Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible rootkit?


  • This topic is locked This topic is locked
10 replies to this topic

#1 Khale62

Khale62

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 18 July 2017 - 02:02 PM

My kids think I'm paranoid but i think i have some kind of virus or malware that is controlling my PC.  I have taken to the shop to have the virus(?) removed and the problem came back as soon as I connected to the internet.  I think it is connecting to a dummy network called "NETWORK" automatically when I start my computer.  I have tried to find this problem on my computer and ended up just playing wach-a-mole. One problem solved another 2 or 3 new ones crop up.

 

This virus or whatever has taken over my user account creation and managemnt and has corrupted my BIOS setup so that I cannot change either.  I think it has changed the security certificates too.  I have run FRST logs and will copy and paste them here.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-07-2017
Ran by karen (17-07-2017 16:12:21)
Running from C:\Users\karen\AppData\Local\Microsoft\Windows\INetCache\IE\NEDWWKPS
Windows 8.1 (X64) (2017-07-17 18:52:31)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2652415918-4041363896-755345647-500 - Administrator - Disabled)
Guest (S-1-5-21-2652415918-4041363896-755345647-501 - Limited - Disabled)
karen (S-1-5-21-2652415918-4041363896-755345647-1001 - Administrator - Enabled) => C:\Users\karen
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2652415918-4041363896-755345647-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
17-07-2017 13:05:24 105
 
==================== Faulty Device Manager Devices =============
 
Name: Generic Bluetooth Adapter
Description: Generic Bluetooth Adapter
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: GenericAdapter
Service: BTHUSB
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Network Controller
Description: Network Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
Name: Trusted Platform Module 2.0
Description: Trusted Platform Module 2.0
Class Guid: {d94ee5d8-d189-4994-83d2-f68d7d41b0e6}
Manufacturer: (Standard)
Service: TPM
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/17/2017 03:07:55 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.3.9600.16384 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 724
 
Start Time: 01d2ff46a23cb546
 
Termination Time: 0
 
Application Path: C:\Windows\Explorer.EXE
 
Report Id: 5762cbd3-6b3c-11e7-824f-b083feb47613
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (07/17/2017 01:30:50 PM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={68CB399C-62C3-474D-A986-6613E24013B8}: The user jean-marie\karen dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.
 
Error: (07/17/2017 01:30:01 PM) (Source: RasClient) (EventID: 20227) (User: )
Description: CoId={CC828747-3695-47E2-A2E1-4A96D976D956}: The user jean-marie\karen dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.
 
 
System errors:
=============
Error: (07/17/2017 02:49:27 PM) (Source: TPM) (EventID: 15) (User: NT AUTHORITY)
Description: The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.
 
Error: (07/17/2017 02:49:40 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0xc000021a (0xffffc0000666fdf0, 0x0000000000000000, 0x0000000000000000, 0x0000000000000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 071717-12218-01.
 
Error: (07/17/2017 02:49:39 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 2:31:06 PM on ‎7/‎17/‎2017 was unexpected.
 
Error: (07/17/2017 02:46:45 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Remote Procedure Call (RPC) service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
 
Error: (07/17/2017 02:46:45 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The RPC Endpoint Mapper service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.
 
Error: (07/17/2017 02:31:06 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 1:48:08 PM on ‎7/‎17/‎2017 was unexpected.
 
Error: (07/17/2017 11:49:21 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The Printer Extensions and Notifications service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
Error: (07/17/2017 11:45:05 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error: 
The device is not ready.
 
Error: (07/17/2017 11:44:55 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error: 
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
 
Error: (07/17/2017 11:44:06 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!
 
 
==================== Memory info =========================== 
 
Processor: AMD E2-7110 APU with AMD Radeon R2 Graphics 
Percentage of memory in use: 22%
Total physical RAM: 3521.07 MB
Available physical RAM: 2717.32 MB
Total Virtual: 7021.07 MB
Available Virtual: 6096.59 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:464.61 GB) (Free:449.82 GB) NTFS
Drive d: (Win8_1_x64) (CDROM) (Total:4.96 GB) (Free:0 GB) UDF
Drive e: (ESD-USB) (Removable) (Total:31.99 GB) (Free:28.56 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: C8ACBFE1)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=464.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=828 MB) - (Type=27)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 58.9 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-07-2017
Ran by karen (administrator) on MYPC (17-07-2017 16:11:23)
Running from C:\Users\karen\AppData\Local\Microsoft\Windows\INetCache\IE\NEDWWKPS
Loaded Profiles: karen (Available Profiles: karen)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKU\S-1-5-21-2652415918-4041363896-755345647-1001\...\MountPoints2: {e8664ab1-6b1f-11e7-824c-806e6f6e6963} - "D:\setup.exe" 
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{AA2DA007-D9FD-4CA6-9BD7-7E4659FA2257}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
 
Internet Explorer:
==================
HKU\S-1-5-21-2652415918-4041363896-755345647-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKU\S-1-5-21-2652415918-4041363896-755345647-1001 -> DefaultScope {1A95DC8F-4A6D-4938-B715-50B59B516306} URL = 
SearchScopes: HKU\S-1-5-21-2652415918-4041363896-755345647-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 tbaseprovisioning; C:\Windows\SysWOW64\tbaseprovisioning.exe [51208 2017-01-10] (Advanced Micro Devices, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 amdkmcsp; C:\Windows\system32\DRIVERS\amdkmcsp.sys [100744 2017-01-10] (Advanced Micro Devices, Inc. )
R0 amdpsp; C:\Windows\System32\DRIVERS\amdpsp.sys [255368 2017-01-10] (Advanced Micro Devices, Inc. )
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-17 16:11 - 2017-07-17 16:11 - 00000000 ____D C:\FRST
2017-07-17 15:55 - 2017-07-17 15:55 - 00054897 _____ C:\Users\karen\Desktop\82.htm
2017-07-17 15:31 - 2017-07-17 15:57 - 00000000 ____D C:\ESD
2017-07-17 15:29 - 2017-07-17 15:29 - 00000000 ___HD C:\$Windows.~WS
2017-07-17 15:29 - 2017-07-17 15:29 - 00000000 ____D C:\$WINDOWS.~BT
2017-07-17 15:25 - 2017-07-17 15:25 - 18357776 _____ (Microsoft Corporation) C:\Users\karen\Desktop\MediaCreationTool.exe
2017-07-17 15:25 - 2017-07-17 15:25 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2017-07-17 15:09 - 2017-07-17 15:09 - 00000000 ____D C:\Users\karen\AppData\Local\ElevatedDiagnostics
2017-07-17 15:08 - 2017-07-17 15:30 - 00000000 _____ C:\Recovery.txt
2017-07-17 14:50 - 2017-07-17 14:50 - 00000000 ____D C:\Windows\tbaseregistry
2017-07-17 14:50 - 2013-08-22 02:08 - 00344576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IEShims.dll
2017-07-17 14:49 - 2017-07-17 14:49 - 250102527 _____ C:\Windows\MEMORY.DMP
2017-07-17 14:49 - 2017-07-17 14:49 - 00282696 _____ C:\Windows\Minidump\071717-12218-01.dmp
2017-07-17 14:49 - 2017-07-17 14:49 - 00000000 ____D C:\Windows\Minidump
2017-07-17 13:02 - 2017-07-17 13:02 - 00000000 ____D C:\prof
2017-07-17 12:48 - 2017-07-17 12:48 - 00139448 _____ C:\Users\karen\Documents\sic uriti.txt
2017-07-17 12:48 - 2017-07-17 12:48 - 00047317 _____ C:\Users\karen\Documents\sis tem.txt
2017-07-17 12:46 - 2017-07-17 12:46 - 00063720 _____ C:\Users\karen\Documents\app logi.txt
2017-07-17 12:46 - 2017-07-17 12:46 - 00002867 _____ C:\Users\karen\Documents\addmi.txt
2017-07-17 12:44 - 2017-07-17 12:44 - 00000000 ____D C:\Windows\System32\Tasks\Event Viewer Tasks
2017-07-17 12:36 - 2017-07-17 15:57 - 00000000 ____D C:\Windows\Panther
2017-07-17 12:35 - 2013-08-24 23:36 - 00000022 ____R C:\Windows\csup.txt
2017-07-17 12:15 - 2017-07-17 12:15 - 00000000 ____D C:\Users\karen\AppData\Roaming\Macromedia
2017-07-17 12:04 - 2017-07-17 12:04 - 00000870 _____ C:\Users\karen\Desktop\Downloads.lnk
2017-07-17 12:03 - 2017-07-17 12:03 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2017-07-17 12:02 - 2017-07-17 12:02 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_amdpsp_01011.Wdf
2017-07-17 11:58 - 2017-07-17 15:38 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2652415918-4041363896-755345647-1001
2017-07-17 11:54 - 2017-07-17 15:26 - 00818732 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-17 11:52 - 2017-07-17 14:31 - 00000000 ____D C:\Users\karen
2017-07-17 11:52 - 2017-07-17 11:53 - 00000000 ____D C:\Users\karen\AppData\Local\Packages
2017-07-17 11:52 - 2017-07-17 11:52 - 00001442 _____ C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-07-17 11:52 - 2017-07-17 11:52 - 00000020 ___SH C:\Users\karen\ntuser.ini
2017-07-17 11:52 - 2017-07-17 11:52 - 00000000 ____D C:\Users\karen\AppData\Roaming\Adobe
2017-07-17 11:52 - 2017-07-17 11:52 - 00000000 ____D C:\Users\karen\AppData\Local\VirtualStore
2017-07-17 11:49 - 2013-08-21 22:17 - 02407936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-17 15:26 - 2013-08-22 06:36 - 00000000 ____D C:\Windows\Inf
2017-07-17 15:09 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\NDF
2017-07-17 14:49 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-17 14:47 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2017-07-17 13:30 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\tracing
2017-07-17 12:36 - 2013-08-22 08:36 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2017-07-17 11:58 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\AppReadiness
2017-07-17 11:53 - 2013-08-22 08:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-07-17 11:52 - 2013-08-22 08:36 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2017-07-17 11:52 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\WinStore
2017-07-17 11:52 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\FileManager
2017-07-17 11:52 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Camera
2017-07-17 11:50 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\rescache
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-07-17 11:44
 
