Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

"Requested resource is in use"


  • This topic is locked This topic is locked
18 replies to this topic

#1 dandeletesdem

dandeletesdem

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 22 April 2017 - 07:01 PM

Howdy!

 

I have a trojan that does not let me run files. When I try to run a file, it shows the file location and "Requested resource is in use". I believe I have narrowed the troublemaker to a drmkpro64 service that is locked and a ct.exe file acting as windowsmanagementservice.

 

I have tried to remove these by using FRST, but somehow these files are protected. Any advice?

Mod Edit:  Pasted data into post - Hamluis.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-04-2017 01
Ran by michael (22-04-2017 19:42:13) Run:6
Running from D:\
Loaded Profiles: michael (Available Profiles: defaultuser0 & michael)
Boot Mode: Safe Mode (with Networking)
==============================================

fixlist content:
*****************
CloseProcesses:

Unlock: C:\Users\michael\AppData\Local\moajdxpd\ct.exe
Unlock: C:\Windows\System32\drivers\ndistpr64.sys

unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f
unlock: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice
reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f


R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed]
S2 windowsmanagementservice; C:\Users\michael\AppData\Local\moajdxpd\ct.exe [X]

EmptyTemp:
*****************

Processes closed successfully.
"C:\Users\michael\AppData\Local\moajdxpd\ct.exe" => not found.
"C:\Windows\System32\drivers\ndistpr64.sys" => could not be unlocked
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" => key was unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\drmkpro64" /f =========

ERROR: Access is denied.



========= End of Reg: =========

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" => key was unlocked

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\windowsmanagementservice" /f =========

ERROR: Access is denied.



========= End of Reg: =========

drmkpro64 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12689168 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 414858 B
Edge => 0 B
Chrome => 1105169 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
defaultuser0 => 0 B
michael => 2367574 B

RecycleBin => 0 B
EmptyTemp: => 15.8 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Safe Mode (with Networking)) (Date&Time: 22-04-2017 19:42:57)


Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected

==== End of Fixlog 19:42:57 ====

 

I've been successfully able to run mbar and while it did find threats during the first scan, it has consistently not found any subsequently. I am unable to run Zemana because the "Requested resource is in use" message comes up. I did try an unsigned version of Zemana, but it said it could not run in Safe Mode. If I try to start the computer in normal mode, it crashes with a blue screen and then restarts (only way I was able to put it in safe mode was by quickly going to msconfig and checking safe mode before it crashed). I tried running RogueKiller and it successfully ran, found and removed threats. Additionally, I was able to run aswMBR and it found the drmkpro64 file, but could not do anything as it was **LOCKED**.

 


Edited by hamluis, 22 April 2017 - 07:31 PM.


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 22 April 2017 - 08:58 PM

Hi dandeletesdem :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread;
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the guide below. Please download and use the MBAR linked in it as well.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

It may take several attempts to get MBAR up and running. Once you do, make sure that you update the database before launching the scan. Once you're done scanning with MBAR, and it removed the threats, go into the MBAR folder, and copy/paste the content of the mbar-log-TODAY'S-DATE.txt log here.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 dandeletesdem

dandeletesdem
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 22 April 2017 - 11:04 PM

Hi Aura,

 

Thank you so much for responding. Please see the mbar scan log that found malware and successfully removed it below. Note that after running mbar again, there were no threats found, and I am still unable to log in to normal mode without the computer crashing with a blue screen and subsequently rebooting. I am unable to run Zemana Antivirus because when I try to do so I get the message "Requested resource is in use". Furthermore, I've tried to use the Zemana antivirus version that does not have a signature, but have not been able to use it because when I try to launch it, it says it only works in normal mode (not safe mode).

Malwarebytes Anti-Rootkit BETA 1.9.3.1001www.malwarebytes.org


Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01


Windows 10 x64 NTFS (Safe Mode/Networking)
Internet Explorer 11.953.14393.0
michael :: DESKTOP-C51RM9G [administrator]


4/19/2017 8:53:44 PM
mbar-log-2017-04-19 (20-53-44).txt


Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 376265
Time elapsed: 9 minute(s), 21 second(s)


Memory Processes Detected: 0
(No malicious items detected)


Memory Modules Detected: 0
(No malicious items detected)


Registry Keys Detected: 8
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [65d85ce1bebedd5979549c58b64d27d9]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [1d2026176418d0665591916322e103fd]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [64d90736aeceff37c83e10e78182d828]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [fb425ce1dca01a1c56776a8a9d66d12f]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [ec5168d553295adc7f675e96c63d13ed]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [ff3e58e56e0e63d3957146b1f2118a76]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [68d50f2e98e4fe38c1b4cc825da814ec]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [68d50f2e98e4fe38c1b4cc825da814ec]


Registry Values Detected: 0
(No malicious items detected)


Registry Data Items Detected: 0
(No malicious items detected)


Folders Detected: 0
(No malicious items detected)


Files Detected: 1
C:\Users\michael\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Delete on reboot. [68d50f2e98e4fe38c1b4cc825da814ec]


Physical Sectors Detected: 0
(No malicious items detected)


(end)


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 22 April 2017 - 11:09 PM

Here's the problem:
Database version:
  main:    v2014.11.18.05
  rootkit: v2014.11.12.01
You need to update the database before launching the scan. Otherwise, MBAR won't be able to detect and delete the infection that is currently active on your system. If you download the MBAR from the link I gave you in my previous post, the database it comes with should have the signatures for that infection, but you should still update it just in case. Simply click on the "Update" button when you open MBAR to update the databases, and then launch the scan.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 dandeletesdem

dandeletesdem
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 23 April 2017 - 12:17 AM

Aura,

 

You are truly a life saver!!! After trying several attempts, running the updated version of mbar has resolved the issue. I am now able to run Zemana antivirus! Please see the result of the last mbar scan below:

 

Malwarebytes Anti-Rootkit BETA 1.9.4.1001
www.malwarebytes.org


Database version:
  main:    v2017.04.23.01
  rootkit: v2017.04.02.01


Windows 10 x64 NTFS (Safe Mode/Networking)
Internet Explorer 11.953.14393.0
michael :: DESKTOP-C51RM9G [administrator]


4/23/2017 12:30:41 AM
mbar-log-2017-04-23 (00-30-41).txt


Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 304482
Time elapsed: 8 minute(s), 43 second(s)


Memory Processes Detected: 0
(No malicious items detected)


Memory Modules Detected: 0
(No malicious items detected)


Registry Keys Detected: 2
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 (Rootkit.Agent.PUA) -> Delete on reboot. [d8a52bc9faae5fd7f1153e0535cc8080]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE (Trojan.Clicker) -> Delete on reboot. [9de0f9fb3d6ba3931fdfcae5c53c6997]


Registry Values Detected: 1
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|ImagePath (Trojan.Clicker) -> Data: C:\Users\michael\AppData\Local\moajdxpd\ct.exe -> Delete on reboot. [9de0f9fb3d6ba3931fdfcae5c53c6997]


Registry Data Items Detected: 0
(No malicious items detected)


Folders Detected: 0
(No malicious items detected)


Files Detected: 1
C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [06010fff408a9d867ca7b51afc3d0c5e]


Physical Sectors Detected: 0
(No malicious items detected)


(end)


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 23 April 2017 - 08:54 AM

Good :) Now you should be able to install and run a scan with Malwarebytes.

j1Bynr2.pngMalwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends of your system and computer specs;
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button;
    • If it asks you to restart your computer to complete the removal, do so;
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 dandeletesdem

dandeletesdem
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 23 April 2017 - 09:42 AM

Last night I ran both Zemana and Malwarebytes. Below is the scan from Malwarebytes:

 

Malwarebytes
www.malwarebytes.com


-Log Details-
Scan Date: 4/23/17
Scan Time: 1:22 AM
Logfile: 
Administrator: Yes


-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1789
License: Free


-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-C51RM9G\michael


-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 392682
Time Elapsed: 2 min, 1 sec


-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled


-Scan Details-
Process: 0
(No malicious items detected)


Module: 0
(No malicious items detected)


Registry Key: 6
PUP.Optional.WindowService, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\realtek_amd64_RASAPI32, Quarantined, [635], [388264],1.0.1789
PUP.Optional.WindowService, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\realtek_amd64_RASMANCS, Quarantined, [635], [388264],1.0.1789
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}, Quarantined, [536], [335317],1.0.1789
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0847AE0-465A-4D7B-A555-AABB43B550F0}, Quarantined, [536], [321304],1.0.1789
PUP.Optional.ProxyGate, HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DragonBoost, Quarantined, [955], [375419],1.0.1789
PUP.Optional.WindowService, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\WindowService, Quarantined, [635], [391768],1.0.1789


Registry Value: 4
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}|CONTACT, Quarantined, [536], [333852],1.0.1789
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{52F7BE5C-2C3B-4C7B-A96D-F19B9EC1992D}|URLINFOABOUT, Quarantined, [536], [335317],1.0.1789
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0847AE0-465A-4D7B-A555-AABB43B550F0}|CONTACT, Quarantined, [536], [333852],1.0.1789
PUP.Optional.OnlineIO, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0847AE0-465A-4D7B-A555-AABB43B550F0}|URLINFOABOUT, Quarantined, [536], [321304],1.0.1789


Registry Data: 0
(No malicious items detected)


Data Stream: 0
(No malicious items detected)


Folder: 0
(No malicious items detected)


File: 0
(No malicious items detected)


Physical Sector: 0
(No malicious items detected)




(end)


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 23 April 2017 - 09:45 AM

Good :) You can provide me the Zemana log as well if you still have it. We'll do a sweep with JRT and AdwCleaner now.

iT103hr.pngJunkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
    tLsXbWy.png
    Credits : BleepingComputer.com
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
zcMPezJ.pngAdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
    MV5ejgW.png
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted Zemana log (if you still have it);
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 dandeletesdem

dandeletesdem
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 23 April 2017 - 11:13 AM

Unfortunately, I do not have the Zemana log, but I just ran JRT and AdwCleaner. Below are the logs:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64 
Ran by michael (Administrator) on Sun 04/23/2017 at 11:53:34.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~








File System: 2 


Successfully deleted: C:\Windows\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\Windows\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)






Registry: 1 


Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{FF8E9C87-6AB3-4596-8B2A-9DD4FB72F05B} (Registry Key)








~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 04/23/2017 at 11:55:34.25
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
And AdwCleaner log:
 
# AdwCleaner v6.045 - Logfile created 23/04/2017 at 11:57:22
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-22.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : michael - DESKTOP-C51RM9G
# Running from : C:\Users\michael\Desktop\Antivirus\adwcleaner_6.045.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support






***** [ Services ] *****


No malicious services found.




