Email link opened - roguekiller found hj.name


This topic is locked
19 replies to this topic

#1 runclub

  • Members
  • 54 posts
  • OFFLINE
  • Local time:11:21 PM

Posted 10 November 2016 - 04:42 PM

Hello,

We had an email that was sent to us that had a link in it. The email looked suspicious and the link was accidentally clicked on.

I have scanned with a whole variety of software (malware, rootkit scans, rootkit killers, virus); almost all come up clean. But I ran RogueKiller and it found hj.name, which may be a virus. Also, we have disconnected it from our home network, but when I was doing the HouseCall virus scan it was connected to the internet and I received a message on another computer of ours that a TCP/IP port attack was occurring. ESET identified it as being possibly malicious and I blocked it.

I just want to make sure the computer is clean before we go ahead and connect it again.

Thanks

Runclub




#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,740 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:21 AM

Posted 15 November 2016 - 04:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/631943 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 runclub

  • Topic Starter
  • Members
  • 54 posts
  • OFFLINE
  • Local time:11:21 PM

Posted 16 November 2016 - 02:12 PM

Thanks. I do not have a Windows CD/DVD. The computer came with OEM.

I ran RogueKiller and it found hj.name, which may be a virus. Also, we have disconnected it from our home network, but when I was doing the HouseCall virus scan it was connected to the internet and I received a message on another computer of ours that a TCP/IP port attack was occurring. ESET identified it as being possibly malicious and I blocked it.

FRST Log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 16-11-2016
Ran by Lesley (administrator) on L-ALLON13 (16-11-2016 11:08:25)
Running from C:\aaa
Loaded Profiles: Lesley (Available Profiles: Lesley & dxunrrahjx)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(iolo technologies, LLC) C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe
() C:\Program Files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
(Novatel Wireless Inc.) C:\Program Files (x86)\Novatel Wireless\Drivers\NWHelper.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(TOSHIBA Corporation) C:\Program Files\Toshiba\TECO\TecoService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.427\SSScheduler.exe
(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Sync.com Inc.) C:\Program Files (x86)\Sync\sync-taskbar.exe
() C:\Program Files (x86)\Sync\sync-worker.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\Toshiba\widimon\widimon.exe
(Intel Corporation) C:\Windows\System32\igfxext.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe
(Microsoft Corporation.) C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Windows\winsxs\amd64_microsoft-windows-wlan-extension_31bf3856ad364e35_6.1.7600.16385_none_55d820d53d0a8fa3\wlanext.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_23_0_0_207_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11663976 2010-12-09] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [IntelWireless] => C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe [1933584 2010-12-07] (Intel® Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Trend Micro RUBotted V2.0 Beta] => C:\Program Files (x86)\Trend Micro\RUBotted\RUBottedGUI.exe [1102872 2013-07-25] (Trend Micro Inc.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-01-04] (Google Inc.)
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\MountPoints2: {1234a1ab-25de-11e1-9b21-8ca9822dd5b0} - E:\AutoLaunch.exe
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\Control Panel\Desktop\\SCRNSAVE.EXE ->
ShellIconOverlayIdentifiers: [   AAASyncNo] -> {CD0DD5EC-23D2-4AE0-A111-C7B89038E695} => C:\Program Files (x86)\Sync\ASyncOverlay64.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers: [   AAASyncProg] -> {9A1FA446-6778-4A02-883B-3100549CF193} => C:\Program Files (x86)\Sync\ASyncOverlay64.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers: [   AAASyncRoot] -> {B57A832B-F40A-4A9D-A0F5-49E7D17B8EE4} => C:\Program Files (x86)\Sync\ASyncOverlay64.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers: [   AAASyncSkip] -> {AFE40DBB-AB20-4979-B0D2-483B6866C8C9} => C:\Program Files (x86)\Sync\ASyncOverlay64.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers: [   AAASyncYes] -> {9C569020-57C0-4CE0-9605-8AD42F4B1C7F} => C:\Program Files (x86)\Sync\ASyncOverlay64.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [   AAASyncNo] -> {CD0DD5EC-23D2-4AE0-A111-C7B89038E695} => C:\Program Files (x86)\Sync\ASyncOverlay32.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers-x32: [   AAASyncProg] -> {9A1FA446-6778-4A02-883B-3100549CF193} => C:\Program Files (x86)\Sync\ASyncOverlay32.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers-x32: [   AAASyncRoot] -> {B57A832B-F40A-4A9D-A0F5-49E7D17B8EE4} => C:\Program Files (x86)\Sync\ASyncOverlay32.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers-x32: [   AAASyncSkip] -> {AFE40DBB-AB20-4979-B0D2-483B6866C8C9} => C:\Program Files (x86)\Sync\ASyncOverlay32.dll [2016-10-20] (TODO: <Company name>)
ShellIconOverlayIdentifiers-x32: [   AAASyncYes] -> {9C569020-57C0-4CE0-9605-8AD42F4B1C7F} => C:\Program Files (x86)\Sync\ASyncOverlay32.dll [2016-10-20] (TODO: <Company name>)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2016-11-02]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.427\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk [2012-06-05]
ShortcutTarget: vpngui.exe.lnk -> C:\Windows\Installer\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}\Icon09DB8A851.exe ()
Startup: C:\Users\Lesley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sync.LNK [2016-10-26]
ShortcutTarget: Sync.LNK -> C:\Program Files (x86)\Sync\sync-taskbar.exe (Sync.com Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: 0.0.0.1 mssplus.mcafee.com
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{1F475802-1616-446B-A4EC-F5820A2A2671}: [DhcpNameServer] 184.151.118.254
Tcpip\..\Interfaces\{5E1657D1-F4D4-4CC0-88EA-8FB7E44F5DE9}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{E2234C5B-8830-49D5-84E3-7C7A39633534}: [DhcpNameServer] 70.28.245.255 204.101.237.136
Tcpip\..\Interfaces\{F22F7CAB-4CE7-4574-BD25-90AADB2B5830}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ca/
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKLM -> DefaultScope {FADE6F64-1A4B-43F9-9C13-807C38AC1E01} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {FADE6F64-1A4B-43F9-9C13-807C38AC1E01} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKLM-x32 -> DefaultScope {ACE676A2-DEB9-4FE5-AAD4-E7D20A291A17} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKLM-x32 -> {ACE676A2-DEB9-4FE5-AAD4-E7D20A291A17} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF
SearchScopes: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> DefaultScope {D3A36BAC-30AD-4AA5-B21B-2E1F60A6FE7F} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF_en
SearchScopes: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> {6945FE14-5F76-4F81-AB72-932CB703E826} URL =
SearchScopes: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> {D3A36BAC-30AD-4AA5-B21B-2E1F60A6FE7F} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNF_en
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2013-06-22] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-22] (Google Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-12-18] (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BingExt.dll [2012-02-13] (Microsoft Corporation.)
BHO-x32: TOSHIBA Media Controller Plug-in -> {F3C88694-EFFA-4d78-B409-54B7B2535B14} -> C:\Program Files (x86)\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll [2010-11-09] (<TOSHIBA>)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-12-18] (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-22] (Google Inc.)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2012-12-18] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\BingExt.dll [2012-02-13] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-22] (Google Inc.)
Toolbar: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {86A88967-7A20-11D2-8EDA-00600818EDB1} hxxp://www.closetcad.net/cortona/cortvrml42.cab
DPF: HKLM-x32 {CC679CB8-DC4B-458B-B817-D447B3B6AC31} hxxps://96.49.128.100:8446/CACHE/stc/1/binaries/vpnweb.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP28-11263/webex/ieatgpc1.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FireFox:
========
FF ProfilePath: C:\Users\Lesley\AppData\Roaming\Mozilla\Firefox\Profiles\mqqf0ujn.default [2016-11-16]
FF Homepage: Mozilla\Firefox\Profiles\mqqf0ujn.default -> google.ca
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\windows\system32\Macromed\Flash\NPSWF64_23_0_0_207.dll [2016-11-08] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_207.dll [2016-11-08] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\windows\SysWOW64\npDeployJava1.dll [2013-06-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.25.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2013-06-22] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-04] (VideoLAN)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll [2013-02-15] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2011-09-05] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3650914020-3955857237-3003940392-1000: @nsroblox.roblox.com/launcher -> C:\Users\Lesley\AppData\Local\Roblox\Versions\version-fe88b67aa44a44d9\\NPRobloxProxy.dll [2012-12-31] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-3650914020-3955857237-3003940392-1000: @nsroblox.roblox.com/launcher64 -> C:\Users\Lesley\AppData\Local\Roblox\Versions\version-fe88b67aa44a44d9\\NPRobloxProxy64.dll [2012-12-31] ( ROBLOX Corporation)
FF Plugin ProgramFiles/Appdata: C:\Users\Lesley\AppData\Roaming\mozilla\plugins\npatgpc.dll [2012-04-02] (Cisco WebEx LLC)

Chrome:
=======
CHR DefaultProfile: Default
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (ActiveTouch General Plugin Container) - C:\Users\Lesley\AppData\Roaming\Mozilla\plugins\npatgpc.dll (Cisco WebEx LLC)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 6 U31) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Windows Live Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
CHR Profile: C:\Users\Lesley\AppData\Local\Google\Chrome\User Data\Default [2016-11-16]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Lesley\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-28]
CHR Extension: (Chrome Media Router) - C:\Users\Lesley\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-25]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2016-05-16] (SUPERAntiSpyware.com)
S4 BellCanadaRcAppSvc; C:\Program Files (x86)\Bell\Mobile Connect\RcAppSvc.exe [120344 2011-05-31] (SmithMicro Inc.)
S4 CABellCanada; C:\Program Files (x86)\Bell\Mobile Connect\ConAppsSvc.exe [124440 2011-05-31] (SmithMicro Inc.)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2011-11-15] (Macrovision Europe Ltd.) [File not signed]
R2 ioloSystemService; C:\Program Files (x86)\iolo\Common\Lib\ioloServiceManager.exe [1072664 2013-05-29] (iolo technologies, LLC)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.427\McCHSvc.exe [329480 2016-10-13] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [340240 2010-12-07] ()
R2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\SymcPCCULaunchSvc.exe [135608 2011-12-07] (Symantec Corporation)
R2 NvtlService; C:\Program Files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe [92504 2011-02-18] ()
R2 NWHelper; C:\Program Files (x86)\Novatel Wireless\Drivers\NWHelper.exe [270336 2010-10-07] (Novatel Wireless Inc.) [File not signed]
R2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.6.22\ccSvcHst.exe [126392 2009-08-24] (Symantec Corporation)
S4 ProfileImpSvc; C:\Program Files (x86)\Bell\Mobile Connect\ProfileImpSvc.exe [169496 2011-05-31] (SmithMicro Inc.)
S4 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [118520 2013-02-28] (Riverbed Technology, Inc.)
R2 RUBotSrv; C:\Program Files (x86)\Trend Micro\RUBotted\RUBotSrv.exe [443416 2013-07-25] (Trend Micro Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
S2 ZAMSvc; "C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe" /service [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 CVPNDRVA; C:\windows\system32\Drivers\CVPNDRVA.sys [306536 2011-03-04] ()
S3 ebdrv; C:\windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 ElRawDisk; C:\windows\system32\drivers\ElRawDsk.sys [31432 2012-04-17] (EldoS Corporation)
U4 EpfwLWF; C:\windows\System32\DRIVERS\EpfwLWF.sys [44120 2013-09-17] (ESET)
U5 ew_hwusbdev; C:\Windows\System32\Drivers\ew_hwusbdev.sys [117248 2011-05-24] (Huawei Technologies Co., Ltd.)
R2 NPF; C:\windows\System32\drivers\npf.sys [36600 2013-02-28] (Riverbed Technology, Inc.)
S3 NWRmNet; C:\windows\System32\DRIVERS\NWRmNet.sys [295424 2010-10-27] (Novatel Wireless Inc.)
S3 PCTINDIS5X64; C:\windows\system32\PCTINDIS5X64.SYS [43032 2010-08-05] (Smith Micro Inc.)
S3 RimUsb; C:\windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R4 eamonm; system32\DRIVERS\eamonm.sys [X]
R4 ehdrv; system32\DRIVERS\ehdrv.sys [X]
R4 epfw; system32\DRIVERS\epfw.sys [X]
S1 ZAM; \??\C:\windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\windows\System32\drivers\zamguard64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-16 11:08 - 2016-11-16 11:08 - 00000000 ____D C:\FRST
2016-11-16 11:07 - 2016-11-16 11:08 - 00000000 ____D C:\aaa
2016-11-16 08:34 - 2016-11-16 08:34 - 00524211 _____ C:\Users\Lesley\Downloads\Womens+PJ-Lounge+pants+pattern+xxs-xxl+from+Nap-Time+Creations.pdf
2016-11-10 11:14 - 2016-11-10 11:24 - 00218834 _____ C:\TDSSKiller.3.1.0.12_10.11.2016_11.14.17_log.txt
2016-11-10 10:55 - 2016-11-10 10:55 - 00002952 _____ C:\Users\Lesley\Desktop\JRT.txt
2016-11-10 10:00 - 2016-11-10 12:03 - 00028272 _____ C:\windows\system32\Drivers\TrueSight.sys
2016-11-10 10:00 - 2016-11-10 10:00 - 00000869 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-11-10 10:00 - 2016-11-10 10:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-11-10 10:00 - 2016-11-10 10:00 - 00000000 ____D C:\Program Files\RogueKiller
2016-11-10 09:59 - 2016-11-10 13:35 - 00000000 ____D C:\ProgramData\RogueKiller
2016-11-09 14:24 - 2016-11-09 14:24 - 00895574 _____ C:\Users\Lesley\AppData\Local\census.cache
2016-11-09 14:22 - 2016-11-09 14:22 - 01075827 _____ C:\Users\Lesley\AppData\Local\ars.cache
2016-11-09 14:04 - 2016-11-09 14:33 - 00429252 _____ C:\TDSSKiller.3.1.0.12_09.11.2016_14.04.22_log.txt
2016-11-09 14:02 - 2016-11-09 14:02 - 00000000 ____D C:\ProgramData\Trend Micro
2016-11-09 14:01 - 2016-11-09 14:01 - 00000000 ____D C:\windows\Trend Micro
2016-11-09 13:04 - 2016-11-09 13:04 - 00000036 _____ C:\Users\Lesley\AppData\Local\housecall.guid.cache
2016-11-09 13:04 - 2016-08-22 11:20 - 00332512 _____ (Trend Micro Inc.) C:\windows\system32\Drivers\tmcomm.sys
2016-11-09 11:01 - 2016-11-09 11:35 - 00000000 ____D C:\Users\Lesley\Desktop\mbar
2016-11-09 11:01 - 2016-11-09 11:01 - 00001788 _____ C:\Users\Lesley\Desktop\Rkill.txt
2016-11-02 09:31 - 2016-11-02 09:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
2016-10-27 07:59 - 2016-10-27 07:59 - 00000000 _____ C:\Users\Lesley\Desktop\New Bitmap Image.bmp
2016-10-26 10:44 - 2016-10-26 10:44 - 03918472 _____ C:\Users\Lesley\Downloads\sync-installer (1).exe
2016-10-26 10:43 - 2016-10-26 10:43 - 00000000 ____D C:\Users\Lesley\Documents\Sync
2016-10-26 10:30 - 2016-11-16 11:07 - 00000000 ____D C:\Users\Lesley\AppData\Local\Sync.Logs
2016-10-26 10:30 - 2016-10-26 10:43 - 00000000 ____D C:\Users\Lesley\AppData\Local\Sync.Config
2016-10-26 10:30 - 2016-10-26 10:30 - 00000000 ____D C:\ProgramData\Sync
2016-10-26 10:30 - 2016-10-26 10:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sync
2016-10-26 10:30 - 2016-10-26 10:30 - 00000000 ____D C:\Program Files (x86)\Sync
2016-10-26 10:29 - 2016-10-26 10:29 - 11743232 _____ C:\Users\Lesley\AppData\Local\Sync-1477506546.msi
2016-10-26 10:24 - 2016-10-26 10:24 - 03918472 _____ C:\Users\Lesley\Downloads\sync-installer.exe
2016-10-25 11:25 - 2016-10-25 11:25 - 00243407 _____ C:\Users\Lesley\Downloads\PDF_528121620_2_2016-10-09_0000000000.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-11-16 10:56 - 2015-12-03 11:45 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d12e0322fb5505.job
2016-11-16 10:54 - 2011-03-29 00:16 - 00000000 ____D C:\Users\Lesley\Documents\Outlook Files
2016-11-16 10:53 - 2009-07-13 21:13 - 00788704 _____ C:\windows\system32\PerfStringBackup.INI
2016-11-16 10:53 - 2009-07-13 19:20 - 00000000 ____D C:\windows\inf
2016-11-16 10:50 - 2015-09-16 08:45 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0f09ff46f62e.job
2016-11-16 10:50 - 2015-08-29 02:39 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0e247d734538.job
2016-11-16 10:44 - 2015-07-15 14:33 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0bf4e44e76f8e.job
2016-11-16 10:38 - 2016-02-01 16:51 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d15d53e1629406.job
2016-11-16 10:38 - 2015-05-15 12:33 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d08f4e6f9d5e0d.job
2016-11-16 10:38 - 2015-02-03 19:27 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0402a73c96ae7.job
2016-11-16 10:37 - 2016-05-10 14:33 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1d1ab0c71464b5.job
2016-11-16 10:37 - 2015-12-03 11:45 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1d12e03222c3d4d.job
2016-11-16 10:32 - 2014-06-19 19:31 - 00000898 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA1cf8c382c9411b0.job
2016-11-16 10:31 - 2012-04-04 21:21 - 00000830 _____ C:\windows\Tasks\Adobe Flash Player Updater.job
2016-11-16 09:50 - 2015-08-29 02:39 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1d0e247ccf0645.job
2016-11-16 03:44 - 2015-07-15 14:33 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1d0bf4e4439ab1a.job
2016-11-15 21:30 - 2009-07-13 20:45 - 00015792 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-11-15 21:30 - 2009-07-13 20:45 - 00015792 ____H C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-11-15 15:38 - 2015-05-15 12:33 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1d08f4e6efa191e.job
2016-11-15 13:38 - 2014-02-16 21:14 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1cf2b9f2e26c015.job
2016-11-15 11:50 - 2015-09-16 08:45 - 00000894 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore1d0f09fec40a7f.job
2016-11-15 01:59 - 2014-09-14 08:35 - 00002194 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-11-15 01:59 - 2011-01-04 19:12 - 00002206 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-14 11:02 - 2009-07-13 21:08 - 00000006 ____H C:\windows\Tasks\SA.DAT
2016-11-10 11:24 - 2016-05-15 19:39 - 00192216 _____ (Malwarebytes) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2016-11-10 10:50 - 2016-05-15 19:41 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-11-10 10:08 - 2016-05-15 19:41 - 00045664 _____ C:\windows\ZAM_Guard.krnl.trace
2016-11-09 13:00 - 2016-05-15 19:41 - 00007543 _____ C:\windows\ZAM.krnl.trace
2016-11-09 12:56 - 2016-05-15 21:07 - 00000000 ____D C:\AdwCleaner
2016-11-09 11:40 - 2015-07-26 20:10 - 00687140 _____ C:\windows\ntbtlog.txt
2016-11-09 11:35 - 2013-11-11 22:28 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2016-11-09 11:02 - 2013-11-11 22:28 - 00109272 _____ (Malwarebytes) C:\windows\system32\Drivers\mbamchameleon.sys
2016-11-09 10:14 - 2011-05-03 10:22 - 00000000 ____D C:\Users\Lesley\AppData\Local\Google
2016-11-08 13:31 - 2012-04-04 21:31 - 00000000 ____D C:\windows\system32\Macromed
2016-11-08 13:31 - 2012-04-04 21:21 - 00796352 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2016-11-08 13:31 - 2012-04-04 21:21 - 00003768 _____ C:\windows\System32\Tasks\Adobe Flash Player Updater
2016-11-08 13:31 - 2011-06-29 09:24 - 00142528 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-11-08 13:31 - 2011-01-04 19:05 - 00000000 ____D C:\windows\SysWOW64\Macromed
2016-11-08 10:31 - 2015-09-21 01:59 - 00003348 _____ C:\windows\System32\Tasks\ESET Windows 10 upgrade – Refresh settings
2016-11-07 11:01 - 2011-05-03 09:45 - 00000000 ____D C:\Users\Lesley\AppData\Local\CrashDumps
2016-11-02 09:31 - 2016-04-01 15:21 - 00001975 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2016-11-02 09:31 - 2015-11-18 10:30 - 00000000 ____D C:\Program Files\McAfee Security Scan

==================== Files in the root of some directories =======

2016-11-09 14:22 - 2016-11-09 14:22 - 1075827 _____ () C:\Users\Lesley\AppData\Local\ars.cache
2016-11-09 14:24 - 2016-11-09 14:24 - 0895574 _____ () C:\Users\Lesley\AppData\Local\census.cache
2016-11-09 13:04 - 2016-11-09 13:04 - 0000036 _____ () C:\Users\Lesley\AppData\Local\housecall.guid.cache
2011-10-04 15:56 - 2011-10-04 15:56 - 0001565 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20111004.165603.txt
2012-03-09 21:07 - 2012-03-09 21:07 - 0001567 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120309.210751.txt
2012-03-09 21:08 - 2012-03-09 21:08 - 0001567 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120309.210837.txt
2012-03-09 21:12 - 2012-03-09 21:12 - 0001541 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120309.211218.txt
2012-03-09 21:13 - 2012-03-09 21:13 - 0001544 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120309.211331.txt
2012-03-09 21:13 - 2012-03-09 21:14 - 0001544 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120309.211358.txt
2012-03-09 21:14 - 2012-03-09 21:14 - 0001542 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120309.211420.txt
2012-04-16 20:46 - 2012-04-16 20:46 - 0001567 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120416.214607.txt
2012-04-16 20:46 - 2012-04-16 20:46 - 0001565 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120416.214641.txt
2012-06-02 19:15 - 2012-06-02 19:15 - 0001542 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20120602.201532.txt
2012-11-02 18:56 - 2012-11-02 18:56 - 0001543 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20121102.195627.txt
2012-11-02 18:56 - 2012-11-02 18:56 - 0001542 _____ () C:\Users\Lesley\AppData\Local\PDLSetup.20121102.195643.txt
2011-09-12 12:57 - 2011-09-12 12:57 - 0000600 _____ () C:\Users\Lesley\AppData\Local\PUTTY.RND
2012-04-23 06:13 - 2013-12-18 06:48 - 0007604 _____ () C:\Users\Lesley\AppData\Local\resmon.resmoncfg
2016-10-26 10:29 - 2016-10-26 10:29 - 11743232 _____ () C:\Users\Lesley\AppData\Local\Sync-1477506546.msi
2016-10-26 10:29 - 2016-10-26 10:30 - 0208026 _____ () C:\Users\Lesley\AppData\Local\Sync-1477506546.msi.log

Some files in TEMP:
====================
C:\Users\Lesley\AppData\Local\Temp\DefaultPack.EXE
C:\Users\Lesley\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Lesley\AppData\Local\Temp\libeay32.dll
C:\Users\Lesley\AppData\Local\Temp\msvcr120.dll
C:\Users\Lesley\AppData\Local\Temp\sqlite3.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\windows\system32\winlogon.exe => File is digitally signed
C:\windows\system32\wininit.exe => File is digitally signed
C:\windows\SysWOW64\wininit.exe => File is digitally signed
C:\windows\explorer.exe => File is digitally signed
C:\windows\SysWOW64\explorer.exe => File is digitally signed
C:\windows\system32\svchost.exe => File is digitally signed
C:\windows\SysWOW64\svchost.exe => File is digitally signed
C:\windows\system32\services.exe => File is digitally signed
C:\windows\system32\User32.dll => File is digitally signed
C:\windows\SysWOW64\User32.dll => File is digitally signed
C:\windows\system32\userinit.exe => File is digitally signed
C:\windows\SysWOW64\userinit.exe => File is digitally signed
C:\windows\system32\rpcss.dll => File is digitally signed
C:\windows\system32\dnsapi.dll => File is digitally signed
C:\windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-11-10 11:12

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 16-11-2016
Ran by Lesley (16-11-2016 11:09:20)
Running from C:\aaa
Windows 7 Home Premium Service Pack 1 (X64) (2011-05-03 16:38:44)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3650914020-3955857237-3003940392-500 - Administrator - Disabled)
dxunrrahjx (S-1-5-21-3650914020-3955857237-3003940392-1007 - Limited - Enabled) => C:\Users\dxunrrahjx
Guest (S-1-5-21-3650914020-3955857237-3003940392-501 - Limited - Disabled)
jlskngfbnu (S-1-5-21-3650914020-3955857237-3003940392-1008 - Limited - Disabled)
Lesley (S-1-5-21-3650914020-3955857237-3003940392-1000 - Administrator - Enabled) => C:\Users\Lesley

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

20419332_MUU_U998D_BELL_FW2.15_BMC_PRI (HKLM-x32\...\20419332_MUU_U998D_BELL_FW2.15_BMC_PRI) (Version:  - )
9: The Dark Side (HKLM-x32\...\BFG-9 - The Dark Side) (Version:  - )
9: The Dark Side Of Notre Dame Collector's Edition (HKLM-x32\...\BFG-9 - The Dark Side Of Notre Dame Collector's Edition) (Version:  - )
AceMoney (HKLM-x32\...\AceMoney_is1) (Version:  - MechCAD Software)
Adobe Acrobat  9 Standard (HKLM-x32\...\{AC76BA86-1033-0000-BA7E-000000000004}{AC76BA86-1033-0000-BA7E-000000000004}) (Version: 9.5.4 - Adobe Systems)
Adobe Acrobat 9.5.4 - CPSID_83708 (HKLM-x32\...\{AC76BA86-1033-0000-BA7E-000000000004}_954) (Version:  - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.7.1.19610 - Adobe Systems Incorporated)
Adobe Digital Editions (HKLM-x32\...\Digital Editions) (Version:  - )
Adobe Flash Player 23 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Flash Player 23 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 23.0.0.207 - Adobe Systems Incorporated)
Adobe Reader X (10.1.1) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.1 - Adobe Systems Incorporated)
Amazon Links (HKLM-x32\...\{3135D885-9D9A-4B4D-8D45-9DB05DA115CA}) (Version: 2.02 - TOSHIBA Corporation)
Applied Clinical Trials - August 2011 (x32 Version: 1.0.7 - Nxtbook Media, LLC) Hidden
Awakening: Moonfell Wood (HKLM-x32\...\BFG-Awakening - Moonfell Wood) (Version:  - )
Awakening: The Dreamless Castle (HKLM-x32\...\BFG-Awakening - The Dreamless Castle) (Version:  - )
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Big Fish: Game Manager (HKLM-x32\...\BFGC) (Version: 3.3.0.2 - )
Bing Bar (HKLM-x32\...\{16793295-2366-40F7-A045-A3E42A81365E}) (Version: 7.1.362.0 - Microsoft Corporation)
Cake Mania - Lights, Camera, Action!™ (x32 Version: 2.2.0.95 - WildTangent) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 4.07 - Piriform)
Chicken Invaders 4: Ultimate Omelette (HKLM-x32\...\BFG-Chicken Invaders 4 - Ultimate Omelette) (Version:  - )
Christmas Stories: Nutcracker Collector's Edition (HKLM-x32\...\BFG-Christmas Stories - Nutcracker Collector's Edition) (Version:  - )
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cisco AnyConnect Secure Mobility Client  (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.0.4235 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (x32 Version: 3.0.4235 - Cisco Systems, Inc.) Hidden
Cisco DART (HKLM-x32\...\{A39CDBD7-E9F4-4F2B-A7AB-7878E3A97BE3}) (Version: 2.5.0 - Cisco Systems, Inc.)
Cisco Systems VPN Client 5.0.07.0440 (HKLM\...\{5FDC06BF-3D3D-4367-8FFB-4FAFCB61972D}) (Version: 5.0.7 - Cisco Systems, Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dark Parables: Curse of Briar Rose Collector's Edition (HKLM-x32\...\BFG-Dark Parables - Curse of Briar Rose Collector's Edition) (Version:  - )
Dark Parables: Rise of the Snow Queen (HKLM-x32\...\BFG-Dark Parables - Rise of the Snow Queen) (Version:  - )
Dark Parables: The Little Mermaid and the Purple Tide Collector's Edition (HKLM-x32\...\BFG-Dark Parables - The Little Mermaid and the Purple Tide Collectors Edition) (Version:  - )
Dark Parables: The Red Riding Hood Sisters (HKLM-x32\...\BFG-Dark Parables - The Red Riding Hood Sisters) (Version:  - )
Detective Quest: The Crystal Slipper Collector's Edition (HKLM-x32\...\BFG-Detective Quest - The Crystal Slipper Collector's Edition) (Version:  - )
Echoes of the Past: The Revenge of the Witch Collector's Edition (HKLM-x32\...\BFG-Echoes of the Past - The Revenge of the Witch Collector's Edition) (Version:  - )
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Eternal Journey: New Atlantis (HKLM-x32\...\BFG-Eternal Journey - New Atlantis) (Version:  - )
FATE - The Traitor Soul (x32 Version: 2.2.0.95 - WildTangent) Hidden
Gardenscapes: Mansion Makeover™ (HKLM-x32\...\BFG-Gardenscapes - Mansion Makeover) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 54.0.2840.99 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7619.1252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.31.5 - Google Inc.) Hidden
GoToMeeting 5.1.0.880 (HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\GoToMeeting) (Version: 5.1.0.880 - CitrixOnline)
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Grim Tales: Bloody Mary Collector's Edition (HKLM-x32\...\BFG-Grim Tales - Bloody Mary Collectors Edition) (Version:  - )
Grim Tales: The Bride Collector's Edition (HKLM-x32\...\BFG-Grim Tales - The Bride Collector's Edition) (Version:  - )
Hidden Expedition: Smithsonian Castle Collector's Edition (HKLM-x32\...\BFG-Hidden Expedition - Smithsonian Castle Collector's Edition) (Version:  - )
InstallVC90Support (x32 Version: 1.01.0000 - Novatel Wireless) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2291 - Intel Corporation)
Intel® PROSet/Wireless WiFi Software (HKLM\...\{290D4DB2-F1B4-4B8E-918D-D71EF29A001B}) (Version: 14.00.1000 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
Intel® Wireless Display (HKLM-x32\...\{626663EE-B9E6-4982-995F-02C31E84F8FC}) (Version: 2.0.29.0 - Intel Corporation)
iolo technologies' System Mechanic (HKLM-x32\...\{55FD1D5A-7AEF-4DA3-8FAF-A71B2A52FFC7}_is1) (Version: 11.7.1 - iolo technologies, LLC)
Java 7 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.250 - Oracle)
Java™ 6 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216031FF}) (Version: 6.0.310 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Jewel Quest - Heritage (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Living Legends - Wrath of the Beast Collector's Edition (HKLM-x32\...\BFG-Living Legends - Wrath of the Beast Collectors Edition) (Version:  - )
Lost Lands: The Four Horsemen Collector's Edition (HKLM-x32\...\BFG-Lost Lands - The Four Horsemen Collectors Edition) (Version:  - )
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Mayan Prophecies: Ship of Spirits (HKLM-x32\...\BFG-Mayan Prophecies - Ship of Spirits) (Version:  - )
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.427.2 - McAfee, Inc.)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Home and Business 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Project Standard 2003 (HKLM-x32\...\{903A0409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{2C303EE0-A595-3543-A71A-931C7AC40EDE}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x64) ENU  (HKLM\...\{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x64) ENU  (HKLM\...\{03AC245F-4C64-425C-89CF-7783C1D3AB2C}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570 (HKLM\...\{8338783A-0968-3B85-AFC7-BAAE0A63DC50}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Mobile Broadband Generic Drivers (HKLM-x32\...\{333494BF-7B36-4681-896A-C7AB23D31E17}) (Version: 2.03.25.001.11 - Novatel Wireless)
Mobile Connect (HKLM\...\{B12E09C4-C55E-48BD-9732-C68AB92DE847}) (Version: 4.02.0031.0 - Smith Micro)
Mozilla Firefox 11.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 11.0 (x86 en-US)) (Version: 11.0 - Mozilla)
Mystery Case Files ®: 13th Skull ™ Collector's Edition (HKLM-x32\...\BFG-Mystery Case Files - 13th Skull Collector's Edition) (Version:  - )
Mystery P.I. - The London Caper (x32 Version: 2.2.0.95 - WildTangent) Hidden
Mystery Stories: Mountains of Madness (HKLM-x32\...\BFG-Mystery Stories - Mountains of Madness) (Version:  - )
Mystery Trackers: Black Isle Collector's Edition (HKLM-x32\...\BFG-Mystery Trackers - Black Isle Collector's Edition) (Version:  - )
Mystery Trackers: Raincliff Collector's Edition (HKLM-x32\...\BFG-Mystery Trackers - Raincliff Collector's Edition) (Version:  - )
NVIDIA GAME System Software 2.8.1 (HKLM-x32\...\{4F0C7CCF-5666-474B-B02E-AC514A95EC93}) (Version: 2.8.1 - NVIDIA Corporation)
NVIDIA PhysX (HKLM-x32\...\{64467D47-FFE4-4FBC-ABBA-A0DB829A17EB}) (Version: 9.12.0613 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
OverDrive Media Console (HKLM-x32\...\{D647F06F-2908-487E-9CDA-DE52148CBF49}) (Version: 3.2.10 - OverDrive, Inc.)
Phantasmat: Behind the Mask Collector's Edition (HKLM-x32\...\BFG-Phantasmat - Behind the Mask Collectors Edition) (Version:  - )
PL-2303 USB-to-Serial (HKLM-x32\...\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}) (Version: 1.3.0 - Prolific Technology INC)
PlanetSide 2 (HKLM-x32\...\Steam App 218230) (Version:  - Daybreak Games)
PlanetSide 2 (HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\DG0-PlanetSide 2) (Version:  - Sony Online Entertainment)
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Polar Bowler (x32 Version: 2.2.0.95 - WildTangent) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6265 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.30.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.30.0 - Renesas Electronics Corporation) Hidden
RICOH Media Driver v2.11.17.02 (HKLM-x32\...\{FE041B02-234C-4AAA-9511-80DF6482A458}) (Version: 2.11.17.02 - RICOH)
Ride! (HKLM-x32\...\BFG-Ride!) (Version:  - )
ROBLOX Player for Lesley (HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version:  - ROBLOX Corporation)
ROBLOX Studio for Lesley (HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\{2922D6F1-2865-4EFA-97A9-94EEAB3AFA14}) (Version:  - ROBLOX Corporation)
RogueKiller version 12.8.0.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.8.0.0 - Adlice Software)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Sherlock Holmes: The Awakened (HKLM-x32\...\BFG-Sherlock Holmes - The Awakened) (Version:  - )
Skype Launcher (HKLM-x32\...\{DA84ECBF-4B79-47F2-B34C-95C38484C058}) (Version: 2.01 - TOSHIBA Corporation)
Skype™ 7.13 (HKLM-x32\...\{6A0549A9-1B96-498C-ACBC-3943001FEB19}) (Version: 7.13.101 - Skype Technologies S.A.)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Spirits of Mystery: Song of the Phoenix Collector's Edition (HKLM-x32\...\BFG-Spirits of Mystery - Song of the Phoenix Collector's Edition) (Version:  - )
Star Stable (HKLM-x32\...\{2B03B553-4983-4005-99C4-31DFC25B4BB9}) (Version: 1.00.0000 - Star Stable Entertainment AB)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.0.1146 - SUPERAntiSpyware.com)
Surface: Mystery of Another World (HKLM-x32\...\BFG-Surface - Mystery of Another World) (Version:  - )
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.2.11.1 - Synaptics Incorporated)
Sync (HKLM-x32\...\{96855E80-23DA-11E2-BDFB-09006188709B}) (Version: 1.1.9.1134 - Sync)
SyncToy 2.1 (x64) (HKLM\...\{88DAAF05-5A72-46D2-A7C5-C3759697E943}) (Version: 2.1.0 - Microsoft)
Terraria (HKLM-x32\...\Steam App 105600) (Version:  - Re-Logic)
Tom Clancy's Ghost Recon Phantoms - NA (HKLM-x32\...\Steam App 243870) (Version:  - Ubisoft Singapore)
Toshiba App Place (HKLM-x32\...\{ED3CBA78-488F-4E8C-B33F-8E3BF4DDB4D2}) (Version: 1.0.6.3 - Toshiba)
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.1 - TOSHIBA)
TOSHIBA Assist (HKLM-x32\...\{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}) (Version: 4.01.00 - TOSHIBA CORPORATION)
Toshiba Book Place (HKLM-x32\...\{C31337DE-0CDC-45A9-9A32-F099AC78D557}) (Version: 2.1.5889 - K-NFB Reading Technology, Inc.)
TOSHIBA Bulletin Board (HKLM-x32\...\InstallShield_{229C190B-7690-40B7-8680-42530179F3E9}) (Version: 2.0.16.64 - TOSHIBA Corporation)
TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.1.0.4 for x64 - TOSHIBA Corporation)
TOSHIBA eco Utility (HKLM-x32\...\InstallShield_{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}) (Version: 1.2.21.64 - TOSHIBA Corporation)
TOSHIBA Face Recognition (HKLM-x32\...\InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}) (Version: 3.1.3.64 - TOSHIBA Corporation)
TOSHIBA HDD Protection (HKLM\...\{94A90C69-71C1-470A-88F5-AA47ECC96B40}) (Version: 2.2.0.8 - TOSHIBA Corporation)
TOSHIBA HDD/SSD Alert (HKLM-x32\...\InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}) (Version: 3.1.64.6 - TOSHIBA Corporation)
Toshiba Laptop Checkup (HKLM-x32\...\NortonPCCheckup) (Version: 2.0.6.22 - Symantec Corporation)
TOSHIBA Media Controller (HKLM-x32\...\{C7A4F26F-F9B0-41B2-8659-99181108CDE3}) (Version: 1.0.85.4 - TOSHIBA CORPORATION)
TOSHIBA Media Controller Plug-in (HKLM-x32\...\{F26FDF57-483E-42C8-A9C9-EEE1EDB256E0}) (Version: 1.0.5.13 - TOSHIBA CORPORATION)
Toshiba Online Backup (HKLM-x32\...\{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}) (Version: 2.0.0.25 - Toshiba)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.7.3.64 - TOSHIBA Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.3 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.1.0.5 for x64 - TOSHIBA Corporation)
TOSHIBA ReelTime (HKLM-x32\...\InstallShield_{24811C12-F4A9-4D0F-8494-A7B8FE46123C}) (Version: 1.7.16.64 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM-x32\...\{AC6569FA-6919-442A-8552-073BE69E247A}) (Version: 2.1.51 - TOSHIBA)
TOSHIBA Sleep Utility (HKLM-x32\...\{654F7484-88C5-46DC-AB32-C66BCB0E2102}) (Version: 1.4.1.7 - TOSHIBA Corporation)
TOSHIBA Speech System Applications (HKLM-x32\...\{EE033C1F-443E-41EC-A0E2-559B539A4E4D}) (Version: 1.00.2518 - )
TOSHIBA Speech System SR Engine(U.S.) Version1.0 (HKLM-x32\...\{008D69EB-70FF-46AB-9C75-924620DF191A}) (Version:  - )
TOSHIBA Speech System TTS Engine(U.S.) Version1.0 (HKLM-x32\...\{3FBF6F99-8EC6-41B4-8527-0A32241B5496}) (Version:  - )
TOSHIBA Value Added Package (HKLM-x32\...\InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}) (Version: 1.5.10.64 - TOSHIBA Corporation)
TOSHIBA VIDEO PLAYER (HKLM-x32\...\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}) (Version: 4.00.4.12-A - TOSHIBA Corporation)
TOSHIBA Web Camera Application (HKLM-x32\...\InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}) (Version: 1.1.5.7 - TOSHIBA Corporation)
TOSHIBA Wireless Display Monitor (HKLM-x32\...\{617773AE-ADBA-4479-BB04-65FE7758B35C}) (Version: 1.0.1 - TOSHIBA CORPORATION)
ToshibaRegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.0.4 - Toshiba)
Trend Micro RUBotted 2.0 Beta (HKLM-x32\...\{54D4EAF5-4C80-4878-B4AC-5AE454A02E3C}_is1) (Version: 2.0.0.1034 - Trend Micro, Inc.)
Unsolved Mystery Club ®: Ancient Astronauts ® (HKLM-x32\...\BFG-Unsolved Mystery Club - Ancient Astronauts) (Version:  - )
Virtual Families (HKLM-x32\...\BFG-Virtual Families) (Version:  - )
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
War Thunder (HKLM-x32\...\Steam App 236390) (Version:  - Gaijin Entertainment)
Warface (HKLM-x32\...\Steam App 291480) (Version:  - Crytek)
Web Launcher (HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\fc3ac04dc8eedef7) (Version: 1.0.0.20 - ShowMyPC)
WebEx (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
WildTangent Games (HKLM-x32\...\WildTangent toshiba Master Uninstall) (Version: 1.0.1.5 - WildTangent)
WildTangent ORB Game Console (x32 Version:  - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - Riverbed Technology, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files (x86)\Citrix\GoToMeeting\880\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {19C2F487-1566-4858-92F4-AC8EB666827A} - System32\Tasks\GoogleUpdateTaskMachineUA1d0f09ff46f62e => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {27A9FB1B-211B-4994-B1E4-8EF5EA3035C0} - System32\Tasks\{CC0D5650-BE97-440B-BA6A-0F67D8B6AE6D} => pcalua.exe -a "C:\Program Files (x86)\Babylon\Babylon-Pro\Utils\uninstbb.exe"
Task: {2ECAD90F-40C4-4215-BE35-ECA2E3E519F2} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-10-21] (Piriform Ltd)
Task: {37A9A18B-6667-40A9-AC5E-000A2AEFF35E} - System32\Tasks\GoogleUpdateTaskMachineCore1cf2b9f2e26c015 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {37EDFAA1-4445-4136-B0F3-4A14620D5905} - System32\Tasks\GoogleUpdateTaskMachineUA1d0e247d734538 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {3C18C5FD-2137-4CDA-996F-38DAF75E555F} - System32\Tasks\{ABC6C7F1-7C7A-47B6-A723-9565A1D98F48} => pcalua.exe -a C:\Users\Lesley\Downloads\StarStableSetup.exe -d C:\Users\Lesley\Desktop
Task: {46B9523A-3078-464E-9844-833DE5245D7A} - System32\Tasks\GoogleUpdateTaskMachineCore1d0bf4e4439ab1a => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {598965CA-1913-45FF-871E-2ED461C25149} - System32\Tasks\GoogleUpdateTaskMachineCore1d0f09fec40a7f => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {5C427C2C-0632-4466-96F8-8B64031209C1} - System32\Tasks\GoogleUpdateTaskMachineUA1cf8c382c9411b0 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {5D7EEF26-7C1D-4992-B07D-1DDF3DA5AC1E} - System32\Tasks\{A8EFF065-FC11-43B2-8D89-DC221593791A} => Chrome.exe hxxp://ui.skype.com/ui/0/7.13.0.101/en/abandoninstall?source=lightinstaller&page=tsInstall
Task: {5DC9B5B2-C517-40E1-9772-AEA398FDDAD2} - System32\Tasks\GoogleUpdateTaskMachineUA1d08f4e6f9d5e0d => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {716D916B-670E-4BF2-AC9B-8B9C40927748} - System32\Tasks\GoogleUpdateTaskMachineUA1d0402a73c96ae7 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {721AEC55-9C1F-4BE4-A9F7-FA0F5A4DCC09} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-11-08] (Adobe Systems Incorporated)
Task: {77529BED-9838-45FE-9E4E-FD77D24341AB} - System32\Tasks\GoogleUpdateTaskMachineUA1d1ab0c71464b5 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {797765EC-B8DB-42A2-8864-37048069648D} - System32\Tasks\GoogleUpdateTaskMachineUA1d0bf4e44e76f8e => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {83C0ADF2-0602-41B5-A6AB-18AF2F672E9A} - System32\Tasks\GoogleUpdateTaskMachineUA1d15d53e1629406 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {98E0EAC2-9A51-480A-86AB-84C8730E88EE} - System32\Tasks\GoogleUpdateTaskMachineCore1d0e247ccf0645 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {A1951DBD-701C-4FAB-BBA7-602E9B64CEF6} - System32\Tasks\TOSHIBA Wireless Display Monitor => C:\Program Files (x86)\TOSHIBA\widimon\widimon.exe [2010-12-25] (TOSHIBA CORPORATION)
Task: {A3DEF141-436D-48D1-AF07-3AC69E599DED} - System32\Tasks\ESET Windows 10 upgrade – Refresh settings => C:\Program Files\Common Files\AV\ESET Smart Security 7.0\upgrade.exe [2015-11-23] (ESET)
Task: {A6D23421-1DDB-43A6-A483-5D4A052EF32B} - System32\Tasks\{D6313F04-51A9-4E1E-8143-4C721C6EEFEE} => pcalua.exe -a "C:\Users\Lesley\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M29M86XG\StarStableSetup_v921.exe" -d C:\Users\Lesley\Desktop
Task: {A836F7B4-99EA-4E50-A990-B3F7EC2BFADA} - System32\Tasks\GoogleUpdateTaskMachineUA1d12e0322fb5505 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {D0C35E8C-B03E-48C3-9523-3C575F6C3A09} - System32\Tasks\GoogleUpdateTaskMachineCore1d08f4e6efa191e => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {FAC5A27E-230A-43E1-8B5F-FA96E19EC447} - System32\Tasks\GoogleUpdateTaskMachineCore1d12e03222c3d4d => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\windows\Tasks\Adobe Flash Player Updater.job => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1cf2b9f2e26c015.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1d08f4e6efa191e.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1d0bf4e4439ab1a.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1d0e247ccf0645.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1d0f09fec40a7f.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore1d12e03222c3d4d.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1cf8c382c9411b0.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0402a73c96ae7.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d08f4e6f9d5e0d.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0bf4e44e76f8e.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0e247d734538.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d0f09ff46f62e.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d12e0322fb5505.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d15d53e1629406.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA1d1ab0c71464b5.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Lesley\AppData\Roaming\Microsoft\Windows\Network Shortcuts\My Web Sites on MSN\target.lnk -> hxxp://www.msnusers.com

==================== Loaded Modules (Whitelisted) ==============

2010-12-07 11:32 - 2010-12-07 11:32 - 01501696 _____ () C:\Program Files\Common Files\Intel\WirelessCommon\Libeay32.dll
2011-02-18 09:48 - 2011-02-18 09:48 - 00092504 _____ () C:\Program Files (x86)\Novatel Wireless\Novacore\Server\NvtlSrvr.exe
2010-12-07 11:32 - 2010-12-07 11:32 - 01501696 _____ () C:\Program Files\Common Files\Intel\WirelessCommon\LIBEAY32.dll
2011-01-27 07:11 - 2011-01-27 07:11 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2016-10-20 18:32 - 2016-10-20 18:32 - 05176984 _____ () C:\Program Files (x86)\Sync\sync-worker.exe
2011-03-04 11:49 - 2011-03-04 11:49 - 00202752 _____ () C:\Program Files (x86)\Cisco Systems\VPN Client\vpnapi.dll
2013-11-11 14:11 - 2010-08-24 19:06 - 00085840 _____ () C:\Program Files (x86)\Trend Micro\RUBotted\hc_help.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:00D99749 [132]
AlternateDataStreams: C:\ProgramData\TEMP:0E22C5DB [137]
AlternateDataStreams: C:\ProgramData\TEMP:10CB85CA [127]
AlternateDataStreams: C:\ProgramData\TEMP:1239BE94 [290]
AlternateDataStreams: C:\ProgramData\TEMP:1CF1FB36 [128]
AlternateDataStreams: C:\ProgramData\TEMP:1FA4C06F [118]
AlternateDataStreams: C:\ProgramData\TEMP:206470A5 [121]
AlternateDataStreams: C:\ProgramData\TEMP:24C072FF [236]
AlternateDataStreams: C:\ProgramData\TEMP:2701CA70 [450]
AlternateDataStreams: C:\ProgramData\TEMP:27974442 [205]
AlternateDataStreams: C:\ProgramData\TEMP:27F44544 [126]
AlternateDataStreams: C:\ProgramData\TEMP:2AD33723 [468]
AlternateDataStreams: C:\ProgramData\TEMP:2AE74FF9 [219]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2F360FB3 [502]
AlternateDataStreams: C:\ProgramData\TEMP:35110824 [148]
AlternateDataStreams: C:\ProgramData\TEMP:363E775E [508]
AlternateDataStreams: C:\ProgramData\TEMP:38D2EA83 [120]
AlternateDataStreams: C:\ProgramData\TEMP:3969ACF7 [466]
AlternateDataStreams: C:\ProgramData\TEMP:3B454A5C [218]
AlternateDataStreams: C:\ProgramData\TEMP:3C4BD225 [134]
AlternateDataStreams: C:\ProgramData\TEMP:43D2A298 [448]
AlternateDataStreams: C:\ProgramData\TEMP:48862C37 [510]
AlternateDataStreams: C:\ProgramData\TEMP:512E1728 [119]
AlternateDataStreams: C:\ProgramData\TEMP:5539129F [482]
AlternateDataStreams: C:\ProgramData\TEMP:56699AAF [498]
AlternateDataStreams: C:\ProgramData\TEMP:57B2B96C [226]
AlternateDataStreams: C:\ProgramData\TEMP:5FC043A8 [137]
AlternateDataStreams: C:\ProgramData\TEMP:607A99D7 [139]
AlternateDataStreams: C:\ProgramData\TEMP:60C897F3 [414]
AlternateDataStreams: C:\ProgramData\TEMP:61A065F2 [141]
AlternateDataStreams: C:\ProgramData\TEMP:6294B369 [450]
AlternateDataStreams: C:\ProgramData\TEMP:65137F0D [213]
AlternateDataStreams: C:\ProgramData\TEMP:6896CCCE [498]
AlternateDataStreams: C:\ProgramData\TEMP:6A9CA6CB [502]
AlternateDataStreams: C:\ProgramData\TEMP:6BEADDC0 [480]
AlternateDataStreams: C:\ProgramData\TEMP:6DD124E2 [472]
AlternateDataStreams: C:\ProgramData\TEMP:6EB8C6CD [460]
AlternateDataStreams: C:\ProgramData\TEMP:869C6B4A [498]
AlternateDataStreams: C:\ProgramData\TEMP:87A3A233 [262]
AlternateDataStreams: C:\ProgramData\TEMP:8E5EA40F [424]
AlternateDataStreams: C:\ProgramData\TEMP:902C848D [118]
AlternateDataStreams: C:\ProgramData\TEMP:9BAC4211 [141]
AlternateDataStreams: C:\ProgramData\TEMP:9BB8C675 [288]
AlternateDataStreams: C:\ProgramData\TEMP:9EDA68BD [478]
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE [452]
AlternateDataStreams: C:\ProgramData\TEMP:A4241298 [412]
AlternateDataStreams: C:\ProgramData\TEMP:A9223B61 [130]
AlternateDataStreams: C:\ProgramData\TEMP:A9562832 [462]
AlternateDataStreams: C:\ProgramData\TEMP:A9F13D2D [480]
AlternateDataStreams: C:\ProgramData\TEMP:AA6CA4C7 [100]
AlternateDataStreams: C:\ProgramData\TEMP:ACCEFF0E [216]
AlternateDataStreams: C:\ProgramData\TEMP:AD179392 [456]
AlternateDataStreams: C:\ProgramData\TEMP:AED4A2B7 [118]
AlternateDataStreams: C:\ProgramData\TEMP:AF2F9D4A [282]
AlternateDataStreams: C:\ProgramData\TEMP:B3A5945E [145]
AlternateDataStreams: C:\ProgramData\TEMP:C22674B6 [220]
AlternateDataStreams: C:\ProgramData\TEMP:C370B84F [211]
AlternateDataStreams: C:\ProgramData\TEMP:C76CFF82 [229]
AlternateDataStreams: C:\ProgramData\TEMP:C820549A [252]
AlternateDataStreams: C:\ProgramData\TEMP:CA7E8F16 [138]
AlternateDataStreams: C:\ProgramData\TEMP:CBAF0C30 [133]
AlternateDataStreams: C:\ProgramData\TEMP:D3A8AA31 [134]
AlternateDataStreams: C:\ProgramData\TEMP:D5E3E8C4 [148]
AlternateDataStreams: C:\ProgramData\TEMP:D987CB43 [514]
AlternateDataStreams: C:\ProgramData\TEMP:E8AEB2BF [131]
AlternateDataStreams: C:\ProgramData\TEMP:ECF3C50F [232]
AlternateDataStreams: C:\ProgramData\TEMP:F591490A [412]
AlternateDataStreams: C:\ProgramData\TEMP:F7F6E6CB [210]
AlternateDataStreams: C:\ProgramData\TEMP:F7FFE8AF [268]
AlternateDataStreams: C:\ProgramData\TEMP:FB71A279 [141]
AlternateDataStreams: C:\ProgramData\TEMP:FC70A22A [225]
AlternateDataStreams: C:\ProgramData\TEMP:FD8BCF62 [498]
AlternateDataStreams: C:\ProgramData\TEMP:FF9C44FE [232]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\starstable.com -> starstable.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2015-09-02 14:46 - 2016-11-02 09:31 - 00000045 ____A C:\windows\system32\Drivers\etc\hosts


0.0.0.1 mssplus.mcafee.com

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Lesley\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupfolder: C:^Users^Lesley^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk => C:\windows\pss\Dropbox.lnk.Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher =>
MSCONFIG\startupreg: Bell Canada Connection Manager => "C:\Program Files (x86)\Bell\Mobile Connect\MobileConnect.exe" -a
MSCONFIG\startupreg: Cisco AnyConnect Secure Mobility Agent for Windows => "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
MSCONFIG\startupreg: HSON => %ProgramFiles%\TOSHIBA\TBS\HSON.exe
MSCONFIG\startupreg: iolo Startup => "C:\Program Files (x86)\iolo\Common\Lib\ioloLManager.exe"
MSCONFIG\startupreg: NortonOnlineBackupReminder => "C:\Program Files (x86)\Toshiba\Toshiba Online Backup\Activation\TOBuActivation.exe" UNATTENDED
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: SmartFaceVWatcher => %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSCONFIG\startupreg: swg => "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
MSCONFIG\startupreg: TCrdMain => %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
MSCONFIG\startupreg: Teco => "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
MSCONFIG\startupreg: TOSDCR => %ProgramFiles%\TOSHIBA\PasswordUtility\TOSDCR.exe
MSCONFIG\startupreg: ToshibaAppPlace => "C:\Program Files (x86)\Toshiba\Toshiba App Place\ToshibaAppPlace.exe"
MSCONFIG\startupreg: ToshibaServiceStation => "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60
MSCONFIG\startupreg: TosNC => %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
MSCONFIG\startupreg: TosReelTimeMonitor => %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
MSCONFIG\startupreg: TosSENotify => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
MSCONFIG\startupreg: TosWaitSrv => %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
MSCONFIG\startupreg: TPwrMain => %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
MSCONFIG\startupreg: TSleepSrv => %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe
MSCONFIG\startupreg: TWebCamera => "C:\Program Files (x86)\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{6A99E2DE-180E-4632-BF06-7492C68D58FE}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{83E14453-891D-4EE6-B9F8-B009CAB60440}] => (Allow) LPort=2869
FirewallRules: [{14AC19F3-D143-4536-B4B6-37EE28A51464}] => (Allow) LPort=1900
FirewallRules: [{735481E0-FB70-4A79-943C-AC2D0A24E03C}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{D72DB1FA-86B6-4C95-B304-CC37E4BB1B99}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{4454AF1E-16DA-46E0-B452-79E78F2B2274}] => (Allow) C:\Program Files (x86)\Intel Corporation\Intel Wireless Display\WiDiApp.exe
FirewallRules: [{0455FDC3-DBC4-466F-B686-10C570EC8313}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{13AF5476-004A-401E-8C26-E460B0407CB3}] => (Allow) C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe
FirewallRules: [{950D8EEB-B8EB-4995-A53D-D447E297A58C}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{8AF72062-3B8B-4B56-8673-8666C4B6C1EB}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{EFA7EDB7-A176-4FD9-89EC-D4903F38DE69}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{EC143D02-5F6D-46EB-B08E-5C04967BDFA3}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{503201B6-3115-4345-8BE9-F142A6FE7D88}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe
FirewallRules: [{89D56729-BAE0-4A39-808D-A85A7FCB82D7}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Terraria\Terraria.exe
FirewallRules: [{DEDBB8B5-058F-4591-A9C8-788D5FD325FA}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\PlanetSide 2\LaunchPad.exe
FirewallRules: [{8DAE64C3-0B4F-44EF-8DCF-F4CBED1ADE25}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\PlanetSide 2\LaunchPad.exe
FirewallRules: [{68CBF36E-28F9-4400-90C1-63BE057F273F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\War Thunder\launcher.exe
FirewallRules: [{0BD9AE45-34F0-4F47-AC74-DEC58103BA61}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\War Thunder\launcher.exe
FirewallRules: [{255CF96F-1FA9-45D3-B4F3-E8E9FE7C31AB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Tom Clancy's Ghost Recon Phantoms NA\Launcher.exe
FirewallRules: [{F649305E-D480-4E4E-B798-71746C9D1BEB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Tom Clancy's Ghost Recon Phantoms NA\Launcher.exe
FirewallRules: [{E67440CF-6746-4B46-9828-BA76E97E7BB2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warface\live\nw.exe
FirewallRules: [{569CA7F3-8260-4D03-878D-086AEAAB783D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Warface\live\nw.exe
FirewallRules: [{892B106F-C265-40C0-AF24-D1C5802D45BE}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

26-10-2016 10:29:14 Installed Sync
10-11-2016 10:52:26 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============

Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Cisco Systems VPN Adapter for 64-bit Windows
Description: Cisco Systems VPN Adapter for 64-bit Windows
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: CVirtA
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM_Guard
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Microsoft Virtual WiFi Miniport Adapter
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Microsoft Virtual WiFi Miniport Adapter #2
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/10/2016 01:53:44 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (11/10/2016 01:30:21 PM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "c:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (11/09/2016 11:41:13 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description: The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.

Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.
.

Error: (11/09/2016 10:50:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: cvpnd.exe, version: 0.0.0.0, time stamp: 0x4d714093
Faulting module name: cvpnd.exe, version: 0.0.0.0, time stamp: 0x4d714093
Exception code: 0xc0000005
Fault offset: 0x000484b3
Faulting process id: 0x5f8
Faulting application start time: 0x01d23aba244716d6
Faulting application path: C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
Faulting module path: C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
Report Id: 6e2dd33e-a6ad-11e6-8e18-e89d87fce820

Error: (11/06/2016 02:48:16 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SMSystemAnalyzer.exe, version: 11.7.1.31, time stamp: 0x51a6495f
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000005
Fault offset: 0x000343e0
Faulting process id: 0x242c
Faulting application start time: 0x01d2381b1e78c677
Faulting application path: C:\Program Files (x86)\iolo\System Mechanic\SMSystemAnalyzer.exe
Faulting module path: C:\windows\SysWOW64\ntdll.dll
Report Id: 859713de-a40e-11e6-b755-e89d87fce820

Error: (11/04/2016 08:42:36 AM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft Outlook: Rejected Safe Mode action : Outlook failed to start correctly last time.  Starting Outlook in safe mode will help you correct or isolate a startup problem in order to successfully start the program.  Some functionality may be disabled in this mode.

Do you want to start Outlook in safe mode?.
Rejected Safe Mode action : Microsoft Outlook.

Error: (10/18/2016 09:26:32 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17344 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 4f8

Start Time: 01d229c1b2c7ddb6

Termination Time: 6381

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id:

Error: (10/18/2016 08:39:41 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program OUTLOOK.EXE version 14.0.7113.5000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 13b0

Start Time: 01d2295d311951d7

Termination Time: 2200

Application Path: C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

Report Id: 507abd1a-9551-11e6-b58e-e89d87fce820

Error: (10/12/2016 09:41:12 AM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft Outlook: Rejected Safe Mode action : Outlook failed to start correctly last time.  Starting Outlook in safe mode will help you correct or isolate a startup problem in order to successfully start the program.  Some functionality may be disabled in this mode.

Do you want to start Outlook in safe mode?.
Rejected Safe Mode action : Microsoft Outlook.

Error: (10/11/2016 09:35:13 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: splwow64.exe, version: 6.1.7601.17777, time stamp: 0x4f35fbfe
Faulting module name: ole32.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c92c
Exception code: 0xc0000005
Fault offset: 0x0000000000029d76
Faulting process id: 0xd54
Faulting application start time: 0x01d223e2b6010dc6
Faulting application path: C:\windows\splwow64.exe
Faulting module path: C:\windows\system32\ole32.dll
Report Id: 107aa0aa-8fd9-11e6-9845-e89d87fce820

System errors:
=============
Error: (11/16/2016 06:35:46 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/16/2016 06:35:22 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/16/2016 12:34:51 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/16/2016 12:34:27 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/15/2016 06:33:59 PM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/15/2016 06:33:35 PM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/15/2016 12:33:09 PM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/15/2016 12:32:45 PM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/15/2016 06:32:19 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (11/15/2016 06:31:55 AM) (Source: iaStor) (EventID: 9) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

==================== Memory info ===========================

Processor: Intel® Core™ i5-2410M CPU @ 2.30GHz
Percentage of memory in use: 69%
Total physical RAM: 3999.43 MB
Available physical RAM: 1231.41 MB
Total Virtual: 7997.03 MB
Available Virtual: 3935.91 MB

==================== Drives ================================

Drive c: (TI106080W0F) (Fixed) (Total:584 GB) (Free:475.23 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 596.2 GB) (Disk ID: DD977F1A)
Partition 1: (Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Not Active) - (Size=584 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=10.7 GB) - (Type=17)

==================== End of Addition.txt ============================



#4 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 37,713 posts
  • Gender:Male
  • Location:California

Posted 24 November 2016 - 11:03 AM

Greetings runclub and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Are you familiar with this User Account?

jlskngfbnu

Please post the RogueKiller log if you still have it.

Please consider and do this.

===================================================

Uninstalling a Program using Add/Remove Program

--------------------

I recommend the uninstalling of the below listed program(s) because BleepingComputer does not recommend the use of System Cleanup Tools. If you desire to keep the program I would ask that you reinstall it following our efforts here.
  • Press the Windows key + r on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

iolo technologies' System Mechanic

  • Reboot your computer
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\MountPoints2: {1234a1ab-25de-11e1-9b21-8ca9822dd5b0} - E:\AutoLaunch.exe
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> {6945FE14-5F76-4F81-AB72-932CB703E826} URL =
SearchScopes: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> {D3A36BAC-30AD-4AA5-B21B-2E1F60A6FE7F} URL = 
Toolbar: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
R4 eamonm; system32\DRIVERS\eamonm.sys [X]
R4 ehdrv; system32\DRIVERS\ehdrv.sys [X]
R4 epfw; system32\DRIVERS\epfw.sys [X]
S1 ZAM; \??\C:\windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\windows\System32\drivers\zamguard64.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:00D99749 [132]
AlternateDataStreams: C:\ProgramData\TEMP:0E22C5DB [137]
AlternateDataStreams: C:\ProgramData\TEMP:10CB85CA [127]
AlternateDataStreams: C:\ProgramData\TEMP:1239BE94 [290]
AlternateDataStreams: C:\ProgramData\TEMP:1CF1FB36 [128]
AlternateDataStreams: C:\ProgramData\TEMP:1FA4C06F [118]
AlternateDataStreams: C:\ProgramData\TEMP:206470A5 [121]
AlternateDataStreams: C:\ProgramData\TEMP:24C072FF [236]
AlternateDataStreams: C:\ProgramData\TEMP:2701CA70 [450]
AlternateDataStreams: C:\ProgramData\TEMP:27974442 [205]
AlternateDataStreams: C:\ProgramData\TEMP:27F44544 [126]
AlternateDataStreams: C:\ProgramData\TEMP:2AD33723 [468]
AlternateDataStreams: C:\ProgramData\TEMP:2AE74FF9 [219]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2F360FB3 [502]
AlternateDataStreams: C:\ProgramData\TEMP:35110824 [148]
AlternateDataStreams: C:\ProgramData\TEMP:363E775E [508]
AlternateDataStreams: C:\ProgramData\TEMP:38D2EA83 [120]
AlternateDataStreams: C:\ProgramData\TEMP:3969ACF7 [466]
AlternateDataStreams: C:\ProgramData\TEMP:3B454A5C [218]
AlternateDataStreams: C:\ProgramData\TEMP:3C4BD225 [134]
AlternateDataStreams: C:\ProgramData\TEMP:43D2A298 [448]
AlternateDataStreams: C:\ProgramData\TEMP:48862C37 [510]
AlternateDataStreams: C:\ProgramData\TEMP:512E1728 [119]
AlternateDataStreams: C:\ProgramData\TEMP:5539129F [482]
AlternateDataStreams: C:\ProgramData\TEMP:56699AAF [498]
AlternateDataStreams: C:\ProgramData\TEMP:57B2B96C [226]
AlternateDataStreams: C:\ProgramData\TEMP:5FC043A8 [137]
AlternateDataStreams: C:\ProgramData\TEMP:607A99D7 [139]
AlternateDataStreams: C:\ProgramData\TEMP:60C897F3 [414]
AlternateDataStreams: C:\ProgramData\TEMP:61A065F2 [141]
AlternateDataStreams: C:\ProgramData\TEMP:6294B369 [450]
AlternateDataStreams: C:\ProgramData\TEMP:65137F0D [213]
AlternateDataStreams: C:\ProgramData\TEMP:6896CCCE [498]
AlternateDataStreams: C:\ProgramData\TEMP:6A9CA6CB [502]
AlternateDataStreams: C:\ProgramData\TEMP:6BEADDC0 [480]
AlternateDataStreams: C:\ProgramData\TEMP:6DD124E2 [472]
AlternateDataStreams: C:\ProgramData\TEMP:6EB8C6CD [460]
AlternateDataStreams: C:\ProgramData\TEMP:869C6B4A [498]
AlternateDataStreams: C:\ProgramData\TEMP:87A3A233 [262]
AlternateDataStreams: C:\ProgramData\TEMP:8E5EA40F [424]
AlternateDataStreams: C:\ProgramData\TEMP:902C848D [118]
AlternateDataStreams: C:\ProgramData\TEMP:9BAC4211 [141]
AlternateDataStreams: C:\ProgramData\TEMP:9BB8C675 [288]
AlternateDataStreams: C:\ProgramData\TEMP:9EDA68BD [478]
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE [452]
AlternateDataStreams: C:\ProgramData\TEMP:A4241298 [412]
AlternateDataStreams: C:\ProgramData\TEMP:A9223B61 [130]
AlternateDataStreams: C:\ProgramData\TEMP:A9562832 [462]
AlternateDataStreams: C:\ProgramData\TEMP:A9F13D2D [480]
AlternateDataStreams: C:\ProgramData\TEMP:AA6CA4C7 [100]
AlternateDataStreams: C:\ProgramData\TEMP:ACCEFF0E [216]
AlternateDataStreams: C:\ProgramData\TEMP:AD179392 [456]
AlternateDataStreams: C:\ProgramData\TEMP:AED4A2B7 [118]
AlternateDataStreams: C:\ProgramData\TEMP:AF2F9D4A [282]
AlternateDataStreams: C:\ProgramData\TEMP:B3A5945E [145]
AlternateDataStreams: C:\ProgramData\TEMP:C22674B6 [220]
AlternateDataStreams: C:\ProgramData\TEMP:C370B84F [211]
AlternateDataStreams: C:\ProgramData\TEMP:C76CFF82 [229]
AlternateDataStreams: C:\ProgramData\TEMP:C820549A [252]
AlternateDataStreams: C:\ProgramData\TEMP:CA7E8F16 [138]
AlternateDataStreams: C:\ProgramData\TEMP:CBAF0C30 [133]
AlternateDataStreams: C:\ProgramData\TEMP:D3A8AA31 [134]
AlternateDataStreams: C:\ProgramData\TEMP:D5E3E8C4 [148]
AlternateDataStreams: C:\ProgramData\TEMP:D987CB43 [514]
AlternateDataStreams: C:\ProgramData\TEMP:E8AEB2BF [131]
AlternateDataStreams: C:\ProgramData\TEMP:ECF3C50F [232]
AlternateDataStreams: C:\ProgramData\TEMP:F591490A [412]
AlternateDataStreams: C:\ProgramData\TEMP:F7F6E6CB [210]
AlternateDataStreams: C:\ProgramData\TEMP:F7FFE8AF [268]
AlternateDataStreams: C:\ProgramData\TEMP:FB71A279 [141]
AlternateDataStreams: C:\ProgramData\TEMP:FC70A22A [225]
AlternateDataStreams: C:\ProgramData\TEMP:FD8BCF62 [498]
AlternateDataStreams: C:\ProgramData\TEMP:FF9C44FE [232]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper => ""=""
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • RogueKiller log
  • FRST results
  • Addition log
  • System Summary Information

Edited by Oh My!, 24 November 2016 - 03:21 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
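The fixlist in the post above removes a long list of AlternateDataStreams entries on C:\ProgramData\TEMP. As an added example (not from the thread, and not FRST's own code), the PowerShell below enumerates the named NTFS streams on a file or folder and reads one of them, so a reader can see what such an entry contains before deciding to remove it. It assumes Windows PowerShell 5.1 or later; the path is the one from the fixlist and the stream name passed to Get-StreamText is a placeholder.

```powershell
# Added example, not from the thread or from FRST.
# List the named alternate data streams (ADS) on an NTFS file or directory,
# the objects FRST reports as "AlternateDataStreams: <path>:<stream> [<bytes>]".
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string] $Path)

    # -Stream * returns every stream on the object. The unnamed data stream
    # (':$DATA') is the ordinary file content, so it is filtered out.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}

# Read one stream as text. Small streams on a TEMP folder are often plain
# text or a few bytes of tool state; a large binary blob deserves a closer look.
function Get-StreamText {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $Stream
    )
    Get-Content -LiteralPath $Path -Stream $Stream -Raw -ErrorAction Stop
}

# Remove a single stream without touching the file or folder itself.
function Remove-AlternateStream {
    param(
        [Parameter(Mandatory)][string] $Path,
        [Parameter(Mandatory)][string] $Stream
    )
    Remove-Item -LiteralPath $Path -Stream $Stream -ErrorAction Stop
}

# Usage with the path from the fixlist; the stream name is a placeholder.
$target = 'C:\ProgramData\TEMP'
Get-AlternateStreams -Path $target | Sort-Object Bytes -Descending | Format-Table -AutoSize
# Get-StreamText -Path $target -Stream 'STREAMNAME'
```

The Bytes column matches the bracketed number in FRST's listing, which is how you can tie a line in the fixlist back to a stream on disk. On Windows PowerShell releases before 5.0 the -Stream parameter does not accept directories; `cmd /c dir /r C:\ProgramData` lists the same streams there.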

#5 runclub

runclub
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:11:21 PM

Posted 24 November 2016 - 12:31 PM

Thank you for your response.  I will proceed as instructed.

 

My name is Jason.

 

I am not familiar with the user account you questioned.

 

I will follow the instructions you have provided and then post the info you requested.  I just wanted to clarify the user account is unfamiliar.

 

Cheers and thanks for your help.

Jason

 



#6 runclub

runclub
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:11:21 PM

Posted 24 November 2016 - 02:23 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 23-11-2016
Ran by Lesley (24-11-2016 11:08:30) Run:1
Running from C:\aaa
Loaded Profiles: Lesley (Available Profiles: Lesley & dxunrrahjx)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\...\MountPoints2: {1234a1ab-25de-11e1-9b21-8ca9822dd5b0} - E:\AutoLaunch.exe
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> {6945FE14-5F76-4F81-AB72-932CB703E826} URL =
SearchScopes: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> {D3A36BAC-30AD-4AA5-B21B-2E1F60A6FE7F} URL =
Toolbar: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-3650914020-3955857237-3003940392-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
FF HKLM\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird => not found
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\pdf.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\gcswf32.dll => No File
CHR Plugin: (Shockwave Flash) - C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => No File
R4 eamonm; system32\DRIVERS\eamonm.sys [X]
R4 ehdrv; system32\DRIVERS\ehdrv.sys [X]
R4 epfw; system32\DRIVERS\epfw.sys [X]
S1 ZAM; \??\C:\windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\windows\System32\drivers\zamguard64.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:00D99749 [132]
AlternateDataStreams: C:\ProgramData\TEMP:0E22C5DB [137]
AlternateDataStreams: C:\ProgramData\TEMP:10CB85CA [127]
AlternateDataStreams: C:\ProgramData\TEMP:1239BE94 [290]
AlternateDataStreams: C:\ProgramData\TEMP:1CF1FB36 [128]
AlternateDataStreams: C:\ProgramData\TEMP:1FA4C06F [118]
AlternateDataStreams: C:\ProgramData\TEMP:206470A5 [121]
AlternateDataStreams: C:\ProgramData\TEMP:24C072FF [236]
AlternateDataStreams: C:\ProgramData\TEMP:2701CA70 [450]
AlternateDataStreams: C:\ProgramData\TEMP:27974442 [205]
AlternateDataStreams: C:\ProgramData\TEMP:27F44544 [126]
AlternateDataStreams: C:\ProgramData\TEMP:2AD33723 [468]
AlternateDataStreams: C:\ProgramData\TEMP:2AE74FF9 [219]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2F360FB3 [502]
AlternateDataStreams: C:\ProgramData\TEMP:35110824 [148]
AlternateDataStreams: C:\ProgramData\TEMP:363E775E [508]
AlternateDataStreams: C:\ProgramData\TEMP:38D2EA83 [120]
AlternateDataStreams: C:\ProgramData\TEMP:3969ACF7 [466]
AlternateDataStreams: C:\ProgramData\TEMP:3B454A5C [218]
AlternateDataStreams: C:\ProgramData\TEMP:3C4BD225 [134]
AlternateDataStreams: C:\ProgramData\TEMP:43D2A298 [448]
AlternateDataStreams: C:\ProgramData\TEMP:48862C37 [510]
AlternateDataStreams: C:\ProgramData\TEMP:512E1728 [119]
AlternateDataStreams: C:\ProgramData\TEMP:5539129F [482]
AlternateDataStreams: C:\ProgramData\TEMP:56699AAF [498]
AlternateDataStreams: C:\ProgramData\TEMP:57B2B96C [226]
AlternateDataStreams: C:\ProgramData\TEMP:5FC043A8 [137]
AlternateDataStreams: C:\ProgramData\TEMP:607A99D7 [139]
AlternateDataStreams: C:\ProgramData\TEMP:60C897F3 [414]
AlternateDataStreams: C:\ProgramData\TEMP:61A065F2 [141]
AlternateDataStreams: C:\ProgramData\TEMP:6294B369 [450]
AlternateDataStreams: C:\ProgramData\TEMP:65137F0D [213]
AlternateDataStreams: C:\ProgramData\TEMP:6896CCCE [498]
AlternateDataStreams: C:\ProgramData\TEMP:6A9CA6CB [502]
AlternateDataStreams: C:\ProgramData\TEMP:6BEADDC0 [480]
AlternateDataStreams: C:\ProgramData\TEMP:6DD124E2 [472]
AlternateDataStreams: C:\ProgramData\TEMP:6EB8C6CD [460]
AlternateDataStreams: C:\ProgramData\TEMP:869C6B4A [498]
AlternateDataStreams: C:\ProgramData\TEMP:87A3A233 [262]
AlternateDataStreams: C:\ProgramData\TEMP:8E5EA40F [424]
AlternateDataStreams: C:\ProgramData\TEMP:902C848D [118]
AlternateDataStreams: C:\ProgramData\TEMP:9BAC4211 [141]
AlternateDataStreams: C:\ProgramData\TEMP:9BB8C675 [288]
AlternateDataStreams: C:\ProgramData\TEMP:9EDA68BD [478]
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE [452]
AlternateDataStreams: C:\ProgramData\TEMP:A4241298 [412]
AlternateDataStreams: C:\ProgramData\TEMP:A9223B61 [130]
AlternateDataStreams: C:\ProgramData\TEMP:A9562832 [462]
AlternateDataStreams: C:\ProgramData\TEMP:A9F13D2D [480]
AlternateDataStreams: C:\ProgramData\TEMP:AA6CA4C7 [100]
AlternateDataStreams: C:\ProgramData\TEMP:ACCEFF0E [216]
AlternateDataStreams: C:\ProgramData\TEMP:AD179392 [456]
AlternateDataStreams: C:\ProgramData\TEMP:AED4A2B7 [118]
AlternateDataStreams: C:\ProgramData\TEMP:AF2F9D4A [282]
AlternateDataStreams: C:\ProgramData\TEMP:B3A5945E [145]
AlternateDataStreams: C:\ProgramData\TEMP:C22674B6 [220]
AlternateDataStreams: C:\ProgramData\TEMP:C370B84F [211]
AlternateDataStreams: C:\ProgramData\TEMP:C76CFF82 [229]
AlternateDataStreams: C:\ProgramData\TEMP:C820549A [252]
AlternateDataStreams: C:\ProgramData\TEMP:CA7E8F16 [138]
AlternateDataStreams: C:\ProgramData\TEMP:CBAF0C30 [133]
AlternateDataStreams: C:\ProgramData\TEMP:D3A8AA31 [134]
AlternateDataStreams: C:\ProgramData\TEMP:D5E3E8C4 [148]
AlternateDataStreams: C:\ProgramData\TEMP:D987CB43 [514]
AlternateDataStreams: C:\ProgramData\TEMP:E8AEB2BF [131]
AlternateDataStreams: C:\ProgramData\TEMP:ECF3C50F [232]
AlternateDataStreams: C:\ProgramData\TEMP:F591490A [412]
AlternateDataStreams: C:\ProgramData\TEMP:F7F6E6CB [210]
AlternateDataStreams: C:\ProgramData\TEMP:F7FFE8AF [268]
AlternateDataStreams: C:\ProgramData\TEMP:FB71A279 [141]
AlternateDataStreams: C:\ProgramData\TEMP:FC70A22A [225]
AlternateDataStreams: C:\ProgramData\TEMP:FD8BCF62 [498]
AlternateDataStreams: C:\ProgramData\TEMP:FF9C44FE [232]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper => ""=""
*****************

"HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1234a1ab-25de-11e1-9b21-8ca9822dd5b0}" => key removed successfully
HKCR\CLSID\{1234a1ab-25de-11e1-9b21-8ca9822dd5b0} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => key removed successfully
HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => key removed successfully
HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => key removed successfully
HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt4" => key removed successfully
HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6945FE14-5F76-4F81-AB72-932CB703E826}" => key removed successfully
HKCR\CLSID\{6945FE14-5F76-4F81-AB72-932CB703E826} => key not found.
"HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D3A36BAC-30AD-4AA5-B21B-2E1F60A6FE7F}" => key removed successfully
HKCR\CLSID\{D3A36BAC-30AD-4AA5-B21B-2E1F60A6FE7F} => key not found.
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
HKU\S-1-5-21-3650914020-3955857237-3003940392-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key not found.
HKLM\Software\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com => value removed successfully
C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\pdf.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\gcswf32.dll => not found.
C:\windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_235.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll => not found.
c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll => not found.
eamonm => service not found.
ehdrv => service not found.
epfw => service not found.
ZAM => service removed successfully
ZAM_Guard => service removed successfully
C:\ProgramData\TEMP => ":00D99749" ADS removed successfully.
C:\ProgramData\TEMP => ":0E22C5DB" ADS removed successfully.
C:\ProgramData\TEMP => ":10CB85CA" ADS removed successfully.
C:\ProgramData\TEMP => ":1239BE94" ADS removed successfully.
C:\ProgramData\TEMP => ":1CF1FB36" ADS removed successfully.
C:\ProgramData\TEMP => ":1FA4C06F" ADS removed successfully.
C:\ProgramData\TEMP => ":206470A5" ADS removed successfully.
C:\ProgramData\TEMP => ":24C072FF" ADS removed successfully.
C:\ProgramData\TEMP => ":2701CA70" ADS removed successfully.
C:\ProgramData\TEMP => ":27974442" ADS removed successfully.
C:\ProgramData\TEMP => ":27F44544" ADS removed successfully.
C:\ProgramData\TEMP => ":2AD33723" ADS removed successfully.
C:\ProgramData\TEMP => ":2AE74FF9" ADS removed successfully.
C:\ProgramData\TEMP => ":2CB9631F" ADS removed successfully.
C:\ProgramData\TEMP => ":2F360FB3" ADS removed successfully.
C:\ProgramData\TEMP => ":35110824" ADS removed successfully.
C:\ProgramData\TEMP => ":363E775E" ADS removed successfully.
C:\ProgramData\TEMP => ":38D2EA83" ADS removed successfully.
C:\ProgramData\TEMP => ":3969ACF7" ADS removed successfully.
C:\ProgramData\TEMP => ":3B454A5C" ADS removed successfully.
C:\ProgramData\TEMP => ":3C4BD225" ADS removed successfully.
C:\ProgramData\TEMP => ":43D2A298" ADS removed successfully.
C:\ProgramData\TEMP => ":48862C37" ADS removed successfully.
C:\ProgramData\TEMP => ":512E1728" ADS removed successfully.
C:\ProgramData\TEMP => ":5539129F" ADS removed successfully.
C:\ProgramData\TEMP => ":56699AAF" ADS removed successfully.
C:\ProgramData\TEMP => ":57B2B96C" ADS removed successfully.
C:\ProgramData\TEMP => ":5FC043A8" ADS removed successfully.
C:\ProgramData\TEMP => ":607A99D7" ADS removed successfully.
C:\ProgramData\TEMP => ":60C897F3" ADS removed successfully.
C:\ProgramData\TEMP => ":61A065F2" ADS removed successfully.
C:\ProgramData\TEMP => ":6294B369" ADS removed successfully.
C:\ProgramData\TEMP => ":65137F0D" ADS removed successfully.
C:\ProgramData\TEMP => ":6896CCCE" ADS removed successfully.
C:\ProgramData\TEMP => ":6A9CA6CB" ADS removed successfully.
C:\ProgramData\TEMP => ":6BEADDC0" ADS removed successfully.
C:\ProgramData\TEMP => ":6DD124E2" ADS removed successfully.
C:\ProgramData\TEMP => ":6EB8C6CD" ADS removed successfully.
C:\ProgramData\TEMP => ":869C6B4A" ADS removed successfully.
C:\ProgramData\TEMP => ":87A3A233" ADS removed successfully.
C:\ProgramData\TEMP => ":8E5EA40F" ADS removed successfully.
C:\ProgramData\TEMP => ":902C848D" ADS removed successfully.
C:\ProgramData\TEMP => ":9BAC4211" ADS removed successfully.
C:\ProgramData\TEMP => ":9BB8C675" ADS removed successfully.
C:\ProgramData\TEMP => ":9EDA68BD" ADS removed successfully.
C:\ProgramData\TEMP => ":A02025CE" ADS removed successfully.
C:\ProgramData\TEMP => ":A4241298" ADS removed successfully.
C:\ProgramData\TEMP => ":A9223B61" ADS removed successfully.
C:\ProgramData\TEMP => ":A9562832" ADS removed successfully.
C:\ProgramData\TEMP => ":A9F13D2D" ADS removed successfully.
C:\ProgramData\TEMP => ":AA6CA4C7" ADS removed successfully.
C:\ProgramData\TEMP => ":ACCEFF0E" ADS removed successfully.
C:\ProgramData\TEMP => ":AD179392" ADS removed successfully.
C:\ProgramData\TEMP => ":AED4A2B7" ADS removed successfully.
C:\ProgramData\TEMP => ":AF2F9D4A" ADS removed successfully.
C:\ProgramData\TEMP => ":B3A5945E" ADS removed successfully.
C:\ProgramData\TEMP => ":C22674B6" ADS removed successfully.
C:\ProgramData\TEMP => ":C370B84F" ADS removed successfully.
C:\ProgramData\TEMP => ":C76CFF82" ADS removed successfully.
C:\ProgramData\TEMP => ":C820549A" ADS removed successfully.
C:\ProgramData\TEMP => ":CA7E8F16" ADS removed successfully.
C:\ProgramData\TEMP => ":CBAF0C30" ADS removed successfully.
C:\ProgramData\TEMP => ":D3A8AA31" ADS removed successfully.
C:\ProgramData\TEMP => ":D5E3E8C4" ADS removed successfully.
C:\ProgramData\TEMP => ":D987CB43" ADS removed successfully.
C:\ProgramData\TEMP => ":E8AEB2BF" ADS removed successfully.
C:\ProgramData\TEMP => ":ECF3C50F" ADS removed successfully.
C:\ProgramData\TEMP => ":F591490A" ADS removed successfully.
C:\ProgramData\TEMP => ":F7F6E6CB" ADS removed successfully.
C:\ProgramData\TEMP => ":F7FFE8AF" ADS removed successfully.
C:\ProgramData\TEMP => ":FB71A279" ADS removed successfully.
C:\ProgramData\TEMP => ":FC70A22A" ADS removed successfully.
C:\ProgramData\TEMP => ":FD8BCF62" ADS removed successfully.
C:\ProgramData\TEMP => ":FF9C44FE" ADS removed successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\ioloSystemService => key not found.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ioloSystemService => key not found.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper" => key removed successfully

==== End of Fixlog 11:08:31 ====

 

Here is the original roguekiller log

 

RogueKiller V12.8.0.0 (x64) [Nov  7 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Lesley [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 11/10/2016 12:03:45 (Duration : 00:54:13)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{DEE03C2B-0C0C-41A9-9877-FD4B4D7B6EA3} (C:\Users\Lesley\AppData\Local\Roblox\Versions\version-fe88b67aa44a44d9\RobloxProxy64.dll) -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3650914020-3955857237-3003940392-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/g/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3650914020-3955857237-3003940392-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://start.toshiba.com/g/  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1F475802-1616-446B-A4EC-F5820A2A2671} | DhcpNameServer : 184.151.118.254 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E2234C5B-8830-49D5-84E3-7C7A39633534} | DhcpNameServer : 70.28.245.255 204.101.237.136 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1F475802-1616-446B-A4EC-F5820A2A2671} | DhcpNameServer : 184.151.118.254 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{E2234C5B-8830-49D5-84E3-7C7A39633534} | DhcpNameServer : 70.28.245.255 204.101.237.136 ([X][X])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] C:\Users\Lesley\AppData\Local\Tific\Download\DllHost.exe -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default : homepage [http://start.toshiba.com/g/] -> Found
[PUM.HomePage][Chrome:Config] Default : session.startup_urls [http://start.toshiba.com/g/] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] 55d0ded118d62111051b46e7a6ca8b30
[BSP] c66275420f6d3ca173a622f11675d4eb : HP MBR Code
Partition table:
0 - [ACTIVE] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 598017 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x17) [HIDDEN!] Offset (sectors): 1227812864 | Size: 10962 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Multiple Card  Reader USB Device +++++
--- User ---
[MBR] 6f54629abe58675d8ef932e333cbbb3e
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x6) [VISIBLE] Offset (sectors): 32 | Size: 959 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Imation Clip USB Device +++++
--- User ---
[MBR] ea057341acdca5b2c6cb94d6d9bd86c0
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [XXXXXX] FAT16 (0x6) [VISIBLE] Offset (sectors): 8064 | Size: 1907 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

 

 

I am sorry but the only addition.txt file is the original one I posted at the start of this thread.

 



#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,713 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:21 PM

Posted 24 November 2016 - 03:32 PM

Greetings Jason,

Thank you for the information. Sorry about Addition.txt, you are right, you should only have the original one.

Please do this.

===================================================

Deleting a User Account

-------------------
  • Click Start (Windows 8/10 hit the Windows key + X), Control Panel, then User Accounts
  • Click Manage another account
  • Left click on jlskngfbnu
  • Select Delete the account
  • Select Delete Files
  • Click Delete Account, then click Yes
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
C:\Users\Lesley\AppData\Local\Tific\Download\DllHost.exe
2016-11-10 10:50 - 2016-05-15 19:41 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-11-10 10:08 - 2016-05-15 19:41 - 00045664 _____ C:\windows\ZAM_Guard.krnl.trace
2016-11-09 13:00 - 2016-05-15 19:41 - 00007543 _____ C:\windows\ZAM.krnl.trace
File: C:\Windows\System32\dllhost.exe
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double-click icon then click Install
  • A Window should open highlighting Start Emergency Kit Scanner
  • Right click on the icon and select Run as administrator
  • Click 1. Update now!
  • Once the update is completed select Settings under Scan
  • Uncheck Join the Emsisoft Anti-Malware Network
  • Click Scan at the top
  • Click On scan completion
  • Click Quarantine detected objects, then click OK
  • Click Malware Scan
  • Once completed click View Report
  • Save the file to your Desktop using the default file name
  • Copy and paste the report in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon then click Run
  • Press any key to launch the program
  • Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • When completed a Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Account deleted?
  • Fixlog
  • Emsisoft report
  • Security check report
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
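The fixlist above deletes a DllHost.exe found under a user profile and then uses FRST's "File:" directive to report on the genuine C:\Windows\System32\dllhost.exe (signature, hash, version info). As an added example (not from the thread, and not FRST's own code), the PowerShell below performs the same kind of check with built-in cmdlets and compares a binary that borrows a system file name with the real copy in System32. It assumes Windows PowerShell 5.1 or later; the suspect path is the one from the fixlist.

```powershell
# Added example, not from the thread or from FRST.
# Report the properties FRST prints for a "File:" directive: existence,
# size, timestamps, hashes, Authenticode status and version resource.
function Get-BinaryReport {
    param([Parameter(Mandatory)][string] $Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        SizeBytes   = $item.Length
        Created     = $item.CreationTime
        Modified    = $item.LastWriteTime
        MD5         = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
        SHA256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus   = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
        Signer      = $sig.SignerCertificate.Subject # $null when unsigned
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        Version     = $item.VersionInfo.FileVersion
    }
}

# Compare a file that carries a system binary's name with the genuine copy
# in %SystemRoot%\System32. A copy with the same SHA256 and a valid Microsoft
# signature is the real program placed somewhere odd; anything else with that
# name is a lookalike and should be treated as such.
function Compare-WithSystemCopy {
    param([Parameter(Mandatory)][string] $SuspectPath)

    $name    = Split-Path -Leaf $SuspectPath
    $genuine = Join-Path $env:SystemRoot ("System32\" + $name)
    $a = Get-BinaryReport -Path $SuspectPath
    $b = Get-BinaryReport -Path $genuine

    [pscustomobject]@{
        Suspect       = $a
        Genuine       = $b
        SameHash      = ($a.Exists -and $b.Exists -and $a.SHA256 -eq $b.SHA256)
        SuspectSigned = ($a.Exists -and $a.SigStatus -eq 'Valid')
        GenuineSigned = ($b.Exists -and $b.SigStatus -eq 'Valid')
    }
}

# Usage with the path from the fixlist.
$result = Compare-WithSystemCopy -SuspectPath 'C:\Users\Lesley\AppData\Local\Tific\Download\DllHost.exe'
$result.Suspect | Format-List
$result.Genuine | Format-List
$result | Select-Object SameHash, SuspectSigned, GenuineSigned | Format-List
```

Run it from an elevated prompt so the hashes and signature checks cover files in protected locations. A valid signature alone is not proof of legitimacy for a file in a user-writable folder; the hash comparison against the System32 copy, together with the version resource, is what tells a relocated genuine binary apart from an impostor.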

#8 runclub

runclub
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:11:21 PM

Posted 24 November 2016 - 04:08 PM

Hi,

 

I thought I would double check before I proceed.

 

You have asked me to delete the user account:  jlskngfbnu

 

I opened up the user accounts, selected manage other account and it is nowhere to be found.  There is one dxunrrahjx but not the one you mention.

 

thanks.



#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,713 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:11:21 PM

Posted 24 November 2016 - 04:24 PM

If you don't recognize dxunrrahjx please delete it using the steps I provided. We will follow up on the other one later.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 runclub

Posted 24 November 2016 - 06:42 PM

Hello,

Account is deleted. I think I recall it was an account set up by ESET in case the computer went missing: if someone logged on, it sent a message, as there was no password on it.


Fix result of Farbar Recovery Scan Tool (x64) Version: 23-11-2016
Ran by Lesley (24-11-2016 15:07:54) Run:2
Running from C:\aaa
Loaded Profiles: Lesley (Available Profiles: Lesley)
Boot Mode: Normal
==============================================

fixlist content:
*****************
C:\Users\Lesley\AppData\Local\Tific\Download\DllHost.exe
2016-11-10 10:50 - 2016-05-15 19:41 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-11-10 10:08 - 2016-05-15 19:41 - 00045664 _____ C:\windows\ZAM_Guard.krnl.trace
2016-11-09 13:00 - 2016-05-15 19:41 - 00007543 _____ C:\windows\ZAM.krnl.trace
File: C:\Windows\System32\dllhost.exe
emptytemp:
*****************

"C:\Users\Lesley\AppData\Local\Tific\Download\DllHost.exe" => not found.
C:\Program Files (x86)\Zemana AntiMalware => moved successfully
C:\windows\ZAM_Guard.krnl.trace => moved successfully
C:\windows\ZAM.krnl.trace => moved successfully

========================= File: C:\Windows\System32\dllhost.exe ========================

File is digitally signed
MD5: A8EDB86FC2A4D6D1285E4C70384AC35A
Creation and modification date: 2009-07-13 15:59 - 2009-07-13 17:39
Size: 0009728
Attributes: ----A
Company Name: Microsoft Corporation
Internal Name: dllhost.exe
Original Name: dllhost.exe
Product: Microsoft® Windows® Operating System
Description: COM Surrogate
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Version: 6.1.7600.16385
Copyright: © Microsoft Corporation. All rights reserved.

====== End of File: ======

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 4688993 B
Java, Flash, Steam htmlcache => 78015812 B
Windows/system/drivers => 347220938 B
Edge => 0 B
Chrome => 629649775 B
Firefox => 71633089 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 43326689 B
systemprofile32 => 82472 B
LocalService => 115860 B
NetworkService => 830926 B
Lesley => 588597573 B
Guest1 => 106263 B

RecycleBin => 11915717739 B
EmptyTemp: => 12.7 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:08:51 ====

Emsisoft Emergency Kit - Version 11.9
Last update: 11/24/2016 3:22:25 PM
User account: L-ALLON13\Lesley
Computer name: L-ALLON13
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 11/24/2016 3:23:54 PM

Scanned 75471
Found 0

Scan end: 11/24/2016 3:34:47 PM
Scan time: 0:10:53

 Results of screen317's Security Check version 1.014 --- 12/23/15 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Windows Firewall Disabled! 
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 JavaFX 2.1.1   
 Java™ 6 Update 31 
 Java 7 Update 25 
 Java version 32-bit out of Date!
 Adobe Flash Player 23.0.0.207 
 Adobe Reader 9 Adobe Reader out of Date!
 Adobe Reader 10.1.1 Adobe Reader out of Date! 
 Mozilla Firefox 11.0 Firefox out of Date! 
 Google Chrome (54.0.2840.71)
 Google Chrome (54.0.2840.99)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Trend Micro RUBotted RUBotSrv.exe 
 Trend Micro RUBotted RUBottedGUI.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

I should note that after I deleted the account the computer spontaneously rebooted.

Thanks.



#11 Oh My!

Posted 24 November 2016 - 07:10 PM

Thank you.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
cmd: regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
CMD: type "%userprofile%\desktop\look.txt"
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called look.txt. Please copy and paste the contents of the file in your reply.
===================================================

Update Adobe Reader

--------------------

Your Adobe Reader is out of date and a security concern. Here is some excellent information and a video which explains the importance of minimizing the risk of infection through compromised PDF files.
  • Please visit Adobe Reader
  • Uncheck any optional offers you do not want
  • Click Install now
  • Save the file to your desktop
  • Double click the installation icon
  • Select Run
  • When completed click Finish
  • Press the Windows key + R at the same time
  • Type appwiz.cpl, press Enter, and allow the Programs list to populate
  • Uninstall every Adobe Reader program except the one just downloaded and installed
===================================================

Firefox Update

--------------------

I recommend you consider updating Firefox to the newest version. If you desire to do so please click this link to begin the process.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Look.txt
  • Did the programs update?

Gary

#12 runclub

Posted 24 November 2016 - 08:46 PM

Hi,

I didn't get a look.txt file but a fixlog popped up.

Fix result of Farbar Recovery Scan Tool (x64) Version: 23-11-2016
Ran by Lesley (24-11-2016 17:06:05) Run:3
Running from C:\aaa
Loaded Profiles: Lesley (Available Profiles: Lesley)
Boot Mode: Normal
==============================================

fixlist content:
*****************
cmd: regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
CMD: type "%userprofile%\desktop\look.txt"
*****************


========= regedit /e "%userprofile%\desktop\look.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" =========


========= End of CMD: =========


========= type "%userprofile%\desktop\look.txt" =========

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"ProfilesDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,\
00,69,00,76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,00,00
"Default"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,\
76,00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,44,00,65,00,66,\
00,61,00,75,00,6c,00,74,00,00,00
"Public"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,00,76,\
00,65,00,25,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,50,00,75,00,62,00,\
6c,00,69,00,63,00,00,00
"ProgramData"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,44,00,72,00,69,\
00,76,00,65,00,25,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,44,00,\
61,00,74,00,61,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"Flags"=dword:0000000c
"State"=dword:00000000
"RefCount"=dword:00000001
"Sid"=hex:01,01,00,00,00,00,00,05,12,00,00,00
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,63,00,6f,00,6e,00,66,00,69,00,67,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,70,00,72,00,6f,00,66,00,69,00,6c,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,\
00,73,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,72,00,6f,00,\
66,00,69,00,6c,00,65,00,73,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,53,00,65,\
00,72,00,76,00,69,00,63,00,65,00,00,00
"Flags"=dword:00000000
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,57,00,69,00,6e,00,64,00,6f,00,77,\
00,73,00,5c,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,50,00,72,00,6f,00,\
66,00,69,00,6c,00,65,00,73,00,5c,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,\
00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00
"Flags"=dword:00000000
"State"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3650914020-3955857237-3003940392-1000]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,4c,00,65,00,73,00,6c,00,65,00,79,00,00,00
"Flags"=dword:00000000
"State"=dword:00000000
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,e4,86,9c,d9,55,97,c9,eb,28,7e,0c,\
b3,e8,03,00,00
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RefCount"=dword:00000006
"RunLogonScriptSync"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3650914020-3955857237-3003940392-1006]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,47,00,75,00,65,00,73,00,74,00,31,00,00,00
"Flags"=dword:00000000
"State"=dword:00000204
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,e4,86,9c,d9,55,97,c9,eb,28,7e,0c,\
b3,ee,03,00,00
"ProfileLoadTimeLow"=dword:00000000
"ProfileLoadTimeHigh"=dword:00000000
"RefCount"=dword:00000000
"RunLogonScriptSync"=dword:00000000


========= End of CMD: =========


==== End of Fixlog 17:06:05 ====

I have updated Firefox and deleted Adobe Reader because we have Adobe Acrobat instead. I have updated Adobe Acrobat as well.

The computer seems to be running slow but I am not sure if that is a reflection of the updates or not.
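The ProfileList export above is what the helper is reading by hand: each `hex(2):` value is a REG_EXPAND_SZ string exported as UTF-16LE bytes, and each `Sid` value is the binary SID that should match the subkey name. The script below is an added example, not part of this thread and not a BleepingComputer or Farbar tool. It parses a `regedit /e` export in that format, decodes the paths and SIDs, checks that each subkey's `Sid` value agrees with its key name, and looks up a profile by RID, which is the check the later SystemLook search for `*3003940392-1008*` performs. The embedded export is constructed for the example: the three real-looking entries mirror the shapes in the log, and the `-1008` entry with path `C:\Users\orphan` is invented to give the RID lookup something to find.

```python
"""Decode a regedit /e export of the ProfileList key (added example)."""
import re

PROFILE_LIST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"

# Constructed sample export. Continuation lines have no indent, as in a forum paste.
# The S-1-5-21-...-1008 entry is invented for the example; the others mirror the log.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18]
"Flags"=dword:0000000c
"Sid"=hex:01,01,00,00,00,00,00,05,12,00,00,00
"ProfileImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,\
00,6f,00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,\
5c,00,63,00,6f,00,6e,00,66,00,69,00,67,00,5c,00,73,00,79,00,73,00,74,00,65,\
00,6d,00,70,00,72,00,6f,00,66,00,69,00,6c,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3650914020-3955857237-3003940392-1000]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,4c,00,65,00,73,00,6c,00,65,00,79,00,00,00
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,e4,86,9c,d9,55,97,c9,eb,28,7e,0c,\
b3,e8,03,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3650914020-3955857237-3003940392-1006]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,47,00,75,00,65,00,73,00,74,00,31,00,00,00
"State"=dword:00000204
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,e4,86,9c,d9,55,97,c9,eb,28,7e,0c,\
b3,ee,03,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3650914020-3955857237-3003940392-1008]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,\
00,6f,00,72,00,70,00,68,00,61,00,6e,00,00,00
"Sid"=hex:01,05,00,00,00,00,00,05,15,00,00,00,e4,86,9c,d9,55,97,c9,eb,28,7e,0c,\
b3,f0,03,00,00
"""


def _hex_list(payload):
    """Turn 'e4,86,9c,...' into bytes, tolerating stray whitespace."""
    return bytes(int(tok, 16) for tok in re.split(r"[,\s]+", payload.strip()) if tok)


def decode_reg_value(raw):
    """Decode the right-hand side of a .reg line: dword:, hex: (REG_BINARY),
    hex(2): (REG_EXPAND_SZ stored as UTF-16LE with a trailing NUL), or "string"."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        return _hex_list(raw[7:]).decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex:"):
        return _hex_list(raw[4:])
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return raw


def sid_to_string(blob):
    """Binary SID layout: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_reg_export(text):
    """Parse a regedit /e export into {key_path: {value_name: decoded_value}}.
    A trailing backslash marks a continuation line; its leading indent is dropped."""
    joined, buf = [], ""
    for line in text.splitlines():
        line = line.rstrip()
        if buf:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    result, current = {}, None
    for line in joined:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            result[current][name.strip('"')] = decode_reg_value(raw)
    return result


def list_profiles(text):
    """One record per ProfileList subkey: key-name SID, decoded Sid value,
    profile path, and whether the stored Sid agrees with the key name."""
    records = []
    for key, values in parse_reg_export(text).items():
        if not key.startswith(PROFILE_LIST + "\\"):
            continue
        key_sid = key.rsplit("\\", 1)[1]
        sid_blob = values.get("Sid")
        decoded = sid_to_string(sid_blob) if isinstance(sid_blob, bytes) else None
        records.append({
            "key_sid": key_sid,
            "sid_value": decoded,
            "path": values.get("ProfileImagePath"),
            "sid_matches_key": decoded is None or decoded == key_sid,
        })
    return records


def find_rid(text, rid):
    """Profiles whose key SID ends in the given relative identifier."""
    return [r for r in list_profiles(text) if r["key_sid"].endswith("-%d" % rid)]


if __name__ == "__main__":
    for rec in list_profiles(SAMPLE_REG):
        flag = "" if rec["sid_matches_key"] else "  <-- Sid value does not match key"
        print("%-52s %s%s" % (rec["key_sid"], rec["path"], flag))
    print("RID 1008 entries:", [r["path"] for r in find_rid(SAMPLE_REG, 1008)])
```

Run it against a real `look.txt` by replacing `SAMPLE_REG` with the file's contents; the path column tells you which profile directory a stray SID subkey points at, and a mismatch flag or a `Sid` value that is absent is worth a closer look before deleting anything.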

#13 Oh My!

Posted 25 November 2016 - 02:23 PM

Greetings.

Please describe "slow."

Please do this.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook and save it to your Desktop.
  • Right-click SystemLook.exe and select Run as administrator...
  • Copy the content of the following codebox into the main textfield:
:filefind
*jlskngfbnu*
:regfind
*jlskngfbnu*
*3003940392-1008*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Slow?
  • SystemLook log

Gary

#14 runclub

Posted 25 November 2016 - 04:25 PM

It seemed that programs were slow to load. Browsing was slow.

SystemLook 30.07.11 by jpshortstuff
Log created at 13:08 on 25/11/2016 by Lesley
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*jlskngfbnu*"
No files found.

========== regfind ==========

Searching for "*jlskngfbnu*"
No data found.

Searching for "*3003940392-1008*"
No data found.

-= EOF =-



#15 Oh My!

Posted 25 November 2016 - 08:22 PM

Was it running faster before?

Boot into Safe Mode with Networking and tell me if your system/browser is faster.
Gary