==================== End of FRST.txt ============================
Users shortcut scan result (x64) Version: 15-07-2017
Ran by karen (17-07-2017 16:17:55)
Running from C:\Users\karen\AppData\Local\Microsoft\Windows\INetCache\IE\NEDWWKPS
Boot Mode: Normal
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Camera.lnk -> C:\Windows\Camera\Camera.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Desktop.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileManager.lnk -> C:\Windows\FileManager\FileManager.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotosApp.lnk -> C:\Windows\FileManager\PhotosApp.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Store.lnk -> C:\Windows\WinStore\WinStore.htm ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Windows Easy Transfer.lnk -> C:\Windows\System32\migwiz\migwiz.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk -> C:\Windows\System32\comexp.msc ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\dfrgui.lnk -> C:\Windows\System32\dfrgui.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk -> C:\Windows\System32\cleanmgr.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk -> C:\Windows\System32\iscsicpl.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk -> C:\Windows\System32\MdSched.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk -> C:\Windows\SysWOW64\odbcad32.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk -> C:\Windows\System32\odbcad32.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk -> C:\Windows\System32\services.msc ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk -> C:\Windows\System32\msconfig.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Information.lnk -> C:\Windows\System32\msinfo32.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Firewall with Advanced Security.lnk -> C:\Windows\System32\WF.msc ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell (x86).lnk -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell ISE (x86).lnk -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell_ISE.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell ISE.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell_ISE.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk -> C:\Windows\System32\calc.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk -> C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk -> C:\Windows\System32\mspaint.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk -> C:\Windows\System32\mstsc.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk -> C:\Windows\System32\SnippingTool.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk -> C:\Windows\System32\SoundRecorder.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Steps Recorder.lnk -> C:\Windows\System32\psr.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk -> C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk -> C:\Windows\System32\WFS.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk -> C:\Program Files\Windows NT\Accessories\wordpad.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\XPS Viewer.lnk -> C:\Windows\System32\xpsrchvw.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Windows Journal.lnk -> C:\Program Files\Windows Journal\Journal.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk -> C:\Windows\System32\charmap.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk -> C:\Windows\explorer.exe,-30
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Help.lnk -> C:\Windows\HelpPane.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk -> C:\Windows\System32\shell32.dll (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Windows.Defender.lnk -> C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk -> C:\Windows\System32\Magnify.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk -> C:\Windows\System32\Narrator.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk -> C:\Windows\System32\osk.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk -> C:\Windows\System32\compmgmt.msc ()
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk -> C:\Windows\System32\diskmgmt.msc ()
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk -> C:\Windows\System32\eventvwr.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk -> C:\Windows\System32\mblctr.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\Links\Desktop.lnk -> C:\Users\karen\Desktop ()
Shortcut: C:\Users\karen\Links\Downloads.lnk -> C:\Users\karen\Downloads ()
Shortcut: C:\Users\karen\Links\RecentPlaces.lnk -> [::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}]
Shortcut: C:\Users\karen\Desktop\Downloads.lnk -> C:\Users\karen\Downloads ()
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk -> C:\Windows\explorer.exe,-30
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Help.lnk -> C:\Windows\HelpPane.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk -> C:\Windows\System32\shell32.dll (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Windows.Defender.lnk -> C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk -> C:\Windows\System32\Magnify.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk -> C:\Windows\System32\Narrator.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk -> C:\Windows\System32\osk.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK -> C:\Windows\System32\fsquirt.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk -> C:\Windows\System32\compmgmt.msc ()
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk -> C:\Windows\System32\diskmgmt.msc ()
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk -> C:\Windows\System32\eventvwr.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk -> C:\Windows\System32\mblctr.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.ZuneVideo_8wekyb3d8bbwe\Microsoft.ZuneVideo.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.ZuneMusic_8wekyb3d8bbwe\Microsoft.ZuneMusic.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.XboxLIVEGames_8wekyb3d8bbwe\Microsoft.XboxLIVEGames.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsScan_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsReadingList_8wekyb3d8bbwe\Microsoft.WindowsReadingList.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Calendar.lnk -> [LFz1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweQmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.CalendardC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwe1SPSMԆi<D*TQ ModernCalendar\CalendarLogo.pngU!ModernCalendar\CalendarBadge.png]%ModernCalendar\CalendarSmallLogo.pngY$ModernCalendar\CalendarWideLogo.pngQ3]%ModernCalendar\CalendarLargeLogo.pngMms-resource:calendarAppTitleY$ModernCalendar\CalendarTinyLogo.pngi1SPS0%G`Mms-resource:calendarAppTitle-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Mail.lnk -> [LF1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweMmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.MaildC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwev1SPSMԆi<D*TIModernMail\Res\MailLogo.pngMModernMail\Res\MailBadge.pngU!ModernMail\Res\MailSmallLogo.pngQ ModernMail\Res\MailWideLogo.pngrU!ModernMail\Res\MailLargeLogo.pngEms-resource:mailAppTitleQ ModernMail\Res\MailTinyLogo.pnga1SPS0%G`Ems-resource:mailAppTitleq1SPS}@H1U!ms-resource:mailShareDescription-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.People.lnk -> [LFr1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweOmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.PeopledC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwe1SPSMԆi<D*TAModernPeople\People.pngMModernPeople\PeopleSmall.pngIModernPeople\PeopleWide.pngG&MModernPeople\PeopleLarge.png]%ms-resource:///strings/peopleAppNameIModernPeople\PeopleTiny.pngy1SPS0%G`]%ms-resource:///strings/peopleAppName1SPS}@H1e*ms-resource:///strings/raShareDescription-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsCalculator_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsAlarms_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.SkypeApp_kzf8qxf38zg5c\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.Reader_8wekyb3d8bbwe\Microsoft.Reader.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.HelpAndTips_8wekyb3d8bbwe\HelpAndTips.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingWeather_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingTravel_8wekyb3d8bbwe\AppexTravel.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingSports_8wekyb3d8bbwe\AppexSports.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingNews_8wekyb3d8bbwe\AppexNews.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingMaps_8wekyb3d8bbwe\AppexMaps.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingHealthAndFitness_8wekyb3d8bbwe\AppexHealthAndFitness.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingFoodAndDrink_8wekyb3d8bbwe\AppexFoodAndDrink.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingFinance_8wekyb3d8bbwe\AppexFinance.lnk -> Tile and icon assets
 
 
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation) -> -sta {C90FB8CA-3295-4462-A721-2935E83694BA}
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Default Programs.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.DefaultPrograms
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk -> C:\Windows\System32\Taskmgr.exe (Microsoft Corporation) -> /7
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk -> C:\Windows\System32\compmgmt.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk -> C:\Windows\System32\eventvwr.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk -> C:\Windows\System32\perfmon.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk -> C:\Windows\System32\perfmon.exe (Microsoft Corporation) -> /res
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk -> C:\Windows\System32\taskschd.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player.lnk -> C:\Program Files (x86)\Windows Media Player\wmplayer.exe (Microsoft Corporation) -> /prefetch:1
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Speech Recognition.lnk -> C:\Windows\Speech\Common\sapisvr.exe (Microsoft Corporation) -> -SpeechUX
ShortcutWithArgument: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk -> C:\Windows\System32\WFS.exe (Microsoft Corporation) -> /SendTo
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - Network Connections.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.DeviceManager
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\06 - System.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.System
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\08 - Power Options.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.PowerOptions
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\10 - Programs and Features.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.ProgramsAndFeatures
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk -> C:\Windows\System32\Taskmgr.exe (Microsoft Corporation) -> /0
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}
ShortcutWithArgument: C:\Users\karen\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk -> C:\Windows\System32\WFS.exe (Microsoft Corporation) -> /SendTo
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - Network Connections.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.DeviceManager
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\06 - System.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.System
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\08 - Power Options.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.PowerOptions
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\10 - Programs and Features.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.ProgramsAndFeatures
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk -> C:\Windows\System32\Taskmgr.exe (Microsoft Corporation) -> /0
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}
 
 
InternetURL: C:\Users\karen\Favorites\Bing.url -> URL: hxxp://go.microsoft.com/fwlink/p/?LinkId=255142
 
==================== End of Shortcut.txt =============================
 ANy help would be great! I know you are volunteers and I have had this problem for a while.  I will patiently await a response.
 
Khale62

 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:39 PM

Posted 19 July 2017 - 07:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please move the Farbar Recovery Scan Tool (x64) program from the NEDWWKPS folder to your Desktop.
Running from C:\Users\karen\AppData\Local\Microsoft\Windows\INetCache\IE\NEDWWKPS

Run the program in an Administrator profile and post fresh FRST and Addition.txt logs.

p.s.
To create a new Addition.txt file make sure that the Check box to create an Addition.txt is marked.

Wait for further instructions.

#3 Khale62

Khale62
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 20 July 2017 - 01:29 PM

Hi nasdaq. these are fresh files.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-07-2017
Ran by karen (administrator) on MIMI (20-07-2017 11:21:00)
Running from C:\Users\karen\Desktop
Loaded Profiles: karen (Available Profiles: mama & karen)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{3AB054A3-0140-4D34-8D6A-EB8B11D9898D}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
 
Internet Explorer:
==================
HKU\S-1-5-21-415923800-1773576462-1608788284-1004\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://dell13.msn.com/?pc=DCJB
HKU\S-1-5-21-415923800-1773576462-1608788284-1004\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
SearchScopes: HKU\S-1-5-21-415923800-1773576462-1608788284-1004 -> DefaultScope {1A95DC8F-4A6D-4938-B715-50B59B516306} URL = 
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-20] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-07-20] (Google Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.ighome.com/?t=366053
CHR StartupUrls: Default -> "hxxp://www.ighome.com/","hxxp://www.ighome.com/?t=371223"
CHR Profile: C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default [2017-07-20]
CHR Extension: (Google Slides) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-07-20]
CHR Extension: (Google Docs) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-07-20]
CHR Extension: (Google Drive) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-07-20]
CHR Extension: (Adguard AdBlocker) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\bgnkhhnnamicmpeenaelnjfhikgbkllg [2017-07-20]
CHR Extension: (YouTube) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-07-20]
CHR Extension: (Google Sheets) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-07-20]
CHR Extension: (Word Online) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiombgjlkfpdpkbhfioofeeinbehmajg [2017-07-20]
CHR Extension: (Google Docs Offline) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-07-20]
CHR Extension: (Google Calendar (by Google)) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmbgaklkmjakoegficnlkhebmhkjfich [2017-07-20]
CHR Extension: (Roomstyler 3D planner) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfnniehafojoidolddmhfnpnbiolbppi [2017-07-20]
CHR Extension: (Google Maps) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2017-07-20]
CHR Extension: (AdRemover for Google Chrome™) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcefmojpghnaceadnghednjhbmphipkb [2017-07-20]
CHR Extension: (Chrome Web Store Payments) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-07-20]
CHR Extension: (PDF Viewer) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\oemmndcbldboiebfnladdacbdfmadadm [2017-07-20]
CHR Extension: (Gmail) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-07-20]
CHR Extension: (Chrome Media Router) - C:\Users\karen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-07-20]
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 tbaseprovisioning; C:\Windows\SysWOW64\tbaseprovisioning.exe [51208 2017-01-10] (Advanced Micro Devices, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 amdkmcsp; C:\Windows\system32\DRIVERS\amdkmcsp.sys [100744 2017-01-10] (Advanced Micro Devices, Inc. )
R0 amdpsp; C:\Windows\System32\DRIVERS\amdpsp.sys [255368 2017-01-10] (Advanced Micro Devices, Inc. )
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [34760 2013-08-22] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [265056 2013-08-22] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [124256 2013-08-22] (Microsoft Corporation)
 
