\bears\Desktop\MBAM.lnk
2016-10-15 18:57 - 2016-10-15 18:57 - 00000000 ____D C:\ProgramData\MindGems
2016-10-15 18:57 - 2016-10-15 18:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Folder Size
2016-10-15 18:57 - 2016-10-15 18:57 - 00000000 ____D C:\Program Files (x86)\Folder Size
2016-10-13 12:19 - 2016-10-13 12:19 - 00000000 ____D C:\SymCache
2016-10-13 11:53 - 2016-10-13 11:53 - 00000000 ____D C:\ProgramData\WindowsPerformanceRecorder
2016-10-13 11:28 - 2016-10-13 12:20 - 00000000 ____D C:\Users\bears\AppData\Local\Windows Performance Analyzer
2016-10-13 11:28 - 2016-10-13 11:52 - 00000000 ____D C:\Users\bears\Documents\WPA Files
2016-10-13 11:27 - 2016-10-13 11:27 - 00000000 ____D C:\ProgramData\Windows App Certification Kit
2016-10-13 11:26 - 2016-10-13 11:26 - 00000000 ____D C:\Program Files (x86)\Microsoft SDKs
2016-10-13 11:25 - 2016-10-13 11:25 - 00000000 ____D C:\Program Files\Application Verifier
2016-10-13 11:25 - 2016-10-13 11:25 - 00000000 ____D C:\Program Files (x86)\Application Verifier
2016-10-13 11:23 - 2016-10-13 11:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Kits
2016-10-13 11:21 - 2016-10-13 11:21 - 00000000 ____D C:\Program Files (x86)\Windows Kits
2016-10-12 10:06 - 2016-10-12 10:06 - 00000218 _____ C:\Users\bears\AppData\Local\recently-used.xbel
2016-10-12 09:40 - 2016-09-30 11:37 - 05548264 _____ (Microsoft Corporation) C:\windows\system32\ntoskrnl.exe
2016-10-12 09:40 - 2016-09-30 03:55 - 25765376 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2016-10-12 09:40 - 2016-09-30 02:25 - 02895360 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2016-10-12 09:40 - 2016-09-30 02:09 - 06048256 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2016-10-12 09:40 - 2016-09-30 01:47 - 20306944 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2016-10-12 09:40 - 2016-09-30 01:38 - 02286592 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2016-10-12 09:40 - 2016-09-30 01:21 - 15257088 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2016-10-12 09:40 - 2016-09-30 01:17 - 02920960 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2016-10-12 09:40 - 2016-09-30 01:12 - 04608512 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2016-10-12 09:40 - 2016-09-30 01:05 - 01544192 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2016-10-12 09:40 - 2016-09-30 01:03 - 13653504 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2016-10-12 09:40 - 2016-09-30 00:46 - 02444288 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2016-10-12 09:40 - 2016-09-30 00:43 - 01312768 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2016-10-12 09:40 - 2016-09-10 12:19 - 03649536 _____ (Microsoft Corporation) C:\windows\system32\MSVidCtl.dll
2016-10-12 09:39 - 2016-09-30 16:13 - 00394448 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2016-10-12 09:39 - 2016-09-30 15:28 - 00346312 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2016-10-12 09:39 - 2016-09-30 11:20 - 04000488 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntkrnlpa.exe
2016-10-12 09:39 - 2016-09-30 11:20 - 03944680 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntoskrnl.exe
2016-10-12 09:39 - 2016-09-30 02:41 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2016-10-12 09:39 - 2016-09-30 02:40 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2016-10-12 09:39 - 2016-09-30 02:26 - 00066560 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2016-10-12 09:39 - 2016-09-30 02:25 - 00576000 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2016-10-12 09:39 - 2016-09-30 02:25 - 00417792 _____ (Microsoft Corporation) C:\windows\system32\html.iec
2016-10-12 09:39 - 2016-09-30 02:25 - 00088064 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2016-10-12 09:39 - 2016-09-30 02:25 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2016-10-12 09:39 - 2016-09-30 02:18 - 00054784 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2016-10-12 09:39 - 2016-09-30 02:17 - 00034304 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2016-10-12 09:39 - 2016-09-30 02:14 - 00615936 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2016-10-12 09:39 - 2016-09-30 02:13 - 00144384 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2016-10-12 09:39 - 2016-09-30 02:13 - 00114688 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2016-10-12 09:39 - 2016-09-30 02:12 - 00817664 _____ (Microsoft Corporation) C:\windows\system32\jscript.dll
2016-10-12 09:39 - 2016-09-30 02:12 - 00814080 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2016-10-12 09:39 - 2016-09-30 02:05 - 00968704 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2016-10-12 09:39 - 2016-09-30 02:02 - 00489984 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2016-10-12 09:39 - 2016-09-30 01:55 - 00077824 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2016-10-12 09:39 - 2016-09-30 01:54 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2016-10-12 09:39 - 2016-09-30 01:54 - 00107520 _____ (Microsoft Corporation) C:\windows\system32\inseng.dll
2016-10-12 09:39 - 2016-09-30 01:51 - 00199680 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2016-10-12 09:39 - 2016-09-30 01:50 - 00092160 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2016-10-12 09:39 - 2016-09-30 01:47 - 00315392 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2016-10-12 09:39 - 2016-09-30 01:46 - 00152064 _____ (Microsoft Corporation) C:\windows\system32\occache.dll
2016-10-12 09:39 - 2016-09-30 01:42 - 00498688 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2016-10-12 09:39 - 2016-09-30 01:42 - 00341504 _____ (Microsoft Corporation) C:\windows\SysWOW64\html.iec
2016-10-12 09:39 - 2016-09-30 01:42 - 00062464 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2016-10-12 09:39 - 2016-09-30 01:42 - 00047616 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2016-10-12 09:39 - 2016-09-30 01:41 - 00064000 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2016-10-12 09:39 - 2016-09-30 01:36 - 00047104 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2016-10-12 09:39 - 2016-09-30 01:35 - 00262144 _____ (Microsoft Corporation) C:\windows\system32\webcheck.dll
2016-10-12 09:39 - 2016-09-30 01:35 - 00030720 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2016-10-12 09:39 - 2016-09-30 01:33 - 00724992 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2016-10-12 09:39 - 2016-09-30 01:33 - 00476160 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2016-10-12 09:39 - 2016-09-30 01:32 - 00806912 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2016-10-12 09:39 - 2016-09-30 01:32 - 00663552 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript.dll
2016-10-12 09:39 - 2016-09-30 01:32 - 00620032 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2016-10-12 09:39 - 2016-09-30 01:32 - 00115712 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2016-10-12 09:39 - 2016-09-30 01:31 - 02131456 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2016-10-12 09:39 - 2016-09-30 01:31 - 01359360 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2016-10-12 09:39 - 2016-09-30 01:24 - 00416256 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2016-10-12 09:39 - 2016-09-30 01:19 - 00091136 _____ (Microsoft Corporation) C:\windows\SysWOW64\inseng.dll
2016-10-12 09:39 - 2016-09-30 01:19 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2016-10-12 09:39 - 2016-09-30 01:17 - 00168960 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2016-10-12 09:39 - 2016-09-30 01:15 - 00076288 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2016-10-12 09:39 - 2016-09-30 01:14 - 00279040 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2016-10-12 09:39 - 2016-09-30 01:13 - 00130048 _____ (Microsoft Corporation) C:\windows\SysWOW64\occache.dll
2016-10-12 09:39 - 2016-09-30 01:07 - 00230400 _____ (Microsoft Corporation) C:\windows\SysWOW64\webcheck.dll
2016-10-12 09:39 - 2016-09-30 01:05 - 02055680 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2016-10-12 09:39 - 2016-09-30 01:05 - 01155072 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2016-10-12 09:39 - 2016-09-30 01:05 - 00693248 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2016-10-12 09:39 - 2016-09-30 00:54 - 00800768 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2016-10-12 09:39 - 2016-09-30 00:42 - 00710144 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2016-10-12 09:39 - 2016-09-15 11:30 - 00976896 _____ (Microsoft Corporation) C:\windows\system32\inetcomm.dll
2016-10-12 09:39 - 2016-09-15 11:30 - 00084480 _____ (Microsoft Corporation) C:\windows\system32\INETRES.dll
2016-10-12 09:39 - 2016-09-15 11:15 - 00741888 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcomm.dll
2016-10-12 09:39 - 2016-09-15 11:15 - 00084480 _____ (Microsoft Corporation) C:\windows\SysWOW64\INETRES.dll
2016-10-12 09:39 - 2016-09-12 17:13 - 00154856 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecpkg.sys
2016-10-12 09:39 - 2016-09-12 17:13 - 00095464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ksecdd.sys
2016-10-12 09:39 - 2016-09-12 17:08 - 01465344 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 01212928 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00730624 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00690688 _____ (Microsoft Corporation) C:\windows\system32\adtschema.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00463872 _____ (Microsoft Corporation) C:\windows\system32\certcli.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00345600 _____ (Microsoft Corporation) C:\windows\system32\schannel.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00316416 _____ (Microsoft Corporation) C:\windows\system32\msv1_0.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00312320 _____ (Microsoft Corporation) C:\windows\system32\ncrypt.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00210432 _____ (Microsoft Corporation) C:\windows\system32\wdigest.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00190464 _____ (Microsoft Corporation) C:\windows\system32\rpchttp.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00146432 _____ (Microsoft Corporation) C:\windows\system32\msaudite.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00135680 _____ (Microsoft Corporation) C:\windows\system32\sspicli.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00107520 _____ (Microsoft Corporation) C:\windows\system32\adsmsext.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00086528 _____ (Microsoft Corporation) C:\windows\system32\TSpkg.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00060416 _____ (Microsoft Corporation) C:\windows\system32\msobjs.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00043520 _____ (Microsoft Corporation) C:\windows\system32\cryptbase.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00028672 _____ (Microsoft Corporation) C:\windows\system32\sspisrv.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00028160 _____ (Microsoft Corporation) C:\windows\system32\secur32.dll
2016-10-12 09:39 - 2016-09-12 17:08 - 00022016 _____ (Microsoft Corporation) C:\windows\system32\credssp.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00690688 _____ (Microsoft Corporation) C:\windows\SysWOW64\adtschema.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00666112 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00553472 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00342528 _____ (Microsoft Corporation) C:\windows\SysWOW64\certcli.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00260608 _____ (Microsoft Corporation) C:\windows\SysWOW64\msv1_0.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00254464 _____ (Microsoft Corporation) C:\windows\SysWOW64\schannel.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00223232 _____ (Microsoft Corporation) C:\windows\SysWOW64\ncrypt.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00172032 _____ (Microsoft Corporation) C:\windows\SysWOW64\wdigest.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00146432 _____ (Microsoft Corporation) C:\windows\SysWOW64\msaudite.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00141312 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpchttp.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00076800 _____ (Microsoft Corporation) C:\windows\SysWOW64\adsmsext.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSpkg.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\msobjs.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2016-10-12 09:39 - 2016-09-12 16:49 - 00017408 _____ (Microsoft Corporation) C:\windows\SysWOW64\credssp.dll
2016-10-12 09:39 - 2016-09-12 16:39 - 00064000 _____ (Microsoft Corporation) C:\windows\system32\auditpol.exe
2016-10-12 09:39 - 2016-09-12 16:37 - 03218944 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys
2016-10-12 09:39 - 2016-09-12 16:32 - 00291328 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb10.sys
2016-10-12 09:39 - 2016-09-12 16:32 - 00159744 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb.sys
2016-10-12 09:39 - 2016-09-12 16:32 - 00129536 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxsmb20.sys
2016-10-12 09:39 - 2016-09-12 16:31 - 00030720 _____ (Microsoft Corporation) C:\windows\system32\lsass.exe
2016-10-12 09:39 - 2016-09-12 16:29 - 00050176 _____ (Microsoft Corporation) C:\windows\SysWOW64\auditpol.exe
2016-10-12 09:39 - 2016-09-12 16:25 - 00036352 _____ (Microsoft Corporation) C:\windows\SysWOW64\cryptbase.dll
2016-10-12 09:39 - 2016-09-12 15:08 - 01251328 _____ (Microsoft Corporation) C:\windows\SysWOW64\DWrite.dll
2016-10-12 09:39 - 2016-09-12 14:43 - 01648128 _____ (Microsoft Corporation) C:\windows\system32\DWrite.dll
2016-10-12 09:39 - 2016-09-12 14:43 - 01180160 _____ (Microsoft Corporation) C:\windows\system32\FntCache.dll
2016-10-12 09:39 - 2016-09-10 11:53 - 02291712 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSVidCtl.dll
2016-10-12 09:39 - 2016-09-09 14:29 - 00631176 _____ (Microsoft Corporation) C:\windows\system32\winresume.efi
2016-10-12 09:39 - 2016-09-09 14:26 - 00706280 _____ (Microsoft Corporation) C:\windows\system32\winload.efi
2016-10-12 09:39 - 2016-09-09 14:23 - 01732864 _____ (Microsoft Corporation) C:\windows\system32\ntdll.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 01163264 _____ (Microsoft Corporation) C:\windows\system32\kernel32.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00880640 _____ (Microsoft Corporation) C:\windows\system32\advapi32.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00503808 _____ (Microsoft Corporation) C:\windows\system32\srcore.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00419840 _____ (Microsoft Corporation) C:\windows\system32\KernelBase.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00362496 _____ (Microsoft Corporation) C:\windows\system32\wow64win.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00243712 _____ (Microsoft Corporation) C:\windows\system32\wow64.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00215552 _____ (Microsoft Corporation) C:\windows\system32\winsrv.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00063488 _____ (Microsoft Corporation) C:\windows\system32\setbcdlocale.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00059904 _____ (Microsoft Corporation) C:\windows\system32\appidapi.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00050176 _____ (Microsoft Corporation) C:\windows\system32\srclient.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00044032 _____ (Microsoft Corporation) C:\windows\system32\csrsrv.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00034816 _____ (Microsoft Corporation) C:\windows\system32\appidsvc.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00016384 _____ (Microsoft Corporation) C:\windows\system32\ntvdm64.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00013312 _____ (Microsoft Corporation) C:\windows\system32\wow64cpu.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00006656 _____ (Microsoft Corporation) C:\windows\system32\apisetschema.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00006144 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00005120 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00004608 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00004096 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-misc-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003584 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-io-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:20 - 00003072 ____H (Microsoft Corporation) C:\windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 14:01 - 01314112 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntdll.dll
2016-10-12 09:39 - 2016-09-09 14:00 - 01114112 _____ (Microsoft Corporation) C:\windows\SysWOW64\kernel32.dll
2016-10-12 09:39 - 2016-09-09 14:00 - 00275456 _____ (Microsoft Corporation) C:\windows\SysWOW64\KernelBase.dll
2016-10-12 09:39 - 2016-09-09 14:00 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\srclient.dll
2016-10-12 09:39 - 2016-09-09 14:00 - 00005120 _____ (Microsoft Corporation) C:\windows\SysWOW64\wow32.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00644096 _____ (Microsoft Corporation) C:\windows\SysWOW64\advapi32.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00050688 _____ (Microsoft Corporation) C:\windows\SysWOW64\appidapi.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00006656 _____ (Microsoft Corporation) C:\windows\SysWOW64\apisetschema.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00005120 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00004096 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:59 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:51 - 00148480 _____ (Microsoft Corporation) C:\windows\system32\appidpolicyconverter.exe
2016-10-12 09:39 - 2016-09-09 13:51 - 00062464 _____ (Microsoft Corporation) C:\windows\system32\Drivers\appid.sys
2016-10-12 09:39 - 2016-09-09 13:51 - 00017920 _____ (Microsoft Corporation) C:\windows\system32\appidcertstorecheck.exe
2016-10-12 09:39 - 2016-09-09 13:48 - 00338432 _____ (Microsoft Corporation) C:\windows\system32\conhost.exe
2016-10-12 09:39 - 2016-09-09 13:47 - 00296960 _____ (Microsoft Corporation) C:\windows\system32\rstrui.exe
2016-10-12 09:39 - 2016-09-09 13:43 - 00112640 _____ (Microsoft Corporation) C:\windows\system32\smss.exe
2016-10-12 09:39 - 2016-09-09 13:38 - 00025600 _____ (Microsoft Corporation) C:\windows\SysWOW64\setup16.exe
2016-10-12 09:39 - 2016-09-09 13:38 - 00014336 _____ (Microsoft Corporation) C:\windows\SysWOW64\ntvdm64.dll
2016-10-12 09:39 - 2016-09-09 13:38 - 00007680 _____ (Microsoft Corporation) C:\windows\SysWOW64\instnm.exe
2016-10-12 09:39 - 2016-09-09 13:38 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\user.exe
2016-10-12 09:39 - 2016-09-09 13:37 - 00006144 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:37 - 00004608 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:37 - 00003584 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2016-10-12 09:39 - 2016-09-09 13:37 - 00003072 ____H (Microsoft Corporation) C:\windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2016-10-12 09:39 - 2016-09-08 16:34 - 00263680 _____ (Microsoft Corporation) C:\windows\system32\WebClnt.dll
2016-10-12 09:39 - 2016-09-08 16:34 - 00208896 _____ (Microsoft Corporation) C:\windows\SysWOW64\WebClnt.dll
2016-10-12 09:39 - 2016-09-08 16:34 - 00108544 _____ (Microsoft Corporation) C:\windows\system32\davclnt.dll
2016-10-12 09:39 - 2016-09-08 16:34 - 00087040 _____ (Microsoft Corporation) C:\windows\SysWOW64\davclnt.dll
2016-10-12 09:39 - 2016-09-08 10:55 - 00142336 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2016-10-12 09:39 - 2016-09-08 10:55 - 00106496 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dfsc.sys
2016-10-11 22:23 - 2016-10-11 22:25 - 00003004 _____ C:\Users\bears\Downloads\FSS.txt
2016-10-10 18:16 - 2016-10-10 18:16 - 00001004 _____ C:\Users\bears\Downloads\howto.txt
2016-10-09 18:34 - 2016-10-09 18:34 - 00000000 ____D C:\Users\bears\AppData\Local\fontconfig
2016-10-09 18:29 - 2016-10-09 18:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inkscape 0.91
2016-10-09 18:29 - 2016-10-09 18:30 - 00000000 ____D C:\Program Files\Inkscape
2016-10-08 22:16 - 2016-07-22 10:58 - 00142336 _____ (Microsoft Corporation) C:\windows\system32\poqexec.exe
2016-10-08 22:16 - 2016-07-22 10:51 - 00123904 _____ (Microsoft Corporation) C:\windows\SysWOW64\poqexec.exe
2016-10-08 22:01 - 2016-09-12 17:17 - 00077032 _____ (Microsoft Corporation) C:\windows\system32\CompatTelRunner.exe
2016-10-08 22:01 - 2016-09-12 17:08 - 01226752 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2016-10-08 22:01 - 2016-09-09 11:54 - 01629184 _____ (Microsoft Corporation) C:\windows\system32\appraiser.dll
2016-10-08 22:01 - 2016-09-09 11:54 - 00586752 _____ (Microsoft Corporation) C:\windows\system32\generaltel.dll
2016-10-08 22:01 - 2016-09-09 11:54 - 00575488 _____ (Microsoft Corporation) C:\windows\system32\devinv.dll
2016-10-08 22:01 - 2016-09-09 11:54 - 00314368 _____ (Microsoft Corporation) C:\windows\system32\invagent.dll
2016-10-08 22:01 - 2016-09-09 11:54 - 00273408 _____ (Microsoft Corporation) C:\windows\system32\centel.dll
2016-10-08 22:01 - 2016-09-09 11:54 - 00224256 _____ (Microsoft Corporation) C:\windows\system32\aepic.dll
2016-10-08 22:01 - 2016-09-09 11:54 - 00129024 _____ (Microsoft Corporation) C:\windows\system32\acmigration.dll
2016-10-07 10:46 - 2016-10-07 10:46 - 00001872 _____ C:\Users\Public\Desktop\GlassWire.lnk
2016-10-07 10:46 - 2016-10-07 10:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GlassWire
2016-10-07 10:46 - 2015-05-29 00:30 - 00008657 _____ C:\windows\system32\Drivers\gwdrv.cat
2016-10-07 10:46 - 2015-05-29 00:15 - 00033248 _____ (SecureMix LLC) C:\windows\system32\Drivers\gwdrv.sys
2016-10-07 10:45 - 2016-10-07 10:46 - 00000000 ____D C:\Program Files (x86)\GlassWire
2016-10-07 09:45 - 2016-10-07 09:45 - 00001458 _____ C:\Users\bears\Documents\post.txt
2016-10-06 17:28 - 2016-10-06 18:40 - 00000000 ____D C:\Users\bears\AppData\Roaming\ImgBurn
2016-10-06 17:08 - 2016-10-06 17:08 - 00001848 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn.lnk
2016-10-06 17:08 - 2016-10-06 17:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn
2016-10-06 17:08 - 2016-10-06 17:08 - 00000000 ____D C:\Program Files (x86)\ImgBurn
2016-10-06 17:04 - 2016-10-06 17:04 - 03101913 _____ (LIGHTNING UK!) C:\Users\bears\Downloads\SetupImgBurn_2.5.8.0.exe
2016-10-06 13:04 - 2016-10-07 13:38 - 03037003 _____ C:\Users\bears\Downloads\Lecon 4.pptx
2016-10-05 17:01 - 2016-10-20 20:39 - 00019600 _____ C:\windows\system32\Drivers\MBRFilter.sys
2016-10-04 23:00 - 2016-11-02 22:11 - 00043305 _____ C:\Users\bears\Downloads\Addition.txt
2016-10-04 21:56 - 2016-10-04 21:56 - 00000008 _____ C:\Users\bears\Documents\hotmail.txt
2016-10-04 12:35 - 2016-10-04 12:35 - 00000000 ____D C:\Users\penguins\AppData\Local\Apple Computer
2016-10-04 12:28 - 2016-11-03 17:02 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2016-10-04 12:28 - 2016-10-26 07:02 - 00003768 _____ C:\windows\System32\Tasks\Adobe Flash Player Updater

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-03 17:23 - 2016-09-29 14:27 - 00228800 _____ (Malwarebytes) C:\windows\system32\Drivers\MB3SwissArmy.sys
2016-11-03 17:23 - 2016-09-29 14:27 - 00091072 _____ (Malwarebytes) C:\windows\system32\Drivers\farflt.sys
2016-11-03 17:22 - 2012-05-21 14:59 - 00000828 _____ C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job
2016-11-03 17:22 - 2009-07-14 01:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-11-03 16:56 - 2016-10-01 18:58 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-11-03 16:47 - 2009-07-14 00:45 - 00024608 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-11-03 16:47 - 2009-07-14 00:45 - 00024608 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-11-03 16:31 - 2016-08-17 10:59 - 00000000 ____D C:\Users\bears\Desktop\Physics_2016
2016-11-03 10:30 - 2012-05-21 14:59 - 00000830 _____ C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job
2016-11-03 09:18 - 2016-08-31 15:54 - 00007651 _____ C:\Users\penguins\AppData\Local\Resmon.ResmonCfg
2016-11-03 06:49 - 2016-05-29 18:40 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-11-02 23:32 - 2009-07-14 01:13 - 00782470 _____ C:\windows\system32\PerfStringBackup.INI
2016-11-02 23:32 - 2009-07-13 23:20 - 00000000 ____D C:\windows\inf
2016-11-02 17:20 - 2014-04-03 20:28 - 00000000 ____D C:\Users\bears\Desktop\Justin's
2016-11-02 17:18 - 2013-04-01 20:19 - 00000000 ____D C:\ProgramData\Lx_cats
2016-11-02 17:09 - 2016-08-17 11:00 - 00000000 ____D C:\Users\bears\Desktop\French_2016
2016-11-02 17:05 - 2016-08-16 16:08 - 00000000 ____D C:\AdwCleaner
2016-11-02 15:09 - 2016-08-19 14:05 - 00000000 ____D C:\Program Files (x86)\SpeedFan
2016-11-02 12:50 - 2016-08-17 11:00 - 00000000 ____D C:\Users\bears\Desktop\Algebra II
2016-11-02 10:12 - 2016-09-30 18:33 - 00003484 _____ C:\windows\System32\Tasks\WMIC Restore Point Creation
2016-11-01 18:26 - 2012-08-12 14:38 - 00000000 ___RD C:\Users\bears
2016-10-31 16:25 - 2012-08-12 21:26 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-10-31 10:05 - 2013-12-04 00:01 - 00000000 ____D C:\Users\penguins
2016-10-31 06:50 - 2013-10-01 22:08 - 00004180 _____ C:\windows\System32\Tasks\avast! Emergency Update
2016-10-29 19:32 - 2016-09-20 22:46 - 00000892 _____ C:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-10-27 21:22 - 2010-11-20 23:27 - 00485032 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2016-10-27 19:25 - 2012-08-13 20:36 - 00000000 ____D C:\Users\bears\AppData\Local\CrashDumps
2016-10-27 16:32 - 2016-05-19 20:27 - 00000000 ____D C:\windows\pss
2016-10-27 11:28 - 2014-09-17 22:35 - 00003840 _____ C:\windows\System32\Tasks\Opera scheduled Autoupdate 1381534773
2016-10-27 11:28 - 2013-10-11 19:39 - 00000000 ____D C:\Program Files (x86)\Opera
2016-10-26 10:00 - 2016-05-12 11:38 - 00000000 ____D C:\Users\bears\Desktop\MISC
2016-10-26 07:02 - 2016-09-20 22:46 - 00003880 _____ C:\windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2016-10-26 07:02 - 2012-05-21 16:00 - 00796352 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2016-10-26 07:02 - 2012-03-22 17:34 - 00142528 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-10-26 07:02 - 2012-03-22 17:34 - 00000000 ____D C:\windows\SysWOW64\Macromed
2016-10-26 07:02 - 2012-03-22 17:34 - 00000000 ____D C:\windows\system32\Macromed
2016-10-25 22:50 - 2012-08-13 19:08 - 00000376 _____ C:\windows\ODBC.INI
2016-10-25 22:50 - 2012-08-13 19:07 - 00002673 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Outlook.lnk
2016-10-25 22:50 - 2012-08-13 19:07 - 00002657 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Excel.lnk
2016-10-25 22:50 - 2012-08-13 19:07 - 00002655 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Word.lnk
2016-10-25 22:50 - 2012-08-13 19:07 - 00002609 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Open Office Document.lnk
2016-10-25 22:50 - 2012-08-13 19:07 - 00002599 _____ C:\ProgramData\Microsoft\Windows\Start Menu\New Office Document.lnk
2016-10-25 22:50 - 2012-08-13 19:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2016-10-25 22:50 - 2010-11-21 03:16 - 00000000 ____D C:\windows\ShellNew
2016-10-25 10:55 - 2013-12-04 00:08 - 00000000 ___RD C:\Users\cats
2016-10-23 20:05 - 2012-08-12 14:52 - 00000000 ____D C:\Users\bears\AppData\Local\Google
2016-10-23 19:02 - 2012-08-12 18:56 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-10-19 14:08 - 2009-07-13 23:20 - 00000000 ____D C:\windows\rescache
2016-10-19 10:48 - 2009-07-14 00:45 - 00407968 _____ C:\windows\system32\FNTCACHE.DAT
2016-10-18 17:12 - 2012-08-12 14:43 - 00084384 _____ C:\Users\bears\AppData\Local\GDIPFONTCACHEV1.DAT
2016-10-18 15:14 - 2016-05-29 18:41 - 00004476 _____ C:\windows\System32\Tasks\Adobe Acrobat Update Task
2016-10-18 15:12 - 2013-10-08 21:48 - 00000000 ____D C:\ProgramData\Oracle
2016-10-18 15:11 - 2013-10-08 21:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-10-18 15:11 - 2012-03-22 17:35 - 00000000 ____D C:\Program Files (x86)\Java
2016-10-18 15:09 - 2015-01-20 20:55 - 00097856 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll
2016-10-18 15:08 - 2013-12-04 00:01 - 00000000 ____D C:\Users\penguins\AppData\Local\TOSHIBA
2016-10-18 15:03 - 2012-03-22 17:40 - 00000000 ____D C:\Program Files (x86)\Toshiba
2016-10-18 15:03 - 2012-03-22 17:35 - 00000000 ____D C:\Program Files\Toshiba
2016-10-18 14:59 - 2016-10-01 09:13 - 00000000 ____D C:\Users\penguins\AppData\Roaming\WinPatrol
2016-10-18 14:58 - 2013-12-04 00:01 - 00084384 _____ C:\Users\penguins\AppData\Local\GDIPFONTCACHEV1.DAT
2016-10-16 17:36 - 2016-08-18 13:18 - 00000000 ____D C:\Program Files\Tablet
2016-10-15 19:05 - 2013-12-04 00:08 - 00080264 _____ C:\Users\cats\AppData\Local\GDIPFONTCACHEV1.DAT
2016-10-15 19:05 - 2013-12-04 00:08 - 00001384 _____ C:\Users\cats\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-10-13 12:22 - 2013-10-01 22:08 - 00293352 _____ (AVAST Software) C:\windows\system32\Drivers\aswvmm.sys
2016-10-13 11:20 - 2013-08-14 20:08 - 00000000 ____D C:\ProgramData\Package Cache
2016-10-12 10:09 - 2012-10-09 20:06 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-10-12 10:09 - 2012-10-09 20:06 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-10-12 10:04 - 2016-08-09 13:18 - 00000000 ____D C:\Users\penguins\AppData\Roaming\inkscape
2016-10-12 10:03 - 2016-08-30 13:52 - 00000000 ____D C:\windows\system32\MRT
2016-10-12 09:45 - 2012-10-18 22:18 - 143495576 ____C (Microsoft Corporation) C:\windows\system32\MRT.exe
2016-10-12 09:44 - 2012-10-09 20:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-10-11 23:07 - 2014-08-18 20:38 - 00000000 ____D C:\Users\bears\AppData\Local\Adobe
2016-10-11 23:06 - 2016-08-31 10:17 - 00000000 ____D C:\Users\penguins\AppData\Local\Adobe
2016-10-08 22:05 - 2016-08-30 16:11 - 00000000 ___SD C:\windows\system32\CompatTel
2016-10-08 22:05 - 2016-08-30 16:11 - 00000000 ____D C:\windows\system32\appraiser
2016-10-08 22:03 - 2012-08-12 19:56 - 00002088 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2016-10-08 22:03 - 2012-08-12 19:56 - 00002057 _____ C:\windows\epplauncher.mif
2016-10-08 22:03 - 2012-08-12 19:55 - 00000000 ____D C:\Program Files\Microsoft Security Client
2016-10-08 22:03 - 2012-08-12 19:55 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2016-10-08 20:52 - 2013-08-14 20:08 - 00000000 ____D C:\Users\bears\AppData\LocalLow\Adblock Plus for IE
2016-10-05 17:11 - 2016-10-01 18:57 - 00140672 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2016-10-04 17:40 - 2012-03-22 17:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Toshiba
2016-10-04 12:39 - 2013-12-04 00:02 - 00000000 ____D C:\Users\penguins\AppData\Roaming\Apple Computer

==================== Files in the root of some directories =======

2016-08-09 13:18 - 2016-08-09 13:18 - 0000218 _____ () C:\Users\penguins\AppData\Local\recently-used.xbel
2016-08-31 15:54 - 2016-11-03 09:18 - 0007651 _____ () C:\Users\penguins\AppData\Local\Resmon.ResmonCfg
2016-09-28 14:59 - 2016-09-28 14:59 - 0000057 _____ () C:\ProgramData\Ament.ini
2013-04-01 20:16 - 2013-04-01 20:16 - 0000252 _____ () C:\ProgramData\FastPics.log
2013-04-01 20:19 - 2016-09-02 23:50 - 0001603 _____ () C:\ProgramData\lxdx.log

Some files in TEMP:
====================
C:\Users\penguins\AppData\Local\Temp\dllnt_dump.dll
C:\Users\penguins\AppData\Local\Temp\sfamcc00001.dll
C:\Users\penguins\AppData\Local\Temp\sfareca00001.dll


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-10-25 18:40

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 03-11-2016
Ran by penguins (03-11-2016 17:30:11)
Running from C:\Users\bears\Desktop
Windows 7 Home Premium Service Pack 1 (X64) (2012-08-12 18:38:24)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1931112885-1466219482-269765937-500 - Administrator - Disabled)
bears (S-1-5-21-1931112885-1466219482-269765937-1000 - Limited - Enabled) => C:\Users\bears
cats (S-1-5-21-1931112885-1466219482-269765937-1033 - Administrator - Enabled) => C:\Users\cats
Guest (S-1-5-21-1931112885-1466219482-269765937-501 - Limited - Disabled)
penguins (S-1-5-21-1931112885-1466219482-269765937-1034 - Administrator - Enabled) => C:\Users\penguins

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Disabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AV: Avast Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Microsoft Security Essentials (Disabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus (Disabled) {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{5CEBB0CE-1783-40C2-A7E1-02EE705820F0}) (Version: 1.0 - Eyeo GmbH)
Adblock Plus for IE (HKLM-x32\...\{1ce01891-839b-4ad1-b629-2e608ba0c6ba}) (Version: 1.0 - )
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.020.20042 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 23.0.0.257 - Adobe Systems Incorporated)
Adobe Connect 9 Add-in (HKU\S-1-5-21-1931112885-1466219482-269765937-1000\...\Adobe Connect 9 Add-in) (Version: 11,9,976,291 - Adobe Systems Incorporated)
Adobe Connect 9 Add-in (HKU\S-1-5-21-1931112885-1466219482-269765937-1034\...\Adobe Connect 9 Add-in) (Version: 11.9.976.299 - Adobe Systems Incorporated)
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.205 - Adobe Systems Incorporated)
Adobe Flash Player 23 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 23.0.0.205 - Adobe Systems Incorporated)
Adobe Flash Player 23 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 23.0.0.205 - Adobe Systems Incorporated)
Apple Application Support (32-bit) (HKLM-x32\...\{F2871C89-C8A5-42EE-8D45-0F02506385A6}) (Version: 5.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{9BC93467-75D1-4AA4-BD58-D9C51D88DFAB}) (Version: 5.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Application Verifier x64 External Package (Version: 8.100.26936 - Microsoft) Hidden
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.0.12.13 - Atheros Communications Inc.)
Avast Free Antivirus (HKLM-x32\...\avast) (Version: 12.3.2280 - AVAST Software)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Bullzip PDF Printer 9.3.0.1516 (HKLM\...\Bullzip PDF Printer_is1) (Version: 9.3.0.1516 - Bullzip)
CCleaner (HKLM\...\CCleaner) (Version: 5.12 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Concept2 Utility (HKLM-x32\...\{7645F752-5689-4466-91FE-6A0DCF5ECCDD}) (Version: 6.80 - Concept2 Inc.)
CryptoPrevent (HKLM-x32\...\{5C5B24E7-4694-4049-A222-CCE7D3FAC63F}_is1) (Version:  - Foolish IT LLC)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Do Not Track Me Add-on 2.2.9.515 (HKLM-x32\...\Do Not Track Me Add-on_is1) (Version: 2.2.9.515 - Abine Inc)
doPDF 7.2 printer (HKLM\...\doPDF 7 printer_is1) (Version:  - Softland)
EMET 5.5 (HKLM-x32\...\{E27E74F0-0EAD-4C5D-8F6F-1C9192D24AA5}) (Version: 5.5 - Microsoft Corporation)
FileZilla Client 3.21.0 (HKLM-x32\...\FileZilla Client) (Version: 3.21.0 - Tim Kosse)
Folder Size 3.4.0.0 (HKLM-x32\...\{2DFA85ED-588F-4CE3-A175-29E52C3804A8}_is1) (Version: 3.4.0.0 - MindGems, Inc.)
GlassWire 1.2 (remove only) (HKLM-x32\...\GlassWire 1.2) (Version: 1.2.74 - SecureMix LLC)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Inkscape 0.91 (HKLM\...\{81922150-317E-4BB0-A31D-FF1C14F707C5}) (Version: 0.91 - inkscape.org)
inSSIDer Home (HKLM-x32\...\{9E54E4AE-B67A-4925-8E92-0E1F9817FD73}) (Version: 3.1.2.1 - MetaGeek, LLC)
Intel Processor Diagnostic Tool 64bit (HKLM\...\{E8EB0A84-C19C-4520-8671-56D4D4123D37}) (Version: 3.0.0.25 - Intel Corporation)
Intel® Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{A6C48A9F-694A-4234-B3AA-62590B668927}) (Version: 1.0.0.35342 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.1.1399 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2639 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.1.209 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{538B98C3-773F-4F20-9C66-802D104DCBE2}) (Version: 1.23.219.2 - Intel Corporation)
iTunes (HKLM\...\{F11677B7-0D8E-4F34-BEBB-6869FE861CDF}) (Version: 12.5.2.36 - Apple Inc.)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kits Configuration Installer (x32 Version: 8.100.25984 - Microsoft) Hidden
Lexmark 3600-4600 Series (HKLM\...\Lexmark 3600-4600 Series) (Version:  - Lexmark International, Inc.)
LibreOffice 5.2.0.4 (HKLM-x32\...\{8FA59B7B-1D26-408F-A798-BD11A65A68B9}) (Version: 5.2.0.4 - The Document Foundation)
LogCard Utility Uninstaller 1.0 (HKLM-x32\...\LogCard Utility Uninstaller_is1) (Version:  - Concept2 Inc)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Malwarebytes Anti-Ransomware version 0.9.17.661 (HKLM\...\{6CA75021-FBB0-41A5-B95C-FC1C9E0421F0}_is1) (Version: 0.9.17.661 - Malwarebytes)
MathType 4 (HKLM-x32\...\DSMT4) (Version:  - )
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM-x32\...\{D1D37853-0004-3E36-A7AA-74F4EEA35F64}) (Version: 4.5.50930 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 SDK (HKLM-x32\...\{19A5926D-66E1-46FC-854D-163AA10A52D3}) (Version: 4.5.51641 - Microsoft Corporation)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 2000 Small Business (HKLM-x32\...\{00030409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.205.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 (HKLM-x32\...\{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}) (Version: 9.0.30411 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Mozilla Firefox 49.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 49.0.2 (x86 en-US)) (Version: 49.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 49.0.2.6136 - Mozilla)
MSI Development Tools (x32 Version: 8.100.26898 - Microsoft Corporation) Hidden
MuseScore 1.1 MuseScore score typesetter (HKLM-x32\...\MuseScore) (Version: 1.1.0 - Werner Schweer and Others)
NJStar Chinese Word Processor (HKLM-x32\...\NJStar Chinese Word Processor) (Version:  - )
OpenDNS Updater 2.2.1 (HKLM-x32\...\OpenDNS Updater) (Version: 2.2.1 - )
Opera Stable 41.0.2353.46 (HKLM-x32\...\Opera 41.0.2353.46) (Version: 41.0.2353.46 - Opera Software)
Panda USB Vaccine 1.0.1.16 (HKLM-x32\...\{55A41219-9B22-4098-BAE7-AE289B3C569A}_is1) (Version:  - Panda Security)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6559 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 6.1.7601.39013 - Realtek Semiconductor Corp.)
Realtek WLAN Driver (HKLM-x32\...\{9D3D8C60-A55F-4fed-B2B9-173001290E16}) (Version: 2.00.0016 - REALTEK Semiconductor Corp.)
Revo Uninstaller 2.0.1 (HKLM\...\{A28DBDA2-3CC7-4ADC-8BFE-66D7743C6C97}_is1) (Version: 2.0.1 - VS Revo Group, Ltd.)
RogueKiller version 12.7.5.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.7.5.0 - Adlice Software)
SafeZone Stable 1.51.2220.62 (x32 Version: 1.51.2220.62 - Avast Software) Hidden
Samsung i-Launcher 1.0.1.57 (HKLM-x32\...\Samsung i-Launcher) (Version: 1.0.1.57 - Samsung Electronics Co., Ltd.)
SDK Debuggers (x32 Version: 8.100.26936 - Microsoft Corporation) Hidden
SeaTools for Windows 1.4.0.4 (HKLM-x32\...\SeaTools for Windows) (Version: 1.4.0.4 - Seagate Technology)
Skype™ 7.28 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.28.101 - Skype Technologies S.A.)
Sophos Free Encryption 2.40.1 (HKLM-x32\...\{64C13A35-B44C-47E5-88DC-0916FCE1E7C1}) (Version: 2.40.1.1 - Sophos)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.39.0 - Synaptics Incorporated)
TomTom HOME (HKLM-x32\...\{B581E191-A2C1-4CE3-907E-9FE3C728750C}) (Version: 2.9.91 - TomTom)
TomTom HOME Visual Studio Merge Modules (HKLM-x32\...\{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}) (Version: 1.0.2 - TomTom International B.V.)
Toshiba App Place (HKLM-x32\...\{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}) (Version: 1.0.6.3 - Toshiba)
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.2 - TOSHIBA)
TOSHIBA Assist (HKLM-x32\...\{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}) (Version: 4.2.3.1 - TOSHIBA CORPORATION)
TOSHIBA Audio Enhancement (HKLM\...\{F2DE0088-CF05-4DAB-AC4D-9D2C4D657456}) (Version: 1.0.2.8 - TOSHIBA Corporation)
TOSHIBA Battery Check Utility (HKLM-x32\...\{5468E297-7EF8-4CB3-A091-F8714147793F}) (Version: 1.00.01.01 - Toshiba Corporation)
Toshiba Book Place (HKLM-x32\...\{C31337DE-0CDC-45A9-9A32-F099AC78D557}) (Version: 3.0.9490 - K-NFB Reading Technology, Inc.)
TOSHIBA Bulletin Board (HKLM-x32\...\InstallShield_{1C8C049A-145F-4A6E-8290-B5C245EBE39D}) (Version: 1.6.11.64 - TOSHIBA Corporation)
TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.1.0.2 for x64 - TOSHIBA Corporation)
TOSHIBA eco Utility (HKLM\...\{2C486987-D447-4E36-8D61-86E48E24199C}) (Version: 1.3.10.64 - TOSHIBA Corporation)
TOSHIBA Face Recognition (HKLM-x32\...\InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}) (Version: 3.1.18.64 - TOSHIBA Corporation)
TOSHIBA Hardware Setup (HKLM-x32\...\{97965331-BC5D-4D9F-B6DF-5C0A123E4AE0}) (Version: 2.1.0.8 - TOSHIBA Corporation)
TOSHIBA HDD/SSD Alert (HKLM\...\{D4322448-B6AF-4316-B859-D8A0E84DCB38}) (Version: 3.1.64.11 - TOSHIBA Corporation)
TOSHIBA Media Controller (HKLM-x32\...\{C7A4F26F-F9B0-41B2-8659-99181108CDE3}) (Version: 1.0.87.4 - TOSHIBA CORPORATION)
TOSHIBA Media Controller Plug-in (HKLM-x32\...\{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}) (Version: 1.0.8.0 - TOSHIBA CORPORATION)
Toshiba Online Backup (HKLM-x32\...\{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}) (Version: 2.0.0.31 - Toshiba)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.7.15.64 - TOSHIBA Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.4 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.1.6.52020009 - TOSHIBA CORPORATION)
TOSHIBA ReelTime (HKLM-x32\...\InstallShield_{24811C12-F4A9-4D0F-8494-A7B8FE46123C}) (Version: 1.7.21.64 - TOSHIBA Corporation)
TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.1.2004 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM-x32\...\{AC6569FA-6919-442A-8552-073BE69E247A}) (Version: 2.2.15.0 - TOSHIBA)
TOSHIBA Supervisor Password (HKLM-x32\...\{0AF17224-CF88-40B8-BB1A-D179369847B4}) (Version: 2.1.0.3 - TOSHIBA Corporation)
TOSHIBA User's Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.02 - TOSHIBA)
TOSHIBA Value Added Package (HKLM-x32\...\InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}) (Version: 1.6.0021.640203 - TOSHIBA Corporation)
TOSHIBA Web Camera Application (HKLM-x32\...\InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}) (Version: 2.0.3.33 - TOSHIBA Corporation)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.0.9 - TOSHIBA)
Wacom (HKLM\...\Pen Tablet Driver) (Version: 5.3.3-3 - Wacom Technology Corp.)
WebTablet FB Plugin 32 bit (HKLM-x32\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.3 - Wacom Technology Corp.)
WebTablet FB Plugin 64 bit (HKLM\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.3 - Wacom Technology Corp.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Software Development Kit for Windows 8.1 (HKLM-x32\...\{ed3a6e6d-9661-4357-abe4-fcc03dc57a07}) (Version: 8.100.26936 - Microsoft Corporation)
WinPatrol (HKLM-x32\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 33.1.2015.0 - Ruiware)
WPT Redistributables (x32 Version: 8.100.26936 - Microsoft) Hidden
WPTx64 (x32 Version: 8.100.26936 - Microsoft) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1931112885-1466219482-269765937-1034_Classes\CLSID\{092dfa86-5807-5a94-bf3b-5a53ba9e5308}\InprocServer32 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll (Wacom)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {03B29EC4-1DFD-4869-B9C3-C73F9C5B61F7} - System32\Tasks\Installation App Launcher => C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe [2010-02-04] (Lexmark International Inc.)
Task: {150E44B7-C1AA-491A-BE56-A824BDC62DBE} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {3D3DBC54-25DA-4364-929C-4E5957E9A133} - System32\Tasks\Opera scheduled Autoupdate 1381534773 => C:\Program Files (x86)\Opera\launcher.exe [2016-10-24] (Opera Software)
Task: {40055DD3-F749-4726-B14A-D1A2A7EE3A8D} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-11-16] (Piriform Ltd)
Task: {42411552-1B26-445F-8FFF-A19B028DC3AB} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-08-30] (Microsoft Corporation)
Task: {49731641-2D2D-4986-A156-B57B86D135B1} - System32\Tasks\SafeZone scheduled Autoupdate 1464577019 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-09-06] (Avast Software)
Task: {4BF68331-FF66-42E9-B060-05046B28A79D} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe [2011-11-25] (Intel Corporation)
Task: {4DE57CF6-87B6-4171-B825-8BD6600AED7C} - System32\Tasks\PandaUSBVaccine => C:\Program Files (x86)\Panda USB Vaccine\RunInteractiveWin.exe [2010-06-01] ()
Task: {57CAB925-8D79-43B3-8AEB-F82A5F462F05} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-06-02] (AVAST Software)
Task: {658DA603-0100-42A9-856C-CD4AEC0CEA57} - System32\Tasks\hpUtility.exe_{BF83BDCA-BD49-44FA-AE6F-388857077812} => C:\Program Files\HP\HP Officejet 6100\Bin\utils\hpUtility.exe
Task: {877F38C0-CB11-4BDE-AA3C-5CCC63770321} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-10-26] (Adobe Systems Incorporated)
Task: {9E5C0579-6781-4B5A-9C24-625EBFF4E1FA} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-09-16] (Adobe Systems Incorporated)
Task: {B3ACD72F-1ECA-480A-B5C5-598795195A48} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-08-31] (AVAST Software)
Task: {C3628E35-847E-4CB2-8A02-660DDDA41E74} - System32\Tasks\WMIC Restore Point Creation => C:\Windows\System32\wbem\WMIC.exe [2009-07-13] (Microsoft Corporation) <==== ATTENTION
Task: {CD9F793C-90B7-48E8-8A0F-4878E01C30A5} - System32\Tasks\Norton Anti-Theft\Norton Error Analyzer => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.2.0.29\SymErr.exe
Task: {EA9B3E06-5ACA-4F3E-89F4-EF8FF04C60CD} - System32\Tasks\Norton Anti-Theft\Norton Error Processor => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.2.0.29\SymErr.exe
Task: {F80BA995-13AF-44F0-A95E-F94F4ED47295} - System32\Tasks\Microsoft\Microsoft Antimalware\MpIdleTask => c:\Program Files\Microsoft Security Client\\MpCmdRun.exe [2016-08-30] (Microsoft Corporation)
Task: {F9E33DA9-4B86-47CB-80F7-5222A034E298} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_23_0_0_205_pepper.exe [2016-10-26] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\windows\SysWOW64\Macromed\Flash\FlashUtil32_23_0_0_205_pepper.exe
Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon.job => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe
Task: C:\windows\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d.job => C:\Program Files (x86)\Intel\Intel® ME FW Recovery Agent\bin\Bootstrap.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2013-04-01 20:17 - 2009-10-16 13:12 - 00177664 _____ () C:\windows\system32\spool\PRTPROCS\x64\lxdxdrpp.dll
2016-08-23 09:05 - 2016-08-23 09:05 - 00052400 _____ () C:\Program Files\FileZilla FTP Client\fzshellext_64.dll
2012-05-21 14:59 - 2012-01-20 14:45 - 00128280 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
2016-09-29 14:27 - 2016-08-26 09:37 - 01175504 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-RANSOMWARE\arwlib.dll
2013-04-01 20:16 - 2010-02-04 02:27 - 00672424 _____ () C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
2016-09-29 14:27 - 2016-04-14 18:38 - 00745984 _____ () C:\Program Files\Malwarebytes\Anti-Ransomware\QtQuick\Controls\qtquickcontrolsplugin.dll
2010-06-16 17:42 - 2010-06-16 17:42 - 00839680 _____ () C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
2016-10-16 17:36 - 2014-01-13 12:24 - 01356568 _____ () C:\Program Files\Tablet\Pen\libxml2.dll
2016-09-01 18:12 - 2016-09-01 18:12 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-10-05 18:17 - 2016-10-05 18:17 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2011-11-25 21:51 - 2011-11-25 21:51 - 00079784 _____ () C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosIPCWraper.dll
2016-08-31 14:59 - 2016-08-31 14:59 - 00169064 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-11-02 15:12 - 2016-11-02 15:12 - 03126672 _____ () C:\Program Files\AVAST Software\Avast\defs\16110201\algo.dll
2016-08-31 15:00 - 2016-08-31 15:00 - 00482928 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2013-04-01 20:16 - 2010-02-04 00:41 - 00380928 _____ () C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxscw.dll
2013-04-01 20:16 - 2010-02-04 00:28 - 00589824 _____ () C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxdatr.dll
2013-04-01 20:16 - 2009-10-16 13:00 - 00073728 _____ () C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxcats.dll
2013-04-01 20:16 - 2010-02-04 00:41 - 00782336 _____ () C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxDRS.dll
2013-04-01 20:16 - 2010-02-04 00:41 - 00081920 _____ () C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxcaps.dll
2013-04-01 20:16 - 2010-02-04 00:28 - 00069632 _____ () C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxcnv4.dll
2016-08-31 15:00 - 2016-08-31 15:00 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2012-05-21 14:59 - 2012-01-20 14:23 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKLM\...\.scr: CryptoPreventSCR => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" "%1" /S %*

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2016-11-03 09:17 - 00000826 ____A C:\windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1931112885-1466219482-269765937-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\bears\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-1931112885-1466219482-269765937-1034\Control Panel\Desktop\\Wallpaper -> C:\Users\penguins\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 208.67.222.222 - 208.67.220.220
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk => C:\windows\pss\Microsoft Office.lnk.CommonStartup
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: EzPrint => "C:\Program Files (x86)\Lexmark 3600-4600 Series\ezprint.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: ToshibaServiceStation => "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{02875F00-95C4-4D95-BE95-ED26A14EF109}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{F66A7671-53A6-4AC1-82D7-893F1DB8A080}] => (Allow) LPort=2869
FirewallRules: [{D1D7D49B-E8B7-4B11-B725-48F9856990DD}] => (Allow) LPort=1900
FirewallRules: [{B8AD7746-AE99-47D7-825D-11008F4407A3}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{D1246B1E-D820-419D-9BE8-AE284CE5311F}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{0DA0D8DC-9952-4D15-9CAC-54B7BAD97F28}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{5CA74315-856D-46BB-96E3-692006B20C74}] => (Allow) C:\Windows\SysWOW64\lxdxcoms.exe
FirewallRules: [{ECAC2568-7DB5-48DE-A92A-11F7CCE8ADF5}] => (Allow) C:\Windows\SysWOW64\lxdxcoms.exe
FirewallRules: [{63CEBD6E-6288-406E-A668-D498994AA530}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
FirewallRules: [{165456FE-6467-4CA6-8E91-F7EA9E60DA4E}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxmon.exe
FirewallRules: [{0FDCE876-8303-4261-91AA-6E5D807C1FA7}] => (Allow) C:\Windows\System32\lxdxcfg.exe
FirewallRules: [{9E208BD9-0268-4750-8B13-90E0FBCE6CA3}] => (Allow) C:\Windows\System32\lxdxcfg.exe
FirewallRules: [{DEE9465B-DFF1-419C-B4BD-8A156FCEB175}] => (Allow) C:\Windows\System32\lxdxcoms.exe
FirewallRules: [{247E68B3-FDC9-4BC8-9DEC-136EB5FFE407}] => (Allow) C:\Windows\System32\lxdxcoms.exe
FirewallRules: [{8807C33B-F2AD-48D7-A041-332AF9F9F5E3}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxpswx.exe
FirewallRules: [{C70DF11B-FE11-47C0-90C6-EBAF0F976D27}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxpswx.exe
FirewallRules: [{B8AC126E-B1CB-481D-9A27-080FA0CC7111}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxtime.exe
FirewallRules: [{BFF4F18B-7D37-4C67-ABA0-C18A423B877B}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxtime.exe
FirewallRules: [{E5D59EF5-A45C-4AEB-B627-ED0E30C9BF37}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\Wireless\lxdxwpss.exe
FirewallRules: [{94C20E8F-4150-4EB9-9943-6C6C5852572A}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\Wireless\lxdxwpss.exe
FirewallRules: [{B80D2B5F-7E05-4578-B19B-9E9784CB9C22}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{0B3D03A9-2433-47AF-953D-A1CC031DC2B7}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{78B7DCB7-F8CC-444E-8B90-2388F7E8ADC4}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{0919C474-D619-4642-90D3-E64090581679}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{9B6DDD5B-0229-4F09-8E2B-DCD5A651A27E}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{7E4350D4-653F-4732-8A7C-041D4BF9C74D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{13B6E73F-8208-4F32-A0AD-1D04C258C334}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{81B825F4-6B77-4409-B770-50CD7A3C6B29}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{8BC662D6-A5AF-4E58-B734-0CF4491E5B85}] => (Allow) C:\Users\bears\AppData\Local\Temp\lxdx\wireless\lxdxwpss.exe
FirewallRules: [{DEAB9F29-EBEF-4FDD-AAF1-E60C1E0590D8}] => (Allow) C:\Users\bears\AppData\Local\Temp\lxdx\wireless\lxdxwpss.exe
FirewallRules: [{32A3A075-12FE-4574-B15D-16095257F8EC}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{173E82FC-8727-4D82-B27C-705B832C93A8}] => (Allow) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
FirewallRules: [{D6EA9E7E-ECCE-48A5-86B7-C3851B3E848B}] => (Allow) C:\Windows\System32\lxdxcoms.exe
FirewallRules: [{7FB2831C-DDE6-40B2-B087-10FEBA4BD472}] => (Allow) C:\Windows\System32\lxdxcoms.exe
FirewallRules: [{170167B5-3213-4013-B15E-C1FE643ADE62}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxpswx.exe
FirewallRules: [{105B2656-EE2D-4365-9EC8-C721C4A5946D}] => (Allow) C:\Windows\System32\spool\drivers\x64\3\lxdxpswx.exe
FirewallRules: [{632152FE-E3A1-4419-94A7-93A2974CF42A}] => (Allow) C:\Users\cats\AppData\Local\Temp\lxdx\wireless\lxdxwpss.exe
FirewallRules: [{CBE62E59-093D-4F11-ACBE-D82AC31A5097}] => (Allow) C:\Users\cats\AppData\Local\Temp\lxdx\wireless\lxdxwpss.exe
FirewallRules: [TCP Query User{CCFDB61E-CAC2-4FEC-8ECD-82270F46930E}C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe] => (Block) C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe
FirewallRules: [UDP Query User{7E140EB1-6493-4F54-A5F6-DB1BB4B15DF4}C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe] => (Block) C:\program files (x86)\lexmark 3600-4600 series\lxdxmon.exe
FirewallRules: [{84BB9BF0-5984-442C-BC31-E813423FD17A}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxlscn.exe
FirewallRules: [{6775A659-B73C-40A6-838A-55BF045CBC62}] => (Allow) C:\Program Files (x86)\Lexmark 3600-4600 Series\lxdxlscn.exe
FirewallRules: [{8175978D-4599-4DC0-BE81-66486293C4E8}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{35BB4422-5961-4B6E-B253-E89185503FFC}] => (Block) c:\users\bears\desktop\frst64.exe
FirewallRules: [{AFAAFC42-D064-48F7-BAB9-F065B3B87D08}] => (Block) c:\users\bears\desktop\frst64.exe

==================== Restore Points =========================

31-10-2016 23:14:36 Revo Uninstaller's restore point - Emsisoft Anti-Malware
01-11-2016 15:00:01 %DATE%
02-11-2016 21:30:20 Windows Update
03-11-2016 15:00:02 %DATE%

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/03/2016 05:23:29 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/03/2016 04:50:22 PM) (Source: MsiInstaller) (EventID: 11719) (User: )
Description: Product: Skype™ 7.29 -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (11/03/2016 04:50:04 PM) (Source: MsiInstaller) (EventID: 1041) (User: NT AUTHORITY)
Description: Failed to begin a Windows Installer transaction ASU_MSI_TRAN. Error 1603 occurred while beginning the transaction.

Error: (11/03/2016 04:39:27 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (11/02/2016 03:19:23 PM) (Source: MsiInstaller) (EventID: 11719) (User: )
Description: Product: Skype™ 7.29 -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (11/02/2016 03:19:04 PM) (Source: MsiInstaller) (EventID: 1041) (User: NT AUTHORITY)
Description: Failed to begin a Windows Installer transaction ASU_MSI_TRAN. Error 1603 occurred while beginning the transaction.

Error: (11/02/2016 03:14:26 PM) (Source: MsiInstaller) (EventID: 11719) (User: )
Description: Product: Skype™ 7.29 -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (11/02/2016 03:13:36 PM) (Source: MsiInstaller) (EventID: 1041) (User: NT AUTHORITY)
Description: Failed to begin a Windows Installer transaction ASU_MSI_TRAN. Error 1603 occurred while beginning the transaction.

Error: (11/02/2016 07:12:11 AM) (Source: MsiInstaller) (EventID: 11719) (User: )
Description: Product: Skype™ 7.29 -- Error 1719. The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

Error: (11/02/2016 07:11:50 AM) (Source: MsiInstaller) (EventID: 1041) (User: NT AUTHORITY)
Description: Failed to begin a Windows Installer transaction ASU_MSI_TRAN. Error 1603 occurred while beginning the transaction.


System errors:
=============
Error: (11/03/2016 05:22:24 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\windows\system32\Rtlihvs.dll
Error Code: 126

Error: (11/03/2016 04:38:27 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\windows\system32\Rtlihvs.dll
Error Code: 126

Error: (11/03/2016 10:39:19 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Microsoft Security Essentials - KB2310138 (Definition 1.231.1097.0).

Error: (11/03/2016 10:38:27 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.231.1088.0

    Update Source: Microsoft Malware Protection Center

    Update Stage: Search

    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

    Signature Type: AntiSpyware

    Update Type: Full

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version:

    Previous Engine Version: 1.1.13202.0

    Error code: 0x80070005

    Error description: Access is denied.

Error: (11/03/2016 10:38:27 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.231.1088.0

    Update Source: Microsoft Malware Protection Center

    Update Stage: Search

    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

    Signature Type: AntiVirus

    Update Type: Full

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version:

    Previous Engine Version: 1.1.13202.0

    Error code: 0x80070005

    Error description: Access is denied.

Error: (11/03/2016 10:38:25 AM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.231.1088.0

    Update Source: Microsoft Update Server

    Update Stage: Install

    Source Path: http://www.microsoft.com

    Signature Type: AntiVirus

    Update Type: Full

    User: NT AUTHORITY\SYSTEM

    Current Engine Version:

    Previous Engine Version: 1.1.13202.0

    Error code: 0x80070643

    Error description: Fatal error during installation.

Error: (11/01/2016 06:58:00 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\windows\system32\Rtlihvs.dll
Error Code: 126

Error: (10/31/2016 11:33:48 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 116.29.0.0

    Update Source: Microsoft Malware Protection Center

    Update Stage: Search

    Source Path: http://go.microsoft.com/fwlink/?LinkID=260974&clcid=0x409&NRI=true&arch=x64&eng=2.1.12706.0&sig=116.29.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

    Signature Type: Network Inspection System

    Update Type: Full

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version:

    Previous Engine Version: 2.1.12706.0

    Error code: 0x80072ee7

    Error description: The server name or address could not be resolved

Error: (10/31/2016 11:33:48 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.231.814.0

    Update Source: Microsoft Malware Protection Center

    Update Stage: Search

    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.13202.0&avdelta=1.231.814.0&asdelta=1.231.814.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

    Signature Type: AntiSpyware

    Update Type: Full

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version:

    Previous Engine Version: 1.1.13202.0

    Error code: 0x80072ee7

    Error description: The server name or address could not be resolved

Error: (10/31/2016 11:33:48 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Microsoft Antimalware has encountered an error trying to update signatures.

    New Signature Version:

    Previous Signature Version: 1.231.814.0

    Update Source: Microsoft Malware Protection Center

    Update Stage: Search

    Source Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x64&eng=1.1.13202.0&avdelta=1.231.814.0&asdelta=1.231.814.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

    Signature Type: AntiVirus

    Update Type: Full

    User: NT AUTHORITY\NETWORK SERVICE

    Current Engine Version:

    Previous Engine Version: 1.1.13202.0

    Error code: 0x80072ee7

    Error description: The server name or address could not be resolved


CodeIntegrity:
===================================
  Date: 2016-10-31 23:12:48.077
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-10-31 22:10:13.172
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-10-31 21:58:03.544
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-10-31 21:41:37.032
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-10-31 21:11:52.885
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-10-31 20:47:15.077
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2016-10-31 20:27:03.514
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel® Pentium® CPU B970 @ 2.30GHz
Percentage of memory in use: 30%
Total physical RAM: 6068.8 MB
Available physical RAM: 4200.19 MB
Total Virtual: 12135.79 MB
Available Virtual: 10234.92 MB

==================== Drives ================================

Drive c: (TI106401W0D) (Fixed) (Total:581.42 GB) (Free:417.17 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596.2 GB) (Disk ID: 4537E8B6)
Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Not Active) - (Size=581.4 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=13.3 GB) - (Type=17)

==================== End of Addition.txt ============================


Edited by bwv848, 04 November 2016 - 10:47 AM.

If I do not reply in three days, please message me.
 
BC BSOD Posting Instructions | Carrona BSOD Index | Driver Reference Table (DRT)




#2 nasdaq (Malware Response Team)

Posted 06 November 2016 - 10:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S4 OAcat; "C:\Program Files (x86)\Online Armor\OAcat.exe" [X]
S3 SvcOnlineArmor; C:\Program Files (x86)\Online Armor\oasrv.exe [X]
Task: {C3628E35-847E-4CB2-8A02-660DDDA41E74} - System32\Tasks\WMIC Restore Point Creation => C:\Windows\System32\wbem\WMIC.exe [2009-07-13] (Microsoft Corporation) <==== ATTENTION
C:\Users\penguins\AppData\Local\Temp\dllnt_dump.dll
C:\Users\penguins\AppData\Local\Temp\sfamcc00001.dll
C:\Users\penguins\AppData\Local\Temp\sfareca00001.dll

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know of any issues with this computer.

#3 bwv848 (Topic Starter)

Posted 06 November 2016 - 05:59 PM

Hello, nasdaq,

 

Thank you for helping me.

RogueKiller's process was again ended by Microsoft Security Essentials. MSE detected it as Behavior:Win32/Powessere.D. Did you have a chance to look at the ESET log attached in my original post? It claims it found Poweliks on the system. Should I run ESET Poweliks cleaner again?

 

Fixlog is below:

Fix result of Farbar Recovery Scan Tool (x64) Version: 03-11-2016
Ran by penguins (06-11-2016 17:26:44) Run:1
Running from C:\Users\bears\Desktop
Loaded Profiles: bears & penguins (Available Profiles: bears & cats & penguins)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
S4 OAcat; "C:\Program Files (x86)\Online Armor\OAcat.exe" [X]
S3 SvcOnlineArmor; C:\Program Files (x86)\Online Armor\oasrv.exe [X]
Task: {C3628E35-847E-4CB2-8A02-660DDDA41E74} - System32\Tasks\WMIC Restore Point Creation => C:\Windows\System32\wbem\WMIC.exe [2009-07-13] (Microsoft Corporation) <==== ATTENTION
C:\Users\penguins\AppData\Local\Temp\dllnt_dump.dll
C:\Users\penguins\AppData\Local\Temp\sfamcc00001.dll
C:\Users\penguins\AppData\Local\Temp\sfareca00001.dll

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
OAcat => service removed successfully
SvcOnlineArmor => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C3628E35-847E-4CB2-8A02-660DDDA41E74}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C3628E35-847E-4CB2-8A02-660DDDA41E74}" => key removed successfully
C:\windows\System32\Tasks\WMIC Restore Point Creation => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WMIC Restore Point Creation" => key removed successfully
C:\Users\penguins\AppData\Local\Temp\dllnt_dump.dll => moved successfully
C:\Users\penguins\AppData\Local\Temp\sfamcc00001.dll => moved successfully
C:\Users\penguins\AppData\Local\Temp\sfareca00001.dll => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 2439434 B
Java, Flash, Steam htmlcache => 492 B
Windows/system/drivers => 44600869 B
Edge => 0 B
Chrome => 0 B
Firefox => 13081071 B
Opera => 112640 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 101151 B
systemprofile32 => 98996 B
LocalService => 440 B
NetworkService => 7447850 B
bears => 122882382 B
cats => 14573318 B
penguins => 137173378 B

RecycleBin => 25448280 B
EmptyTemp: => 358.9 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:27:53 ====

Edited by bwv848, 06 November 2016 - 06:36 PM.



#4 nasdaq (Malware Response Team)

Posted 07 November 2016 - 09:49 AM



Win32/Poweliks found
[2016.11.03 16:36:38.633] - INFO: process: dllhost.exe, pid 5808, parent 912
[2016.11.03 16:36:38.633] - INFO: Terminated process pid = 5808
[2016.11.03 16:36:38.633] - INFO: process: dllhost.exe, pid 616, parent 912
[2016.11.03 16:36:38.633] - INFO: Terminated process pid = 616


This file is not normally a problem.
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

Let's check the version and the properties.

===

Please run the Farbar Recovery Scan Tool. Enter dllhost.exe in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>


Let's see what we can find in the Registry.

Please run the Farbar Recovery Scan Tool. Enter dllhost.exe in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

Other than this possible false positive, do you have any issues with this computer?

#5 bwv848 (Topic Starter)

Posted 07 November 2016 - 10:35 AM

Hi, nasdaq,

If my understanding is correct, Poweliks is a "fileless" malware that hides in the registry.

I found this article stating how rundll32.exe is executed.


When it infects a system, Poweliks creates a startup registry entry that executes the legitimate rundll32.exe Windows file followed by some encoded JavaScript code. This triggers a process similar in concept to a Matryoshka Russian nesting doll, said Paul Rascagnères, senior threat researcher at G Data, in a blog post.

 


What's so weird is that ESET Poweliks cleaner reported that it found Poweliks on the system again.

 

I tried Symantec's Trojan.Poweliks Removal Tool but that didn't find anything.

 

I am not experiencing any other problems, just perplexed by the situation. :)

 

File search.txt is below:
 

Farbar Recovery Scan Tool (x64) Version: 04-11-2016
Ran by penguins (07-11-2016 10:04:42)
Running from C:\Users\bears\Desktop
Boot Mode: Normal

================== Search Files: "dllhost.exe" =============

C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe
[2009-07-13 18:43][2009-07-13 20:14] 0007168 ____A (Microsoft Corporation) A63DC5C2EA944E6657203E0C8EDEAF61 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhost.exe
[2009-07-13 18:59][2009-07-13 20:39] 0009728 ____A (Microsoft Corporation) A8EDB86FC2A4D6D1285E4C70384AC35A [File is digitally signed]

C:\Windows\SysWOW64\dllhost.exe
[2009-07-13 18:43][2009-07-13 20:14] 0007168 ____A (Microsoft Corporation) A63DC5C2EA944E6657203E0C8EDEAF61 [File is digitally signed]

C:\Windows\System32\dllhost.exe
[2009-07-13 18:59][2009-07-13 20:39] 0009728 ____A (Microsoft Corporation) A8EDB86FC2A4D6D1285E4C70384AC35A [File is digitally signed]

====== End of Search ======

Registry search is below:

Farbar Recovery Scan Tool (x64) Version: 04-11-2016
Ran by penguins (07-11-2016 10:12:57)
Running from C:\Users\bears\Desktop
Boot Mode: Normal

================== Search Registry: "dllhost.exe" ===========

[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d]
"f!dllhost.exe"="0x64006C006C0068006F00730074002E00650078006500"
[HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7]
"f!dllhost.exe"="0x64006C006C0068006F00730074002E00650078006500"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unsecapp.exe:wbemtest.exe:winmgmt.exe:wmic.exe:bfsvc.exe:Twunk_16.exe:Twunk_32.exe:wuauclt.exe:wsqmcons.exe:sapisvr.exe:WinSAT.exe:p2phost.exe:SearchProtocolHost.exe:WerFault.exe:drvinst.exe:ehshell.exe:UI0Detect.exe:ehtray.exe:HelpPane.exe:mrt.exe:SearchFilterHost.exe:mobsync.exe:Narrator.exe:SLUI.exe:taskmgr.exe:PresentationSettings.exe:vds.exe:sdclt.exe:irftp.exe:DFDWiz.exe:SndVol.exe:makecab.exe:msfeedssync.exe:unregmp2.exe:DeviceProperties.exe:rstrui.exe:MdRes.exe:netsh.exe:printui.exe:mcupdate.exe:4mmdat.sys:61883.sys:ACPI.sys:amdk7.sys:amdk8.sys:ASYNCMAC.SYS:atapi.sys:AVC.SYS:cdfs.sys:cdrom.sys:circlass.sys:cmbatt.sys:crusoe.sys:CSC.Sys:dc21x4vm.sys:disk.sys:dot4.sys:dot4usb.sys:drmkaud.sys:ecache.sys:fdc.sys:floppy.sys:hdaudbus.sys:HDAudio.sys:HIDBTH.SYS:HIDIR.SYS:i8042prt.sys:intelppm.sys:irenum.SYS:IRSIR.SYS:kbdclass.sys:kbdhid.sys:LOOP.SYS:mf.sys:monitor.sys:mouclass.sys:mouhid.sys:msisadrv.sys:msiscsi.sys:NDISWAN.SYS:nsiproxy.sys:ohci1394.sys:pci.sys:pciide.sys:powerfil.sys:processr.sys:rasl2tp.sys:raspppoe.sys:RASPPTP.SYS:RDPCDD.SYS:rfcomm.sys:sbp2port.sys:sdbus.sys:serenum.sys:serial.sys:sermouse.sys:sffdisk.sys:sffp_mmc.sys:smbios.sys:swenum.sys:tdx.sys:termdd.sys:tpm.sys:tunmp.sys:tunnel.sys:umbus.sys:update.sys:usb8023.sys:USBAudio.sys:USBCCGP.SYS:usbcir.sys:USBEHCI.sys:usbhub.sys:USBOHCI.sys:usbprint.sys:USBUHCI.sys:viac7.sys:wacompen.sys:wceusbsh.sys:winusb.sys:ws2ifsl.sys:xnacc.sys"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FileAssociation]
"HostApps"="RUNDLL32.EXE;MSHTA.EXE;DLLHOST.EXE;APPLAUNCH.EXE;HH.EXE;WINHLP32.EXE;MMC.EXE;"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
[HKEY_USERS\S-1-5-21-1931112885-1466219482-269765937-1000\Software\BillP Studios\Detected\Services]
"C:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"="09/30/2016 10:46 PM"
[HKEY_USERS\S-1-5-21-1931112885-1466219482-269765937-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList]
"e"="DllHost.exe"
[HKEY_USERS\S-1-5-21-1931112885-1466219482-269765937-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList]
"a"="DllHost.exe"
[HKEY_USERS\S-1-5-21-1931112885-1466219482-269765937-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\OpenWithList]
"g"="DllHost.exe"
[HKEY_USERS\S-1-5-21-1931112885-1466219482-269765937-1034\Software\BillP Studios\Detected\Services]
"C:\windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"="10/01/2016 9:13 AM"

====== End of Search ======


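What the request in #4 ("let's check the version and the properties") boils down to can be scripted. The following is an added example, not code from this thread or from FRST: it parses the "Search Files" output posted above (the four dllhost.exe entries are copied from that post) and compares each live copy in System32 or SysWOW64 with the WinSxS component-store copy of the same architecture, reporting a copy that is unsigned, carries an unexpected company name, or has an MD5 that differs from its WinSxS counterpart. The names FRST_SEARCH_OUTPUT, parse_search_files, arch_of and cross_check are mine. The comparison only shows that the copies on one machine are consistent with each other; it does not establish that any single hash is the vendor's, which needs an external reference.

```python
import re
from collections import defaultdict

# The four entries below are the "Search Files" result lines posted in this
# thread; only the parsing and checking logic is added here.
FRST_SEARCH_OUTPUT = r"""
C:\Windows\winsxs\x86_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_43fa44d954d596e7\dllhost.exe
[2009-07-13 18:43][2009-07-13 20:14] 0007168 ____A (Microsoft Corporation) A63DC5C2EA944E6657203E0C8EDEAF61 [File is digitally signed]

C:\Windows\winsxs\amd64_microsoft-windows-com-surrogate_31bf3856ad364e35_6.1.7600.16385_none_a018e05d0d33081d\dllhost.exe
[2009-07-13 18:59][2009-07-13 20:39] 0009728 ____A (Microsoft Corporation) A8EDB86FC2A4D6D1285E4C70384AC35A [File is digitally signed]

C:\Windows\SysWOW64\dllhost.exe
[2009-07-13 18:43][2009-07-13 20:14] 0007168 ____A (Microsoft Corporation) A63DC5C2EA944E6657203E0C8EDEAF61 [File is digitally signed]

C:\Windows\System32\dllhost.exe
[2009-07-13 18:59][2009-07-13 20:39] 0009728 ____A (Microsoft Corporation) A8EDB86FC2A4D6D1285E4C70384AC35A [File is digitally signed]
"""

# One FRST detail line: [created][modified] size attributes (company) MD5 [signature text]
DETAIL_LINE = re.compile(
    r'^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) (?P<attrs>\S+) '
    r'\((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32}) \[(?P<signature>[^\]]+)\]$')


def parse_search_files(text):
    """Pair each path line with the detail line that follows it.

    Header lines (version, "Running from", separators) never precede a
    detail line, so they are simply overwritten and dropped.
    """
    entries, path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETAIL_LINE.match(line)
        if m and path:
            e = m.groupdict()
            e['path'] = path
            e['size'] = int(e['size'])
            e['md5'] = e['md5'].upper()
            e['signed'] = e['signature'].lower() == 'file is digitally signed'
            entries.append(e)
            path = None
        elif not m:
            path = line
    return entries


def arch_of(path):
    """Map a path to the architecture its copy belongs to (assumed layout)."""
    p = path.lower()
    if '\\syswow64\\' in p or '\\winsxs\\x86_' in p:
        return 'x86'
    if '\\system32\\' in p or '\\winsxs\\amd64_' in p:
        return 'amd64'
    return None


def cross_check(entries):
    """Compare live copies against the WinSxS copies of the same architecture."""
    baseline = defaultdict(set)
    for e in entries:
        if '\\winsxs\\' in e['path'].lower():
            baseline[arch_of(e['path'])].add(e['md5'])
    findings = []
    for e in entries:
        if '\\winsxs\\' in e['path'].lower():
            continue
        if not e['signed']:
            findings.append((e['path'], 'not digitally signed'))
        if e['company'] != 'Microsoft Corporation':
            findings.append((e['path'], 'unexpected company: ' + e['company']))
        arch = arch_of(e['path'])
        # Without a WinSxS copy for this architecture there is nothing to compare.
        if baseline[arch] and e['md5'] not in baseline[arch]:
            findings.append((e['path'], 'MD5 differs from the WinSxS copy'))
    return findings


if __name__ == '__main__':
    for path, reason in cross_check(parse_search_files(FRST_SEARCH_OUTPUT)) or [('-', 'no findings')]:
        print(path, '->', reason)
```

On the output posted above the script reports nothing: both live copies are signed, attributed to Microsoft, and hash-identical to their WinSxS counterparts, which is the same conclusion nasdaq reached by eye.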

#6 bwv848 (Topic Starter)

Posted 07 November 2016 - 11:26 AM

Hello again, nasdaq,

 

I looked in regedit, and these were the "suspicious" keys that ESET found. Please see the photos. :)

 

The only thing that looks funny is the word apartment. But there are A LOT of topics online about this key...

 

https://www.google.com/?gws_rd=ssl#q=HKEY_USERS%5C.DEFAULT%5CSoftware%5CClasses%5CCLSID%5C%7BAB8902B4-09CA-4bb6-B78D-A8F59079A8D5

 

Thank you!


Edited by bwv848, 07 November 2016 - 11:50 AM.


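The persistence mechanism quoted in #5 (a startup registry entry that runs the legitimate rundll32.exe followed by encoded JavaScript) is something a defender can look for in a registry export rather than only through a scanner's verdict. The following is an added example, not code from this thread, from FRST, or from any of the cleaners mentioned: it parses a .reg-style export and flags two patterns under Run/RunOnce keys: a command stored in a value whose name is empty, which is how the entry removed by the first fixlist (HKLM\...\Run: []) appeared, and a rundll32.exe command with a javascript: argument. SAMPLE_REG_EXPORT, parse_reg_export and scan_run_keys are mine; the export is constructed (the GlassWire and Skype lines are made-up benign entries using paths from the firewall-rules list above, and the placeholder string stands in for an encoded script and is not a payload).

```python
import re

# Constructed .reg-style export (not from the logs on this page). Two entries
# are ordinary autostarts; two show the patterns described in the thread.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GlassWire"="\"C:\\Program Files (x86)\\GlassWire\\GlassWire.exe\" -hide"
@="C:\\Users\\bears\\AppData\\Local\\Temp\\constructed_example.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Skype"="\"C:\\Program Files (x86)\\Skype\\Phone\\Skype.exe\" /minimized /regrun"
"Update"="rundll32.exe javascript:\"CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_PAYLOAD\""
'''

KEY_LINE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A value line is either "name"=data or @=data for the key's unnamed default value.
VALUE_LINE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')
AUTOSTART_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)


def _unescape(s):
    """Undo .reg escaping: \\ becomes \ and \" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return a list of {'key', 'name', 'data'} for every value in the export."""
    values, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = m.group('name')
        name = '' if name == '@' else _unescape(name[1:-1])
        data = m.group('data')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])      # REG_SZ; hex:/dword: data is left as-is
        values.append({'key': key, 'name': name, 'data': data})
    return values


def scan_run_keys(text):
    """Flag autostart values matching the patterns discussed in the thread."""
    findings = []
    for v in parse_reg_export(text):
        if not AUTOSTART_KEY.search(v['key']):
            continue
        if v['name'] == '':
            # Autostart entries are normally named values; a command in the
            # unnamed default value is what FRST listed as "Run: []".
            findings.append({**v, 'reason': 'default (unnamed) value holds a command'})
        if re.search(r'\brundll32(\.exe)?\b', v['data'], re.I) and re.search(r'javascript:', v['data'], re.I):
            findings.append({**v, 'reason': 'rundll32.exe followed by javascript:'})
    return findings


if __name__ == '__main__':
    for f in scan_run_keys(SAMPLE_REG_EXPORT):
        print(f['key'], repr(f['name']), '->', f['reason'])
```

On a real machine the export would come from `reg export` of the Run keys for HKLM and each loaded user hive; a hit is a reason to pull the full value for review, not a verdict by itself, since the ESET detection in this thread turned out to need exactly that kind of manual follow-up.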

#7 nasdaq (Malware Response Team)

Posted 08 November 2016 - 09:40 AM


Please run the Farbar Recovery Scan Tool. Enter AB8902B4-09CA-4bb6-B78D-A8F59079A8D5 in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

I should be able to give you a fix once I have reviewed the search.txt file.

#8 bwv848 (Topic Starter)

Posted 08 November 2016 - 09:52 AM

Here you go. :)

 

Thanks much!

Farbar Recovery Scan Tool (x64) Version: 04-11-2016
Ran by penguins (08-11-2016 09:51:02)
Running from C:\Users\bears\Desktop
Boot Mode: Normal

================== Search Registry: "AB8902B4-09CA-4bb6-B78D-A8F59079A8D5" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
"AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
"AppID"="{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}"

====== End of Search ======



#9 nasdaq (Malware Response Team)

Posted 08 November 2016 - 10:37 AM



Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
CloseProcesses:

DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Post the log and let me know if the problem persists.
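As an added example (not part of the thread and not FRST's own code), the PowerShell function below walks the same locations the Search.txt above lists, plus the HKU\.DEFAULT path from the Google link earlier in the thread, exports each key it finds to a .reg backup, and emits one row per registry value so the data can be compared against a clean machine before any DeleteKey line is run. The function name and the backup folder are assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the thread or the FRST author. Run from an elevated
# PowerShell prompt; the function name and backup folder are assumptions.
function Get-ClsidRegistryFootprint {
    param(
        # GUID without braces, as typed into the FRST Search Box.
        [Parameter(Mandatory)][string]$Clsid,
        # Where to drop a .reg copy of each key before anything is deleted.
        [string]$BackupDir = "$env:USERPROFILE\Desktop\clsid-backup"
    )
    # The locations the Search.txt above lists, plus the HKU\.DEFAULT path the
    # topic starter looked up. Wow6432Node is the 32-bit view on a 64-bit system.
    $roots = @(
        'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
        'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKEY_USERS\.DEFAULT\Software\Classes\CLSID'
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($root in $roots) {
        $native = "$root\{$Clsid}"             # form reg.exe expects
        $psPath = "Registry::$native"          # form the PowerShell provider expects
        if (-not (Test-Path -LiteralPath $psPath)) { continue }

        # Keep a copy first: a DeleteKey in fixlist.txt cannot be undone, and the
        # Fixlog shows a second DeleteKey for an already-removed path simply errors.
        $file = Join-Path $BackupDir (($native -replace '[\\:{}]', '_') + '.reg')
        reg.exe export $native $file /y | Out-Null

        # Walk the key and its subkeys (LocalServer32, InprocServer32, ...) and
        # emit one row per value so the data can be reviewed side by side.
        $keys = @(Get-Item -LiteralPath $psPath) + @(Get-ChildItem -LiteralPath $psPath -Recurse)
        foreach ($key in $keys) {
            $names = @($key.GetValueNames())
            if ($names.Count -eq 0) {
                [pscustomobject]@{ Key = $key.Name; Value = '(none)'; Data = $null }
                continue
            }
            foreach ($name in $names) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = $(if ($name -eq '') { '(Default)' } else { $name })
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# The CLSID from this thread; compare the rows against a known-clean system.
Get-ClsidRegistryFootprint -Clsid 'AB8902B4-09CA-4bb6-B78D-A8F59079A8D5' | Format-Table -AutoSize -Wrap
```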

#10 bwv848 (Topic Starter, BSOD Kernel Dump Expert)

Posted 08 November 2016 - 10:53 AM

:)

Fix result of Farbar Recovery Scan Tool (x64) Version: 04-11-2016
Ran by penguins (08-11-2016 10:48:25) Run:2
Running from C:\Users\bears\Desktop
Loaded Profiles: bears & cats & penguins (Available Profiles: bears & cats & penguins)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start


CreateRestorePoint:
CloseProcesses:

DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => could not remove key. ErrorCode: 0xC0000033
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => could not remove key. ErrorCode: 0xC0000033


The system needed a reboot.

==== End of Fixlog 10:49:21 ====



#11 nasdaq (Malware Response Team)

Posted 09 November 2016 - 09:31 AM

Any remaining issues?

#12 bwv848 (Topic Starter, BSOD Kernel Dump Expert)

Posted 09 November 2016 - 10:58 AM

Nope. :) I think it was a false positive in the first place.

 

Thank you very much for your help, nasdaq! I really appreciate it!




#13 nasdaq (Malware Response Team)

Posted 09 November 2016 - 11:05 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#14 bwv848 (Topic Starter, BSOD Kernel Dump Expert)

Posted 09 November 2016 - 11:19 AM

Thanks again! :)