***** [ Folders ] *****


Folder Found:  C:\ProgramData\3f182d05-35ee-45bb-9b2c-a9683a6498f0
Folder Found:  C:\ProgramData\8a25a145-fc9e-4bde-9a0f-6d0a8d52a8aa




***** [ Files ] *****


No malicious files found.




***** [ DLL ] *****


No malicious DLLs found.




***** [ WMI ] *****


No malicious keys found.




***** [ Shortcuts ] *****


No infected shortcut found.




***** [ Scheduled Tasks ] *****


No malicious task found.




***** [ Registry ] *****


Value Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [AnonymizerGadget]
Key Found:  HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
Key Found:  [x64] HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd




***** [ Web browsers ] *****


No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - fcfenmboojpjinhpgggodefccipikbpd


*************************


C:\AdwCleaner\AdwCleaner[S0].txt - [1657 Bytes] - [23/04/2017 11:57:22]


########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1730 Bytes] ##########
 


#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 23 April 2017 - 12:00 PM

Good. Now let's grab a fresh set of FRST logs to see if there's anything left to remove.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) on your Desktop;
  • Right-click on the executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • Make sure the Addition.txt box is checked;
  • Click on the Scan button;
    KSJwAxg.png
  • On completion, two message box will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files;
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 dandeletesdem

dandeletesdem
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 23 April 2017 - 02:18 PM

Below is the FRST.txt log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-04-2017 01
Ran by michael (administrator) on DESKTOP-C51RM9G (23-04-2017 14:22:22)
Running from C:\Users\michael\Desktop\Antivirus
Loaded Profiles: michael (Available Profiles: defaultuser0 & michael)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/


==================== Processes (Whitelisted) =================


(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)


(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\igfxCUIService.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Common Files\EPSON\EBAPI\eEBSvc.exe
(Autodesk Inc.) C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(Autodesk, Inc.) C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\IntelCpHDCPSvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Rivet Networks) C:\Program Files\Killer Networking\Network Manager\KillerService.exe
(Intel Corporation) C:\Windows\System32\Intel\DPTF\esif_uf.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(Intel Security, Inc.) C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe
(Waves Audio Ltd.) C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\IntelCpHeciSvc.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\VSCore_15_6\mcapexe.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\mcsvchost\McSvHost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\CSP\2.3.322.0\McCSPServiceHost.exe
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe
(Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\igfxEM.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Flux Software LLC) C:\Users\michael\AppData\Local\FluxSoftware\Flux\flux.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\McUICnt.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe
(Dell Inc.) C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe
(Dell) C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemedationService.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Dell Products, LP.) C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Dell) C:\Program Files\Dell\Dell Product Registration\PRSvc.exe
(Dell Inc.) C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Dell) C:\Program Files\Dell\Dell Foundation Services\DFS.Common.Agent.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Intel Security) C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(McAfee, Inc.) C:\Program Files\mcafee\virusscan\McVsShld.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\platform\core\mchost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ====================


(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)


HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [320568 2016-09-06] (Intel Corporation)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [9089560 2016-12-07] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_WAVES_SKYLAKE] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1489432 2016-12-07] (Realtek Semiconductor)
HKLM\...\Run: [WavesSvc] => C:\Program Files\Waves\MaxxAudio\WavesSvc64.exe [940976 2016-11-19] (Waves Audio Ltd.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-07-01] (Adobe Systems Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [Dropbox] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe [28344776 2017-04-17] (Dropbox, Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [673616 2009-04-07] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [ADSKAppManager] => C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgr.exe [529480 2016-02-24] (Autodesk Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2404952 2017-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Run: [f.lux] => C:\Users\michael\AppData\Local\FluxSoftware\Flux\flux.exe [1024240 2016-12-05] (Flux Software LLC)
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Run: [Akamai NetSession Interface] => C:\Users\michael\AppData\Local\Akamai\netsession_win.exe [4490200 2017-01-03] (Akamai Technologies, Inc.)
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Run: [WorkForce 310(Network)] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIFHA.EXE [223232 2008-11-17] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1081224 2013-02-05] (Autodesk, Inc.)
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27545048 2017-03-14] (Skype Technologies S.A.)
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Run: [BingSvc] => C:\Users\michael\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Policies\Explorer: [] 
HKU\S-1-5-18\...\Run: [Autodesk Sync] => C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe [1081224 2013-02-05] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-10-25] ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-10-25] ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll [2016-10-25] ()
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2013-02-08] (Autodesk, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [   DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.16.0.dll [2017-04-17] (Dropbox, Inc.)


==================== Internet (Whitelisted) ====================


(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)


Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{40fe3cf0-6d42-43e2-9ef8-169610249653}: [DhcpNameServer] 75.75.75.75 75.75.76.76


Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
SearchScopes: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001 -> DefaultScope {FF8E9C87-6AB3-4596-8B2A-9DD4FB72F05B} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-03-05] (Microsoft Corporation)
BHO: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-04-18] (McAfee, Inc.)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-03-05] (Microsoft Corporation)
BHO-x32: McAfee WebAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-04-18] (McAfee, Inc.)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-05] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-05] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-05] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-03-05] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll [2017-04-18] (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll [2017-04-18] (McAfee, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll [2017-02-28] (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll [2017-02-28] (McAfee, Inc.)


FireFox:
========
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF Extension: (McAfee WebAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi [2017-02-14]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files (x86)\McAfee\SiteAdvisor\saffplg.xpi
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK
FF Extension: (McAfee Anti-Spam Thunderbird Extension) - C:\Program Files\McAfee\MSK [2017-04-11] [not signed]
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL [2017-02-28] ()
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll [2017-03-27] (Adobe Systems)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL [2017-02-28] ()
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-03-05] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-01-21] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-01-21] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-04-04] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll [2017-03-27] (Adobe Systems)


Chrome: 
=======
CHR Profile: C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default [2017-04-23]
CHR Extension: (Google Slides) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-01-21]
CHR Extension: (Google Docs) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-01-21]
CHR Extension: (Google Drive) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-01-21]
CHR Extension: (YouTube) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-01-21]
CHR Extension: (Google Sheets) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-01-21]
CHR Extension: (McAfee® WebAdvisor) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2017-03-31]
CHR Extension: (Google Docs Offline) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-21]
CHR Extension: (AdBlock) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-04-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-11]
CHR Extension: (Gmail) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-01-21]
CHR Extension: (Chrome Media Router) - C:\Users\michael\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-07]
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - hxxp://clients2.google.com/service/update2/crx


==================== Services (Whitelisted) ====================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


R2 AdAppMgrSvc; C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\AdAppMgrSvc.exe [1145928 2016-02-24] (Autodesk Inc.)
R2 AdobeUpdateService; C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe [771672 2017-03-14] (Adobe Systems Incorporated)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2227312 2017-02-27] (Adobe Systems, Incorporated)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [338312 2016-09-07] (Windows (R) Win 7 DDK provider)
R2 Autodesk Content Service; C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [12288 2012-12-13] (Autodesk, Inc.) [File not signed]
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [3737792 2017-03-26] (Microsoft Corporation)
R3 ClientAnalyticsService; C:\Program Files\Common Files\McAfee\ClientAnalytics\Legacy\McClientAnalytics.exe [1752480 2017-02-24] (Intel Security)
R3 cphs; C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\IntelCpHeciSvc.exe [284144 2016-10-06] (Intel Corporation)
R2 cplspcon; C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\IntelCpHDCPSvc.exe [462832 2016-10-06] (Intel Corporation)
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-01-21] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2017-01-21] (Dropbox, Inc.)
R2 DbxSvc; C:\Windows\system32\DbxSvc.exe [48944 2017-04-17] (Dropbox, Inc.)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [130936 2016-12-21] (Dell Inc.)
R2 Dell Foundation Services; C:\Program Files\Dell\Dell Foundation Services\DFSSvc.exe [97616 2017-01-11] (Dell)
R2 Dell Help & Support; C:\Program Files\Dell\Dell Help & Support\MDLCSvc.exe [77648 2016-12-22] (Dell Inc.)
R2 Dell SupportAssist Remediation; C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemedationService.exe [114720 2016-08-05] (Dell)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2572024 2016-12-13] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [202488 2016-12-13] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [230248 2016-09-22] (Dell Inc.)
R2 esifsvc; C:\Windows\system32\Intel\DPTF\esif_uf.exe [2208888 2016-09-02] (Intel Corporation)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [17976 2016-09-06] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\igfxCUIService.exe [324592 2016-10-06] (Intel Corporation)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [987432 2016-07-26] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [177440 2016-08-30] (Intel Corporation)
R2 Killer Service V2; C:\Program Files\Killer Networking\Network Manager\KillerService.exe [457432 2016-09-22] (Rivet Networks)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 McAfee SiteAdvisor Service; C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe [188264 2017-04-18] (McAfee, Inc.)
R2 McAPExe; C:\Program Files\Common Files\McAfee\VSCore_15_6\McApExe.exe [994312 2017-03-13] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\McAfee\ActWiz\McAWFwk.exe [419096 2016-04-01] (McAfee, Inc.)
R2 McBootDelayStartSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 mccspsvc; C:\Program Files\Common Files\McAfee\CSP\2.3.322.0\\McCSPServiceHost.exe [2054080 2017-02-28] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [1344472 2017-02-24] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\McAfee\platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
R3 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [241040 2017-01-18] (McAfee, Inc.)
R2 mfemms; C:\Program Files\Common Files\McAfee\SystemCore\\mfemms.exe [385112 2017-01-18] (McAfee, Inc.)
R3 mfevtp; C:\Windows\system32\mfevtps.exe [343792 2017-01-18] (McAfee, Inc.)
R2 ModuleCoreService; C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe [1551512 2017-02-26] (McAfee, Inc.)
S3 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [641520 2017-02-22] (McAfee, Inc.)
S3 ose; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [198192 2017-03-25] (Microsoft Corporation) [File not signed]
R2 PEFService; C:\Program Files\Common Files\Intel Security\PEF\CORE\PEFService.exe [1104304 2016-11-15] (Intel Security, Inc.)
R2 Product Registration; C:\Program Files\Dell\Dell Product Registration\PRSvc.exe [80208 2016-09-22] (Dell)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [338456 2016-12-07] (Realtek Semiconductor)
R2 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [32728 2017-04-13] (Dell Inc.)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10351856 2016-12-15] (TeamViewer GmbH)
S3 ThunderboltService; c:\Program Files (x86)\Intel\Thunderbolt Software\tbtsvc.exe [2015968 2016-08-15] (Intel Corporation)
R2 WavesSysSvc; C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe [410032 2016-11-19] (Waves Audio Ltd.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-03-04] (Microsoft Corporation)