========================== Drivers MD5 =======================
 
C:\Windows\System32\drivers\1394ohci.sys E1832BD9FD7E0FC2DC9FA5935DE3E8C1
C:\Windows\System32\drivers\3ware.sys AD508A1A46EC21B740AB31C28EFDFDB1
C:\Windows\System32\drivers\ACPI.sys E19D921EBBD1A2CA4C48D7B5F1685B30
C:\Windows\System32\Drivers\acpiex.sys AC8279D229398BCF05C3154ADCA86813
C:\Windows\System32\drivers\acpipagr.sys A8970D9BF23CD309E0403978A1B58F3F
C:\Windows\System32\drivers\acpipmi.sys 111A89C99C5B4F1A7BCE5F643DD86F65
C:\Windows\System32\drivers\acpitime.sys 5758387D68A20AE7D3245011B07E36E7
C:\Windows\System32\drivers\ADP80XX.SYS 7C1FDF1B48298CBA7CE4BDD4978951AD
C:\Windows\system32\drivers\afd.sys 239268BAB58EAE9A3FF4E08334C00451
C:\Windows\System32\drivers\agp440.sys 7DFAEBA9AD62D20102B576D5CAC45EC8
C:\Windows\System32\DRIVERS\ahcache.sys 8E8E34B7BA059050EED827410D0697A2
C:\Windows\System32\drivers\amdk8.sys 7589DE749DB6F71A68489DCE04158729
C:\Windows\system32\DRIVERS\amdkmcsp.sys 97744D377C8B892D1C9CA0DC0B23A586
C:\Windows\System32\drivers\amdppm.sys B46D2D89AFF8A9490FA8C98C7A5616E3
C:\Windows\System32\DRIVERS\amdpsp.sys 320C63E57979AD78A6380067C928CAA1
C:\Windows\System32\drivers\amdsata.sys D2BF2F94A47D332814910FD47C6BBCD2
C:\Windows\System32\drivers\amdsbs.sys A8E04943C7BBA7219AA50400272C3C6E
C:\Windows\System32\drivers\amdxata.sys CEA5F4F27CFC08E3A44D576811B35F50
C:\Windows\system32\drivers\appid.sys BE3BFEFD0EDA6AA4C3A81B0490B1F7F5
C:\Windows\System32\drivers\arcsas.sys 65045784366F7EC5FB4E71BCF923187B
C:\Windows\System32\drivers\atapi.sys 74B14192CF79A72F7536B27CB8814FBD
C:\Windows\System32\drivers\bxvbda.sys A4A73F631FE2AA2826FBE4A399B04DEF
C:\Windows\System32\drivers\BasicDisplay.sys 8CC7F7E4AFCBA605921B137ED7992C68
C:\Windows\System32\drivers\BasicRender.sys 2748E116F8621A4DB0D39FCDD7318C01
C:\Windows\System32\drivers\bcmfn2.sys C1ABB0F7E3BEA48A0417BDF6FF14AB21
C:\Windows\System32\Drivers\Beep.sys EC19013E4CF87609534165DF897274D6
C:\Windows\System32\DRIVERS\bowser.sys 6B4FFFDDC618FCF64473CAA86E305697
C:\Windows\System32\drivers\BthAvrcpTg.sys A8F23D453A424FF4DE04989C4727ECC7
C:\Windows\system32\DRIVERS\BthEnum.sys 131F1C8573E7BFB41C54FBF5309CCD94
C:\Windows\System32\drivers\bthhfenum.sys 746B9F94214915AECDE4B7FEA5FF9664
C:\Windows\System32\drivers\BthHFHid.sys 71FE2A48E4C93DDB9798C024880B6C07
C:\Windows\system32\DRIVERS\BthLEEnum.sys FCD8BD17B7193CFFF18C332D1A381D7F
C:\Windows\System32\drivers\bthmodem.sys 07E33226AD218A2A162662A05CAFB52F
C:\Windows\system32\DRIVERS\bthpan.sys 3AFE71D80EDF5D4DE0C5731352905669
C:\Windows\System32\Drivers\BTHport.sys 8458ECAB701EE385851C2559B71D1209
C:\Windows\System32\Drivers\BTHUSB.sys 2C0B77176CD68F1F60510CDF36ADC401
C:\Windows\System32\DRIVERS\cdfs.sys 2FA6510E33F7DEFEC03658B74101A9B9
C:\Windows\System32\drivers\cdrom.sys C6796EA22B513E3457514D92DCDB1A3D
C:\Windows\System32\drivers\circlass.sys BE9936EDD3267FAAFF94A7835867F00B
C:\Windows\System32\drivers\CLFS.sys 7F006813C2AFE622C13D7AF94F56CD07
C:\Windows\System32\drivers\CmBatt.sys EF6EF85DADC3184A10D8F2F7159973CB
C:\Windows\System32\Drivers\cng.sys 825BE21E6395E00698D8A23955A87972
C:\Windows\System32\drivers\CompositeBus.sys 03AAED827C36F35D70900558B8274905
C:\Windows\System32\drivers\condrv.sys A1FF7DFBFBE164CF92603C651D304DD2
C:\Windows\System32\drivers\dam.sys 315BA4BC19316D72B2E037534E048B93
C:\Windows\System32\Drivers\dfsc.sys 5DB26D7E0216D0BF364A81D3829AD7B9
C:\Windows\System32\drivers\disk.sys 4D40C9B33F738797CF50E77CB7C53E85
C:\Windows\System32\drivers\dmvsc.sys EB70A894708D1BC176AFD690FF06085F
C:\Windows\system32\drivers\drmkaud.sys DDC11A202207C0400CBE07315B8FDE5E
C:\Windows\System32\drivers\dxgkrnl.sys 5A5C2A5D961CADF49DDE26582B8ED1FA
C:\Windows\System32\drivers\evbda.sys 114BCFDF367FF37C3F1B0A96AF542E4D
C:\Windows\System32\drivers\EhStorClass.sys 43531A5993380CC5113242C29D265FD9
C:\Windows\System32\drivers\EhStorTcgDrv.sys 6F8E738A9505A388B1157FDDE7B3101B
C:\Windows\System32\drivers\errdev.sys DFFFAE1442BA4076E18EED5E406FA0D3
C:\Windows\System32\Drivers\exfat.sys 7729D294A555C7AEB281ED8E4D0E01E4
C:\Windows\System32\Drivers\fastfat.sys 7C4E0D5900B2A1D11EDD626D6DDB937B
C:\Windows\System32\drivers\fdc.sys 5D8402613E778B3BD45E687A8372710B
C:\Windows\System32\drivers\fileinfo.sys 957A7A8F5ACCAF23DD9DFF6DAA393CE5
C:\Windows\System32\drivers\filetrace.sys A1A66C4FDAFD6B0289523232AFB7D8AF
C:\Windows\System32\drivers\flpydisk.sys BE743083CF7063C486A4398E3AEFE59A
C:\Windows\System32\drivers\fltmgr.sys 60D5067FCE6D9433D35E04C01D8538B3
C:\Windows\System32\drivers\FsDepends.sys 35005534E600E993A90B036E4E599F2B
C:\Windows\System32\Drivers\Fs_Rec.sys 09F460AFEDCA03F3BF6E07D1CCC9AC42
C:\Windows\System32\DRIVERS\fvevol.sys 818CF11786B2FA424E33A49E2CB79CC9
C:\Windows\System32\drivers\fxppm.sys 9591D0B9351ED489EAFD9D1CE52A8015
C:\Windows\System32\drivers\gagp30kx.sys FC3EF65EE20D39F8749C2218DBA681CA
C:\Windows\System32\drivers\vmgencounter.sys 0BF5CAD281E25F1418E5B8875DC5ADD1
C:\Windows\System32\Drivers\msgpioclx.sys FDA72810CA2F8409D9B31E833C448E34
C:\Windows\system32\drivers\HdAudio.sys 56F69F7C25FB67C970997D7066DBC593
C:\Windows\System32\drivers\HDAudBus.sys 03909BDBFF0DCACCABF2B2D4ADEE44DC
C:\Windows\System32\drivers\HidBatt.sys 10A70BC1871CD955D85CD88372724906
C:\Windows\System32\drivers\hidbth.sys 1EA1B4FABB8CC348E73CA90DBA22E104
C:\Windows\System32\drivers\hidi2c.sys C241A8BAFBBFC90176EA0F5240EACC17
C:\Windows\System32\drivers\hidir.sys 9BDDEE26255421017E161CCB9D5EDA95
C:\Windows\System32\drivers\hidusb.sys F31397220D9687E11EB448649AA6E038
C:\Windows\System32\drivers\HpSAMD.sys A6AACEA4C785789BDA5912AD1FEDA80D
C:\Windows\System32\drivers\HTTP.sys 3502776E366C913D49C0DA928AE3E6CB
C:\Windows\System32\drivers\hwpolicy.sys 90656C0B3864804B090434EFC582404F
C:\Windows\System32\drivers\hyperkbd.sys 6D6F9E3BF0484967E52F7E846BFF1CA1
C:\Windows\system32\DRIVERS\HyperVideo.sys 907C870F8C31F8DDD6F090857B46AB25
C:\Windows\System32\drivers\i8042prt.sys 84CFC5EFA97D0C965EDE1D56F116A541
C:\Windows\System32\drivers\iaLPSSi_GPIO.sys 5D90E32E36CE5D4C535D17CE08AEAF05
C:\Windows\System32\drivers\iaLPSSi_I2C.sys DD05E7E80F52ADE9AEB292819920F32C
C:\Windows\System32\drivers\iaStorAV.sys 08BFE413B0B4AA8DFA4B5684CE06D3DC
C:\Windows\System32\drivers\iaStorV.sys A2200C3033FA4EF249FC096A7A7D02A2
C:\Windows\System32\drivers\intelide.sys 4E448FCFFD00E8D657CD9E48D3E47157
C:\Windows\System32\drivers\intelpep.sys 647CF2AB16D2A23F1C441A313BC39820
C:\Windows\System32\drivers\intelppm.sys 47E74A8E53C7C24DCE38311E1451C1D9
C:\Windows\System32\DRIVERS\ipfltdrv.sys 9DB76D7F9E4E53EFE5DD8C53DE837514
C:\Windows\System32\drivers\IPMIDrv.sys 9949A3C7590B8C536C05312205079A82
C:\Windows\System32\drivers\ipnat.sys 0063040EFD7C5B81D67CF985BA35388A
C:\Windows\System32\drivers\irenum.sys AE44C526AB5F8A487D941CEB57B10C97
C:\Windows\System32\drivers\isapnp.sys 8AFEEA3955AA43616A60F133B1D25F21
C:\Windows\System32\drivers\msiscsi.sys 034D4BD9DC67C64F3A4C8A049B5173BF
C:\Windows\System32\drivers\kbdclass.sys 8BE92376799B6B44D543E8D07CDCF885
C:\Windows\System32\drivers\kbdhid.sys FB6E47E569D4872ABEB506BE03A45FBA
C:\Windows\system32\DRIVERS\kdnic.sys 813871C7D402A05F2E3A7075F9584A05
C:\Windows\System32\Drivers\ksecdd.sys 0AD1DF5AF3E1AEE66583F9718E892B50
C:\Windows\System32\Drivers\ksecpkg.sys 7296EA420134EAC390798B3232D066A4
C:\Windows\system32\drivers\ksthunk.sys 11AFB527AA370B1DAFD5C36F35F6D45F
C:\Windows\system32\DRIVERS\lltdio.sys C09010B3680860131631F53E8FE7BAD8
C:\Windows\System32\drivers\lsi_sas.sys C755AE4635457AA2A11F79C0DF857ABC
C:\Windows\System32\drivers\lsi_sas2.sys ADAC09CBE7A2040B7F68B5E5C9A75141
C:\Windows\System32\drivers\lsi_sas3.sys 04D1274BB9BBCCF12BD12374002AA191
C:\Windows\System32\drivers\lsi_sss.sys 327469EEF3833D0C584B7E88A76AEC0C
C:\Windows\system32\drivers\luafv.sys 5EF604B0698F4FA962778285E8C5F1F2
C:\Windows\System32\drivers\megasas.sys EB5C03A070F30D64A6DF80E53B22F53F
C:\Windows\System32\drivers\megasr.sys F6F13533196DE7A582D422B0241E4363
C:\Windows\System32\drivers\modem.sys 8B38C44F69259987C95135C9627E2378
C:\Windows\System32\drivers\monitor.sys 601589000CC90F0DF8DA2CC254A3CCC9
C:\Windows\System32\drivers\mouclass.sys CEAC6D40FE887CE8406C2393CF97DE06
C:\Windows\System32\drivers\mouhid.sys 02D98BF804084E9A0D69D1C69B02CCA9
C:\Windows\System32\drivers\mountmgr.sys 515549560D481138E6E21AF7C6998E56
C:\Windows\System32\drivers\mpsdrv.sys F170510BE94CF45E3C6274578F6204B2
C:\Windows\system32\drivers\mrxdav.sys 59DCEC7499095DE5AED741358037AE2D
C:\Windows\System32\DRIVERS\mrxsmb.sys 405A2E5754DF76663CF0522B87D7929F
C:\Windows\System32\DRIVERS\mrxsmb10.sys 295771B092D4F7FCF2B62F80CCD14320
C:\Windows\System32\DRIVERS\mrxsmb20.sys FFC548EABBB8271E979B0EEE0EA4D55B
C:\Windows\system32\DRIVERS\bridge.sys 4E888019078AC363076A5433E89AA4F8
C:\Windows\System32\Drivers\Msfs.sys D13329FBF8345B28AB30F44CC247DC08
C:\Windows\System32\drivers\msgpiowin32.sys C6B474E46F9E543B875981ED3FFE6ADD
C:\Windows\System32\drivers\mshidkmdf.sys 65C92EB9D08DB5C69F28C7FFD4E84E31
C:\Windows\System32\drivers\mshidumdf.sys 52299F086AC2DAFD100DD5DC4A8614BA
C:\Windows\System32\drivers\msisadrv.sys 36D92AF3343C3A3E57FEF11C449AEA4C
C:\Windows\system32\drivers\MSKSSRV.sys A9BBBD2BAE6142253B9195E949AC2E8D
C:\Windows\system32\DRIVERS\mslldp.sys 375E44168F2DFB91A68B8A3F619C5A7C
C:\Windows\system32\drivers\MSPCLOCK.sys 7B2128EB875DCBC006E6A913211006D6
C:\Windows\system32\drivers\MSPQM.sys 1E88171579B218115C7A772F8DE04BD8
C:\Windows\System32\Drivers\MsRPC.sys BBE2A455053E63BECBF42C2F9B21FAE0
C:\Windows\System32\drivers\mssmbios.sys 8D6B7D515C5CBCDB75B928A0B73C3C5E
C:\Windows\system32\drivers\MSTEE.sys 115019AE01E0EB9C048530D2928AB4A2
C:\Windows\System32\drivers\MTConfig.sys 96D604A35070360F0DD4A7A8AF410B5E
C:\Windows\System32\Drivers\mup.sys 619CA29326B82372621DB2C0964D8365
C:\Windows\System32\drivers\mvumis.sys B8C35C94DCB2DFEAF03BB42131F2F77F
C:\Windows\system32\DRIVERS\nwifi.sys 869055F61568AA08E7DEE95EC82ED653
C:\Windows\System32\drivers\ndis.sys 424B0796F85BB0DADD4438EAFFADA133
C:\Windows\system32\DRIVERS\ndiscap.sys C6BB12BC35D1637CA17AE16D3A4725EB
C:\Windows\system32\DRIVERS\NdisImPlatform.sys 9F1DA20E943BE7AA4ED5F3E1EBA78B37
C:\Windows\system32\DRIVERS\ndistapi.sys 9423421E735BD5394351E0C47C76BB92
C:\Windows\system32\DRIVERS\ndisuio.sys B832B35055BA2B7B4181861FF94D8E59
C:\Windows\System32\drivers\NdisVirtualBus.sys 1F58E48EF75F34C35D8E93A0DC535CFE
C:\Windows\system32\DRIVERS\ndiswan.sys DEC29080202D4F9F17F55E18BCFCC41A
C:\Windows\system32\DRIVERS\ndiswan.sys DEC29080202D4F9F17F55E18BCFCC41A
C:\Windows\System32\Drivers\NDProxy.sys A5BD69A8812FA79D1A487691DD3FB244
C:\Windows\System32\drivers\Ndu.sys 5A072F0B90C29C5233D78BE33EF5ED78
C:\Windows\System32\DRIVERS\netbios.sys A83D67D347A684F10B7D3019C8A6380C
C:\Windows\System32\DRIVERS\netbt.sys 0217532E19A748F0E5D569307363D5FD
C:\Windows\system32\DRIVERS\netvsc63.sys 70414DB660BFBB7BD58FCE8EA4364E1B
C:\Windows\System32\Drivers\Npfs.sys 8F44A2F57C9F1A19AC9C6288C10FB351
C:\Windows\System32\drivers\npsvctrig.sys CBDB4F0871C88DF930FC0E8588CA67FC
C:\Windows\System32\drivers\nsiproxy.sys E490B459978CB87779E84C761D22B827
C:\Windows\System32\Drivers\Ntfs.sys 4412D565C0278C401575E11072C7DCE3
C:\Windows\System32\Drivers\Null.sys EF1B290FC9F0E47CC0B537292BEE5904
C:\Windows\System32\drivers\nvraid.sys BC6B5942AFF25EBAF62DE43C3807EDF8
C:\Windows\System32\drivers\nvstor.sys 1F43ABFFAC3D6CA356851D517392966E
C:\Windows\System32\drivers\nv_agp.sys 6934A936A7369DFE37B7DBA93F5E5E49
C:\Windows\System32\drivers\parport.sys 764B1121867B2D9B31C491668AC72B2B
C:\Windows\System32\drivers\partmgr.sys EF0C1749C9A8CEE9A457473D433CC00F
C:\Windows\System32\drivers\pci.sys C0D3F3BC1C84B4BA746D9847314C1164
C:\Windows\System32\drivers\pciide.sys 346E38FCC6859A727DD28AFAD1F0AFF4
C:\Windows\System32\drivers\pcmcia.sys 4D3BDCC1C7B40C9D7B6AD990E6DEC397
C:\Windows\System32\drivers\pcw.sys BF28771D1436C88BE1D297D3098B0F7D
C:\Windows\System32\drivers\pdc.sys 28AAACD3B871305F07188A0DB366B439
C:\Windows\System32\drivers\peauth.sys BA50CC0BD19004AAB88BE37338B6FA0D
C:\Windows\System32\drivers\processr.sys ECD373F9571C745894367CC2635EA44F
C:\Windows\system32\DRIVERS\pacer.sys 8528BB05E4D4E25945F78B00B2555FB7
C:\Windows\system32\drivers\qwavedrv.sys 3FB466684609A4329858CF2EBD62E0FD
C:\Windows\System32\DRIVERS\rasacd.sys 2C56F0EE27E4EF70CA4B4983D3638905
C:\Windows\system32\DRIVERS\raspppoe.sys 5247F308C4103CDC4FE12AE1D235800A
C:\Windows\System32\DRIVERS\rdbss.sys B939A2A0F9D6C6C186721E268EB6FA93
C:\Windows\System32\drivers\rdpbus.sys 6B21EBF892CD8CACB71669B35AB5DE32
C:\Windows\System32\drivers\rdpdr.sys 680C1DAE268B6FB67FA21B389A8B79EF
C:\Windows\System32\drivers\rdpvideominiport.sys 858776908AF838E3790F3261B799CDA6
C:\Windows\System32\drivers\rdyboost.sys 2C915EFFF23EA65D1E760FA397BCA6AB
C:\Windows\System32\Drivers\ReFS.sys 036746D54347FD2D0385668E2A4064E4
C:\Windows\system32\DRIVERS\rfcomm.sys 6D22E97C0390D736D220B03015A5569F
C:\Windows\system32\DRIVERS\rspndr.sys 2D05A5508F4685412F2B89E8C2189ABC
C:\Windows\system32\DRIVERS\Rt630x64.sys 19764658C1468C2C0CEF133D28414A6B
C:\Windows\System32\drivers\vms3cap.sys 1A063730F221B2746FF00457AE17E4F0
C:\Windows\System32\drivers\sbp2port.sys C624A1B32211C3166EDB3F4AB02A30B7
C:\Windows\System32\DRIVERS\scfilter.sys ABD0237B15DBD2B4695F4B7D734A58F7
C:\Windows\System32\drivers\sdbus.sys C6A6F8921B94BC1673AC9AB485DF9A18
C:\Windows\System32\drivers\sdstor.sys 4EAF4DCF9DBD9A56952A58F56D61C005
C:\Windows\System32\Drivers\secdrv.sys ==> MD5 is legit
C:\Windows\System32\drivers\SerCx.sys DB2FF24CE0BDD15FE75870AFE312BA89
C:\Windows\System32\drivers\SerCx2.sys 53BDBF04ECAF943CBF6359E3BCB2445E
C:\Windows\System32\drivers\serenum.sys 3CD600C089C1251BEEB4CD4CD5164F9E
C:\Windows\System32\drivers\serial.sys D864381BC9C725FAB01D94C060660166
C:\Windows\System32\drivers\sermouse.sys 0BD2B65DCE756FDE95A2E5CCCBF7705D
C:\Windows\System32\drivers\sfloppy.sys 472B7A5AC181C050888DB454663DD764
C:\Windows\System32\drivers\SiSRaid2.sys 2F518D13DD6F3053837FE606F1A2EA1F
C:\Windows\System32\drivers\sisraid4.sys 1AC9A200A9C49C4508F04AAFFCA34A3F
C:\Windows\System32\drivers\spaceport.sys 349059B0C9EAED5A951D1693132A2EA8
C:\Windows\System32\drivers\SpbCx.sys F337BE11071818FC3F5DC2940B6BDE34
C:\Windows\System32\DRIVERS\srv.sys CD7534BA5BA92086B1BC10ADF880FC49
C:\Windows\System32\DRIVERS\srv2.sys 59F15EFD74FDE8A1D9278F2C04F5D0B9
C:\Windows\System32\DRIVERS\srvnet.sys 96A7F9E8B3E0DD0355067D894C71A8F7
C:\Windows\System32\drivers\stexstor.sys 366DEA74BBA65B362BCCFC6FC2ADFD8B
C:\Windows\System32\drivers\storahci.sys 0ED2E318ABB68C1A35A8B8038BDB4C90
C:\Windows\System32\DRIVERS\vmstorfl.sys 7A08CEE1535F5A448215634C5EA74E50
C:\Windows\System32\drivers\stornvme.sys D57AEE34C7C0DD1DC8B6B54B7A89649C
C:\Windows\System32\drivers\storvsc.sys 548759755BC73DAD663250239D7E0B9F
C:\Windows\System32\drivers\swenum.sys 84E0F5D41C138C5CC975137A2A98F6D3
C:\Windows\System32\drivers\tcpip.sys C9436791C9DD3B5206DDBB1F75EE3E54
C:\Windows\system32\DRIVERS\tcpip.sys C9436791C9DD3B5206DDBB1F75EE3E54
C:\Windows\System32\drivers\tcpipreg.sys 33A7D83EEB15431773A6E186CFAABA21
C:\Windows\system32\DRIVERS\tdx.sys FFF28F9F6823EB1756C60F1649560BBF
C:\Windows\System32\drivers\terminpt.sys 232D185D2337F141311D0CF1983E1431
C:\Windows\system32\drivers\tpm.sys 82F909359600D3603FE852DB7F135626
C:\Windows\System32\drivers\tsusbflt.sys BF8F54CA37E9C9D6582C31C5761F8C93
C:\Windows\System32\drivers\TsUsbGD.sys E0088068DCE2EE82897027DDB8E05254
C:\Windows\system32\DRIVERS\tunnel.sys C8E0E78B5D284C2FF59BDFFDAF997242
C:\Windows\System32\drivers\uagp35.sys F6EEAD052943B5A3104C1405BB856C54
C:\Windows\System32\drivers\uaspstor.sys FE6067B1FD4E63650C667B33D080565B
C:\Windows\System32\drivers\ucx01000.sys 5D1B430EA11064C56E7C8F84B90DEB6A
C:\Windows\System32\DRIVERS\udfs.sys 1EC649F112896FAE33250F0B97AC5D0B