===================== Drivers (Whitelisted) ======================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


R1 BfLwf; C:\Windows\system32\DRIVERS\bwcW10x64.sys [145736 2016-09-19] (Rivet Networks, LLC.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [88464 2017-01-20] (McAfee, Inc.)
R3 DDDriver; C:\Windows\system32\drivers\DDDriver64Dcsa.sys [32352 2016-10-13] (Dell Inc.)
R3 DellProf; C:\Windows\system32\drivers\DellProf.sys [24240 2016-06-23] (Dell Computer Corporation)
R3 dptf_acpi; C:\Windows\System32\drivers\dptf_acpi.sys [71232 2016-08-12] (Intel Corporation)
R3 dptf_cpu; C:\Windows\System32\drivers\dptf_cpu.sys [66624 2016-08-12] (Intel Corporation)
R3 esif_lf; C:\Windows\system32\DRIVERS\esif_lf.sys [350272 2016-08-12] (Intel Corporation)
R3 HidEventFilter; C:\Windows\System32\drivers\HidEventFilter.sys [54800 2016-08-16] (Intel Corporation)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [207968 2016-02-24] (McAfee, Inc.)
R3 iaLPSS2_GPIO2; C:\Windows\System32\drivers\iaLPSS2_GPIO2.sys [89912 2016-08-30] (Intel Corporation)
R3 iaLPSS2_I2C; C:\Windows\System32\drivers\iaLPSS2_I2C.sys [184632 2016-08-30] (Intel Corporation)
S3 iaLPSS2_SPI; C:\Windows\System32\drivers\iaLPSS2_SPI.sys [151352 2016-08-30] (Intel Corporation)
S3 iaLPSS2_UART2; C:\Windows\System32\drivers\iaLPSS2_UART2.sys [282424 2016-08-30] (Intel Corporation)
R3 igfx; C:\Windows\System32\DriverStore\FileRepository\k18647a.inf_amd64_d30e8907e2541ff2\igdkmd64.sys [10588648 2016-10-06] (Intel Corporation)
R3 IntcAudioBus; C:\Windows\System32\drivers\IntcAudioBus.sys [234608 2016-12-07] (Intel(R) Corporation)
R3 IntcOED; C:\Windows\System32\drivers\IntcOED.sys [737384 2016-12-07] (Intel(R) Corporation)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [251832 2017-04-23] (Malwarebytes)
R3 mfeaack; C:\Windows\System32\drivers\mfeaack.sys [487184 2017-01-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [366328 2017-01-20] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [85048 2017-01-23] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [518704 2017-01-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [923640 2017-01-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\System32\DRIVERS\mfencbdc.sys [498648 2017-01-19] (McAfee, Inc.)
S3 mfencrk; C:\Windows\System32\DRIVERS\mfencrk.sys [109320 2017-01-19] (McAfee, Inc.)
R3 mfeplk; C:\Windows\System32\drivers\mfeplk.sys [110256 2017-01-20] (McAfee, Inc.)
R3 mfesapsn; C:\Program Files (x86)\McAfee\SiteAdvisor\x64\mfesapsn.sys [46240 2016-06-06] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [254800 2017-01-20] (McAfee, Inc.)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 Qcamain10x64; C:\Windows\system32\DRIVERS\Qcamain10x64.sys [2403248 2016-09-22] (Qualcomm Atheros, Inc.)
R3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [796672 2016-12-15] (Realsil Semiconductor Corporation)
S3 rtux64w10; C:\Windows\System32\drivers\rtux64w10.sys [366640 2016-10-25] (Realtek                                                                )
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-04-22] ()
R3 VirtualButtons; C:\Windows\System32\drivers\VirtualButtons.sys [40008 2016-08-16] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-04-23] (Zemana Ltd.)
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]


==================== NetSvcs (Whitelisted) ===================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)




==================== One Month Created files and folders ========


(If an entry is included in the fixlist, the file/folder will be moved.)