C:\Windows\System32\drivers\UEFI.sys 9578691F297E1B1F519970FE6D47CB21
C:\Windows\System32\drivers\uliagpkx.sys 5EAB5117DDB24FC4D39E6FFFCF1837B9
C:\Windows\System32\drivers\umbus.sys DA34C39A18E60E7C3FA0630566408034
C:\Windows\System32\drivers\umpass.sys AE8294875E5446E359B1E8035D40C05E
C:\Windows\System32\drivers\usbccgp.sys 3432E857B8EC1C1316AB098F2BCCDFB6
C:\Windows\System32\drivers\usbcir.sys B3D6457D841A0CAEF4C52D88621715F2
C:\Windows\System32\drivers\usbehci.sys 5477D6E27C7D266EF8C152B9A25ADE5E
C:\Windows\System32\drivers\usbhub.sys DF56C2C04EFA328D7A66B69007130266
C:\Windows\System32\drivers\UsbHub3.sys 4475096DAB15E613A95D6A53F800B377
C:\Windows\System32\drivers\usbohci.sys 3019097FB6C985EF24C058090FF3BDBD
C:\Windows\System32\drivers\usbprint.sys 4D655E3B684BE9B0F7FFD8A2935C348C
C:\Windows\System32\drivers\USBSTOR.SYS B1230E9813B5C7E762DF27756AA23917
C:\Windows\System32\drivers\usbuhci.sys BA4FA655E0FC577DB7436FC963932CE4
C:\Windows\System32\Drivers\usbvideo.sys 18F744E8CCEB2670040EBAF7AD77B8C6
C:\Windows\System32\drivers\USBXHCI.SYS BCD8FC0A47AA31889C94168A4E56BB26
C:\Windows\System32\drivers\vdrvroot.sys FEB26E3B8345A7E8D62F945C4AE86562
C:\Windows\System32\drivers\VerifierExt.sys 2582B87082A935ACB76F949F760AF236
C:\Windows\System32\drivers\vhdmp.sys 041D3EF364E624DBB2703A64A5AADF89
C:\Windows\System32\drivers\viaide.sys 06D38968028E9AB19DE9B618C7B6D199
C:\Windows\System32\drivers\vmbus.sys C6305BDFC4F7CE51F72BB072C03D4ACE
C:\Windows\System32\drivers\VMBusHID.sys DA40BEA0A863CE768C940CA9723BF81F
C:\Windows\System32\drivers\volmgr.sys 55D7D963DE85162F1C49721E502F9744
C:\Windows\System32\drivers\volmgrx.sys CCB9E901F7254BF96D28EB1B0E5329B7
C:\Windows\System32\drivers\volsnap.sys 9F9CE33B50611A1C61A46B8911E0B30B
C:\Windows\System32\drivers\vpci.sys 01355C98B5C3ED1EC446743CDA848FCE
C:\Windows\System32\drivers\vsmraid.sys 4539F45F9F4C9757A86A56C949421E07
C:\Windows\System32\drivers\vstxraid.sys 0849B7260F26FE05EA56DED0672E2F4B
C:\Windows\System32\drivers\vwifibus.sys BE970C369E43B509C1EDA2B8FA7CECB0
C:\Windows\System32\drivers\wacompen.sys 0910AB9ED404C1434E2D0376C2AD5D8B
C:\Windows\System32\drivers\WdBoot.sys 694B28DE12AD47031FFB4B052662131A
C:\Windows\System32\drivers\Wdf01000.sys CB6C63FF8342B467E2EF76E98D5B934D
C:\Windows\System32\drivers\WdFilter.sys 0B99529A3BECC3528D865DDECB62503B
C:\Windows\System32\Drivers\WdNisDrv.sys 282E7D46310338FF4A6B7680440EB0DA
C:\Windows\System32\DRIVERS\wfplwfs.sys 011F431624366917180C904CE17FEA1A
C:\Windows\System32\drivers\wimmount.sys 867BCC69ED9C31C501465EB0E8BA9DFA
C:\Windows\System32\drivers\wmiacpi.sys 2834D9D3B4F554A39C72F00EA3F0E128
C:\Windows\System32\DRIVERS\wpcfltr.sys E746BCDBA2E02CF6B8D6B26FB167FBE0
C:\Windows\System32\drivers\WpdUpFltr.sys 9F2904B55F6CECCD1A8D986B5CE2609A
C:\Windows\system32\drivers\ws2ifsl.sys AE072B0339D0A18E455DC21666CAD572
C:\Windows\System32\drivers\WudfPf.sys 2FEAE33E9B2B56104596E1BA444405A9
C:\Windows\System32\drivers\WUDFRd.sys 19240C13F526125554B5370566F21A0A
C:\Windows\system32\DRIVERS\WUDFRd.sys 19240C13F526125554B5370566F21A0A
C:\Windows\system32\DRIVERS\WUDFRd.sys 19240C13F526125554B5370566F21A0A
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Three Months Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-20 11:21 - 2017-07-20 11:21 - 00026034 _____ C:\Users\karen\Desktop\FRST.txt
2017-07-20 11:20 - 2017-07-20 11:20 - 02382336 _____ (Farbar) C:\Users\karen\Desktop\FRST64.exe
2017-07-20 11:15 - 2017-07-20 11:15 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_LocationProvider_01_11_00.Wdf
2017-07-20 10:43 - 2017-07-20 10:43 - 00000000 ____D C:\Users\karen\AppData\Roaming\Google
2017-07-20 10:11 - 2017-07-20 11:21 - 00000000 ____D C:\fRST
2017-07-20 10:05 - 2017-07-20 09:53 - 02382336 _____ (Farbar) C:\FRST64.exe
2017-07-20 09:56 - 2017-07-20 09:56 - 00001124 _____ C:\Users\karen\Desktop\FRST - Shortcut.lnk
2017-07-20 09:53 - 2017-07-20 09:53 - 02382336 _____ (Farbar) C:\Users\karen\Downloads\FRST64.exe
2017-07-20 09:51 - 2017-07-20 09:51 - 01778176 _____ (Farbar) C:\Users\karen\Downloads\FRST.exe
2017-07-20 09:50 - 2017-07-20 10:53 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-415923800-1773576462-1608788284-1004
2017-07-20 09:48 - 2017-07-20 09:48 - 00003910 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{D4EBB675-E199-47DA-9469-D35238561CCD}
2017-07-20 09:48 - 2017-07-20 09:48 - 00000000 ____D C:\Users\karen\AppData\Roaming\Macromedia
2017-07-20 09:45 - 2017-07-20 10:49 - 00000000 ____D C:\Users\karen\AppData\Local\Google
2017-07-20 09:45 - 2017-07-20 09:46 - 00000000 ____D C:\Users\karen\AppData\Local\Packages
2017-07-20 09:45 - 2017-07-20 09:45 - 00001442 _____ C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-07-20 09:45 - 2017-07-20 09:45 - 00000020 ___SH C:\Users\karen\ntuser.ini
2017-07-20 09:45 - 2017-07-20 09:45 - 00000000 ____D C:\Users\karen\AppData\Roaming\Adobe
2017-07-20 09:45 - 2017-07-20 09:45 - 00000000 ____D C:\Users\karen\AppData\Local\VirtualStore
2017-07-20 09:45 - 2017-07-20 09:45 - 00000000 ____D C:\Users\karen
2017-07-20 09:24 - 2017-07-20 09:24 - 00000000 ____D C:\Users\mama\AppData\Roaming\Google
2017-07-20 09:21 - 2017-07-20 09:21 - 00000000 ____D C:\Windows\tbaseregistry
2017-07-20 09:21 - 2013-08-22 02:08 - 00344576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IEShims.dll
2017-07-20 01:59 - 2017-07-20 09:22 - 00002287 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-07-20 01:59 - 2017-07-20 09:22 - 00002275 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-07-20 01:59 - 2017-07-20 02:40 - 00000000 ___HD C:\$WINDOWS.~BT
2017-07-20 01:57 - 2017-07-20 02:06 - 00000000 ____D C:\Users\mama\AppData\Local\Google
2017-07-20 01:57 - 2017-07-20 01:59 - 00000000 ____D C:\Program Files (x86)\Google
2017-07-20 01:57 - 2017-07-20 01:57 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-07-20 01:57 - 2017-07-20 01:57 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-07-20 01:54 - 2017-07-20 09:29 - 00003906 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E5D538A6-4A7A-4EF6-AFE6-82C8CA63096B}
2017-07-20 01:54 - 2017-07-20 01:54 - 00000000 ____D C:\Users\mama\AppData\Roaming\Macromedia
2017-07-20 01:44 - 2017-07-20 01:59 - 00000000 ____D C:\Windows\Panther
2017-07-20 01:43 - 2013-08-24 23:36 - 00000022 ____R C:\Windows\csup.txt
2017-07-20 01:40 - 2017-07-20 01:40 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2017-07-20 01:38 - 2017-07-20 01:38 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_amdpsp_01011.Wdf
2017-07-20 01:34 - 2017-07-20 01:59 - 00000000 ____D C:\ESD
2017-07-20 01:31 - 2017-07-20 01:31 - 00000000 ___HD C:\$Windows.~WS
2017-07-20 01:28 - 2017-07-20 09:28 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-415923800-1773576462-1608788284-1001
2017-07-20 01:27 - 2017-07-20 02:40 - 00001908 _____ C:\Windows\diagwrn.xml
2017-07-20 01:27 - 2017-07-20 02:40 - 00001908 _____ C:\Windows\diagerr.xml
2017-07-20 01:26 - 2017-07-20 09:25 - 00818732 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-20 01:24 - 2017-07-20 01:24 - 00000000 ____H C:\Windows\system32\Drivers\Msft_User_WpdFs_01_11_00.Wdf
2017-07-20 01:23 - 2017-07-20 09:45 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2017-07-20 01:22 - 2017-07-20 01:25 - 00000000 ____D C:\Users\mama\AppData\Local\Packages
2017-07-20 01:22 - 2017-07-20 01:22 - 00001442 _____ C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-07-20 01:22 - 2017-07-20 01:22 - 00000020 ___SH C:\Users\mama\ntuser.ini
2017-07-20 01:22 - 2017-07-20 01:22 - 00000000 ____D C:\Users\mama\AppData\Roaming\Adobe
2017-07-20 01:22 - 2017-07-20 01:22 - 00000000 ____D C:\Users\mama\AppData\Local\VirtualStore
2017-07-20 01:22 - 2017-07-20 01:22 - 00000000 ____D C:\Users\mama
2017-07-20 01:22 - 2013-08-21 22:17 - 02407936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PrintConfig.dll
 
==================== Three Months Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-07-20 11:15 - 2013-08-22 06:36 - 00000000 ____D C:\Windows\Inf
2017-07-20 09:51 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\AppReadiness
2017-07-20 09:20 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-20 02:42 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2017-07-20 02:27 - 2013-08-22 08:36 - 00000000 ___HD C:\Program Files\WindowsApps
2017-07-20 01:43 - 2013-08-22 08:36 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2017-07-20 01:23 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\rescache
2017-07-20 01:22 - 2013-08-22 08:36 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2017-07-20 01:22 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\WinStore
2017-07-20 01:22 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\FileManager
2017-07-20 01:22 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Camera
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
==================== BCD ================================
 
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
integrityservices       Enable
default                 {current}
resumeobject            {8b1d1b5e-6d27-11e7-bf4b-ae5012d4f94d}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30
 
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 8.1
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {8b1d1b60-6d27-11e7-bf4b-ae5012d4f94d}
integrityservices       Enable
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {8b1d1b5e-6d27-11e7-bf4b-ae5012d4f94d}
nx                      OptIn
bootmenupolicy          Standard
 
Windows Boot Loader
-------------------
identifier              {8b1d1b60-6d27-11e7-bf4b-ae5012d4f94d}
device                  ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{8b1d1b61-6d27-11e7-bf4b-ae5012d4f94d}
path                    \windows\system32\winload.exe
description             Windows Recovery Environment
locale                  en-US
inherit                 {bootloadersettings}
displaymessage          Recovery
displaymessageoverride  Recovery
osdevice                ramdisk=[C:]\Recovery\WindowsRE\Winre.wim,{8b1d1b61-6d27-11e7-bf4b-ae5012d4f94d}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes
 
Resume from Hibernate
---------------------
identifier              {8b1d1b5e-6d27-11e7-bf4b-ae5012d4f94d}
device                  partition=C:
path                    \Windows\system32\winresume.exe
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {8b1d1b60-6d27-11e7-bf4b-ae5012d4f94d}
recoveryenabled         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
bootmenupolicy          Standard
debugoptionenabled      No
 
Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes
 
EMS Settings
------------
identifier              {emssettings}
bootems                 No
 
Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200
 
RAM Defects
-----------
identifier              {badmemory}
 
Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}
 
Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}
 
Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200
 
Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}
 
Device options
--------------
identifier              {8b1d1b61-6d27-11e7-bf4b-ae5012d4f94d}
description             Windows Recovery
ramdisksdidevice        partition=C:
ramdisksdipath          \Recovery\WindowsRE\boot.sdi
 
 
LastRegBack: 2017-07-20 01:17
 
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-07-2017
Ran by karen (20-07-2017 11:22:08)
Running from C:\Users\karen\Desktop
Windows 8.1 (X64) (2017-07-20 08:21:57)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-415923800-1773576462-1608788284-500 - Administrator - Disabled)
Guest (S-1-5-21-415923800-1773576462-1608788284-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-415923800-1773576462-1608788284-1003 - Limited - Enabled)
karen (S-1-5-21-415923800-1773576462-1608788284-1004 - Administrator - Enabled) => C:\Users\karen
mama (S-1-5-21-415923800-1773576462-1608788284-1001 - Administrator - Enabled) => C:\Users\mama
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 59.0.3071.115 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {67AE1EFA-A8F7-4047-9477-24299F210333} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-07-20] (Google Inc.)
Task: {D6692473-06F0-40E1-B40C-FD898B3438A3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-07-20] (Google Inc.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts & WMI ========================
 
(The entries could be listed to be restored or removed.)
 
 
==================== Loaded Modules (Whitelisted) ==============
 
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-415923800-1773576462-1608788284-1004\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{D9602EC6-00D3-4CEB-8BB6-2103A8BCA456}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Faulty Device Manager Devices =============
 
Name: Network Controller
Description: Network Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Trusted Platform Module 2.0
Description: Trusted Platform Module 2.0
Class Guid: {d94ee5d8-d189-4994-83d2-f68d7d41b0e6}
Manufacturer: (Standard)
Service: TPM
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/20/2017 01:23:24 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (07/20/2017 01:23:24 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EE7
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c7c00280-b24d-4e82-89ca-4f1288eb1d9e;NotificationInterval=1440;Trigger=TimerEvent
 
Error: (07/20/2017 01:23:22 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
 
Error: (07/20/2017 01:23:22 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details. 
hr=0x80072EE7
 
Error: (07/20/2017 01:23:21 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
 
Error: (07/20/2017 01:23:21 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details. 
hr=0x80072EE7
 
Error: (07/20/2017 01:23:20 AM) (Source: Software Protection Platform Service) (EventID: 1014) (User: )
Description: Acquisition of End User License failed. hr=0x80072EE7
Sku Id=c7c00280-b24d-4e82-89ca-4f1288eb1d9e
 
Error: (07/20/2017 01:23:20 AM) (Source: Software Protection Platform Service) (EventID: 8200) (User: )
Description: License acquisition failure details. 
hr=0x80072EE7
 
 
System errors:
=============
Error: (07/20/2017 10:33:29 AM) (Source: DCOM) (EventID: 10010) (User: mimi)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.
 
Error: (07/20/2017 10:32:59 AM) (Source: DCOM) (EventID: 10010) (User: mimi)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.
 
Error: (07/20/2017 09:51:15 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.
 
Error: (07/20/2017 09:51:14 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.
 
Error: (07/20/2017 09:50:17 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.
 
Error: (07/20/2017 09:50:17 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 252.
 
Error: (07/20/2017 09:20:19 AM) (Source: TPM) (EventID: 15) (User: NT AUTHORITY)
Description: The device driver for the Trusted Platform Module (TPM) encountered a non-recoverable error in the TPM hardware, which prevents TPM services (such as data encryption) from being used. For further help, please contact the computer manufacturer.
 