2017-04-23 12:02 - 2017-04-23 12:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2017-04-23 11:46 - 2017-04-23 11:46 - 00001741 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator CS6.lnk
2017-04-23 11:44 - 2017-04-23 11:44 - 00001577 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator CS6 (64 Bit).lnk
2017-04-23 11:44 - 2017-04-23 11:44 - 00000000 ____D C:\ProgramData\ALM
2017-04-23 11:43 - 2017-04-23 11:43 - 00001084 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6 (64bit).lnk
2017-04-23 11:38 - 2017-04-23 11:38 - 00000000 ____D C:\Users\michael\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
2017-04-23 11:35 - 2017-04-23 11:35 - 00003666 _____ C:\Windows\System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-michaelerr08@gmail.com
2017-04-23 11:20 - 2017-04-23 11:46 - 00000000 ____D C:\ProgramData\regid.1986-12.com.adobe
2017-04-23 11:20 - 2017-04-23 11:20 - 00001274 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe InDesign CS6.lnk
2017-04-23 11:16 - 2017-04-23 11:16 - 00001248 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS6.lnk
2017-04-23 11:14 - 2017-04-23 11:16 - 00001364 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Media Encoder CS6.lnk
2017-04-23 11:14 - 2017-04-23 11:14 - 00001602 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS6.lnk
2017-04-23 11:14 - 2017-04-23 11:14 - 00001432 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS6.lnk
2017-04-23 11:12 - 2017-04-23 11:12 - 00001072 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Help.lnk
2017-04-23 11:12 - 2017-04-23 11:12 - 00000000 ____D C:\Users\Default\AppData\Roaming\Macromedia
2017-04-23 11:12 - 2017-04-23 11:12 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Macromedia
2017-04-23 01:25 - 2017-04-23 14:22 - 00061888 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-04-23 01:20 - 2017-04-23 14:22 - 00000000 ___RD C:\Users\michael\Desktop\Antivirus
2017-04-23 01:20 - 2017-04-23 01:21 - 00092096 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-04-23 01:20 - 2017-04-23 01:20 - 00111544 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-04-23 01:20 - 2017-04-23 01:20 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-04-23 01:20 - 2017-04-23 01:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-04-23 01:20 - 2017-04-23 01:20 - 00000000 ____D C:\Program Files\Malwarebytes
2017-04-23 01:20 - 2017-03-22 11:02 - 00077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-04-23 01:19 - 2017-04-23 01:19 - 60107896 _____ (Malwarebytes ) C:\Users\michael\Downloads\mb3-setup-consumer-3.0.6.1469-10103.exe
2017-04-23 01:18 - 2017-04-23 12:40 - 00004034 _____ C:\Windows\System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse
2017-04-23 01:18 - 2017-04-23 01:18 - 00004222 _____ C:\Windows\System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse
2017-04-23 01:16 - 2017-04-23 11:54 - 00000000 ____D C:\Users\michael\AppData\Local\CrashDumps
2017-04-23 01:16 - 2017-04-23 01:25 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-04-23 01:16 - 2017-04-23 01:19 - 00050235 _____ C:\Windows\ZAM.krnl.trace
2017-04-23 01:16 - 2017-04-23 01:16 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-04-23 01:15 - 2017-04-23 01:15 - 05774688 _____ (Zemana Ltd. ) C:\Users\michael\Downloads\Zemana.AntiMalware.Setup.exe
2017-04-23 01:10 - 2017-04-23 01:10 - 00000000 ____D C:\ProgramData\SupportAssistAgent
2017-04-23 01:08 - 2017-04-23 01:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-04-23 01:04 - 2017-04-23 12:00 - 00000000 ____D C:\AdwCleaner
2017-04-23 01:04 - 2017-04-23 01:04 - 00000562 _____ C:\TDSSKiller.3.1.0.12_23.04.2017_01.04.17_log.txt
2017-04-22 18:51 - 2017-04-22 18:51 - 00001171 _____ C:\Windows\system32\drivers - Shortcut.lnk
2017-04-22 18:51 - 2017-04-22 18:51 - 00001171 _____ C:\Windows\system32\drivers - Shortcut (2).lnk
2017-04-22 18:11 - 2017-04-22 18:11 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-04-22 18:10 - 2017-04-22 18:30 - 00000000 ____D C:\ProgramData\RogueKiller
2017-04-22 18:10 - 2017-04-22 18:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-04-22 18:10 - 2017-04-22 18:10 - 00000000 ____D C:\Program Files\RogueKiller
2017-04-22 16:17 - 2017-04-22 16:18 - 00000000 ____D C:\Users\michael\Desktop\USB
2017-04-22 16:04 - 2017-04-22 16:04 - 00426612 _____ C:\Windows\Minidump\042217-8328-01.dmp
2017-04-22 16:03 - 2017-04-22 16:03 - 00426668 _____ C:\Windows\Minidump\042217-7046-01.dmp
2017-04-22 16:02 - 2017-04-22 16:02 - 00426636 _____ C:\Windows\Minidump\042217-12125-01.dmp
2017-04-22 16:01 - 2017-04-22 16:01 - 00426660 _____ C:\Windows\Minidump\042217-7062-01.dmp
2017-04-22 16:00 - 2017-04-22 16:00 - 00426564 _____ C:\Windows\Minidump\042217-7078-01.dmp
2017-04-22 13:13 - 2017-04-22 13:13 - 00426708 _____ C:\Windows\Minidump\042217-8453-02.dmp
2017-04-22 13:12 - 2017-04-22 13:12 - 00426740 _____ C:\Windows\Minidump\042217-8437-02.dmp
2017-04-22 13:10 - 2017-04-22 13:11 - 00426788 _____ C:\Windows\Minidump\042217-9406-01.dmp
2017-04-22 13:09 - 2017-04-22 13:09 - 00426748 _____ C:\Windows\Minidump\042217-9109-01.dmp
2017-04-22 13:00 - 2017-04-22 13:01 - 00426740 _____ C:\Windows\Minidump\042217-9312-01.dmp
2017-04-22 12:58 - 2017-04-22 12:58 - 00426636 _____ C:\Windows\Minidump\042217-8437-01.dmp
2017-04-22 12:51 - 2017-04-22 12:51 - 00426788 _____ C:\Windows\Minidump\042217-8375-01.dmp
2017-04-22 12:50 - 2017-04-22 12:50 - 00426724 _____ C:\Windows\Minidump\042217-8531-02.dmp
2017-04-22 12:49 - 2017-04-22 12:49 - 00426596 _____ C:\Windows\Minidump\042217-8312-01.dmp
2017-04-22 12:47 - 2017-04-22 12:47 - 00426636 _____ C:\Windows\Minidump\042217-8531-01.dmp
2017-04-22 12:46 - 2017-04-22 12:46 - 00426764 _____ C:\Windows\Minidump\042217-9375-01.dmp
2017-04-22 12:45 - 2017-04-22 12:45 - 00426652 _____ C:\Windows\Minidump\042217-8296-01.dmp
2017-04-22 12:43 - 2017-04-22 12:43 - 00426796 _____ C:\Windows\Minidump\042217-8453-01.dmp
2017-04-22 12:42 - 2017-04-22 12:42 - 00426700 _____ C:\Windows\Minidump\042217-8468-01.dmp
2017-04-22 12:41 - 2017-04-22 12:41 - 00426700 _____ C:\Windows\Minidump\042217-9296-01.dmp
2017-04-22 12:39 - 2017-04-22 12:40 - 00426620 _____ C:\Windows\Minidump\042217-8421-01.dmp
2017-04-20 00:24 - 2017-04-20 00:24 - 00426604 _____ C:\Windows\Minidump\042017-8937-01.dmp
2017-04-20 00:22 - 2017-04-20 00:22 - 00426668 _____ C:\Windows\Minidump\042017-8609-01.dmp
2017-04-20 00:20 - 2017-04-20 00:20 - 00426588 _____ C:\Windows\Minidump\042017-9562-01.dmp
2017-04-19 22:39 - 2017-04-19 22:39 - 00000000 ____D C:\Users\michael\AppData\Local\Zemana
2017-04-19 21:40 - 2017-04-19 21:40 - 00426708 _____ C:\Windows\Minidump\041917-8703-01.dmp
2017-04-19 20:53 - 2017-04-23 11:58 - 00251832 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-04-19 20:53 - 2017-04-23 01:25 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-04-19 20:53 - 2017-04-23 01:20 - 00000000 ____D C:\ProgramData\Malwarebytes
2017-04-19 20:52 - 2017-04-23 01:20 - 00186304 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2017-04-19 00:41 - 2017-04-23 14:22 - 00000000 ____D C:\FRST
2017-04-17 11:14 - 2017-04-17 11:14 - 00048944 _____ (Dropbox, Inc.) C:\Windows\system32\DbxSvc.exe
2017-04-12 20:36 - 2017-04-12 20:36 - 00426636 _____ C:\Windows\Minidump\041217-8812-01.dmp
2017-04-12 20:35 - 2017-04-12 20:35 - 00426692 _____ C:\Windows\Minidump\041217-9562-01.dmp
2017-04-12 20:34 - 2017-04-12 20:34 - 00000000 ___HD C:\OneDriveTemp
2017-04-12 00:51 - 2017-04-12 00:51 - 00426532 _____ C:\Windows\Minidump\041217-9250-01.dmp
2017-04-12 00:49 - 2017-04-12 00:49 - 00426748 _____ C:\Windows\Minidump\041217-9218-01.dmp
2017-04-12 00:04 - 2017-04-23 01:03 - 00000214 _____ C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job
2017-04-12 00:03 - 2017-04-12 00:03 - 00426756 _____ C:\Windows\Minidump\041217-8437-01.dmp
2017-04-12 00:01 - 2017-04-12 00:01 - 00426716 _____ C:\Windows\Minidump\041217-9515-01.dmp
2017-04-12 00:00 - 2017-04-12 00:00 - 00426540 _____ C:\Windows\Minidump\041217-10062-01.dmp
2017-04-11 23:59 - 2017-04-12 00:03 - 00000000 ____D C:\Windows\pss
2017-04-11 23:59 - 2017-04-11 23:59 - 00426692 _____ C:\Windows\Minidump\041117-9406-01.dmp
2017-04-11 23:57 - 2017-04-11 23:57 - 00426660 _____ C:\Windows\Minidump\041117-9437-01.dmp
2017-04-11 23:56 - 2017-04-11 23:56 - 00426724 _____ C:\Windows\Minidump\041117-9453-02.dmp
2017-04-11 23:54 - 2017-04-11 23:54 - 00426716 _____ C:\Windows\Minidump\041117-9421-01.dmp
2017-04-11 23:52 - 2017-04-11 23:52 - 00426724 _____ C:\Windows\Minidump\041117-8750-01.dmp
2017-04-11 23:51 - 2017-04-11 23:51 - 00426612 _____ C:\Windows\Minidump\041117-9250-01.dmp
2017-04-11 23:49 - 2017-04-11 23:49 - 00426780 _____ C:\Windows\Minidump\041117-9453-01.dmp
2017-04-11 23:47 - 2017-04-11 23:47 - 00426572 _____ C:\Windows\Minidump\041117-9328-02.dmp
2017-04-11 23:39 - 2017-04-11 23:39 - 00426572 _____ C:\Windows\Minidump\041117-9500-02.dmp
2017-04-11 23:37 - 2017-04-11 23:38 - 00426108 _____ C:\Windows\Minidump\041117-8640-01.dmp
2017-04-11 23:36 - 2017-04-11 23:36 - 00426540 _____ C:\Windows\Minidump\041117-8937-01.dmp
2017-04-11 23:34 - 2017-04-11 23:34 - 00426700 _____ C:\Windows\Minidump\041117-8515-01.dmp
2017-04-11 23:32 - 2017-04-11 23:32 - 00426796 _____ C:\Windows\Minidump\041117-9343-01.dmp
2017-04-11 23:30 - 2017-04-11 23:30 - 00426764 _____ C:\Windows\Minidump\041117-10828-01.dmp
2017-04-11 23:28 - 2017-04-11 23:28 - 00426732 _____ C:\Windows\Minidump\041117-11062-01.dmp
2017-04-11 23:27 - 2017-04-11 23:27 - 00426780 _____ C:\Windows\Minidump\041117-10000-01.dmp
2017-04-11 23:20 - 2017-04-11 23:20 - 00426700 _____ C:\Windows\Minidump\041117-10265-01.dmp
2017-04-11 23:17 - 2017-04-11 23:17 - 00426748 _____ C:\Windows\Minidump\041117-10250-01.dmp
2017-04-11 22:31 - 2017-04-22 16:04 - 820516019 _____ C:\Windows\MEMORY.DMP
2017-04-11 22:30 - 2017-04-23 12:03 - 00000000 ___HD C:\Users\Public\Documents\AdobeGC
2017-04-11 22:30 - 2017-04-22 16:04 - 00000000 ____D C:\Windows\Minidump
2017-04-09 22:41 - 2017-04-09 22:41 - 00001087 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Photoshop CC 2017.lnk
2017-04-09 22:41 - 2017-04-09 22:41 - 00000000 ____D C:\Users\michael\Documents\Adobe
2017-04-09 21:56 - 2017-04-09 21:56 - 00001075 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe InDesign CC 2017.lnk
2017-04-09 21:53 - 2017-04-23 11:44 - 00000000 ____D C:\Program Files\Common Files\Adobe
2017-04-09 21:53 - 2017-04-09 21:53 - 00002522 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Illustrator CC 2017.lnk
2017-04-09 21:50 - 2017-04-23 11:43 - 00000000 ____D C:\Program Files\Adobe
2017-04-09 21:49 - 2017-04-11 21:16 - 00000000 ___RD C:\Users\michael\Creative Cloud Files
2017-04-09 21:49 - 2017-04-09 21:49 - 00000000 ____D C:\ProgramData\boost_interprocess
2017-04-09 21:48 - 2017-04-09 21:48 - 00001304 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Creative Cloud.lnk
2017-04-09 21:48 - 2017-04-09 21:48 - 00001292 _____ C:\Users\Public\Desktop\Adobe Creative Cloud.lnk
2017-04-06 23:31 - 2017-04-06 23:31 - 00003132 _____ C:\Windows\System32\Tasks\SystemToolsDailyTest-Retry
2017-03-31 20:41 - 2017-03-31 20:41 - 00000000 __HDC C:\ProgramData\{042448DA-1440-41DE-BC4B-7C215005F4ED}


==================== One Month Modified files and folders ========


(If an entry is included in the fixlist, the file/folder will be moved.)