Error: (07/20/2017 02:27:52 AM) (Source: DCOM) (EventID: 10010) (User: mimi)
Description: The server {1B1F472E-3221-4826-97DB-2C2324D389AE} did not register with DCOM within the required timeout.
 
Error: (07/20/2017 02:27:22 AM) (Source: DCOM) (EventID: 10010) (User: mimi)
Description: The server {BF6C1E47-86EC-4194-9CE5-13C15DCB2001} did not register with DCOM within the required timeout.
 
Error: (07/20/2017 01:22:58 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The Printer Extensions and Notifications service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.
 
 
==================== Memory info =========================== 
 
Processor: AMD E2-7110 APU with AMD Radeon R2 Graphics 
Percentage of memory in use: 26%
Total physical RAM: 3521.07 MB
Available physical RAM: 2592.94 MB
Total Virtual: 4865.07 MB
Available Virtual: 3794.91 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:464.93 GB) (Free:448.19 GB) NTFS
Drive e: (Win8_1_x64) (CDROM) (Total:4.96 GB) (Free:0 GB) UDF
Drive f: (ESD-USB) (Removable) (Total:31.99 GB) (Free:28.5 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: C8ACBFE1)
Partition 1: (Active) - (Size=350 MB) - (Type=0B)
Partition 2: (Not Active) - (Size=500 MB) - (Type=06)
Partition 3: (Not Active) - (Size=464.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 58.9 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================
Users shortcut scan result (x64) Version: 18-07-2017
Ran by karen (20-07-2017 11:22:32)
Running from C:\Users\karen\Desktop
Boot Mode: Normal
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
 
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Camera.lnk -> C:\Windows\Camera\Camera.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Desktop.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileManager.lnk -> C:\Windows\FileManager\FileManager.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Immersive Control Panel.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotosApp.lnk -> C:\Windows\FileManager\PhotosApp.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Store.lnk -> C:\Windows\WinStore\WinStore.htm ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Windows Easy Transfer.lnk -> C:\Windows\System32\migwiz\migwiz.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk -> C:\Windows\System32\comexp.msc ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\dfrgui.lnk -> C:\Windows\System32\dfrgui.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk -> C:\Windows\System32\cleanmgr.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk -> C:\Windows\System32\iscsicpl.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Memory Diagnostics Tool.lnk -> C:\Windows\System32\MdSched.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (32-bit).lnk -> C:\Windows\SysWOW64\odbcad32.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\ODBC Data Sources (64-bit).lnk -> C:\Windows\System32\odbcad32.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\services.lnk -> C:\Windows\System32\services.msc ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk -> C:\Windows\System32\msconfig.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Information.lnk -> C:\Windows\System32\msinfo32.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows Firewall with Advanced Security.lnk -> C:\Windows\System32\WF.msc ()
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell (x86).lnk -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell ISE (x86).lnk -> C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell_ISE.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Windows PowerShell ISE.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell_ISE.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk -> C:\Windows\System32\calc.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk -> C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk -> C:\Windows\System32\mspaint.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk -> C:\Windows\System32\mstsc.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk -> C:\Windows\System32\SnippingTool.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk -> C:\Windows\System32\SoundRecorder.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Steps Recorder.lnk -> C:\Windows\System32\psr.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk -> C:\Windows\System32\StikyNot.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk -> C:\Windows\System32\WFS.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk -> C:\Program Files\Windows NT\Accessories\wordpad.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\XPS Viewer.lnk -> C:\Windows\System32\xpsrchvw.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Windows Journal.lnk -> C:\Program Files\Windows Journal\Journal.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk -> C:\Windows\System32\charmap.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk -> C:\Windows\explorer.exe,-30
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Help.lnk -> C:\Windows\HelpPane.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk -> C:\Windows\System32\shell32.dll (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Windows.Defender.lnk -> C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk -> C:\Windows\System32\Magnify.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk -> C:\Windows\System32\Narrator.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk -> C:\Windows\System32\osk.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk -> C:\Windows\System32\compmgmt.msc ()
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk -> C:\Windows\System32\diskmgmt.msc ()
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk -> C:\Windows\System32\eventvwr.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk -> C:\Windows\System32\mblctr.exe (Microsoft Corporation)
Shortcut: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\Links\Desktop.lnk -> C:\Users\karen\Desktop ()
Shortcut: C:\Users\karen\Links\Downloads.lnk -> C:\Users\karen\Downloads ()
Shortcut: C:\Users\karen\Links\RecentPlaces.lnk -> [::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}]
Shortcut: C:\Users\karen\Desktop\FRST - Shortcut.lnk -> C:\Users\karen\Downloads\FRST.exe (Farbar)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk -> C:\Windows\explorer.exe,-30
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Help.lnk -> C:\Windows\HelpPane.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk -> C:\Windows\System32\shell32.dll (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Windows.Defender.lnk -> C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk -> C:\Windows\System32\Magnify.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk -> C:\Windows\System32\Narrator.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk -> C:\Windows\System32\osk.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK -> C:\Windows\System32\fsquirt.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\karen\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk -> C:\Windows\System32\compmgmt.msc ()
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk -> C:\Windows\System32\diskmgmt.msc ()
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk -> C:\Windows\System32\eventvwr.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk -> C:\Windows\System32\mblctr.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\ConnectedSearch\History\txt_794650986_en-US.lnk -> [LF1SPSOh+'ٝEC:\Users\karen\AppData\Local\Microsoft\Windows\INetCache\IE\NEDWWKPS] (No File)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.ZuneVideo_8wekyb3d8bbwe\Microsoft.ZuneVideo.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.ZuneMusic_8wekyb3d8bbwe\Microsoft.ZuneMusic.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.XboxLIVEGames_8wekyb3d8bbwe\Microsoft.XboxLIVEGames.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsScan_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsReadingList_8wekyb3d8bbwe\Microsoft.WindowsReadingList.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Calendar.lnk -> [LFz1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweQmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.CalendardC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwe1SPSMԆi<D*TQ ModernCalendar\CalendarLogo.pngU!ModernCalendar\CalendarBadge.png]%ModernCalendar\CalendarSmallLogo.pngY$ModernCalendar\CalendarWideLogo.pngQ3]%ModernCalendar\CalendarLargeLogo.pngMms-resource:calendarAppTitleY$ModernCalendar\CalendarTinyLogo.pngi1SPS0%G`Mms-resource:calendarAppTitle-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Mail.lnk -> [LF1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweMmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.MaildC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwev1SPSMԆi<D*TIModernMail\Res\MailLogo.pngMModernMail\Res\MailBadge.pngU!ModernMail\Res\MailSmallLogo.pngQ ModernMail\Res\MailWideLogo.pngrU!ModernMail\Res\MailLargeLogo.pngEms-resource:mailAppTitleQ ModernMail\Res\MailTinyLogo.pnga1SPS0%G`Ems-resource:mailAppTitleq1SPS}@H1U!ms-resource:mailShareDescription-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.People.lnk -> [LFr1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweOmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.PeopledC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwe1SPSMԆi<D*TAModernPeople\People.pngMModernPeople\PeopleSmall.pngIModernPeople\PeopleWide.pngG&MModernPeople\PeopleLarge.png]%ms-resource:///strings/peopleAppNameIModernPeople\PeopleTiny.pngy1SPS0%G`]%ms-resource:///strings/peopleAppName1SPS}@H1e*ms-resource:///strings/raShareDescription-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsCalculator_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsAlarms_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.SkypeApp_kzf8qxf38zg5c\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.Reader_8wekyb3d8bbwe\Microsoft.Reader.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.HelpAndTips_8wekyb3d8bbwe\HelpAndTips.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingWeather_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingTravel_8wekyb3d8bbwe\AppexTravel.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingSports_8wekyb3d8bbwe\AppexSports.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingNews_8wekyb3d8bbwe\AppexNews.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingMaps_8wekyb3d8bbwe\AppexMaps.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingHealthAndFitness_8wekyb3d8bbwe\AppexHealthAndFitness.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingFoodAndDrink_8wekyb3d8bbwe\AppexFoodAndDrink.lnk -> Tile and icon assets
Shortcut: C:\Users\karen\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingFinance_8wekyb3d8bbwe\AppexFinance.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\Links\Desktop.lnk -> C:\Users\mama\Desktop ()
Shortcut: C:\Users\mama\Links\Downloads.lnk -> C:\Users\mama\Downloads ()
Shortcut: C:\Users\mama\Links\RecentPlaces.lnk -> [::{22877A6D-37A1-461A-91B0-DBDA5AAEBC99}]
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk -> C:\Windows\explorer.exe,-30
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Help.lnk -> C:\Windows\HelpPane.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk -> C:\Windows\System32\shell32.dll (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Windows.Defender.lnk -> C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk -> C:\Windows\System32\notepad.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk -> C:\Windows\System32\Magnify.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk -> C:\Windows\System32\Narrator.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk -> C:\Windows\System32\osk.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK -> C:\Windows\System32\fsquirt.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk -> C:\Windows\System32\imageres.dll (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\mama\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk -> C:\Windows\System32\compmgmt.msc ()
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk -> C:\Windows\System32\diskmgmt.msc ()
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk -> C:\Windows\System32\eventvwr.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk -> C:\Windows\System32\mblctr.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.ZuneVideo_8wekyb3d8bbwe\Microsoft.ZuneVideo.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.ZuneMusic_8wekyb3d8bbwe\Microsoft.ZuneMusic.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.XboxLIVEGames_8wekyb3d8bbwe\Microsoft.XboxLIVEGames.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsScan_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsReadingList_8wekyb3d8bbwe\Microsoft.WindowsReadingList.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Calendar.lnk -> [LFz1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweQmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.CalendardC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwe1SPSMԆi<D*TQ ModernCalendar\CalendarLogo.png]%ModernCalendar\CalendarSmallLogo.pngU!ModernCalendar\CalendarBadge.pngY$ModernCalendar\CalendarWideLogo.pngQ3]%ModernCalendar\CalendarLargeLogo.pngMms-resource:calendarAppTitleY$ModernCalendar\CalendarTinyLogo.pngi1SPS0%G`Mms-resource:calendarAppTitle-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.Mail.lnk -> [LF1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweMmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.MaildC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwev1SPSMԆi<D*TIModernMail\Res\MailLogo.pngU!ModernMail\Res\MailSmallLogo.pngMModernMail\Res\MailBadge.pngQ ModernMail\Res\MailWideLogo.pngrU!ModernMail\Res\MailLargeLogo.pngEms-resource:mailAppTitleQ ModernMail\Res\MailTinyLogo.pnga1SPS0%G`Ems-resource:mailAppTitleq1SPS}@H1U!ms-resource:mailShareDescription-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Microsoft.WindowsLive.People.lnk -> [LFr1SPSU(Ly9K-u2microsoft.windowscommunicationsapps_8wekyb3d8bbweGmicrosoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbweOmicrosoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.PeopledC:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.4.9600.16384_x64__8wekyb3d8bbwe1SPSMԆi<D*TAModernPeople\People.pngMModernPeople\PeopleSmall.pngIModernPeople\PeopleWide.pngG&MModernPeople\PeopleLarge.png]%ms-resource:///strings/peopleAppNameIModernPeople\PeopleTiny.pngy1SPS0%G`]%ms-resource:///strings/peopleAppName1SPS}@H1e*ms-resource:///strings/raShareDescription-1SPSwlE[([8װY1SPSOYMGm=Microsoft Corporation] (No File)
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsCalculator_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.WindowsAlarms_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.SkypeApp_kzf8qxf38zg5c\App.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.Reader_8wekyb3d8bbwe\Microsoft.Reader.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.HelpAndTips_8wekyb3d8bbwe\HelpAndTips.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingWeather_8wekyb3d8bbwe\App.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingTravel_8wekyb3d8bbwe\AppexTravel.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingSports_8wekyb3d8bbwe\AppexSports.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingNews_8wekyb3d8bbwe\AppexNews.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingMaps_8wekyb3d8bbwe\AppexMaps.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingHealthAndFitness_8wekyb3d8bbwe\AppexHealthAndFitness.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingFoodAndDrink_8wekyb3d8bbwe\AppexFoodAndDrink.lnk -> Tile and icon assets
Shortcut: C:\Users\mama\AppData\Local\Microsoft\Windows\Application Shortcuts\Microsoft.BingFinance_8wekyb3d8bbwe\AppexFinance.lnk -> Tile and icon assets
Shortcut: C:\Users\Public\Desktop\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.)
 