2017-04-23 14:20 - 2016-11-29 21:14 - 00000000 ____D C:\Windows\system32\SleepStudy
2017-04-23 12:03 - 2016-11-29 21:25 - 01482724 _____ C:\Windows\system32\PerfStringBackup.INI
2017-04-23 12:01 - 2017-01-25 00:34 - 00000000 ____D C:\Users\michael\AppData\Roaming\Atom
2017-04-23 11:58 - 2017-01-21 17:53 - 00000000 __SHD C:\Users\michael\IntelGraphicsProfiles
2017-04-23 11:58 - 2016-11-29 21:14 - 04935976 _____ C:\Windows\system32\FNTCACHE.DAT
2017-04-23 11:58 - 2016-11-29 21:14 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-04-23 11:58 - 2016-07-16 02:04 - 00524288 _____ C:\Windows\system32\config\BBI
2017-04-23 11:47 - 2017-01-25 00:49 - 00000000 ____D C:\Users\michael\AppData\Local\Adobe
2017-04-23 11:47 - 2017-01-21 17:53 - 00000000 ____D C:\Users\michael\AppData\Roaming\Adobe
2017-04-23 11:41 - 2017-01-25 00:59 - 00000000 ____D C:\Program Files (x86)\Adobe
2017-04-23 11:14 - 2017-01-25 01:00 - 00004562 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-04-23 11:14 - 2017-01-25 00:50 - 00000000 ____D C:\ProgramData\Adobe
2017-04-23 11:13 - 2017-01-25 01:00 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-04-23 10:47 - 2016-07-16 07:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-23 10:47 - 2016-07-16 07:47 - 00000000 ____D C:\Windows\AppReadiness
2017-04-23 02:53 - 2016-07-16 07:36 - 00000000 ____D C:\Windows\CbsTemp
2017-04-23 01:25 - 2017-01-24 23:10 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2017-04-23 01:25 - 2016-11-29 21:27 - 00000000 ____D C:\Program Files (x86)\McAfee
2017-04-23 01:16 - 2017-01-21 17:51 - 00000000 ____D C:\Users\michael
2017-04-23 01:12 - 2017-01-25 00:34 - 00000000 ____D C:\Users\michael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GitHub, Inc
2017-04-23 01:12 - 2017-01-25 00:34 - 00000000 ____D C:\Users\michael\AppData\Local\atom
2017-04-23 01:08 - 2016-11-29 21:27 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-04-23 01:01 - 2016-11-29 21:27 - 00000000 ____D C:\ProgramData\McAfee
2017-04-23 01:01 - 2016-07-16 02:04 - 00032768 _____ C:\Windows\system32\config\ELAM
2017-04-22 18:27 - 2016-07-16 07:47 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2017-04-22 16:08 - 2017-01-21 22:28 - 00000000 ____D C:\Users\michael\AppData\Local\ElevatedDiagnostics
2017-04-22 13:12 - 2017-01-21 22:29 - 00000000 ____D C:\Users\michael\AppData\Roaming\Skype
2017-04-22 13:12 - 2017-01-21 22:25 - 00000000 ___RD C:\Users\michael\OneDrive
2017-04-12 00:37 - 2017-01-24 23:10 - 00000000 ____D C:\Users\michael\AppData\Roaming\TeamViewer
2017-04-11 22:30 - 2016-07-16 07:45 - 00000000 ____D C:\Windows\INF
2017-04-09 21:48 - 2016-11-29 21:24 - 00000000 ____D C:\ProgramData\Package Cache
2017-04-06 23:29 - 2016-07-16 07:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-04-06 23:28 - 2016-11-29 21:34 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-04-06 22:16 - 2017-01-21 18:08 - 00002274 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-04-06 22:16 - 2017-01-21 18:08 - 00002262 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-03-31 21:07 - 2016-11-29 21:27 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-03-31 21:07 - 2016-07-16 07:47 - 00000000 ___HD C:\Windows\ELAMBKUP
2017-03-31 21:06 - 2016-11-29 21:28 - 00003126 _____ C:\Windows\System32\Tasks\McAfeeLogon
2017-03-31 21:06 - 2016-11-29 21:28 - 00000000 ____D C:\Windows\System32\Tasks\McAfee
2017-03-31 21:04 - 2016-11-29 21:27 - 00000000 ____D C:\Program Files\Common Files\AV


==================== Files in the root of some directories =======


2017-01-24 23:26 - 2017-01-24 23:26 - 0000153 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc


==================== Bamital & volsnap ======================


(There is no automatic fix for files that do not pass verification.)


C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2017-04-09 22:49


==================== End of FRST.txt ============================
 
And here is the Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-04-2017 01
Ran by michael (23-04-2017 14:23:24)
Running from C:\Users\michael\Desktop\Antivirus
Windows 10 Home Version 1607 (X64) (2017-01-21 21:49:02)
Boot Mode: Normal
==========================================================




==================== Accounts: =============================


Administrator (S-1-5-21-4170285323-1899740614-2586525237-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-4170285323-1899740614-2586525237-503 - Limited - Disabled)
defaultuser0 (S-1-5-21-4170285323-1899740614-2586525237-1000 - Limited - Disabled) => C:\Users\defaultuser0
Guest (S-1-5-21-4170285323-1899740614-2586525237-501 - Limited - Disabled)
michael (S-1-5-21-4170285323-1899740614-2586525237-1001 - Administrator - Enabled) => C:\Users\michael


==================== Security Center ========================


(If an entry is included in the fixlist, it will be removed.)


AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee VirusScan (Enabled - Up to date) {8BCDACFA-D264-3528-5EF8-E94FD0BC1FBC}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee VirusScan (Enabled - Up to date) {30AC4D1E-F45E-3AA6-6448-D23DAB3B5501}
FW: McAfee Firewall (Enabled) {B3F62DDF-980B-3470-75A7-407A2E6F58C7}


==================== Installed Programs ======================


(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)


Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.009.20044 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 4.0.1.188 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Illustrator CC 2017 (HKLM-x32\...\ILST_21_1_0) (Version: 21.1.0 - Adobe Systems Incorporated)
Adobe Illustrator CS6 (HKLM-x32\...\{4869414E-7AEA-4C8E-BE1C-8D40977FD517}) (Version: 16.0 - Adobe Systems Incorporated)
Adobe InDesign CC 2017 (HKLM-x32\...\IDSN_12_1_0) (Version: 12.1.0 - Adobe Systems Incorporated)
Adobe InDesign CS6 (HKLM-x32\...\{CFB770D7-8D43-1014-922B-CC2715FADE3F}) (Version: 8.0 - Adobe Systems Incorporated)
Adobe Photoshop CC 2017 (HKLM-x32\...\PHSP_18_1) (Version: 18.1.0 - Adobe Systems Incorporated)
Akamai NetSession Interface (HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Akamai) (Version:  - Akamai Technologies, Inc)
Asmedia USB Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.16.41.3 - Asmedia Technology)
Atom (HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\atom) (Version: 1.16.0 - GitHub Inc.)
AutoCAD 2014 - English (Version: 19.1.18.0 - Autodesk) Hidden
AutoCAD 2014 Language Pack - English (Version: 19.1.18.0 - Autodesk) Hidden
Autodesk 360 (HKLM\...\{52B28CAD-F49D-47BA-9FFE-29C2E85F0D0B}) (Version: 4.0.27.1 - Autodesk)
Autodesk App Manager (HKLM-x32\...\{C070121A-C8C5-4D52-9A7D-D240631BD433}) (Version: 1.1.0 - Autodesk)
Autodesk Application Manager (HKLM-x32\...\Autodesk Application Manager) (Version: 5.0.142.14 - Autodesk)
Autodesk AutoCAD 2014 - English (HKLM\...\AutoCAD 2014 - English) (Version: 19.1.18.0 - Autodesk)
Autodesk BIM 360 Revit 2015 Add-in 64 bit (HKLM\...\{37E1C3A1-7DBF-4250-9314-46167B68383D}) (Version: 3.32.3357 - Autodesk)
Autodesk Content Service (HKLM-x32\...\Autodesk Content Service) (Version: 3.1.3.0 - Autodesk)
Autodesk Content Service (x32 Version: 3.1.3.0 - Autodesk) Hidden
Autodesk Content Service Language Pack (x32 Version: 3.1.3.0 - Autodesk) Hidden
Autodesk Featured Apps (HKLM-x32\...\{F732FEDA-7713-4428-934B-EF83B8DD65D0}) (Version: 1.1.0 - Autodesk)
Autodesk Material Library 2014 (HKLM-x32\...\{644F9B19-A462-499C-BF4D-300ABC2A28B1}) (Version: 4.0.19.0 - Autodesk)
Autodesk Material Library 2015 (HKLM-x32\...\{427F733F-4D6C-45BC-9324-EB743104C321}) (Version: 5.2.8.100 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2014 (HKLM-x32\...\{51BF3210-B825-4092-8E0D-66D689916E02}) (Version: 4.0.19.0 - Autodesk)
Autodesk Material Library Base Resolution Image Library 2015 (HKLM-x32\...\{ABE2F70B-8D94-44E9-AA04-F0DB35063D62}) (Version: 5.2.8.100 - Autodesk)
Autodesk Material Library Low Resolution Image Library 2015 (HKLM-x32\...\{4FBC9635-AC56-4378-8FDE-C4D3ED072681}) (Version: 5.2.8.100 - Autodesk)
Autodesk Material Library Medium Resolution Image Library 2015 (HKLM-x32\...\{9F6466D9-6EFC-4A10-B931-C72D1A3F1763}) (Version: 5.2.8.100 - Autodesk)
Autodesk ReCap (HKLM\...\Autodesk ReCap) (Version: 1.0.43.13 - Autodesk)
Autodesk ReCap (Version: 1.0.43.13 - Autodesk) Hidden
Autodesk ReCap Language Pack-English (Version: 1.0.43.13 - Autodesk) Hidden
Autodesk Revit Architecture 2015 (HKLM\...\Autodesk Revit Architecture 2015) (Version: 15.0.136.0 - Autodesk)
Autodesk Revit Architecture Content Libraries 2015 (HKLM\...\Autodesk Revit Architecture Content Libraries 2015) (Version: 15.0.136.0 - Autodesk)
Autodesk Workflows 2015 (HKLM\...\{A90DD6F8-60D2-4803-AFF6-796400E73E1B}) (Version: 5.2.11.100 - Autodesk, Inc.)
Dell Customer Connect (HKLM-x32\...\{4FA72FF9-DD64-43A8-8704-6380A11F11D5}) (Version: 1.4.15.0 - Dell Inc.)
Dell Data Vault (Version: 4.4.1.0 - Dell Inc.) Hidden
Dell Digital Delivery (HKLM-x32\...\{99B7C4B5-DC14-441D-A5B6-7340F682BC81}) (Version: 3.1.1117.0 - Dell Products, LP)
Dell Foundation Services (HKLM\...\{BDB50421-E961-42F3-B803-6DAC6F173834}) (Version: 3.4.16100.0 - Dell Inc.)
Dell Help & Support (HKLM-x32\...\InstallShield_{E8669F4E-F2BE-48A9-B5A5-0BC12CA4CB4F}) (Version: 2.4.18.0 - Dell Inc.)
Dell Help & Support (Version: 2.4.18.0 - Dell Inc.) Hidden
Dell Product Registration (HKLM-x32\...\InstallShield_{85B14AE3-1624-45BE-942B-A528DF6F1CCE}) (Version: 3.0.123.0 - Dell Inc.)
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.3.6855.72 - Dell)
Dell SupportAssist Remediation (HKLM-x32\...\{56e3476e-a4e0-418b-926c-8be09f6c37ce}) (Version: 2.0.2.1818 - Dell Inc.)
Dell SupportAssist Remediation (Version: 2.0.2.1818 - Dell Inc.) Hidden
Dell SupportAssistAgent (HKLM-x32\...\{1AE53ECE-2255-4191-998B-07741E5EFCDA}) (Version: 1.4.1.8 - Dell)
Dell Update - SupportAssist Update Plugin (HKLM\...\{D5A4BC07-13BB-4D8B-A9DA-77AC5D953A19}) (Version: 2.0.2.1818 - Dell Inc.)
Dell Update (HKLM-x32\...\{49655877-33CF-4C8A-B07C-9694935431E4}) (Version: 1.9.7.0 - Dell Inc.)
Dropbox (HKLM-x32\...\Dropbox) (Version: 24.4.16 - Dropbox, Inc.)
Dropbox 20 GB (HKLM-x32\...\{84D8451D-2ED6-3A59-ABA5-2A447F7C6310}) (Version: 4.1.2.0 - Dropbox, Inc.)
Dropbox Update Helper (x32 Version: 1.3.65.1 - Dropbox, Inc.) Hidden
Epson Event Manager (HKLM-x32\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 2.30.01 - SEIKO EPSON Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - )
EPSON WorkForce 310 Series Printer Uninstall (HKLM\...\EPSON WorkForce 310 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
EpsonNet Setup (HKLM-x32\...\{FFFAE01B-466F-4C07-9821-A94FD753BDDA}) (Version: 3.1c - SEIKO EPSON CORPORATION)
f.lux (HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Flux) (Version:  - )
FARO LS 1.1.501.0 (64bit) (HKLM-x32\...\{8A470330-70B2-49AD-86AF-79885EF9898A}) (Version: 5.1.0.30630 - FARO Scanner Production)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 57.0.2987.133 - Google Inc.)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Intel(R) Chipset Device Software (x32 Version: 10.1.1.35 - Intel(R) Corporation) Hidden
Intel(R) Dynamic Platform and Thermal Framework (HKLM-x32\...\{654EE65D-FAA4-4EA6-8C07-DC94E6A304D4}) (Version: 8.2.11000.2996 - Intel Corporation)
Intel(R) HID Event Filter (HKLM-x32\...\3FB06EEC-013D-4366-9918-71B97DFB84EB) (Version: 1.1.0.317 - Intel Corporation)
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.6.0.1025 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 21.20.16.4526 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 15.0.4.1048 - Intel Corporation)
Intel(R) Virtual Buttons (HKLM-x32\...\1992736F-C90A-481C-B21B-EE34CAD07387) (Version: 1.1.0.21 - Intel Corporation)
Killer Bandwidth Control Filter Driver (Version: 1.1.64.1312 - Rivet Networks) Hidden
Killer Network Manager (Version: 1.1.64.1312 - Rivet Networks) Hidden
Killer Wireless Suite (HKLM-x32\...\{E70DB50B-10B4-46BC-9DE2-AB8B49E061EE}) (Version: 1.1.64.1312 - Rivet Networks)
Killer Wireless-AC Drivers (Version: 1.1.64.1312 - Rivet Networks) Hidden
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Maxx Audio Installer (x64) (Version: 2.7.8942.2 - Waves Audio Ltd.) Hidden
McAfee LiveSafe (HKLM-x32\...\MSC) (Version: 14.0 R13 - McAfee, Inc.)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.127 - McAfee, Inc.)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.7870.2031 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\OneDriveSetup.exe) (Version: 17.3.6798.0207 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23918 (HKLM-x32\...\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}) (Version: 14.0.23918.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft WSE 3.0 Runtime (HKLM-x32\...\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}) (Version: 3.0.5305.0 - Microsoft Corp.)
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.7870.2024 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (Version: 16.0.7830.1018 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.7870.2024 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.7668.2066 - Microsoft Corporation) Hidden
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Product Registration (Version: 3.0.123.0 - Dell Inc.) Hidden
Qualcomm Atheros Bluetooth Installer (64) (HKLM\...\{628988B4-3FA5-4EA6-BAA3-DA640F6718BD}) (Version: 10.0.0.279 - Qualcomm Atheros)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.14393.21292 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7989 - Realtek Semiconductor Corp.)
Revit Architecture 2015 (Version: 15.0.136.0 - Autodesk) Hidden
Revit Architecture 2015 Language Pack - English (Version: 15.0.136.0 - Autodesk) Hidden
Revit Architecture Content Libraries 2015 (Version: 15.0.136.0 - Autodesk) Hidden
RogueKiller version 12.10.5.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.10.5.0 - Adlice Software)
SketchUp Import for AutoCAD 2014 (HKLM-x32\...\{644E9589-F73A-49A4-AC61-A953B9DE5669}) (Version: 1.1.0 - Autodesk)
Skype™ 7.33 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.33.105 - Skype Technologies S.A.)
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.72365 - TeamViewer)
Thunderbolt(TM) Software (HKLM-x32\...\{F55C97BF-D9B2-4BB6-B16A-25A621BC50E9}) (Version: 16.2.52.250 - Intel Corporation)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{6DA2B636-698A-3294-BF4A-B5E11B238CDD}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{8CCEA24C-51AE-3B71-9092-7D0C44DDA2DF}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{C3A57BB3-9AA6-3F6F-9395-6C062BDD5FC4}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x64 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{F6F09DD8-F39B-3A16-ADB9-C9E6B56903F9}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{04B34E21-5BEE-3D2B-8D3D-E3E80D253F64}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{14866AAD-1F23-39AC-A62B-7091ED1ADE64}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{4B90093A-5D9C-3956-8ABB-95848BE6EFAD}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
Visual C++ 2008 - x86 (KB958357) - v9.0.30729.177 (HKLM-x32\...\{B42E259C-E4D4-37F1-A1B2-EB9C4FC5A04D}.KB958357) (Version: 9.0.30729.177 - Microsoft Corporation)
WinRAR 5.40 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.40.0 - win.rar GmbH)


==================== Custom CLSID (Whitelisted): ==========================


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-344A1754EEA6}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{6A221957-2D85-42A7-8E19-BE33950D1DEB}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{7DE1BE5C-CEBA-4F1D-ACBC-9CE11EE9A2A1}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{a9872fee-5a55-4ecb-9b0f-b06fedcf14d1}\localserver32 -> C:\Program Files\Waves\MaxxAudio\MaxxAudioPro.exe (Waves Audio Ltd)
CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{BD0DEB94-63DB-4392-9420-6EEE05094B1F}\localserver32 -> C:\Program Files\Autodesk\AutoCAD 2014\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\Autodesk\AutoCAD 2014\en-US\acadficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)


==================== Scheduled Tasks (Whitelisted) =============


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


Task: {0539FC67-E535-4087-89C4-1C4B43EE6EE9} - System32\Tasks\McAfee\McAfee Idle Detection Task
Task: {11C37E22-C9E5-46FD-848D-E3D10A2EA497} - System32\Tasks\RtHDVBg_PushButton => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2016-12-07] (Realtek Semiconductor)
Task: {12C4D512-EB94-4094-AAFE-603B1F6B2FCF} - System32\Tasks\Dell Cleanup => c:\windows\system32\oem\startmenufix.vbs [2016-09-14] ()
Task: {26247331-AE2C-470A-9C48-909CEA97C409} - System32\Tasks\Intel Security DAT Reputation (AMCore) periodic endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\1.50.1291.1\mcdatrep.exe [2017-02-08] (McAfee, Inc.)
Task: {26558430-385A-426C-A3D2-DEFE4163C223} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-03-26] (Microsoft Corporation)
Task: {2F30E06F-09ED-4EF5-8DCC-29044BE2F6BB} - System32\Tasks\SystemToolsDailyTest-Retry => uaclauncher.exe 
Task: {34D4A25E-50A0-4B52-9335-9C71C7EF6BCB} - System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service on boot if driver is up => tbtsvc.exe 
Task: {5013E161-B62F-4EC9-926E-E39852F8268B} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2017-01-21] (Dropbox, Inc.)
Task: {5E6E4CA6-DAEB-4B84-A6A8-AB40A853A4C9} - System32\Tasks\PCDDataUploadTask => uaclauncher.exe 
Task: {60AD0D55-C64E-414B-9C59-CDEAB41B2D69} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2017-03-26] (Microsoft Corporation)
Task: {67152639-8B47-49DE-A12E-1C35277859F6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-21] (Google Inc.)
Task: {6BC3953D-1BF0-4EE6-9F7D-B27D28CA9532} - System32\Tasks\Intel PTT EK Recertification => C:\Program Files\Intel\iCLS Client\IntelPTTEKRecertification.exe [2016-07-26] (Intel(R) Corporation)
Task: {6EEF05D6-0309-4BD1-A6E1-75002065133B} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe 
Task: {7A684046-2025-4122-B77E-1B862262C97B} - System32\Tasks\Intel\Thunderbolt\Start Thunderbolt application on login if service is up => ConditionalAppStarter.exe 
Task: {84833785-1123-4F44-B836-171B43D000C8} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2016-11-30] (DropboxOEM)
Task: {A35CE783-ED38-4C3C-AEA5-C6B02D5D187D} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-02-02] (Adobe Systems Incorporated)
Task: {AB5CC4D8-8565-4973-83B0-878BD761924E} - System32\Tasks\Intel\Thunderbolt\Start Thunderbolt application when hardware is detected => ConditionalAppStarter.exe 
Task: {AF8918BF-C73F-474F-A9D7-E06A6DBEF64D} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-03-26] (Microsoft Corporation)
Task: {BA1D3C22-EC8C-4CEE-9BDE-689123EA16BA} - System32\Tasks\Intel\Thunderbolt\Start Thunderbolt service when hardware is detected => sc.exe start ThunderboltService
Task: {DD1B98CB-FABD-4880-BA0E-C2727E3B159A} - System32\Tasks\Intel Security DAT Reputation (AMCore) Post DAT update endpoint safety pulse => C:\Program Files\Common Files\McAfee\AMContent\scanners\x86_64\datrep\1.50.1291.1\mcdatrep.exe [2017-02-08] (McAfee, Inc.)
Task: {E8C777D3-B45D-4745-8AC2-40A7A6AB739E} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-michaelerr08@gmail.com => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2016-07-01] (Adobe Systems Incorporated)
Task: {EACBC2D0-2A90-41A6-91A5-54B0F0B40DC3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-01-21] (Google Inc.)
Task: {F2879B8E-7450-4394-9B5D-ED481906D35F} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2017-04-13] (Dell Inc.)
Task: {F3375660-C290-47EF-9624-8FE1575A79DB} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent
Task: {F44B10AF-7424-46A3-BD18-83609BCFB635} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2017-01-21] (Dropbox, Inc.)
Task: {FC82DF03-5F57-45BE-9349-B938AB1FAE34} - System32\Tasks\McAfeeLogon => C:\Program Files\Common Files\McAfee\platform\McUICnt.exe [2017-02-22] (McAfee, Inc.)


(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


Task: C:\Windows\Tasks\CreateExplorerShellUnelevatedTask.job => C:\Windows\explorer.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\Windows\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe


==================== Shortcuts =============================


(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============


2016-07-16 07:42 - 2016-07-16 07:42 - 00231424 _____ () C:\Windows\SYSTEM32\ism32k.dll
2017-03-16 00:19 - 2017-03-04 03:19 - 02681200 _____ () C:\Windows\system32\CoreUIComponents.dll
2017-04-23 01:20 - 2017-03-22 10:24 - 02271520 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2017-03-16 00:19 - 2017-03-04 03:19 - 02681200 _____ () C:\Windows\SYSTEM32\CoreUIComponents.dll
2016-10-25 09:57 - 2016-10-25 09:57 - 00491184 _____ () C:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSyncExtension\CoreSync_x64.dll
2016-11-29 21:09 - 2016-11-29 21:09 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-03-15 23:58 - 2017-03-04 02:31 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-03-15 23:58 - 2017-03-04 02:30 - 00693248 _____ () C:\Windows\ShellExperiences\MtcUvc.dll
2017-03-16 00:19 - 2017-03-04 02:12 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-03-16 00:19 - 2017-03-04 02:05 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-03-16 00:19 - 2017-03-04 02:05 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-03-16 00:19 - 2017-03-04 02:05 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-03-16 00:19 - 2017-03-04 02:05 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-03-16 00:19 - 2017-03-04 02:08 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-04-10 21:17 - 2017-04-10 21:18 - 00077312 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-04-10 21:17 - 2017-04-10 21:18 - 00189952 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-04-10 21:17 - 2017-04-10 21:18 - 42507264 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-04-10 21:17 - 2017-04-10 21:18 - 02334184 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.13.133.0_x64__kzf8qxf38zg5c\skypert.dll
2017-03-31 20:43 - 2017-03-31 20:43 - 00019456 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
2017-03-31 20:43 - 2017-03-31 20:43 - 22723584 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
2017-03-31 20:43 - 2017-03-31 20:43 - 00448512 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\Microsoft.Photos.AGM.Native.Windows.dll
2017-03-31 20:43 - 2017-03-31 20:43 - 05427200 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\MediaEngine.dll
2017-01-21 19:15 - 2017-01-21 19:15 - 00680448 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\Microsoft.DesignCore.dll
2017-03-31 20:43 - 2017-03-31 20:43 - 00435712 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\Microsoft.RichMedia.Ink.Controls.dll
2017-03-31 20:43 - 2017-03-31 20:43 - 01062400 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\Microsoft.Sharing.dll
2016-07-16 10:20 - 2016-07-16 10:20 - 00291328 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_17.313.10010.0_x64__8wekyb3d8bbwe\StoreRatingPromotion.dll
2017-02-01 00:54 - 2016-02-24 00:48 - 00062024 _____ () C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\QtSolutions_Service-head.dll
2017-02-01 00:54 - 2016-02-24 00:47 - 00110664 _____ () C:\Program Files (x86)\Common Files\Autodesk Shared\AppManager\R1\qjson0.dll
2017-01-27 00:24 - 2009-03-12 16:45 - 00135168 ____N () C:\Program Files (x86)\Epson Software\Event Manager\Assistants\Scan Assistant\ScanEngine.dll
2017-01-27 00:24 - 2008-11-21 14:58 - 00057344 ____N () C:\Program Files (x86)\Epson Software\Event Manager\Assistants\Scan Assistant\Satwain.dll
2016-12-21 11:24 - 2016-12-21 11:24 - 00134008 _____ () C:\Program Files (x86)\Dell Customer Connect\ServiceTagPlusPlus.dll
2016-05-02 18:46 - 2016-05-02 18:46 - 00134008 _____ () c:\Program Files (x86)\Dell Digital Delivery\ServiceTagPlusPlus.dll
2016-09-22 12:56 - 2016-09-22 12:56 - 00133992 _____ () C:\Program Files (x86)\Dell Update\ServiceTagPlusPlus.dll
2016-08-30 04:19 - 2016-08-30 04:19 - 01243936 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll


==================== Alternate Data Streams (Whitelisted) =========


(If an entry is included in the fixlist, only the ADS will be removed.)




==================== Safe Mode (Whitelisted) ===================


(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ModuleCoreService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeaack.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeavfk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfemms => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfeplk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ModuleCoreService => ""="Service"


==================== Association (Whitelisted) ===============


(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\Software\Classes\.scr: scrfile =>  <===== ATTENTION


==================== Internet Explorer trusted/restricted ===============


(If an entry is included in the fixlist, it will be removed from the registry.)




==================== Hosts content: ===============================


(If needed Hosts: directive could be included in the fixlist to reset Hosts.)


2016-07-16 07:47 - 2016-07-16 07:45 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts




==================== Other Areas ============================


(Currently there is no automatic fix for this section.)


HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\Control Panel\Desktop\\Wallpaper -> 
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.


==================== MSCONFIG/TASK MANAGER disabled items ==


HKLM\...\StartupApproved\Run: => "IAStorIcon"
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run: => "WavesSvc"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "Dropbox"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "ADSKAppManager"
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\StartupApproved\Run: => "Akamai NetSession Interface"
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\StartupApproved\Run: => "Autodesk Sync"
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\StartupApproved\Run: => "BingSvc"
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\StartupApproved\Run: => "Skype"
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\StartupApproved\Run: => "teidsc"


==================== FirewallRules (Whitelisted) ===============


(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{30093B5C-7808-4CB6-B8C9-4677F11F19AE}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{95EAA53B-6C25-497F-A1D9-E33D964AD7E8}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{FC73B79B-1C7E-4C65-AB96-589ADAFA9BB4}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{5333F394-BFD0-4EEC-A7C8-A2F63844AB5F}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{C8BA1072-DEA8-4869-A422-424253E41DCF}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{1F64A260-D29C-4D38-ABA9-7CE37F605724}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{6BCEF01B-36B8-4056-80E7-4ED100D7F7C1}] => (Allow) LPort=50248
FirewallRules: [{902F1BCE-1AF8-474E-B02A-38A64370441D}] => (Allow) LPort=59194
FirewallRules: [{8C671CB3-1377-4267-A9CC-1EB0808E255D}] => (Allow) LPort=5000
FirewallRules: [{251D4DC4-5B32-494E-8811-0C407FCBC921}] => (Allow) C:\Program Files (x86)\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe
FirewallRules: [{C7974168-5B8E-4711-8E66-07F2F9EE3C28}] => (Allow) C:\Program Files (x86)\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe
FirewallRules: [{E988AFD8-9812-48A4-A7EB-70796CD68218}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{46B974D0-28FF-4CCB-B600-60E6F178EA8E}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{B640BE7A-F64B-4772-A4AC-B6825DC78BCE}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [TCP Query User{94035637-0A8E-4164-B8ED-D3C1EAABD802}C:\users\michael\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\michael\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{29A5B013-9C6B-4E0C-8B39-C0F5D2C2AEF7}C:\users\michael\appdata\local\akamai\netsession_win.exe] => (Block) C:\users\michael\appdata\local\akamai\netsession_win.exe
FirewallRules: [{2DB96EDC-8304-400C-A9C2-23B085E0EED0}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe


==================== Restore Points =========================


31-03-2017 21:30:57 Scheduled Checkpoint
09-04-2017 21:47:52 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
23-04-2017 11:53:34 JRT Pre-Junkware Removal


==================== Faulty Device Manager Devices =============




==================== Event log errors: =========================


Application errors:
==================
Error: (04/23/2017 12:44:57 PM) (Source: DellSupportAssistRemedationService.exe) (EventID: 0) (User: )
Description: [17] ERROR- Exception on processing Diags log: Path: C:\ProgramData\Dell\SARemediation\esp\EFI\Dell\logs\diags_current.xml #StackInfo#


Error: (04/23/2017 11:54:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 10.0.14393.953, time stamp: 0x58ba5aa4
Faulting module name: QtCore_Ad_SyncNs_4.dll_unloaded, version: 4.8.2.0, time stamp: 0x50d3fca7
Exception code: 0xc0000005
Fault offset: 0x00000000000265fe
Faulting process id: 0x1d3c
Faulting application start time: 0x01d2bbf5094f2b1c
Faulting application path: C:\Windows\Explorer.EXE
Faulting module path: QtCore_Ad_SyncNs_4.dll
Report Id: f1c68ce7-d831-49fe-a2ea-57b1a6422639
Faulting package full name: 
Faulting package-relative application ID:


Error: (04/23/2017 11:53:36 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.