 
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk -> C:\Windows\System32\rundll32.exe (Microsoft Corporation) -> -sta {C90FB8CA-3295-4462-A721-2935E83694BA}
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Default Programs.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.DefaultPrograms
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Task Manager.lnk -> C:\Windows\System32\Taskmgr.exe (Microsoft Corporation) -> /7
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk -> C:\Windows\System32\compmgmt.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Event Viewer.lnk -> C:\Windows\System32\eventvwr.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Performance Monitor.lnk -> C:\Windows\System32\perfmon.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk -> C:\Windows\System32\perfmon.exe (Microsoft Corporation) -> /res
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk -> C:\Windows\System32\taskschd.msc () -> /s
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Media Player.lnk -> C:\Program Files (x86)\Windows Media Player\wmplayer.exe (Microsoft Corporation) -> /prefetch:1
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Speech Recognition.lnk -> C:\Windows\Speech\Common\sapisvr.exe (Microsoft Corporation) -> -SpeechUX
ShortcutWithArgument: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk -> C:\Windows\System32\WFS.exe (Microsoft Corporation) -> /SendTo
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - Network Connections.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.DeviceManager
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\06 - System.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.System
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\08 - Power Options.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.PowerOptions
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\10 - Programs and Features.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.ProgramsAndFeatures
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk -> C:\Windows\System32\Taskmgr.exe (Microsoft Corporation) -> /0
ShortcutWithArgument: C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}
ShortcutWithArgument: C:\Users\karen\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk -> C:\Windows\System32\WFS.exe (Microsoft Corporation) -> /SendTo
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - Network Connections.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.DeviceManager
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\06 - System.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.System
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\08 - Power Options.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.PowerOptions
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group3\10 - Programs and Features.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.ProgramsAndFeatures
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk -> C:\Windows\System32\Taskmgr.exe (Microsoft Corporation) -> /0
ShortcutWithArgument: C:\Users\karen\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}
ShortcutWithArgument: C:\Users\mama\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk -> C:\Windows\System32\WFS.exe (Microsoft Corporation) -> /SendTo
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - Network Connections.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> ::{7007ACC7-3202-11D1-AAD2-00805FC1270E}
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.DeviceManager
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\06 - System.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.System
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\08 - Power Options.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.PowerOptions
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group3\10 - Programs and Features.lnk -> C:\Windows\System32\control.exe (Microsoft Corporation) -> /name Microsoft.ProgramsAndFeatures
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{2559a1f8-21d7-11d4-bdaf-00c04f60b9f0}
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> /e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk -> C:\Windows\System32\Taskmgr.exe (Microsoft Corporation) -> /0
ShortcutWithArgument: C:\Users\mama\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk -> C:\Windows\explorer.exe (Microsoft Corporation) -> shell:::{3080F90D-D7AD-11D9-BD98-0000947B0257}
 
 
InternetURL: C:\Users\karen\Favorites\Bing.url -> URL: hxxp://go.microsoft.com/fwlink/p/?LinkId=255142
InternetURL: C:\Users\mama\Favorites\Bing.url -> URL: hxxp://go.microsoft.com/fwlink/p/?LinkId=255142
 
==================== End of Shortcut.txt =============================
Thank you for your help. I will await further instructions
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:39 PM

Posted 21 July 2017 - 07:15 AM

Hi,

Nothing suspicious was found on your logs.

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  • ===

    Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
    • Click the "Scan" button to start scan.
    • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
    • Please paste the contents of that log in your next reply.
    There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
    ===

    Wait for further instructions.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:39 PM

Posted 26 July 2017 - 08:04 AM

Are you still with me?

#6 Khale62

Khale62
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 27 July 2017 - 04:06 PM

Yes I am still with you. 



#7 Khale62

Khale62
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 27 July 2017 - 04:07 PM

yes i am still with you. When i ran the last scan that you wanted my computer crashed. i've been trying to get it back up and i learned some new info. the malware starts in the boot file.  my installation cd that i bought from dell is corrupted. the virus has manipulated the boot file and while the system is setting up. it creates a fake computer as a plug and play device. it also creates a hidden drive . it also install installs a fake modem that is redirecting my internet traffic. several devices have hidden copies like the mouse and the key board. it also is installing hidden users that effectively blocks me from deleting some items because i don't have permission from TrustedInstaller. 
 
i have tried to clean the hard drive but when i choose cmd from the repair your computer option at the installation screen the black screen opens w "X:Resources\. 
even when i change it to c: i cannot clean or format certain section because they contain the boot file.
 
i am in way over my skill level to repair so last night i just re installed the corrupted OS and
let it set up in original infected state. I thought you could help me better with the original infected state without my unsuccessful attempts to repair. 
 
please let me know, in light of this new information, how to proceed.
 
thank for touching base with me again. i haven't forgotten about you. i was trying to get a secure internet connection but i gave up. 
 
so i'm back at square one with some new information.
 
Thanks
 
Khale62 
cleardot.gif


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:39 PM

Posted 28 July 2017 - 09:26 AM


You should have contacted me when the program failed.

You did some changes that I'm not familiar with.

Can you run the Farbar tool and post fresh FRST.txt and Addition.txt logs for my review.

Will take it from there.

#9 Khale62

Khale62
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:07:39 PM

Posted 28 July 2017 - 11:57 AM

Hi nasdaq,

 

I didn't have a way to contact you after the crash. i tried sending email from my iphone but it kept coming back undeliverable.  I have heard that some internet redirects have blocked access to this website. I assumed that was happening.

I couldn't contact you until i reinstalled the infected Windows 8.1.  I dont think that Fabar scans will help because it only scan local account on the "fake" c: drive.  Remember when I scanned it before it showed nothing unusual and there is no record of unusual activity on this "c:" drive.  There unusual activity in the administrative activities event but the logs were not turned on, but i turned the logs on now.  I think that if you could take a look at this activity it will give you a better idea of whats going on.

 

I am not opposed to run the Farbar Tool, I just don't think youll get much usable infor from it.

 

Khale62



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:39 PM

Posted 28 July 2017 - 12:44 PM

You are probably right but will never know if you don't.

Run this for now.



Repair these services on Windows.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore Do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • 01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    .. 02.01 File Permissions C:\
    .. 02.02 File Permissions D:\
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    06 - Repair Windows Firewall
    07 - Repair Internet Explorer
    08 - Repair MDAC/MS Jet
    09 - Repair HOSTS File
    10 - Remove Policies Set By Infections
    11 - Repair Start Menu Icons Removed by Infections
    12 - Repair Icons
    13 - Repair Winsock & DNS Cache
    14 - Removed Temp Files
    15 - Repair Proxy Settings
    16 - Unhide Non System Files (2)
    .. 16.01 Unhide C:\
    .. 16.02 Unhide D:\
    17 - Repair Windows Updates
    18 - Repair CD/DVD Missing/Not Working
    19 - Repair Volume Shadow Copy Service
    20 - Repair Windows Sidebar/Gadgets
    21 - Repair MSI (Windows Installer)
    22 - Repair Windows Snipping tool
    23 - Repair File Associations (12)
    .. 23.01 - Repair bat Associations
    .. 23.02 - Repair cmd Associations
    .. 23.03 - Repair com Associations
    .. 23.04 - Repair Directory Associations
    .. 23.05 - Repair Drive Associations
    .. 23.06 - Repair exe Associations
    .. 23.07 - Repair Folder Associations
    .. 23.08 - Repair inf Associations
    .. 23.09 - Repair lnk (Shortcut) Associations
    .. 23.10 - Repair msc Associations
    .. 23.11 - Repair reg Associations
    .. 23.12 - Repair scr Associations
    24 - Repair Windows Safe Mode
    25 - Repair Print Spooler
    26 - Restore Important Windows Services
    27 - Set Windows Service to Default Startup
    28.01 - Repair Windows 8/10 Apps Store
    28.02 - Repair Windows 8/10 Apps Store (Completely Reset Apps Store)
    29 - Repair Windows 8/10 Component Store
    30 - Repair Windows 8/10 COM+ Unmarshalers
    31 - Repair Windows 'New' Submenu
    32 - Restore UAC (User Account Control) Settings
    33 - Repair Performance Counters
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad, Save it on your Desktop. ( Reboot if asked to do so)
  • Please copy and paste the Contents of this file on your next reply.
===

Restart the computer normally.

How is the computer running now?

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,256 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:39 PM

Posted 03 August 2017 - 09:51 AM

Are you still with me?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users