System Error:
Access is denied.
.


Error: (04/23/2017 11:47:37 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\autodesk\revit architecture 2015\FaroImporter.exe".
Dependent Assembly FARO.LS,processorArchitecture="x86",publicKeyToken="1d23f5635ba800ab",type="win32",version="1.1.408.2" could not be found.
Please use sxstrace.exe for detailed diagnosis.


Error: (04/23/2017 11:40:41 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\autodesk\revit architecture 2015\FaroImporter.exe".
Dependent Assembly FARO.LS,processorArchitecture="x86",publicKeyToken="1d23f5635ba800ab",type="win32",version="1.1.408.2" could not be found.
Please use sxstrace.exe for detailed diagnosis.


Error: (04/23/2017 11:21:08 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\autodesk\revit architecture 2015\FaroImporter.exe".
Dependent Assembly FARO.LS,processorArchitecture="x86",publicKeyToken="1d23f5635ba800ab",type="win32",version="1.1.408.2" could not be found.
Please use sxstrace.exe for detailed diagnosis.


Error: (04/23/2017 10:46:51 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-C51RM9G)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927148 See the Microsoft-Windows-TWinUI/Operational log for additional information.


Error: (04/23/2017 03:09:49 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\autodesk\revit architecture 2015\FaroImporter.exe".
Dependent Assembly FARO.LS,processorArchitecture="x86",publicKeyToken="1d23f5635ba800ab",type="win32",version="1.1.408.2" could not be found.
Please use sxstrace.exe for detailed diagnosis.


Error: (04/23/2017 03:03:50 AM) (Source: DellSupportAssistRemedationService.exe) (EventID: 0) (User: )
Description: [14] ERROR- Exception on processing Diags log: Path: C:\ProgramData\Dell\SARemediation\esp\EFI\Dell\logs\diags_current.xml #StackInfo#


Error: (04/23/2017 01:32:38 AM) (Source: DellSupportAssistRemedationService.exe) (EventID: 0) (User: )
Description: [10] ERROR- Failed to create user process to collect profile from Service. Exception:System.Exception: ProcessUtilities->CreateUIProcessFromLocalSystem->An unhandled exception was caught spawning the process, the exception was: Can't create user process since no one logged in! WTSQueryUserToken() failed
   at utilities.ProcessHelper.CreateUIProcessFromLocalSystem(String in_strTarget, String in_strArguments, Boolean createOnlyForActiveUser, Boolean shouldHidden)
   at MailboxAgent.OSProfileCollector.collectProfiles() #StackInfo#




System errors:
=============
Error: (04/23/2017 01:00:25 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Error: (04/23/2017 12:26:16 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Error: (04/23/2017 12:16:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Error: (04/23/2017 12:09:35 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Error: (04/23/2017 11:58:59 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Error: (04/23/2017 11:58:59 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Error: (04/23/2017 11:58:58 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


Error: (04/23/2017 11:58:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Search service failed to start due to the following error: 
The service did not start due to a logon failure.


Error: (04/23/2017 11:58:27 AM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The WSearch service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: 
The request is not supported.




To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).


Error: (04/23/2017 11:58:19 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.




==================== Memory info =========================== 


Processor: Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
Percentage of memory in use: 34%
Total physical RAM: 8073.21 MB
Available physical RAM: 5314.39 MB
Total Virtual: 8585.21 MB
Available Virtual: 5515.31 MB


==================== Drives ================================


Drive c: (OS) (Fixed) (Total:225.42 GB) (Free:136.63 GB) NTFS
Drive d: (TRANSCEND) (Removable) (Total:7.46 GB) (Free:7.31 GB) FAT32


==================== MBR & Partition Table ==================


========================================================
Disk: 0 (Size: 238.5 GB) (Disk ID: 91BD5F2B)


Partition: GPT.


========================================================
Disk: 1 (Size: 7.5 GB) (Disk ID: 04CF5215)
Partition 1: (Not Active) - (Size=7.5 GB) - (Type=0B)


==================== End of Addition.txt ============================


#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 23 April 2017 - 09:09 PM

Well, it looks like there really isn't a lot left to remove so here we go :)

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
    NYA5Cbr.png
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;
How's your system behaving now? Are there any other issues that needs to be addressed?

Attached Files


unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#13 dandeletesdem

dandeletesdem
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 24 April 2017 - 09:32 PM

Below is the Fixlog.txt log after running the Fix with the provided fixlist.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 23-04-2017 01
Ran by michael (24-04-2017 20:43:13) Run:7
Running from D:\
Loaded Profiles: michael (Available Profiles: defaultuser0 & michael)
Boot Mode: Normal
==============================================


fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:


HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\...\Policies\Explorer: []


CustomCLSID: HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-344A1754EEA6}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File


HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\Software\Classes\.scr: scrfile =>  <===== ATTENTION


C:\ProgramData\{042448DA-1440-41DE-BC4B-7C215005F4ED}


EmptyTemp:


*****************


Processes closed successfully.
Restore point was successfully created.
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\ => value removed successfully
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-344A1754EEA6} => key removed successfully
HKU\S-1-5-21-4170285323-1899740614-2586525237-1001\Software\Classes\.scr => key removed successfully
C:\ProgramData\{042448DA-1440-41DE-BC4B-7C215005F4ED} => moved successfully


=========== EmptyTemp: ==========


BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10618061 B
Java, Flash, Steam htmlcache => 933 B
Windows/system/drivers => 4672284 B
Edge => 0 B
Chrome => 451810754 B
Firefox => 0 B
Opera => 0 B


Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 74 B
systemprofile32 => 0 B
LocalService => 5742 B
NetworkService => 0 B
defaultuser0 => 0 B
michael => 15986553 B


RecycleBin => 65736539 B
EmptyTemp: => 523.4 MB temporary data Removed.


================================




The system needed a reboot.


==== End of Fixlog 20:43:31 ====
 
Again, thank you so much!!!!  :bounce:


#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,683 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 PM

Posted 25 April 2017 - 07:06 AM

No problem dandeletesdem, you're welcome!

Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up.

BWuhenj.pngDelFix
Follow the instructions below to download and execute DelFix.
  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options :
    • Activate UAC;
    • Remove disinfection tools;
    • Create registry backup;
    • Purge system restore;
    • Reset system settings;
  • Once all the options mentionned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply;
Qt25440.pngTips, tricks, advice and recommendations

Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you.

Windows Updates

Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically.Keeping your programs up-to-date

Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits which is one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like eLDnJfI.pngSecuniaPSI and dqVs5wj.pngHeimdal Free will scan your system for outdated programs, and help you identify them, as well as update them.

Antivirus, Antimalware, Firewall and Anti-Exploit/Ransomware

Having a decent security setup (led by an Antivirus) is the most crucial step to protect a system. These programs are a layer of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Ideally, you should have on your system one Antivirus (never more than one installed at the time), one Antimalware (you can install multiple of these, assuming they do not conflict with each other and the other security programs installed), one Firewall and if you wish, one Anti-Exploit and/or Anti-Ransomware (since Ransomware are currently the most dangerous threat around and it can hit anywhere). Here are a few programs worth checking out if you don't have one yet.

Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products).

AntivirusAntimalwareFirewall
Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below.
  • 7p3JzTS.pngGlassWire - Has both a free and paid version (with different packages);
  • MQIMh6k.pngWindows Firewall Control - Gives you more control over your Windows Firewall;
  • 5RXGshU.pngTinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it;
Anti-Exploit/Anti-RansomwareWeb Browsers and Web Browsing

Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits.

Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install.
  • uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome and Mozilla Firefox, called uBlock on Opera);
  • HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera);
  • Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browsers);
  • NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers);
  • uMatrix: For advanced users, a point and click matrix-like extensions that allow you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera);
  • LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser);
As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few:As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them.

Other recommendations

Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program.

Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices :gRvSooB.pngThe End!

And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on BleepingComputer and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you wont!), you can always comeback in this section to get another checkup with one of our trained malware removal member.

Do you have any questions before I close this thread? :)

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#15 dandeletesdem

dandeletesdem
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:08:04 PM

Posted 25 April 2017 - 10:53 PM

Please see attached log:

 

# DelFix v1.013 - Logfile created 25/04/2017 at 23:50:07
# Updated 17/04/2016 by Xplode
# Username : michael - DESKTOP-C51RM9G
# Operating System : Windows 10 Home  (64 bits)


~ Activating UAC ... OK


~ Removing disinfection tools ...


Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\log.txt
Deleted : C:\TDSSKiller.3.1.0.12_23.04.2017_01.04.17_log.txt


~ Creating registry backup ... OK


~ Cleaning system restore ...


Deleted : RP #9 [Scheduled Checkpoint | 04/01/2017 01:30:57]
Deleted : RP #10 [Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 | 04/10/2017 01:47:52]
Deleted : RP #11 [JRT Pre-Junkware Removal | 04/23/2017 15:53:34]


New restore point created !


~ Resetting system settings ... OK


########## - EOF - ##########





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users