
Windows 7 x64 Infection Unknown (Most exe's blocked)


  • This topic is locked
19 replies to this topic

#1 Judman13

  • Members
  • 21 posts

Posted 02 September 2017 - 03:58 PM

Hello,

My dad got a malware/adware infection trying to use a bad Windows 7 activation tool. Right now the PC is getting linkjacking in browsers; it was serving random audio ads in the background. Seems like the PC is totally hijacked.

Avast was no good at blocking the infection, and now it has taken over the system. The MBAM installer is unable to run even as a .bat. Tried Chameleon and none of the options work. FileAssassin cannot delete some offending files. rkill (.com, .scr, .exe) won't start. adwcleaner.exe can't run.

All the tools I have tried give the same "The requested resource is in use." error screen.

I am really surprised FRST64.exe ran. Attached are the FRST.txt and Addition.txt.

I was going to try and run a Sophos bootable anti-virus tool, but I figured I might post here first for some expert advice.

Logs are attached, but I will paste here too per the help guidelines.

 

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017
Ran by Joe Meherg (administrator) on HOME-OPI (02-09-2017 15:32:54)
Running from C:\Users\Joe Meherg\Desktop
Loaded Profiles: Joe Meherg (Available Profiles: Joe Meherg)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
() C:\Windows\System32\mswygme.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(© 2015 Microsoft Corporation) C:\Users\Joe Meherg\AppData\Local\Microsoft\BingSvc\BingSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe
() C:\Program Files\Blue Iris 4\BlueIrisService.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Oracle Corporation) C:\Program Files (x86)\Java\jre1.8.0_111\bin\javaw.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE
(Perspective Software) C:\Program Files\Blue Iris 4\BlueIris.exe
() C:\Program Files\ntuserlitelist\svcvmx\svcvmx.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Seagate LLC) C:\Program Files (x86)\Seagate\Seagate_Media\AgrregationStatus\stxmediamenumgr.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
() C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\TrayTipAgentE.exe
(CHENGDU YIWO Tech Development Co., Ltd) C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\EpmNews.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
() C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate_Media\Sync\MediaAggreService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
() C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213832 2017-07-18] (AVAST Software)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11545192 2014-05-01] (Realtek Semiconductor)
HKLM-x32\...\Run: [svcvmx] => C:\Program Files\ntuserlitelist\svcvmx\svcvmx.exe [884224 2017-08-29] ()
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe [299504 2016-08-17] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
HKLM-x32\...\Run: [FreeAgentTheaterTrayIcon] => C:\Program Files (x86)\Seagate\Seagate_Media\AgrregationStatus\StxMediaMenuMgr.exe [189480 2014-03-13] (Seagate LLC)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1057920 2012-07-31] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EaseUS EPM Tray Agent] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\TrayTipAgentE.exe [255072 2014-11-18] ()
HKLM-x32\...\Run: [EaseUS EPM tray] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\EpmNews.exe [2090176 2016-09-20] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2015-07-31] (Western Digital Technologies, Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [] => [X]
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27815896 2017-07-28] (Skype Technologies S.A.)
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [BingSvc] => C:\Users\Joe Meherg\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-11] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [AcuRiteConnect2] => C:\Program Files (x86)\AcuRite\AcuRiteConnect.exe [1312768 2016-07-22] (Chaney Instrument Co)
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [AcuRiteConnect1] => C:\Program Files\AcuRite\AcuRiteConnect.exe
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\MountPoints2: F - F:\Lenovo_Suite.exe
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\MountPoints2: {5014a032-4e95-11e7-8471-14dae9dd9059} - F:\Lenovo_Suite.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DuckDns.lnk [2016-03-10]
ShortcutTarget: DuckDns.lnk -> C:\Program Files (x86)\DuckDNS\DuckDns.exe ()
Startup: C:\Users\Joe Meherg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Avast Free Antivirus.lnk [2017-09-01]
ShortcutTarget: Avast Free Antivirus.lnk -> C:\Program Files\AVAST Software\Avast\avastui.exe (AVAST Software)
Startup: C:\Users\Joe Meherg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Outlook 2010.lnk [2014-05-01]
ShortcutTarget: Microsoft Outlook 2010.lnk -> C:\Windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\outicon.exe ()
BootExecute: autocheck autochk * aswBoot.exe /M:eb80d6053 /A:"* " /L:"1033" /heur:80 /RA:fix /pup /archives /IA:0 /KBD:2 /wow /dir:"C:\Program Files\AVAST Software\Avast"

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.114.81.1 75.114.81.2
Tcpip\..\Interfaces\{8A135F5E-5531-4624-A0E8-027459BA553C}: [DhcpNameServer] 75.114.81.1 75.114.81.2
Tcpip\..\Interfaces\{D26D50F4-333E-4EEC-B155-83C4ADB3057D}: [NameServer] 82.163.142.8,95.211.158.136
Tcpip\..\Interfaces\{D26D50F4-333E-4EEC-B155-83C4ADB3057D}: [DhcpNameServer] 75.114.81.1 75.114.81.2

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://speedial.com/?f=1&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://speedial.com/?f=1&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://speedial.com/results.php?f=4&q={searchTerms}&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://speedial.com/results.php?f=4&q={searchTerms}&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
SearchScopes: HKU\S-1-5-21-1322323461-4163524923-2021594764-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://speedial.com/results.php?f=4&q={searchTerms}&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
SearchScopes: HKU\S-1-5-21-1322323461-4163524923-2021594764-1000 -> {38D8F50C-EC1D-4E40-ABBA-7F315AAE7793} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-11-26] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-11-26] (Oracle Corporation)
Handler-x32: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files (x86)\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll [2009-09-16] (TODO: <Company name>)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2017-06-01] (Skype Technologies)

FireFox:
========
FF DefaultProfile: x5no8ms2.default
FF ProfilePath: C:\Users\Joe Meherg\AppData\Roaming\Mozilla\Firefox\Profiles\x5no8ms2.default [2017-09-01]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-11-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-11-26] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-07-31] (Adobe Systems Inc.)
FF Plugin-x32: Web Components -> C:\Program Files (x86)\Web Components\npWebVideoPlugin.dll [2016-05-17] ()
FF Plugin HKU\S-1-5-21-1322323461-4163524923-2021594764-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Joe Meherg\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-05-01] (Citrix Online)
FF Plugin HKU\S-1-5-21-1322323461-4163524923-2021594764-1000: @zoom.us/ZoomVideoPlugin -> C:\Users\Joe Meherg\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2014-11-17] (Zoom Video Communications, Inc.)

Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> msn.com
CHR StartupUrls: Default -> "hxxps://news.google.com/","hxxp://drudgereport.com/"
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default [2017-09-02]
CHR Extension: (Yahoo Partner) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhfhojbhbnajajgihpicejdalbjlpcep [2017-08-27]
CHR Extension: (uBlock Origin) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-08-27]
CHR Extension: (Bing) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2017-08-27]
CHR Extension: (Yahoo Partner) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol [2017-08-27]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2017-08-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-27]
CHR Extension: (Chrome Media Router) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-27]
CHR HKLM\...\Chrome\Extension: [bakijjialdiiboeaknfpmflphhmljfkd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bakijjialdiiboeaknfpmflphhmljfkd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bhfhojbhbnajajgihpicejdalbjlpcep] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2012-10-12] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-10-12] (ASUSTeK Computer Inc.)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-10-12] (ASUSTeK Computer Inc.)
S3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7430992 2017-07-18] (AVAST Software s.r.o.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [263312 2017-07-18] (AVAST Software)
R2 BlueIris; C:\Program Files\Blue Iris 4\BlueIrisService.exe [59960 2015-09-14] ()
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 FreeAgentTheater Service; C:\Program Files (x86)\Seagate\Seagate_Media\Sync\MediaAggreService.exe [243752 2014-03-13] (Seagate Technology LLC)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [732448 2017-02-24] (Intel(R) Corporation)
S2 Intel(R) TPM Provisioning Service; C:\Program Files\Intel\iCLS Client\TPMProvisioningService.exe [548648 2017-02-24] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [197264 2017-06-06] (Intel Corporation)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [20480 2009-09-16] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2007-05-24] (Intuit Inc.) [File not signed]
S3 RoxMediaDBVHS; C:\Program Files (x86)\Common Files\Roxio Shared\VHStoDVD\SharedCOM\RoxMediaDBVHS.exe [1112720 2012-07-30] (Corel Corporation)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10803440 2017-08-17] (TeamViewer GmbH)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [307064 2015-07-31] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 windowsmanagementservice; C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\scjhfg\zbnmj\ct.exe [689664 2017-08-26] () [File not signed] <==== ATTENTION
S2 u4IinpQfYVSg Updater; C:\Program Files (x86)\u4IinpQfYVSg Updater\u4IinpQfYVSg Updater.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-10-12] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2012-10-12] ()
R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [320008 2017-07-18] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [198976 2017-07-18] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [343288 2017-07-18] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [57728 2017-07-18] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [46984 2017-07-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [146704 2017-08-09] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [110352 2017-07-03] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [84392 2017-07-03] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1015880 2017-08-09] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [585608 2017-07-03] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [198768 2017-07-03] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [361336 2017-07-03] (AVAST Software)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [24056 2016-01-14] ()
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [21496 2016-01-14] ()
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [10848 2016-07-11] ()
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [10208 2016-07-11] ()
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [200272 2017-04-10] (Intel Corporation)
R2 NPF; C:\Windows\SysWOW64\drivers\npf64.sys [36600 2015-09-11] (Riverbed Technology, Inc.)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2015-08-18] (NVIDIA Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-07-10] (Corel Corporation)
S3 Ser2ph; C:\Windows\system32\drivers\ser2ph64.sys [89600 2009-05-19] (Prolific Technology Inc.)
S3 ssuddmgr; C:\Windows\system32\drivers\ssuddmgr.sys [203672 2013-06-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 ssudobex; C:\Windows\system32\drivers\ssudobex.sys [203672 2013-06-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 ssudrmnet; C:\Windows\system32\drivers\ssudrmnet.sys [67864 2013-06-20] (DEVGURU Co., LTD.)
S3 ssudserd; C:\Windows\system32\drivers\ssudserd.sys [203672 2013-06-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 ubloxusb; C:\Windows\system32\drivers\ubloxusb.sys [95232 2009-05-19] (u-blox AG)
S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDA64A.sys [738328 2012-05-04] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEM64A.sys [1226136 2012-05-04] (eMPIA Technology, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-02 15:32 - 2017-09-02 15:33 - 000024612 _____ C:\Users\Joe Meherg\Desktop\FRST.txt
2017-09-02 15:32 - 2017-09-02 15:32 - 002395648 _____ (Farbar) C:\Users\Joe Meherg\Desktop\FRST64.exe
2017-09-02 15:32 - 2017-09-02 15:32 - 000000000 ____D C:\FRST
2017-09-02 15:12 - 2017-09-02 15:30 - 000000000 ____D C:\sbav
2017-09-02 15:01 - 2017-09-02 15:01 - 008182736 _____ (Malwarebytes) C:\Users\Joe Meherg\Desktop\adwcleaner_7.0.2.1.exe
2017-09-02 14:55 - 2017-09-02 14:55 - 000001059 _____ C:\Users\Public\Desktop\FileASSASSIN.lnk
2017-09-02 14:55 - 2017-09-02 14:55 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2017-09-02 14:55 - 2017-09-02 14:55 - 000000000 ____D C:\Program Files (x86)\FileASSASSIN
2017-09-02 14:54 - 2017-09-02 14:54 - 000167034 _____ C:\Users\Joe Meherg\Desktop\fileassassin-setup-1.06.exe
2017-09-02 14:51 - 2017-09-02 14:52 - 006705178 _____ C:\Users\Joe Meherg\Desktop\mbam-chameleon-3.1.33.0.zip
2017-09-02 14:49 - 2017-09-02 14:50 - 066347240 _____ (Malwarebytes ) C:\Users\Joe Meherg\Desktop\mb3-setup-consumer-3.2.2.2018.bat
2017-09-01 17:02 - 2017-09-01 19:30 - 000000000 ____D C:\Users\Joe Meherg\AppData\Local\llssoft
2017-08-27 21:30 - 2017-08-27 21:30 - 000002663 _____ C:\Users\Joe Meherg\Desktop\AcuRite PC Connect.lnk
2017-08-27 09:13 - 2017-08-27 09:13 - 000000000 ____D C:\Users\Admin\AppData\Local\CEF
2017-08-27 09:12 - 2017-08-27 09:12 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Epson
2017-08-27 09:11 - 2017-08-27 09:12 - 000002259 _____ C:\Users\Admin\Desktop\Google Chrome.lnk
2017-08-27 09:11 - 2017-08-27 09:12 - 000000000 ____D C:\Users\Admin
2017-08-27 09:11 - 2017-08-27 09:11 - 000001377 _____ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-08-27 09:11 - 2017-08-27 09:11 - 000000020 ___SH C:\Users\Admin\ntuser.ini
2017-08-27 09:11 - 2017-08-27 09:11 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Adobe
2017-08-27 09:11 - 2017-08-27 09:11 - 000000000 ____D C:\Users\Admin\AppData\Local\Google
2017-08-27 09:11 - 2015-09-27 20:37 - 000000000 ____D C:\Users\Admin\AppData\Roaming\AVAST Software
2017-08-27 09:11 - 2009-07-14 02:45 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Media Center Programs
2017-08-26 23:13 - 2017-08-29 17:28 - 000000000 ____D C:\Program Files\ntuserlitelist
2017-08-26 22:06 - 2017-08-26 23:24 - 000000000 ____D C:\AdwCleaner
2017-08-26 17:11 - 2017-09-01 18:40 - 000000000 ____D C:\Windows\pss
2017-08-26 16:55 - 2017-08-26 16:55 - 000000000 ___HD C:\$AV_ASW
2017-08-26 16:53 - 2017-08-26 16:53 - 000000000 ____D C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\scjhfg
2017-08-26 16:52 - 2017-08-26 16:57 - 000000000 ____D C:\Program Files (x86)\u4IinpQfYVSg
2017-08-26 16:52 - 2017-08-26 16:52 - 002768896 ____N C:\Windows\system32\mswygme.exe
2017-08-26 16:52 - 2017-08-26 16:52 - 000021538 _____ C:\Windows\System32\Tasks\u4IinpQfYVSg
2017-08-26 16:52 - 2017-08-26 16:52 - 000003834 _____ C:\Windows\System32\Tasks\11376101
2017-08-26 16:52 - 2017-08-26 16:52 - 000003800 _____ C:\Windows\System32\Tasks\34481239
2017-08-26 16:52 - 2017-08-26 16:52 - 000003794 _____ C:\Windows\System32\Tasks\k34481239
2017-08-26 16:52 - 2017-08-26 16:52 - 000003794 _____ C:\Windows\System32\Tasks\8727122
2017-08-26 16:52 - 2017-08-26 16:52 - 000003682 _____ C:\Windows\System32\Tasks\ba1137610111376101
2017-08-26 16:52 - 2017-08-26 16:52 - 000003648 _____ C:\Windows\System32\Tasks\ba3448123934481239
2017-08-26 16:52 - 2017-08-26 16:52 - 000003642 _____ C:\Windows\System32\Tasks\bak34481239k34481239
2017-08-26 16:52 - 2017-08-26 16:52 - 000003642 _____ C:\Windows\System32\Tasks\ba87271228727122
2017-08-26 16:52 - 2017-08-26 16:52 - 000000020 _____ C:\Windows\b8727122
2017-08-26 12:18 - 2016-08-17 23:46 - 000053248 _____ (Intel Corporation) C:\Windows\system32\Drivers\USB3Ver.dll
2017-08-26 12:16 - 2017-08-26 12:16 - 000003646 _____ C:\Windows\System32\Tasks\Intel PTT EK Recertification
2017-08-26 12:15 - 2017-08-26 12:16 - 000000000 ____D C:\ProgramData\Intel
2017-08-26 12:15 - 2017-08-26 12:15 - 000000000 __SHD C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\EmieUserList
2017-08-26 12:15 - 2017-08-26 12:15 - 000000000 __SHD C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\EmieSiteList
2017-08-26 11:54 - 2017-08-27 12:06 - 000000000 ____D C:\Users\Joe Meherg.HOME-OPI-NEW-PC
2017-08-26 11:54 - 2017-08-26 11:54 - 000000020 ___SH C:\Users\Joe Meherg.HOME-OPI-NEW-PC\ntuser.ini
2017-08-26 11:54 - 2015-09-27 20:37 - 000000000 ____D C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Roaming\AVAST Software
2017-08-26 02:55 - 2017-08-26 02:55 - 000014336 _____ (Droite) C:\Windows\generic.exe
2017-08-23 18:10 - 2017-08-23 18:10 - 000002210 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth Pro.lnk
2017-08-23 18:10 - 2017-08-23 18:10 - 000002172 _____ C:\Users\Public\Desktop\Google Earth Pro.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-02 15:33 - 2014-05-01 15:54 - 000000000 ____D C:\Users\Joe Meherg\AppData\Roaming\Skype
2017-09-02 15:33 - 2009-07-13 21:34 - 020971520 _____ C:\Windows\system32\config\HARDWARE
2017-09-02 14:58 - 2016-05-13 17:52 - 000000000 ____D C:\Users\Joe Meherg\Desktop\mbam-chameleon-3.1.33.0
2017-09-02 14:36 - 2015-03-24 10:10 - 000000520 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job
2017-09-02 14:11 - 2016-11-19 11:53 - 000000616 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job
2017-09-02 13:51 - 2014-05-01 16:13 - 000000000 ____D C:\Users\Joe Meherg\Documents\Outlook Files
2017-09-01 19:40 - 2009-07-13 23:45 - 000023408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-09-01 19:40 - 2009-07-13 23:45 - 000023408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-09-01 19:29 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-01 18:28 - 2015-02-07 09:12 - 000000000 ____D C:\Users\Joe Meherg\AppData\Roaming\TeamViewer
2017-09-01 16:53 - 2014-05-02 12:15 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2017-08-30 12:48 - 2015-11-28 18:09 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-08-29 23:24 - 2015-07-04 18:29 - 000000000 ____D C:\Users\Joe Meherg\Desktop\New House & Land
2017-08-28 16:46 - 2014-05-01 11:18 - 000002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-08-28 00:00 - 2016-10-22 20:51 - 000000000 ____D C:\Chaney Instrument Co
2017-08-27 16:03 - 2017-03-19 12:10 - 000000000 ____D C:\Users\Joe Meherg\Desktop\Game camera
2017-08-27 16:03 - 2009-07-14 00:13 - 000786362 _____ C:\Windows\system32\PerfStringBackup.INI
2017-08-27 16:03 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2017-08-27 11:00 - 2016-11-09 19:11 - 000000971 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-08-27 11:00 - 2016-11-09 19:11 - 000000959 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-08-27 09:14 - 2009-07-14 00:09 - 000000000 ____D C:\Windows\System32\Tasks\WPD
2017-08-27 09:11 - 2009-07-13 23:57 - 000001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-08-27 08:52 - 2017-04-15 09:23 - 000750916 _____ C:\Windows\ntbtlog.txt
2017-08-26 23:39 - 2014-05-01 13:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2017-08-26 22:26 - 2014-05-01 12:20 - 000000000 ____D C:\ProgramData\AVAST Software
2017-08-26 22:07 - 2011-11-24 22:43 - 000000000 ____D C:\A
2017-08-26 20:43 - 2014-05-02 09:56 - 000000000 ____D C:\Windows\AutoKMS
2017-08-26 17:01 - 2017-02-04 10:59 - 000000000 ____D C:\ProgramData\NVIDIA
2017-08-26 17:01 - 2014-05-01 11:16 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2017-08-26 17:01 - 2014-05-01 11:15 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2017-08-26 17:01 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\Help
2017-08-26 14:08 - 2014-05-02 09:56 - 000000266 _____ C:\Windows\Tasks\AutoKMS.job
2017-08-26 14:06 - 2017-04-08 06:08 - 000000000 _____ C:\Windows\SysWOW64\last.dump
2017-08-26 12:18 - 2014-05-01 12:13 - 000000000 ____D C:\Program Files (x86)\Intel
2017-08-26 12:16 - 2017-04-15 08:13 - 000000000 ____D C:\Program Files\Intel
2017-08-26 12:03 - 2017-02-07 11:07 - 000004172 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-08-26 11:06 - 2014-05-01 12:01 - 000000000 ____D C:\Windows\SysWOW64\RTCOM
2017-08-25 06:00 - 2014-05-01 10:46 - 000000000 ____D C:\Users\Joe Meherg
2017-08-24 17:22 - 2011-11-24 22:43 - 000000000 ____D C:\Data
2017-08-23 18:10 - 2014-05-01 11:17 - 000000000 ____D C:\Program Files (x86)\Google
2017-08-23 10:35 - 2017-07-09 01:17 - 000000000 ____D C:\Program Files (x86)\GoToMeeting
2017-08-23 10:35 - 2016-11-19 11:53 - 000003670 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000
2017-08-23 10:35 - 2015-03-24 10:10 - 000003574 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000
2017-08-23 10:21 - 2016-03-10 20:33 - 000000000 ____D C:\Program Files\Blue Iris 4
2017-08-21 07:46 - 2016-12-30 18:35 - 000000000 ____D C:\Users\Joe Meherg\Desktop\Office
2017-08-12 19:41 - 2014-05-08 21:22 - 000000000 ____D C:\Users\Joe Meherg\AppData\Local\Wings of Prey
2017-08-12 19:32 - 2014-05-08 20:50 - 000000000 ____D C:\Program Files (x86)\Gaijin
2017-08-11 09:06 - 2015-01-10 12:31 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-08-09 14:09 - 2014-05-01 12:21 - 001015880 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2017-08-09 14:09 - 2014-05-01 12:21 - 000146704 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2017-08-09 03:00 - 2015-05-05 07:24 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-08-09 03:00 - 2014-09-01 09:00 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-08-09 03:00 - 2014-09-01 09:00 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-08-09 03:00 - 2014-09-01 08:59 - 000000000 ____D C:\Windows\system32\Macromed
2017-08-09 03:00 - 2014-05-01 19:42 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-08-06 17:47 - 2014-05-04 16:14 - 000000000 ____D C:\Users\Joe Meherg\AppData\Roaming\vlc
2017-08-03 14:14 - 2014-05-01 15:54 - 000000000 ____D C:\ProgramData\Skype

==================== Files in the root of some directories =======

2014-08-17 14:46 - 2014-03-20 17:49 - 001170056 _____ (Microsoft Corporation) C:\Users\Joe Meherg\AppData\Roaming\467ZP4IWI7.exe
2014-06-17 10:05 - 2014-10-24 15:51 - 000000408 _____ () C:\Users\Joe Meherg\AppData\Roaming\HOME-OPI.MTBF.txt
2014-12-25 11:10 - 2014-12-25 11:10 - 000038430 _____ () C:\Users\Joe Meherg\AppData\Roaming\Microsoft Excel 97-2003.ADR
2014-12-29 21:33 - 2014-12-29 21:48 - 000000712 _____ () C:\Users\Joe Meherg\AppData\Roaming\wavv
2014-06-02 10:06 - 2014-06-02 10:06 - 000000042 _____ () C:\Users\Joe Meherg\AppData\Roaming\WB.CFG
2014-06-17 10:05 - 2014-10-24 15:52 - 000000902 _____ () C:\Users\Joe Meherg\AppData\Roaming\__AvidCloudManager.log
2014-06-17 10:05 - 2014-06-17 10:29 - 000000358 _____ () C:\Users\Joe Meherg\AppData\Roaming\__AvidCloudManagerPrevious.log
2017-05-12 22:39 - 2017-05-12 22:39 - 000000000 ____H () C:\Users\Joe Meherg\AppData\Local\BIT79C2.tmp
2014-06-17 10:32 - 2014-06-17 10:32 - 000003584 _____ () C:\Users\Joe Meherg\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-06-13 16:27 - 2017-06-13 16:27 - 000004940 _____ () C:\Users\Joe Meherg\AppData\Local\recently-used.xbel
2016-07-09 21:11 - 2016-07-09 21:11 - 000007597 _____ () C:\Users\Joe Meherg\AppData\Local\Resmon.ResmonCfg
2017-05-12 22:38 - 2017-05-12 22:39 - 000000000 _____ () C:\Users\Joe Meherg\AppData\Local\{F44637E8-E3C4-44A8-9BCF-EB738C09BDEF}
2014-05-01 14:50 - 2016-04-23 14:30 - 000001041 _____ () C:\ProgramData\currdat.lst
2014-06-07 20:46 - 2016-04-23 14:30 - 000001041 _____ () C:\ProgramData\currdat.lst.tmp
2014-05-01 14:46 - 2014-05-01 14:46 - 010485760 _____ () C:\ProgramData\WV5DataStore

Some files in TEMP:
====================
2017-08-12 19:31 - 2017-08-12 19:31 - 002640128 _____ (                                                            ) C:\Users\Joe Meherg\AppData\Local\Temp\downloader_setup.exe
2017-07-13 14:03 - 2017-07-13 14:04 - 030950664 _____ () C:\Users\Joe Meherg\AppData\Local\Temp\vlc-2.2.6-win32.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-08-27 12:24

==================== End of FRST.txt ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by Joe Meherg (02-09-2017 15:33:32)
Running from C:\Users\Joe Meherg\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2017-05-13 11:52:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1322323461-4163524923-2021594764-500 - Administrator - Disabled)
Guest (S-1-5-21-1322323461-4163524923-2021594764-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1322323461-4163524923-2021594764-1002 - Limited - Enabled)
Joe Meherg (S-1-5-21-1322323461-4163524923-2021594764-1000 - Administrator - Enabled) => C:\Users\Joe Meherg

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Disabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Disabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.22 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0922-000001000000}) (Version: 9.22.00.0 - Igor Pavlov)
ABBYY FineReader 9.0 Sprint (HKLM-x32\...\{F9000000-0018-0000-0000-074957833700}) (Version: 9.00.15.58233 - ABBYY) Hidden
ABBYY FineReader 9.0 Sprint (HKLM-x32\...\ABBYY FineReader 9.0 Sprint) (Version: 9.00.15.58233 - ABBYY)
AcuRite PC Connect for Windows (HKLM-x32\...\{6E613C42-AC6D-457D-BE81-88811AD84473}) (Version: 2.0.2 - Chaney Instrument Co.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Adobe Flash Player 26 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 26.0.0.151 - Adobe Systems Incorporated)
Amazon Kindle (HKLM-x32\...\Amazon Kindle) (Version:  - Amazon)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.2.9.0 - Asmedia Technology)
Audacity 2.0.5 (HKLM-x32\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.5.2303 - AVAST Software)
Blue Iris 4 (HKLM-x32\...\{24DBFE51-243F-4538-BB28-2FD7EC8E7F16}) (Version: 4.4.8.6 - Perspective Software)
Blue Iris ActiveX Control (HKLM-x32\...\{7106E079-28CA-4FEC-A083-6577EB674526}) (Version: 4.0.0.4 - Perspective Software) Hidden
Blue Iris ActiveX Control (HKLM-x32\...\InstallShield_{7106E079-28CA-4FEC-A083-6577EB674526}) (Version: 4.0.0.4 - Perspective Software)
Brother's Keeper 6.2 (HKLM-x32\...\Brother's Keeper 6.2) (Version:  - )
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
CPUID CPU-Z 1.78 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
Creative Pack Volume 1 (HKLM-x32\...\{05181A78-3BA6-4B63-BCE8-888A4BCAACFA}) (Version: 3.0.1 - Corel Corporation)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - Acro Software Inc.)
Data Lifeguard Diagnostic for Windows 1.29 (HKLM-x32\...\{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1) (Version:  - Western Digital Corporation)
Dazzle Video Capture DVC100 X64 Driver 1.06 (HKLM-x32\...\{BFF23267-1D19-444E-93E2-E5059BE805EA}) (Version: 1.06.0000 - Pinnacle)
DCS World (HKLM\...\DCS World_is1) (Version: 1.2.10.32275 - )
Deluge 1.3.13 (HKLM-x32\...\Deluge) (Version:  - )
DirectX 9 Runtime (HKLM-x32\...\{AF9E97C1-7431-426D-A8D5-ABE40995C0B2}) (Version: 1.00.0000 - Sonic Solutions) Hidden
DuckDns version 1.0.5 (HKLM-x32\...\{72C90F4B-DDFB-410B-8761-9769CCF481AA}}_is1) (Version: 1.0.5 - ETX Software Inc.)
EaseUS Partition Master 11.10 (HKLM-x32\...\EaseUS Partition Master_is1) (Version:  - EaseUS)
Easy Photo Scan (HKLM-x32\...\{F2132D5C-4C3F-41A9-865B-68966A06B01C}) (Version: 1.00.0000 - Seiko Epson Corporation)
Epson Copy Utility 3.5 (HKLM-x32\...\{AA72FB28-73B4-49E5-B6B4-E78F44BBD0AD}) (Version: 3.5.0.0 - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.0.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{10144CFE-D76C-4CFA-81A1-37A1642349A3}) (Version: 3.01.0013 - Seiko Epson Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-7010 Series Printer Uninstall (HKLM\...\EPSON WF-7010 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.5.00 - SEIKO EPSON CORPORATION)
FileASSASSIN (HKLM-x32\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 60.0.3112.113 - Google Inc.)
Google Earth Pro (HKLM-x32\...\{ECF2E224-42F5-4E50-B58E-94CA70E85697}) (Version: 7.3.0.3832 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 8.10.0.7495 (HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\GoToMeeting) (Version: 8.10.0.7495 - LogMeIn, Inc.)
Hollywood FX Volumes 1-3 (HKLM-x32\...\{E3D181F8-246B-497F-945E-6DB98CBA6677}) (Version: 2.0.1 - Corel Corporation)
Intel(R) Chipset Device Software (HKLM-x32\...\{bb0592a7-5772-4736-9d55-2402740085db}) (Version: 10.1.1.38 - Intel(R) Corporation) Hidden
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.7.0.1028 - Intel Corporation)
Intel(R) USB 3.0\3.1 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 5.0.0.32 - Intel Corporation)
iSpy package installer (64 bit) (HKLM-x32\...\{d747743e-b4c8-4ae7-8a61-a46b2a8f1c27}) (Version: 6.5.3.0 - DeveloperInABox)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
LADSPA_plugins-win-0.4.15 (HKLM-x32\...\LADSPA_plugins-win_is1) (Version:  - Audacity Team)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
Magical Jelly Bean KeyFinder (HKLM-x32\...\KeyFinder_is1) (Version: 2.0.10.9 - Magical Jelly Bean)
MagicDisc 2.7.106 (HKLM-x32\...\MagicDisc 2.7.106) (Version:  - )
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft LifeCam (HKLM\...\{5CE7E3F5-9803-4F32-AA89-2D8848A80109}) (Version: 3.60.253.0 - Microsoft Corporation)
Microsoft MapPoint North America 2010 (HKLM-x32\...\{C82185E8-C27B-4EF4-2010-1111BC2C2B6D}) (Version: 17.0.18.2200 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Access database engine 2007 (English) (HKLM-x32\...\{90120000-00D1-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1031 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 51.0.1.6234 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Naval War Arctic Circle (HKLM-x32\...\Naval War Arctic Circle_is1) (Version:  - )
Perfection V550 User’s Guide version 1.0 (HKLM-x32\...\UsersGuidePerfection V550 User’s Guide_is1) (Version: 1.0 - )
Pinnacle Studio 17 - Install Manager (HKLM-x32\...\{F04D92CC-5C3A-46FA-9C98-6EACBDD262FF}) (Version: 17.0.128 - Corel Corporation)
Pinnacle Studio 17 - Standard Content Pack (HKLM-x32\...\{BA98BFA8-5EDF-450B-A92E-C096DC135D0E}) (Version: 17.0 - Corel Corporation)
Pinnacle Studio 17 (HKLM-x32\...\{3DA8F808-72E2-4361-82EC-433081D23005}) (Version: 17.0.0.128 - Corel Corporation)
Pinnacle Studio 17 Add-Ons (HKLM-x32\...\{0B9B3056-3E89-427D-BB27-B555F6077C47}) (Version: 17.0 - Corel) Hidden
Premium Pack Volumes 1-2 (HKLM-x32\...\{88C4D8A6-9954-46A0-965D-92E55DAB8734}) (Version: 2.0.1 - Corel Corporation)
QuickBooks Pro 2008 (HKLM-x32\...\{8ECB8220-F422-4BEB-9596-97033C533702}) (Version: 18.0.4010.606 - Intuit Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.31.1025.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6235 - Realtek Semiconductor Corp.)
Rise of Flight (HKLM-x32\...\{1101370E-0BBC-4939-8037-2AED92A5C15C}_is1) (Version:  - 1C-777)
Roxio Easy VHS to DVD 3 (HKLM-x32\...\{01EA1B5D-04A2-45BD-83BD-488D6EB7B942}) (Version: 3.0 - Roxio)
SADPTool (HKLM-x32\...\{7D9B79C2-B1B2-433B-844F-F4299B86F26E}) (Version: 3.0.0.2 - hikvision)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.27.0 - SAMSUNG Electronics Co., Ltd.)
ScoreFitter Volumes 1-2 (HKLM-x32\...\{0FDA9ECA-6DA3-480E-B7A9-76F353AF6B6C}) (Version: 2.0.1 - Corel Corporation)
Seagate Media Software (HKLM-x32\...\{56EC58EF-F243-4313-9F4E-E00A054A321E}) (Version: 2.01.0412 - Seagate) Hidden
Seagate Media Software (HKLM-x32\...\InstallShield_{56EC58EF-F243-4313-9F4E-E00A054A321E}) (Version: 2.01.0412 - Seagate)
SimCity 3000 (HKLM-x32\...\SimCity 3000) (Version:  - )
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.39 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.39.102 - Skype Technologies S.A.)
SupportSoft Assisted Service (HKLM-x32\...\{5A3F6A80-7913-475E-8B96-477A952CFA43}) (Version: 15 - SupportSoft)
SYSM Monitor (HKLM-x32\...\SYSM Monitor_is1) (Version:  - SYSM Monitor)
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.82216 - TeamViewer)
Title Extreme (HKLM-x32\...\{F7214014-27EE-4237-9978-2F9D1551559B}) (Version: 2.0.1 - Corel Corporation)
TurboFloorPlan 3D Home and Landscape Pro v17 (HKLM-x32\...\{D11B97EA-0DB6-4866-9E88-4564C44F3C2D}) (Version: 17.0 - IMSI Design, LLC)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
WD Drive Utilities (HKLM-x32\...\{22662b08-91e0-4540-bb98-c96f32e09417}) (Version: 1.3.0.18 - Western Digital Technologies, Inc.)
WD Drive Utilities (HKLM-x32\...\{DD0C1657-A79B-4FED-B70C-26C1FE50BFB5}) (Version: 1.3.0.18 - Western Digital Technologies, Inc.) Hidden
Web Components (HKLM-x32\...\{03B13AF8-9625-478A-AF0E-205337B9415A}_is1) (Version:  - )
Wings of Prey (Collector's Edition) (HKLM-x32\...\Wings of Prey (Collector's Edition)_is1) (Version:  - )
WUHU (HKLM-x32\...\WUHU) (Version:  - )
Yamaha QL Editor (HKLM-x32\...\{73963C3C-B681-484E-9B18-FC8494923990}) (Version: 4.1.0 - Yamaha Corporation) Hidden
Yamaha QL Editor (HKLM-x32\...\InstallShield_{73963C3C-B681-484E-9B18-FC8494923990}) (Version: 4.1.0 - Yamaha Corporation)
yuPlay client 0.7.50 (HKLM-x32\...\yuPlay клиент_is1) (Version:  - )
Zoom (HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\ZoomUMX) (Version: 3.0 - Zoom Video Communications, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1322323461-4163524923-2021594764-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files (x86)\Citrix\GoToMeeting\5530\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-18] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-18] (AVAST Software)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2011-04-19] (Igor Pavlov)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-18] (AVAST Software)
ContextMenuHandlers1: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} => C:\Program Files (x86)\MagicISO\misosh64.dll -> No File
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-18] (AVAST Software)
ContextMenuHandlers3-x32: [FAExt] -> {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} => C:\Program Files (x86)\FileASSASSIN\FileASSASSINExt.dll [2007-03-30] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2011-04-19] (Igor Pavlov)
ContextMenuHandlers4: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} => C:\Program Files (x86)\MagicISO\misosh64.dll -> No File
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-07-18] (AVAST Software)
ContextMenuHandlers6: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} => C:\Program Files (x86)\MagicISO\misosh64.dll -> No File

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {05CE024D-9AF0-4D7F-897A-9BF6BB8FCD77} - System32\Tasks\34481239 => C:\Program Files (x86)\Backfired\droite.exe <==== ATTENTION
Task: {0BC51137-0029-4F0A-82F5-A1FE574DC0C3} - System32\Tasks\{8B10AD68-143F-4864-A07E-BA6CD2FB7ACD} => C:\Program Files (x86)\Brother's Keeper 6\Bk6w.exe [2006-01-26] (John Steed / Brother's Keeper)
Task: {0FA73C66-32EA-42F4-9FA6-4B1106C4EC25} - System32\Tasks\{1F68D3D6-1CED-406D-993F-0EDA0EE911F5} => C:\Windows\system32\pcalua.exe -a "C:\Users\Joe Meherg\Downloads\IRST_V10501026_XPVistaWin7\IRST_V10501026_XPVistaWin7\Install\Setup.exe" -d "C:\Users\Joe Meherg\Downloads\IRST_V10501026_XPVistaWin7\IRST_V10501026_XPVistaWin7\Install\"
Task: {11CCB2B6-9241-4CC3-9571-4863A959DC2B} - System32\Tasks\ba1137610111376101 => C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\droite.exe
Task: {1DE3967A-4715-4B38-9D63-DBC835E8E4B3} - System32\Tasks\Auto Restart => C:\Windows\System32\shutdown.exe [2009-07-13] (Microsoft Corporation)
Task: {200490A7-0432-4BDD-BBB8-114A211CDAFE} - System32\Tasks\Intel PTT EK Recertification => C:\Program Files\Intel\iCLS Client\IntelPTTEKRecertification.exe [2017-02-24] (Intel(R) Corporation)
Task: {2BD136E5-2E2C-4D05-B463-04930C080EE3} - System32\Tasks\11376101 => C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\droite.exe <==== ATTENTION
Task: {41286237-89EE-4C9E-BB94-E29C39FA1CBE} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2017-07-13] (AVAST Software)
Task: {569D7A2C-CA0B-4E38-AA7A-AB4041AEA2AC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {5BD71F69-429F-41C4-95C5-EDBDEE532765} - System32\Tasks\{86816B0A-99D8-4856-8C70-115FCFE70EE9} => C:\Windows\system32\pcalua.exe -a D:\ar405eng.exe -d D:\
Task: {6B40ECDF-7400-49EB-A4F0-383F7D10F93A} - System32\Tasks\u4IinpQfYVSg => u4iinpqfyvsg.exe
Task: {6C1E8862-1E8A-4CA7-96A1-D4A0940CEB5D} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy
Task: {6C3EAB03-8CC5-4054-9D38-A8BC811B0589} - System32\Tasks\k34481239 => C:\Program Files (x86)\wolfe\wolfe.exe
Task: {78CDB515-234E-4368-94B2-4539CFD9A579} - System32\Tasks\8727122 => C:\Program Files (x86)\Squeaker\droite.exe <==== ATTENTION
Task: {79439569-CEDD-4AF9-A2BC-FA74699A932D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-08-09] (Adobe Systems Incorporated)
Task: {795AD91F-0E8D-44DD-B8D0-7366457925F7} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {7B9A8AB7-B68F-42E2-B5CE-0559459F889B} - System32\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000 => C:\Program Files (x86)\GoToMeeting\7495\g2mupload.exe [2017-08-23] (LogMeIn, Inc.)
Task: {80793E39-8EB4-4F10-9E66-875A9A2DD30F} - System32\Tasks\bak34481239k34481239 => C:\Program Files (x86)\wolfe\wolfe.exe
Task: {879EFC11-3380-4874-B6BB-AB3142F4C197} - System32\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000 => C:\Program Files (x86)\GoToMeeting\7495\g2mupdate.exe [2017-08-23] (LogMeIn, Inc.)
Task: {8ED62C3C-486D-4278-AA06-7AA792A47965} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-07-18] (AVAST Software)
Task: {9C7A4281-E536-457C-80C1-B66E21E85EC5} - System32\Tasks\{5864F3C9-0903-418D-BFB1-9F105E21DD8B} => "c:\program files (x86)\google\chrome\application\chrome.exe" hxxp://ui.skype.com/ui/0/7.4.85.102/en/abandoninstall?page=tsProgressBar
Task: {BB68571C-9D55-4A1E-9CC9-E5CFCFF080F3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {F2F8651D-2D71-4F3A-BBBD-533D36A668A2} - System32\Tasks\{21D3E6A0-0503-4B89-894D-81B381C8F838} => C:\Windows\system32\pcalua.exe -a C:\Windows\system32\pcwrun.exe -c "C:\Program Files (x86)\Brother's Keeper 6\Bk6w.exe"
Task: {F3C496CC-FAC0-4AE0-A7B2-0BE90DDB9ECA} - System32\Tasks\ba3448123934481239 => C:\Program Files (x86)\Backfired\droite.exe
Task: {FA92903C-B7F6-427B-9386-CE2EDBE13A82} - System32\Tasks\ba87271228727122 => C:\Program Files (x86)\Squeaker\droite.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job => C:\Program Files (x86)\GoToMeeting\7495\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job => C:\Program Files (x86)\GoToMeeting\7495\g2mupload.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2014-05-30 10:55 - 2013-10-23 14:24 - 000087600 _____ () C:\Windows\System32\cpwmon64.dll
2017-08-26 16:52 - 2017-08-26 16:52 - 002768896 ____N () C:\WINDOWS\SYSTEM32\MSWYGME.EXE
2016-07-09 20:58 - 2012-10-12 03:59 - 000920736 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
2016-03-10 20:33 - 2015-09-14 21:55 - 000059960 _____ () C:\Program Files\Blue Iris 4\BlueIrisService.exe
2017-08-29 17:28 - 2017-08-29 17:28 - 000884224 _____ () C:\Program Files\ntuserlitelist\svcvmx\svcvmx.exe
2017-04-15 09:31 - 2014-11-18 14:44 - 000255072 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\TrayTipAgentE.exe
2017-08-29 17:28 - 2017-08-29 17:28 - 001081856 _____ () C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
2017-08-28 16:46 - 2017-08-23 03:48 - 002692952 _____ () C:\Program Files (x86)\Google\Chrome\Application\60.0.3112.113\swiftshader\libglesv2.dll
2017-08-28 16:46 - 2017-08-23 03:48 - 000137048 _____ () C:\Program Files (x86)\Google\Chrome\Application\60.0.3112.113\swiftshader\libegl.dll
2016-07-09 20:58 - 2017-09-01 19:29 - 000032040 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\PEbiosinterface32.dll
2016-07-09 20:58 - 2012-10-12 03:58 - 000104448 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\ATKEX.dll
2017-07-24 15:57 - 2017-07-24 15:57 - 001991640 ____R () C:\Program Files (x86)\Skype\Phone\skypert.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000222792 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\traynet.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000275528 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\libcurl.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000113166 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\zlib1.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000249928 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\uexper.dll
2017-08-29 17:28 - 2017-08-29 17:28 - 053460480 _____ () C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
2017-06-06 00:23 - 2017-06-06 00:23 - 001244304 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll
2011-03-17 00:11 - 2011-03-17 00:11 - 004297568 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2010-12-21 01:15 - 2010-12-21 01:15 - 001041248 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2017-08-29 17:28 - 2017-08-29 17:28 - 017599640 _____ () C:\Program Files\ntuserlitelist\svcvmx\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
AlternateDataStreams: C:\ProgramData\TEMP:A66CF953 [179]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2017-09-02 15:05 - 000008796 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 3dns-2.adobe.com #192.150.22.22
127.0.0.1 3dns-3.adobe.com #192.150.14.21
127.0.0.1 3dns-4.adobe.com #192.150.18.247
127.0.0.1 3dns-5.adobe.com #192.150.22.46
127.0.0.1 adobe-dns.adobe.com #192.150.11.30
127.0.0.1 adobe-dns-2.adobe.com #192.150.11.247
127.0.0.1 adobe-dns-3.adobe.com #192.150.22.30
127.0.0.1 adobe.activate.com #69.175.22.26
127.0.0.1 activate.adobe.com #192.150.22.40
127.0.0.1 activate.wip3.adobe.com #192.150.22.40
127.0.0.1 activate.wip4.adobe.com #192.150.22.40
127.0.0.1 activate-sea.adobe.com #192.150.22.40
127.0.0.1 activate-sjc0.adobe.com #192.150.14.69
127.0.0.1 ereg.adobe.com #192.150.18.103
127.0.0.1 ereg.wip3.adobe.com #192.150.18.63
127.0.0.1 ereg.wip4.adobe.com #192.150.18.103
127.0.0.1 practivate.adobe.com #192.150.18.54
127.0.0.1 www.wip3.adobe.com #192.150.8.60
127.0.0.1 www.wip4.adobe.com #192.150.18.200
127.0.0.1 www.adobeereg.com #75.125.24.83
127.0.0.1 adobeereg.com #207.66.2.10
127.0.0.1 hl2rcv.adobe.com #192.150.14.174
127.0.0.1 wwis-dubc1-vip30.adobe.com #192.150.8.30
127.0.0.1 wwis-dubc1-vip31.adobe.com #192.150.8.31
127.0.0.1 wwis-dubc1-vip32.adobe.com #192.150.8.32
127.0.0.1 wwis-dubc1-vip33.adobe.com #192.150.8.33
127.0.0.1 wwis-dubc1-vip34.adobe.com #192.150.8.34
127.0.0.1 wwis-dubc1-vip35.adobe.com #192.150.8.35
127.0.0.1 wwis-dubc1-vip36.adobe.com #192.150.8.36
127.0.0.1 wwis-dubc1-vip37.adobe.com #192.150.8.37

There are 151 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Joe Meherg\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 82.163.142.8 - 95.211.158.136
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: windowsmanagementservice => 

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{8543BA2A-75AD-4655-82C7-FFBF6F7D910C}] => (Allow) C:\Users\Joe Meherg\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{3F005EBF-C407-4E93-9B28-3BC9CC559E38}] => (Allow) C:\Users\Joe Meherg\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{DD5BD65E-7609-4447-BFFC-2B39BA398B33}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{C74A7003-B857-49E4-9D48-92A9137B86A7}] => (Allow) C:\Users\Joe Meherg\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F114005A-D281-43DA-AF3C-A819AB6A62ED}] => (Allow) C:\Users\Joe Meherg\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{33A89EDD-964E-43CF-A756-FF8370918ABB}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [UDP Query User{67992DBE-A0DC-4525-BCFF-30AE9A685973}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [TCP Query User{EAC80919-909D-45A3-9834-129C244E5FD7}C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe] => (Allow) C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe
FirewallRules: [UDP Query User{8CA3CBC3-44D9-4312-B113-A33F1BB81849}C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe] => (Allow) C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe
FirewallRules: [{229B4FBF-0CC3-4900-AC3C-BBD6FABF92F0}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{BF299D90-A90C-4501-92F0-6C29F2356911}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{0198D458-417B-4103-8F84-97CDE7FC91D9}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{B092710C-0136-4A79-9FC5-472EB4C512C1}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{61BA9762-2B0E-4D0A-AF38-2454F16A65F2}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{476C30E3-8325-4BF1-A066-053AB2DAB3AE}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{2E666FBE-EFF8-4F7B-978A-5ED605E2E2C1}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{18CC84B2-E645-46B9-8CFE-6AE269E7F168}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{3F5A2F0C-7574-471F-9BA9-33671F58F5E6}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\RM.exe
FirewallRules: [{911020FB-8CD1-4109-BB17-FD0C5088825D}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\RM.exe
FirewallRules: [{708A7CAF-A905-47D2-9733-9B7FE22B37CC}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\NGStudio.exe
FirewallRules: [{12A61F65-7B6D-4B84-B1DB-7A216030CE95}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\NGStudio.exe
FirewallRules: [{7F545608-E8C3-43A1-82AA-48F083C1A5A8}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\UMI.exe
FirewallRules: [{681D187B-7973-4962-9B0B-66C55E057A1F}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\UMI.exe
FirewallRules: [TCP Query User{6AE72AC7-5FE5-4F56-B923-EF57C19AA25E}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [UDP Query User{03F3E862-41B6-44D6-8271-30AEC48CC566}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [{D2A2E315-793A-47C6-83FE-C43E2818CB50}] => (Block) %ProgramFiles% (x86)\IMSI Design\TurboFloorPlan Pro v17\TurboFloorPlanPro.exe
FirewallRules: [TCP Query User{62D8D4DA-ADE3-483A-99E3-5D621F0CB6E5}C:\program files\ispy\ispy.exe] => (Allow) C:\program files\ispy\ispy.exe
FirewallRules: [UDP Query User{CA9A07E8-AF99-4FC6-ACC5-3B1EF74C7EDB}C:\program files\ispy\ispy.exe] => (Allow) C:\program files\ispy\ispy.exe
FirewallRules: [{532779D6-304D-452F-B70E-C0C3E2907A94}] => (Allow) C:\Program Files (x86)\Fiddler2\Fiddler.exe
FirewallRules: [TCP Query User{E1ED780C-2FE9-4366-9519-0AECC04FBEAE}C:\program files (x86)\sadptool\sadptool.exe] => (Allow) C:\program files (x86)\sadptool\sadptool.exe
FirewallRules: [UDP Query User{69C33B1E-692D-4E0E-A724-54F2F883EDD2}C:\program files (x86)\sadptool\sadptool.exe] => (Allow) C:\program files (x86)\sadptool\sadptool.exe
FirewallRules: [TCP Query User{0720A3E8-4677-4644-BE6B-94ECABAEEB45}C:\program files (x86)\synesis\onvif device manager\odm.exe] => (Allow) C:\program files (x86)\synesis\onvif device manager\odm.exe
FirewallRules: [UDP Query User{88BF81F6-93CE-4922-9E22-8121553EC306}C:\program files (x86)\synesis\onvif device manager\odm.exe] => (Allow) C:\program files (x86)\synesis\onvif device manager\odm.exe
FirewallRules: [{2D7BA09C-E620-4DDC-9985-520EEF91B5EA}] => (Allow) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
FirewallRules: [{A24AFF49-EFEB-42DD-981F-A9BEC19F766E}] => (Allow) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
FirewallRules: [TCP Query User{B1EE5ACF-A4D4-49F1-AD7A-A87A4FF901C9}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{482C9E87-8754-466E-B6C1-88EAEE161920}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [TCP Query User{8AFA5409-95F9-46C3-B8B2-FCF035947E3C}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{3C9628E9-A54C-4523-A5E5-7211AB37DE90}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{CC7DC9C6-33EC-45EC-92D0-73C17234C45F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2CE4CD41-5177-4484-89A1-BD1011A5B176}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{40ACE292-57CD-46A8-9FE6-18B05C80FCC5}] => (Allow) C:\Program Files\Blue Iris 4\BlueIris.exe
FirewallRules: [TCP Query User{E7DF7FD0-0638-4E4A-BF2B-B14148BCE257}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [UDP Query User{A0A54C96-DFFA-445C-B433-4C9E4A198B0E}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [TCP Query User{45785A2C-5CD8-4296-9E57-2B258A351F1E}C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe] => (Allow) C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe
FirewallRules: [UDP Query User{0A439D12-AE37-44CD-A478-E27EFC3CBE15}C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe] => (Allow) C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe
FirewallRules: [{951AFF54-EDDF-4742-96D6-DEB96778336B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{E4B3E5E8-3981-4BF9-91D6-9362305C5728}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{FCD83BAD-3934-4BF5-AF3E-A89B7169386C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{9721C62D-5B59-4147-AD76-DC56CC9AF943}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{B0E9205E-58C2-4DE2-BDC0-6345CF40E07D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{5F1174CF-323E-4796-B1D1-129D86B18190}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
StandardProfile\AuthorizedApplications: [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe] => Enabled:Windows Messanger
StandardProfile\AuthorizedApplications: [C:\Users\Joe Meherg\AppData\Roaming\467ZP4IWI7.exe] => Enabled:Windows Messanger

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: WinDivert1.2
Description: WinDivert1.2
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: WinDivert1.2
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: PCI Memory Controller
Description: PCI Memory Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/02/2017 03:10:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0x2674
Faulting application start time: 0x01d324264abe6622
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: bc8e3632-901a-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 01:12:23 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x00180814
Faulting process id: 0x24c4
Faulting application start time: 0x01d32416eb7bf242
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 4400cda2-900a-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 10:03:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1180
Faulting application start time: 0x01d323fc6c68f762
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: d8108142-8fef-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 08:53:21 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1fc0
Faulting application start time: 0x01d323f2a61f8656
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 14727762-8fe6-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 06:03:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0xebc
Faulting application start time: 0x01d323daf452ad16
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 48b3cf66-8fce-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 01:53:05 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0xd00
Faulting application start time: 0x01d323a8962dcc16
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 5e5882c6-8fab-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 12:46:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0xb00
Faulting application start time: 0x01d323a476c46726
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 16823f36-8fa2-11e7-a61e-2c4d5468b4ef

Error: (09/01/2017 10:15:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0x19fc
Faulting application start time: 0x01d3238b330f10c6
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: f5ffb1d6-8f8c-11e7-a61e-2c4d5468b4ef

Error: (09/01/2017 10:03:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1420
Faulting application start time: 0x01d32397e7e02a56
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 506390d6-8f8b-11e7-a61e-2c4d5468b4ef

Error: (09/01/2017 05:12:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1348
Faulting application start time: 0x01d3236f5daa01b2
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: b2b61d8a-8f62-11e7-a64e-2c4d5468b4ef


System errors:
=============
Error: (09/02/2017 02:56:25 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Windows Management Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/01/2017 09:37:54 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 09:37:54 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 09:37:54 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 09:37:54 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 09:37:53 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 09:37:53 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 09:37:53 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 09:37:53 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.

Error: (09/01/2017 07:30:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The WinDivert1.2 service failed to start due to the following error: 
The system cannot find the file specified.


CodeIntegrity:
===================================
  Date: 2016-09-20 21:51:13.292
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswHdsKe.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-09-20 21:51:13.292
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswHdsKe.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-07-20 09:22:08.391
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-07-20 09:22:08.391
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-25 16:36:38.997
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-25 16:36:38.977
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-7600 CPU @ 3.50GHz
Percentage of memory in use: 83%
Total physical RAM: 16249.75 MB
Available physical RAM: 2626.98 MB
Total Virtual: 32497.68 MB
Available Virtual: 18671.48 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.41 GB) (Free:316.91 GB) NTFS
Drive d: (JM) (Removable) (Total:15.22 GB) (Free:15.2 GB) FAT32
Drive e: (Data Disk) (Fixed) (Total:1397.26 GB) (Free:306.59 GB) NTFS
Drive g: () (Fixed) (Total:688.64 GB) (Free:35.45 GB) NTFS
Drive h: (H-Back-Up) (Fixed) (Total:326.01 GB) (Free:46.83 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 582EC891)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 419A82D2)
Partition 1: (Active) - (Size=1397.3 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 0B22A644)

Partition: GPT.

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 15.2 GB) (Disk ID: FDC01076)
Partition 1: (Active) - (Size=15.2 GB) - (Type=0C)

==================== End of Addition.txt ============================

Many thanks in advance for the help, and for even having this resource available!


#2 Aura

  • Bleepin' Special Ops
  • Malware Response Team
  • 19,660 posts
  • Gender:Male
  • Local time:04:57 AM

Posted 02 September 2017 - 04:03 PM

Hi Judman13 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system; I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste here the content of the "mbar-log-TODAY'S-DATE.txt" log that is located in the MBAR folder.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Judman13

  • Topic Starter
  • Members
  • 21 posts
  • Local time:03:57 AM

Posted 02 September 2017 - 04:16 PM

Aura!

Thank you very much for the response and the time looking over the logs!

I understand the process we have both entered into and will do my very best to follow your instructions to the letter and ask for clarification when needed.

I am running the Malwarebytes Anti-Rootkit Beta v1.09.4.1001 (I am very happy it ran!). I will continue to follow the instructions in the thread and post the results as requested.

Thank you again for the help!



#4 Judman13

  • Topic Starter
  • Members
  • 21 posts
  • Local time:03:57 AM

Posted 03 September 2017 - 09:50 PM

Aura,

I finally have an update. The Anti-Rootkit ran fine and the log will be posted below. However, it seems that an Avast boot scan I scheduled and attempted to run before reaching finally ran after the Anti-Rootkit fixed the issues it discovered.

Malwarebytes Anti-Rootkit BETA 1.9.4.1001
www.malwarebytes.org

Database version:
  main:    v2017.09.02.07
  rootkit: v2017.08.02.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17358
Joe Meherg :: HOME-OPI [administrator]

9/2/2017 4:11:50 PM
mbar-log-2017-09-02 (16-11-50).txt

Scan type: 
Scan options enabled: Anti-Rootkit | Drivers | MBR
Scan options disabled: Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Objects scanned: 354
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\WINDOWS\SYSTEM32\drivers\msidntfs.sys (Rootkit.Agent.PUA) -> Delete on reboot. [593becad261674c91e43f4bf10b3101c]
C:\WINDOWS\SYSTEM32\drivers\rdpbbshk.sys (Rootkit.Agent.PUA) -> Delete on reboot. [2fedd7895becb52eec2b4a42b2641998]

Physical Sectors Detected: 0
(No malicious items detected)

(end)

Below is the log from the Avast boot scan. I do apologize for this, as I did not think the boot scan was still scheduled or that it would run. We can restart the process with FRST64 if needed.

09/02/2017 16:16
Scan of all local drives

File C:\$Recycle.Bin\S-1-5-21-1322323461-4163524923-2021594764-1000\$R8VGSH3\svcvmx\svcvmx.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\$Recycle.Bin\S-1-5-21-1322323461-4163524923-2021594764-1000\$R8VGSH3\svcvmx\vmxclient.exe is infected by Win32:Malware-gen, Moved to chest
File C:\A\A\Android-SDK\android-sdk-windows\platforms\android-7\images\userdata.img|>META-INF\MANIFEST.MF Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\ntuserlitelist\regtool\regtool.exe is infected by Win32:Malware-gen, Moved to chest
File C:\Program Files\ntuserlitelist\svcvmx\svcvmx.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe is infected by Win32:Malware-gen, Moved to chest
File C:\ProgramData\Skype\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}\Skype.msi|>Product.CAB|>Skype.exe Error 42127 {CAB archive is corrupted.}
File C:\Users\Joe Meherg\AppData\LocalLow\Google\GoogleEarth\webdata\f_000073|>default.kml Error 42125 {ZIP archive is corrupted.}
File C:\Users\Joe Meherg\AppData\LocalLow\Google\GoogleEarth\webdata\f_0000dc|>doc.kml Error 42125 {ZIP archive is corrupted.}
File C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\scjhfg\zbnmj\ct.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Windows\Installer\35db9.msi|>Product.CAB|>Skype.exe Error 42127 {CAB archive is corrupted.}
File C:\Windows\SoftwareDistribution\Download\08a5b42c7bc06e94717c2dc30a5ec39f\excel-x-none.cab|>excel-x-none.msp Error 42127 {CAB archive is corrupted.}
File C:\Windows.old\Users\Home\AppData\Local\CRE\nemfjadlboooiffmcelkafilagddogim.crx|>plugins\ConduitChromeApiPlugin.dll is infected by Win32:SearchProtect-BZ [Adw], Moved to chest
File C:\Windows.old\Users\Home\AppData\Local\Mozilla\Firefox\Profiles\5ztawlws.default\Cache\2\09\B41C1d01|>Plugins\npConduitFirefoxPlugin.dll is infected by Win32:Conduit-AM [Adw], Moved to chest
File C:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_0004e0|>default.kml Error 42125 {ZIP archive is corrupted.}
File C:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_000551|>doc.kml Error 42125 {ZIP archive is corrupted.}
File C:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_00055c|>doc.kml Error 42125 {ZIP archive is corrupted.}
File C:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_000d0e|>default.kml Error 42125 {ZIP archive is corrupted.}
File C:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_0017b6|>default.kml Error 42125 {ZIP archive is corrupted.}
File C:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_001949|>doc.kml Error 42125 {ZIP archive is corrupted.}
File C:\Data\Plus 3\Projects\Bin Mapping\Master Bin Mapping file 7-14.xls.001|>Workbook Error 42144 {OLE archive is corrupted.}
File C:\Data\Image Craft\Archived\Old Sang\Old Sang 2\ARCHIVE\EXCEL\CAREXP.XLS|>Book Error 42144 {OLE archive is corrupted.}
File E:\A\A\Android-SDK\android-sdk-windows\platforms\android-7\images\userdata.img|>META-INF\MANIFEST.MF Error 42125 {ZIP archive is corrupted.}
File E:\Data\Image Craft\Archived\Old Sang\Old Sang 2\ARCHIVE\EXCEL\CAREXP.XLS|>Book Error 42144 {OLE archive is corrupted.}
File E:\Data\Plus 3\Projects\Bin Mapping\Master Bin Mapping file 7-14.xls.001|>Workbook Error 42144 {OLE archive is corrupted.}
File G:\A\A\Android-SDK\android-sdk-windows\platforms\android-7\images\userdata.img|>META-INF\MANIFEST.MF Error 42125 {ZIP archive is corrupted.}
File G:\A\A\IMSI TurboFloorPlan 3D Home and Landscape Pro v17 - CORE\keygen.exe is infected by Win32:Malware-gen, Moved to chest
File G:\B-Torrent\G-Finished\Amateur_Photographer_13_11_2010.pdf is infected by Win32:FakeAV-ANO [Trj], Moved to chest
File G:\B-Torrent\G-Finished\Google Satellite Maps Downloader v6.45 + Patch By ChattChitto\Google Satellite Maps Downloader v6.45 + Patch By ChattChitto.exe is infected by Win32:Dropper-gen [Drp], Moved to chest
File G:\Data\Image Craft\Archived\Old Sang\Old Sang 2\ARCHIVE\EXCEL\CAREXP.XLS|>Book Error 42144 {OLE archive is corrupted.}
File G:\Data\Plus 3\Projects\Bin Mapping\Master Bin Mapping file 7-14.xls.001|>Workbook Error 42144 {OLE archive is corrupted.}
File G:\ProgramData\Skype\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}\Skype.msi|>Product.CAB|>Skype.exe Error 42127 {CAB archive is corrupted.}
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\373KD02V\spstub[1].exe|>nsis.hdr is infected by Win32:SearchProtect-DG [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R2\$PLUGINSDIR\SPtool.dll is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\CltMngSvc.exe is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\SPTool.dll is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\uninstall.exe|>$R2\$PLUGINSDIR\SPtool.dll is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\cltmng.exe is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\SPVC32.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\SPVC32Loader.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\SPVC64Loader.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\SPVC64.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\rep\$R1\SPTool64.exe is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ\SPSetup[1].exe|>$R1\dialogs\libs\$R1\cltmngui.exe is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JLU2CIZU\KeyFinderInstaller[1].exe|>{tmp}\OCSetupHlp.dll is infected by Win32:OpenCandy-D [PUP], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R2\$PLUGINSDIR\SPtool.dll is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\CltMngSvc.exe is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\SPTool.dll is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\uninstall.exe|>$R2\$PLUGINSDIR\SPtool.dll is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\cltmng.exe is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\SPVC32.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\SPVC32Loader.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\SPVC64Loader.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\SPVC64.dll is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\SPTool64.exe is infected by Win32:Conduit-I [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\dialogs\libs\$R1\cltmngui.exe is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\LocalLow\Google\GoogleEarth\webdata\f_000073|>default.kml Error 42125 {ZIP archive is corrupted.}
File G:\Users\Joe Meherg\AppData\LocalLow\Google\GoogleEarth\webdata\f_0000dc|>doc.kml Error 42125 {ZIP archive is corrupted.}
File G:\Users\Joe Meherg\AppData\Roaming\OpenCandy\C661848B4DA24120A4B7D44293730F61\bundlore_sp.exe|>{tmp}\sp-downloader.exe|>nsis.hdr is infected by Win32:SearchProtect-DG [Adw], Moved to chest
File G:\Windows\AutoKMS\AutoKMS.exe is infected by Win32:PUP-gen [PUP], Moved to chest
File G:\Windows\Installer\35db9.msi|>Product.CAB|>Skype.exe Error 42127 {CAB archive is corrupted.}
File G:\Windows.old\Program Files (x86)\OApps\SelectionLinks.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File G:\Windows.old\ProgramData\Tarma Installer\{68F250EA-9638-4DCF-96C4-D68CC340EC48}\_Setupx.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File G:\Windows.old\Users\Home\AppData\Local\CRE\nemfjadlboooiffmcelkafilagddogim.crx|>plugins\ConduitChromeApiPlugin.dll is infected by Win32:SearchProtect-BZ [Adw], Moved to chest
File G:\Windows.old\Users\Home\AppData\Local\Mozilla\Firefox\Profiles\5ztawlws.default\Cache\2\09\B41C1d01|>Plugins\npConduitFirefoxPlugin.dll is infected by Win32:Conduit-AM [Adw], Moved to chest
File G:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_0004e0|>default.kml Error 42125 {ZIP archive is corrupted.}
File G:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_000551|>doc.kml Error 42125 {ZIP archive is corrupted.}
File G:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_00055c|>doc.kml Error 42125 {ZIP archive is corrupted.}
File G:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_000d0e|>default.kml Error 42125 {ZIP archive is corrupted.}
File G:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_0017b6|>default.kml Error 42125 {ZIP archive is corrupted.}
File G:\Windows.old\Users\Home\AppData\LocalLow\Google\GoogleEarth\webdata\f_001949|>doc.kml Error 42125 {ZIP archive is corrupted.}
File G:\Windows.old\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\5ztawlws.default\extensions\{07cbf788-1359-421b-a4e3-5a8d041b90a3}\Plugins\npConduitFirefoxPlugin.dll is infected by Win32:Conduit-AM [Adw], Moved to chest
File G:\Windows.old\Users\Home\AppData\Roaming\Yontoo\dat\Dora.dat is infected by Win32:Adware-gen [Adw], Moved to chest
File G:\Windows.old\Users\Home\AppData\Roaming\Yontoo\dat\Paladin.dat is infected by Win32:Adware-gen [Adw], Moved to chest
File G:\Windows.old\Users\Home\AppData\Roaming\Yontoo\dat\Phoenix.dat is infected by Win32:GenMaliciousA-VSH [PUP], Moved to chest
File H:\B Torrent\Finished\Amateur_Photographer_13_11_2010.pdf is infected by Win32:FakeAV-ANO [Trj], Deleted
File H:\Data\Image Craft\Archived\Old Sang\Old Sang 2\ARCHIVE\EXCEL\CAREXP.XLS|>Book Error 42144 {OLE archive is corrupted.}
File H:\Data\Plus 3\Projects\Bin Mapping\Master Bin Mapping file 7-14.xls.001|>Workbook Error 42144 {OLE archive is corrupted.}
Number of searched folders: 162655
Number of tested files: 6259207
Number of infected files: 46

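A log this long is easier to triage with a script than by eye. The parser below is an added example, not part of the thread and not a tool from Avast or Malwarebytes; it handles the two line shapes that appear in the boot-scan log above (a detection, "File <path> is infected by <name> [<tag>], <action>", and a scanner error, "File <path> Error <code> {<message>}") and splits nested paths on the "|>" archive separator. Collapsing hits to their on-disk container is the useful part: the 22 Conduit detections in the posted log are two copies of one NSIS installer (SPSetup[1].exe in the IE cache and SpSetup.exe in Temp), and most remaining hits sit under Windows.old, $Recycle.Bin or the G: and H: drives, which appear to be copies of the system drive rather than running code. The sample lines are constructed in the same shape as the posted log, the bracketed-tag risk mapping (Trj/Drp high, Adw/PUP low, untagged generic verdicts high until inspected) is this example's own assumption, and the footer cross-check only proves the regex kept pace with the scanner's own count.

```python
"""Triage parser for Avast boot-time scan log lines (added example)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the same shape as the posted log (paths shortened,
# not the real 46-detection log).
SAMPLE_LOG = r"""
09/02/2017 16:16
Scan of all local drives

File C:\Program Files\ntuserlitelist\regtool\regtool.exe is infected by Win32:Malware-gen, Moved to chest
File C:\Program Files\ntuserlitelist\svcvmx\svcvmx.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Users\Joe Meherg\AppData\LocalLow\Google\GoogleEarth\webdata\f_000073|>default.kml Error 42125 {ZIP archive is corrupted.}
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R2\$PLUGINSDIR\SPtool.dll is infected by Win32:Conduit-F [Adw], Moved to chest
File G:\Users\Joe Meherg\AppData\Local\Temp\nsh7FDC\SpSetup.exe|>$R1\rep\$R1\CltMngSvc.exe is infected by Win32:Conduit-F [Adw], Moved to chest
File H:\B Torrent\Finished\Amateur_Photographer_13_11_2010.pdf is infected by Win32:FakeAV-ANO [Trj], Deleted
File G:\Windows\AutoKMS\AutoKMS.exe is infected by Win32:PUP-gen [PUP], Moved to chest
Number of infected files: 6
"""

DETECTION_RE = re.compile(
    r"^File (?P<path>.+?) is infected by (?P<name>\S+?)"
    r"(?: \[(?P<tag>[A-Za-z]+)\])?, (?P<action>.+)$"
)
ERROR_RE = re.compile(r"^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
FOOTER_RE = re.compile(r"^Number of infected files: (?P<n>\d+)$", re.MULTILINE)

# Assumed risk mapping for Avast's bracketed class tag: Adw/PUP are
# nuisance-ware, Trj/Drp are real malware. Untagged generic verdicts
# (Win32:Malware-gen) are treated as high until someone looks at the sample.
HIGH_RISK_TAGS = {"Trj", "Drp"}


@dataclass
class Detection:
    path: str            # full path as logged, "|>" separating archive layers
    name: str            # e.g. Win32:Conduit-F
    tag: Optional[str]   # Adw / Trj / PUP / Drp, or None for untagged verdicts
    action: str          # "Moved to chest" or "Deleted"

    @property
    def container(self) -> str:
        """The on-disk file: everything before the first archive separator."""
        return self.path.split("|>", 1)[0]

    @property
    def nested(self) -> bool:
        return "|>" in self.path

    @property
    def severity(self) -> str:
        if self.tag is None or self.tag in HIGH_RISK_TAGS:
            return "high"
        return "low"


@dataclass
class ScanError:
    path: str
    code: int
    message: str


def parse_avast_log(text: str) -> tuple[list[Detection], list[ScanError]]:
    """Split log lines into detections and scanner errors; other lines are ignored."""
    detections, errors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := DETECTION_RE.match(line):
            detections.append(Detection(m["path"], m["name"], m["tag"], m["action"]))
        elif m := ERROR_RE.match(line):
            errors.append(ScanError(m["path"], int(m["code"]), m["msg"]))
    return detections, errors


def footer_matches(text: str, detections: list[Detection]) -> bool:
    """Cross-check the parser against the scanner's own infected-file count."""
    m = FOOTER_RE.search(text)
    return m is not None and int(m["n"]) == len(detections)


def summarize(detections: list[Detection]) -> dict:
    return {
        "by_family": Counter(d.name for d in detections),
        "by_action": Counter(d.action for d in detections),
        # distinct files on disk: nested hits inside one installer count once
        "containers": sorted({d.container for d in detections}),
        "high_risk": [d.path for d in detections if d.severity == "high"],
    }


if __name__ == "__main__":
    dets, errs = parse_avast_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, {len(errs)} archive errors, "
          f"footer consistent: {footer_matches(SAMPLE_LOG, dets)}")
    for key, value in summarize(dets).items():
        print(f"{key}: {value}")
```

Run it against the real log by replacing SAMPLE_LOG with the pasted text; "Error 42125/42127/42144" lines are the scanner failing to open a corrupt archive, not detections, which is why they are kept separate from the infected-file count.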

#5 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,660 posts

Posted 03 September 2017 - 10:02 PM

It's fine, no worries :)

Now, let's run a scan with Malwarebytes.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#6 Judman13
  • Topic Starter
  • Members
  • 21 posts

Posted 05 September 2017 - 01:39 PM

Aura,

I can finally access the thread again!!

Attached is the MalwareBytes Anti-Malware scan that broke the thread when I tried to paste it.



#7 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,660 posts

Posted 05 September 2017 - 01:43 PM

Awesome :) I don't see anything attached in your post however!



#8 Judman13
  • Topic Starter
  • Members
  • 21 posts

Posted 05 September 2017 - 01:48 PM

Duh! I chose the file, but didn't click "Attach This File". Guess I got a little excited.

It is attached now!



#9 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,660 posts

Posted 05 September 2017 - 01:49 PM

All good :) Now let's do a sweep with AdwCleaner and JRT.

AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Press any key to launch the scan and let it complete
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply
Your next reply(ies) should therefore contain:
  • Copy/pasted AdwCleaner clean log
  • Copy/pasted JRT log



#10 Judman13
  • Topic Starter
  • Members
  • 21 posts

Posted 05 September 2017 - 02:12 PM

Both ran with no issues!

AdwCleaner Log

# AdwCleaner 7.0.2.1 - Logfile created on Tue Sep 05 19:00:53 2017
# Updated on 2017/29/08 by Malwarebytes 
# Running on Windows 7 Ultimate (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

Deleted: C:\Users\Joe Meherg\AppData\Local\llssoft
Deleted: C:\Program Files\ntuserlitelist


***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\dotomi.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\speedial.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
Deleted: [Key] - HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\APN PIP
Deleted: [Key] - HKCU\Software\APN PIP
Deleted: [Key] - HKCU\Software\Classes\CLSID\{BEBBC426-4F16-4567-8FE1-BE198C982027}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
Deleted: [Key] - HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Speedial
Deleted: [Key] - HKCU\Software\Speedial
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driversupport.com


***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: MSN Homepage & Bing Search Engine - 


*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [2462 B] - [2017/8/27 3:10:52]
C:/AdwCleaner/AdwCleaner[C1].txt - [1372 B] - [2017/8/27 4:24:20]
C:/AdwCleaner/AdwCleaner[S0].txt - [2673 B] - [2017/8/27 3:8:10]
C:/AdwCleaner/AdwCleaner[S1].txt - [1322 B] - [2017/8/27 4:22:53]
C:/AdwCleaner/AdwCleaner[S2].txt - [2459 B] - [2017/9/5 18:59:56]


########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt ##########

 

Junkware Removal Tool

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7 Ultimate x64 
Ran by Joe Meherg (Administrator) on Tue 09/05/2017 at 14:08:14.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 88 

Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0R2SYS3X (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UWB3IQL (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\31WY4OO0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\32RFSUC2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\373KD02V (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3BVJBAFL (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4CYV4RZT (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\543CL5HA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\72627HNZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7L3CMFF5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X068E7K (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8FEZK50E (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8I9IGIC7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8LFPQ1KY (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A0BLX5HO (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFHHXRV2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BLP7A3OZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN48TRSK (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DPSQ3DA6 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DU0P5U0P (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E7UWN24O (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E91UOR3E (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FBWLQHZU (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G52UR0BD (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5US8NT4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZ22E5SJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJKGBFPB (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAQ8XWMG (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JLU2CIZU (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MXQ7UOCW (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N7U2VZJI (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P37O9A3D (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBTG4K4E (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLONFHGE (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QRHIWH3Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TG6XWH4U (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEXWJM8Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VDZBECO0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VNGTALC9 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VRY72J8Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XG8IZAB5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XI3738PV (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Joe Meherg\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZRX57ZXE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0R2SYS3X (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UWB3IQL (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\31WY4OO0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\32RFSUC2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\373KD02V (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3BVJBAFL (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4CYV4RZT (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\543CL5HA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\72627HNZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7L3CMFF5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7X068E7K (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8FEZK50E (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8I9IGIC7 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8LFPQ1KY (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A0BLX5HO (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFHHXRV2 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BLP7A3OZ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CN48TRSK (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DPSQ3DA6 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DSNQTMTJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DU0P5U0P (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E7UWN24O (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E91UOR3E (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FBWLQHZU (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G52UR0BD (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G5US8NT4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GZ22E5SJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJKGBFPB (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JAQ8XWMG (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JLU2CIZU (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MXQ7UOCW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N7U2VZJI (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P37O9A3D (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBTG4K4E (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLONFHGE (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QRHIWH3Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TG6XWH4U (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UEXWJM8Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VDZBECO0 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VNGTALC9 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VRY72J8Y (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XG8IZAB5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XI3738PV (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZRX57ZXE (Temporary Internet Files Folder) 



Registry: 1 

Successfully deleted: HKCU\Software\Google\Chrome\Extensions\bakijjialdiiboeaknfpmflphhmljfkd (Registry Key) 




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 09/05/2017 at 14:11:35.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Edited by Judman13, 05 September 2017 - 02:12 PM.


#11 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 05 September 2017 - 02:29 PM

Awesome :) Now, let's run a scan with FRST to see if there's anything left to remove.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • Click on the Scan button
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, and then two Notepad files will open
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#12 Judman13

Judman13
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:03:57 AM

Posted 05 September 2017 - 02:34 PM

Alright, FRST done. Logs below.


FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017
Ran by Joe Meherg (administrator) on HOME-OPI (05-09-2017 14:31:46)
Running from C:\Users\Joe Meherg\Desktop
Loaded Profiles: Joe Meherg (Available Profiles: Joe Meherg)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe
() C:\Program Files\Blue Iris 4\BlueIrisService.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE
(Perspective Software) C:\Program Files\Blue Iris 4\BlueIris.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Oracle Corporation) C:\Program Files (x86)\Java\jre1.8.0_111\bin\javaw.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
() C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\TrayTipAgentE.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc64.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate_Media\Sync\MediaAggreService.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [239856 2017-09-04] (AVAST Software)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11545192 2014-05-01] (Realtek Semiconductor)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 3.1 eXtensible Host Controller Driver\Application\iusb3mon.exe [299504 2016-08-17] (Intel Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
HKLM-x32\...\Run: [FreeAgentTheaterTrayIcon] => C:\Program Files (x86)\Seagate\Seagate_Media\AgrregationStatus\StxMediaMenuMgr.exe [189480 2014-03-13] (Seagate LLC)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [1057920 2012-07-31] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [EaseUS EPM Tray Agent] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\TrayTipAgentE.exe [255072 2014-11-18] ()
HKLM-x32\...\Run: [EaseUS EPM tray] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\EpmNews.exe [2090176 2016-09-20] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM-x32\...\Run: [DriveUtilitiesHelper] => C:\Program Files (x86)\Western Digital\WD Utilities\WDDriveUtilitiesHelper.exe [1890664 2015-07-31] (Western Digital Technologies, Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [] => [X]
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27832272 2017-08-25] (Skype Technologies S.A.)
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [BingSvc] => C:\Users\Joe Meherg\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-11] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [AcuRiteConnect2] => C:\Program Files (x86)\AcuRite\AcuRiteConnect.exe [1312768 2016-07-22] (Chaney Instrument Co)
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [AcuRiteConnect1] => C:\Program Files\AcuRite\AcuRiteConnect.exe
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\MountPoints2: F - F:\Lenovo_Suite.exe
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\MountPoints2: {5014a032-4e95-11e7-8471-14dae9dd9059} - F:\Lenovo_Suite.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\DuckDns.lnk [2016-03-10]
ShortcutTarget: DuckDns.lnk -> C:\Program Files (x86)\DuckDNS\DuckDns.exe ()
Startup: C:\Users\Joe Meherg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Avast Free Antivirus.lnk [2017-09-01]
ShortcutTarget: Avast Free Antivirus.lnk -> C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
Startup: C:\Users\Joe Meherg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Outlook 2010.lnk [2014-05-01]
ShortcutTarget: Microsoft Outlook 2010.lnk -> C:\Windows\Installer\{90140000-003D-0000-0000-0000000FF1CE}\outicon.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.114.81.1 75.114.81.2
Tcpip\Parameters: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{8A135F5E-5531-4624-A0E8-027459BA553C}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{8A135F5E-5531-4624-A0E8-027459BA553C}: [DhcpNameServer] 8.8.8.8
Tcpip\..\Interfaces\{D26D50F4-333E-4EEC-B155-83C4ADB3057D}: [NameServer] 8.8.8.8
Tcpip\..\Interfaces\{D26D50F4-333E-4EEC-B155-83C4ADB3057D}: [DhcpNameServer] 75.114.81.1 75.114.81.2

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://speedial.com/?f=1&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://speedial.com/?f=1&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1322323461-4163524923-2021594764-1000 -> {38D8F50C-EC1D-4E40-ABBA-7F315AAE7793} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-11-26] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-11-26] (Oracle Corporation)
Handler-x32: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - C:\Program Files (x86)\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll [2009-09-16] (TODO: <Company name>)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2017-07-18] (Skype Technologies)

FireFox:
========
FF DefaultProfile: x5no8ms2.default
FF ProfilePath: C:\Users\Joe Meherg\AppData\Roaming\Mozilla\Firefox\Profiles\x5no8ms2.default [2017-09-04]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-11-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-11-26] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-27] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-07-31] (Adobe Systems Inc.)
FF Plugin-x32: Web Components -> C:\Program Files (x86)\Web Components\npWebVideoPlugin.dll [2016-05-17] ()
FF Plugin HKU\S-1-5-21-1322323461-4163524923-2021594764-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Joe Meherg\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-05-01] (Citrix Online)
FF Plugin HKU\S-1-5-21-1322323461-4163524923-2021594764-1000: @zoom.us/ZoomVideoPlugin -> C:\Users\Joe Meherg\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2014-11-17] (Zoom Video Communications, Inc.)

Chrome: 
=======
CHR DefaultProfile: Default
CHR HomePage: Default -> msn.com
CHR StartupUrls: Default -> "hxxps://news.google.com/","hxxp://drudgereport.com/"
CHR NewTab: Default ->  Active:"chrome-extension://fcfenmboojpjinhpgggodefccipikbpd/newTab.html"
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Profile: C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default [2017-09-05]
CHR Extension: (Yahoo Partner) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhfhojbhbnajajgihpicejdalbjlpcep [2017-08-27]
CHR Extension: (uBlock Origin) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-09-05]
CHR Extension: (Bing) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2017-09-05]
CHR Extension: (Yahoo Partner) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol [2017-08-27]
CHR Extension: (Cisco WebEx Extension) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2017-08-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-27]
CHR Extension: (Chrome Media Router) - C:\Users\Joe Meherg\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-27]
CHR HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bhfhojbhbnajajgihpicejdalbjlpcep] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2012-10-12] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-10-12] (ASUSTeK Computer Inc.)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-10-12] (ASUSTeK Computer Inc.)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7452288 2017-09-04] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [275208 2017-09-04] (AVAST Software)
R2 BlueIris; C:\Program Files\Blue Iris 4\BlueIrisService.exe [59960 2015-09-14] ()
R2 EpsonScanSvc; C:\Windows\system32\EscSvc64.exe [135824 2011-12-12] (Seiko Epson Corporation)
R2 FreeAgentTheater Service; C:\Program Files (x86)\Seagate\Seagate_Media\Sync\MediaAggreService.exe [243752 2014-03-13] (Seagate Technology LLC)
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [732448 2017-02-24] (Intel(R) Corporation)
S2 Intel(R) TPM Provisioning Service; C:\Program Files\Intel\iCLS Client\TPMProvisioningService.exe [548648 2017-02-24] (Intel(R) Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [197264 2017-06-06] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-21] (Malwarebytes)
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [20480 2009-09-16] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2007-05-24] (Intuit Inc.) [File not signed]
S3 RoxMediaDBVHS; C:\Program Files (x86)\Common Files\Roxio Shared\VHStoDVD\SharedCOM\RoxMediaDBVHS.exe [1112720 2012-07-30] (Corel Corporation)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [10803440 2017-08-17] (TeamViewer GmbH)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [307064 2015-07-31] (Western Digital Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-10-12] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2012-10-12] ()
R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [320528 2017-09-04] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [198976 2017-09-04] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [343296 2017-09-04] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [57736 2017-09-04] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [47016 2017-09-04] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [147784 2017-09-04] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [110376 2017-09-04] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [84416 2017-09-04] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1016384 2017-09-04] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [590880 2017-09-04] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [199312 2017-09-04] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [361336 2017-09-04] (AVAST Software)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [24056 2016-01-14] ()
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [21496 2016-01-14] ()
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77440 2017-08-24] ()
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [10848 2016-07-11] ()
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [10208 2016-07-11] ()
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [192960 2017-09-04] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [101824 2017-09-05] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [45472 2017-09-05] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [253888 2017-09-05] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [84256 2017-09-05] (Malwarebytes)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [200272 2017-04-10] (Intel Corporation)
R2 NPF; C:\Windows\SysWOW64\drivers\npf64.sys [36600 2015-09-11] (Riverbed Technology, Inc.)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38032 2015-08-18] (NVIDIA Corporation)
R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-07-10] (Corel Corporation)
S3 Ser2ph; C:\Windows\system32\drivers\ser2ph64.sys [89600 2009-05-19] (Prolific Technology Inc.)
S3 ssuddmgr; C:\Windows\system32\drivers\ssuddmgr.sys [203672 2013-06-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 ssudobex; C:\Windows\system32\drivers\ssudobex.sys [203672 2013-06-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 ssudrmnet; C:\Windows\system32\drivers\ssudrmnet.sys [67864 2013-06-20] (DEVGURU Co., LTD.)
S3 ssudserd; C:\Windows\system32\drivers\ssudserd.sys [203672 2013-06-20] (DEVGURU Co., LTD.(www.devguru.co.kr))
S3 ubloxusb; C:\Windows\system32\drivers\ubloxusb.sys [95232 2009-05-19] (u-blox AG)
S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDA64A.sys [738328 2012-05-04] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEM64A.sys [1226136 2012-05-04] (eMPIA Technology, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-05 14:31 - 2017-09-05 14:32 - 000021722 _____ C:\Users\Joe Meherg\Desktop\FRST.txt
2017-09-05 14:08 - 2017-09-05 14:08 - 000000000 ____D C:\ProgramData\SWCUTemp
2017-09-04 12:03 - 2017-09-04 12:03 - 000401488 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2017-09-04 07:07 - 2017-09-05 14:03 - 000101824 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2017-09-04 07:07 - 2017-09-05 14:03 - 000084256 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2017-09-04 07:07 - 2017-09-05 14:03 - 000045472 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2017-09-04 07:07 - 2017-09-04 07:07 - 000192960 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2017-09-04 07:07 - 2017-09-04 07:07 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-09-04 07:07 - 2017-09-04 07:07 - 000000000 ____D C:\Program Files\Malwarebytes
2017-09-04 07:07 - 2017-08-24 11:27 - 000077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-09-03 21:50 - 2017-09-05 14:31 - 000000000 ____D C:\Users\Joe Meherg\Desktop\Malware Tools
2017-09-02 16:11 - 2017-09-05 14:03 - 000253888 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-09-02 16:11 - 2017-09-04 11:51 - 000000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2017-09-02 16:11 - 2017-09-04 07:07 - 000000000 ____D C:\ProgramData\Malwarebytes
2017-09-02 15:32 - 2017-09-05 14:31 - 000000000 ____D C:\FRST
2017-09-02 15:32 - 2017-09-02 15:32 - 002395648 _____ (Farbar) C:\Users\Joe Meherg\Desktop\FRST64.exe
2017-09-02 15:12 - 2017-09-02 15:30 - 000000000 ____D C:\sbav
2017-09-02 14:55 - 2017-09-02 14:55 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileASSASSIN
2017-09-02 14:55 - 2017-09-02 14:55 - 000000000 ____D C:\Program Files (x86)\FileASSASSIN
2017-08-27 21:30 - 2017-08-27 21:30 - 000002663 _____ C:\Users\Joe Meherg\Desktop\AcuRite PC Connect.lnk
2017-08-27 09:13 - 2017-08-27 09:13 - 000000000 ____D C:\Users\Admin\AppData\Local\CEF
2017-08-27 09:12 - 2017-08-27 09:12 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Epson
2017-08-27 09:11 - 2017-08-27 09:12 - 000002259 _____ C:\Users\Admin\Desktop\Google Chrome.lnk
2017-08-27 09:11 - 2017-08-27 09:12 - 000000000 ____D C:\Users\Admin
2017-08-27 09:11 - 2017-08-27 09:11 - 000001377 _____ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2017-08-27 09:11 - 2017-08-27 09:11 - 000000020 ___SH C:\Users\Admin\ntuser.ini
2017-08-27 09:11 - 2017-08-27 09:11 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Adobe
2017-08-27 09:11 - 2017-08-27 09:11 - 000000000 ____D C:\Users\Admin\AppData\Local\Google
2017-08-27 09:11 - 2015-09-27 20:37 - 000000000 ____D C:\Users\Admin\AppData\Roaming\AVAST Software
2017-08-27 09:11 - 2009-07-14 02:45 - 000000000 ____D C:\Users\Admin\AppData\Roaming\Media Center Programs
2017-08-26 22:06 - 2017-09-05 14:00 - 000000000 ____D C:\AdwCleaner
2017-08-26 17:11 - 2017-09-01 18:40 - 000000000 ____D C:\Windows\pss
2017-08-26 16:55 - 2017-08-26 16:55 - 000000000 ___HD C:\$AV_ASW
2017-08-26 16:53 - 2017-08-26 16:53 - 000000000 ____D C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\scjhfg
2017-08-26 16:52 - 2017-08-26 16:52 - 002768896 ____N (TOSHIBA CORPORATION) C:\Windows\system32\mswygme.exe
2017-08-26 16:52 - 2017-08-26 16:52 - 000021538 _____ C:\Windows\System32\Tasks\u4IinpQfYVSg
2017-08-26 16:52 - 2017-08-26 16:52 - 000000020 _____ C:\Windows\b8727122
2017-08-26 12:18 - 2016-08-17 23:46 - 000053248 _____ (Intel Corporation) C:\Windows\system32\Drivers\USB3Ver.dll
2017-08-26 12:16 - 2017-08-26 12:16 - 000003646 _____ C:\Windows\System32\Tasks\Intel PTT EK Recertification
2017-08-26 12:15 - 2017-08-26 12:16 - 000000000 ____D C:\ProgramData\Intel
2017-08-26 12:15 - 2017-08-26 12:15 - 000000000 __SHD C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\EmieUserList
2017-08-26 12:15 - 2017-08-26 12:15 - 000000000 __SHD C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\EmieSiteList
2017-08-26 11:54 - 2017-08-27 12:06 - 000000000 ____D C:\Users\Joe Meherg.HOME-OPI-NEW-PC
2017-08-26 11:54 - 2017-08-26 11:54 - 000000020 ___SH C:\Users\Joe Meherg.HOME-OPI-NEW-PC\ntuser.ini
2017-08-26 11:54 - 2015-09-27 20:37 - 000000000 ____D C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Roaming\AVAST Software
2017-08-26 02:55 - 2017-08-26 02:55 - 000014336 _____ (Droite) C:\Windows\generic.exe
2017-08-23 18:10 - 2017-08-23 18:10 - 000002210 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth Pro.lnk
2017-08-23 18:10 - 2017-08-23 18:10 - 000002172 _____ C:\Users\Public\Desktop\Google Earth Pro.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-09-05 14:23 - 2014-05-01 15:54 - 000000000 ____D C:\Users\Joe Meherg\AppData\Roaming\Skype
2017-09-05 14:12 - 2009-07-13 23:45 - 000023408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-09-05 14:12 - 2009-07-13 23:45 - 000023408 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-09-05 14:11 - 2016-11-19 11:53 - 000000616 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job
2017-09-05 14:09 - 2014-05-01 16:13 - 000000000 ____D C:\Users\Joe Meherg\Documents\Outlook Files
2017-09-05 14:02 - 2009-07-14 00:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-05 13:36 - 2015-03-24 10:10 - 000000520 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job
2017-09-05 11:16 - 2017-03-15 14:38 - 000000000 ___RD C:\Program Files (x86)\Skype
2017-09-05 11:16 - 2014-05-01 15:54 - 000000000 ____D C:\ProgramData\Skype
2017-09-05 07:14 - 2009-07-14 00:13 - 000786362 _____ C:\Windows\system32\PerfStringBackup.INI
2017-09-05 07:14 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\inf
2017-09-05 07:12 - 2017-03-19 12:10 - 000000000 ____D C:\Users\Joe Meherg\Desktop\Game camera
2017-09-04 19:07 - 2015-12-03 08:32 - 000000000 ____D C:\Program Files\Common Files\AV
2017-09-04 12:03 - 2017-02-07 11:07 - 000003914 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-09-04 12:03 - 2014-05-01 12:21 - 001016384 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2017-09-04 12:03 - 2014-05-01 12:21 - 000590880 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2017-09-04 12:03 - 2014-05-01 12:21 - 000361336 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-09-04 12:03 - 2014-05-01 12:21 - 000199312 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-09-04 12:03 - 2014-05-01 12:21 - 000147784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2017-09-04 12:03 - 2014-05-01 12:21 - 000110376 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-09-04 12:03 - 2014-05-01 12:21 - 000084416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-09-04 12:03 - 2014-05-01 12:21 - 000047016 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-09-04 12:02 - 2017-02-07 11:07 - 000343296 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbloga.sys
2017-09-04 12:02 - 2017-02-07 11:07 - 000320528 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-09-04 12:02 - 2017-02-07 11:07 - 000198976 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsha.sys
2017-09-04 12:02 - 2017-02-07 11:07 - 000057736 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbuniva.sys
2017-09-04 12:02 - 2014-05-02 12:15 - 000000000 ____D C:\Program Files (x86)\TeamViewer
2017-09-04 00:00 - 2016-10-22 20:51 - 000000000 ____D C:\Chaney Instrument Co
2017-09-02 16:15 - 2009-07-13 21:34 - 020971520 _____ C:\Windows\system32\config\HARDWARE
2017-09-01 18:28 - 2015-02-07 09:12 - 000000000 ____D C:\Users\Joe Meherg\AppData\Roaming\TeamViewer
2017-08-30 12:48 - 2015-11-28 18:09 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-08-29 23:24 - 2015-07-04 18:29 - 000000000 ____D C:\Users\Joe Meherg\Desktop\New House & Land
2017-08-28 16:46 - 2014-05-01 11:18 - 000002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-08-27 11:00 - 2016-11-09 19:11 - 000000971 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 12.lnk
2017-08-27 11:00 - 2016-11-09 19:11 - 000000959 _____ C:\Users\Public\Desktop\TeamViewer 12.lnk
2017-08-27 09:14 - 2009-07-14 00:09 - 000000000 ____D C:\Windows\System32\Tasks\WPD
2017-08-27 09:11 - 2009-07-13 23:57 - 000001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-08-27 08:52 - 2017-04-15 09:23 - 000750916 _____ C:\Windows\ntbtlog.txt
2017-08-26 23:39 - 2014-05-01 13:21 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2017-08-26 22:26 - 2014-05-01 12:20 - 000000000 ____D C:\ProgramData\AVAST Software
2017-08-26 22:07 - 2011-11-24 22:43 - 000000000 ____D C:\A
2017-08-26 20:43 - 2014-05-02 09:56 - 000000000 ____D C:\Windows\AutoKMS
2017-08-26 17:01 - 2017-02-04 10:59 - 000000000 ____D C:\ProgramData\NVIDIA
2017-08-26 17:01 - 2014-05-01 11:16 - 000000000 ____D C:\ProgramData\NVIDIA Corporation
2017-08-26 17:01 - 2014-05-01 11:15 - 000000000 ____D C:\Program Files\NVIDIA Corporation
2017-08-26 17:01 - 2009-07-13 22:20 - 000000000 ____D C:\Windows\Help
2017-08-26 14:08 - 2014-05-02 09:56 - 000000266 _____ C:\Windows\Tasks\AutoKMS.job
2017-08-26 14:06 - 2017-04-08 06:08 - 000000000 _____ C:\Windows\SysWOW64\last.dump
2017-08-26 12:18 - 2014-05-01 12:13 - 000000000 ____D C:\Program Files (x86)\Intel
2017-08-26 12:16 - 2017-04-15 08:13 - 000000000 ____D C:\Program Files\Intel
2017-08-26 11:06 - 2014-05-01 12:01 - 000000000 ____D C:\Windows\SysWOW64\RTCOM
2017-08-25 06:00 - 2014-05-01 10:46 - 000000000 ____D C:\Users\Joe Meherg
2017-08-24 17:22 - 2011-11-24 22:43 - 000000000 ____D C:\Data
2017-08-23 18:10 - 2014-05-01 11:17 - 000000000 ____D C:\Program Files (x86)\Google
2017-08-23 10:35 - 2017-07-09 01:17 - 000000000 ____D C:\Program Files (x86)\GoToMeeting
2017-08-23 10:35 - 2016-11-19 11:53 - 000003670 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000
2017-08-23 10:35 - 2015-03-24 10:10 - 000003574 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000
2017-08-23 10:21 - 2016-03-10 20:33 - 000000000 ____D C:\Program Files\Blue Iris 4
2017-08-21 07:46 - 2016-12-30 18:35 - 000000000 ____D C:\Users\Joe Meherg\Desktop\Office
2017-08-12 19:41 - 2014-05-08 21:22 - 000000000 ____D C:\Users\Joe Meherg\AppData\Local\Wings of Prey
2017-08-12 19:32 - 2014-05-08 20:50 - 000000000 ____D C:\Program Files (x86)\Gaijin
2017-08-11 09:06 - 2015-01-10 12:31 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-08-09 03:00 - 2015-05-05 07:24 - 000004312 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-08-09 03:00 - 2014-09-01 09:00 - 000803328 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-08-09 03:00 - 2014-09-01 09:00 - 000144896 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-08-09 03:00 - 2014-09-01 08:59 - 000000000 ____D C:\Windows\system32\Macromed
2017-08-09 03:00 - 2014-05-01 19:42 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-08-06 17:47 - 2014-05-04 16:14 - 000000000 ____D C:\Users\Joe Meherg\AppData\Roaming\vlc

==================== Files in the root of some directories =======

2014-08-17 14:46 - 2014-03-20 17:49 - 001170056 _____ (Microsoft Corporation) C:\Users\Joe Meherg\AppData\Roaming\467ZP4IWI7.exe
2014-06-17 10:05 - 2014-10-24 15:51 - 000000408 _____ () C:\Users\Joe Meherg\AppData\Roaming\HOME-OPI.MTBF.txt
2014-12-25 11:10 - 2014-12-25 11:10 - 000038430 _____ () C:\Users\Joe Meherg\AppData\Roaming\Microsoft Excel 97-2003.ADR
2014-12-29 21:33 - 2014-12-29 21:48 - 000000712 _____ () C:\Users\Joe Meherg\AppData\Roaming\wavv
2014-06-02 10:06 - 2014-06-02 10:06 - 000000042 _____ () C:\Users\Joe Meherg\AppData\Roaming\WB.CFG
2014-06-17 10:05 - 2014-10-24 15:52 - 000000902 _____ () C:\Users\Joe Meherg\AppData\Roaming\__AvidCloudManager.log
2014-06-17 10:05 - 2014-06-17 10:29 - 000000358 _____ () C:\Users\Joe Meherg\AppData\Roaming\__AvidCloudManagerPrevious.log
2017-05-12 22:39 - 2017-05-12 22:39 - 000000000 ____H () C:\Users\Joe Meherg\AppData\Local\BIT79C2.tmp
2014-06-17 10:32 - 2014-06-17 10:32 - 000003584 _____ () C:\Users\Joe Meherg\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-06-13 16:27 - 2017-06-13 16:27 - 000004940 _____ () C:\Users\Joe Meherg\AppData\Local\recently-used.xbel
2016-07-09 21:11 - 2016-07-09 21:11 - 000007597 _____ () C:\Users\Joe Meherg\AppData\Local\Resmon.ResmonCfg
2017-05-12 22:38 - 2017-05-12 22:39 - 000000000 _____ () C:\Users\Joe Meherg\AppData\Local\{F44637E8-E3C4-44A8-9BCF-EB738C09BDEF}
2014-05-01 14:50 - 2016-04-23 14:30 - 000001041 _____ () C:\ProgramData\currdat.lst
2014-06-07 20:46 - 2016-04-23 14:30 - 000001041 _____ () C:\ProgramData\currdat.lst.tmp
2014-05-01 14:46 - 2014-05-01 14:46 - 010485760 _____ () C:\ProgramData\WV5DataStore

Some files in TEMP:
====================
2017-08-12 19:31 - 2017-08-12 19:31 - 002640128 _____ (                                                            ) C:\Users\Joe Meherg\AppData\Local\Temp\downloader_setup.exe
2017-07-13 14:03 - 2017-07-13 14:04 - 030950664 _____ () C:\Users\Joe Meherg\AppData\Local\Temp\vlc-2.2.6-win32.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-08-27 12:24

==================== End of FRST.txt ============================

Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by Joe Meherg (05-09-2017 14:32:27)
Running from C:\Users\Joe Meherg\Desktop
Windows 7 Ultimate Service Pack 1 (X64) (2017-05-13 11:52:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1322323461-4163524923-2021594764-500 - Administrator - Disabled)
Guest (S-1-5-21-1322323461-4163524923-2021594764-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1322323461-4163524923-2021594764-1002 - Limited - Enabled)
Joe Meherg (S-1-5-21-1322323461-4163524923-2021594764-1000 - Administrator - Enabled) => C:\Users\Joe Meherg

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.22 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0922-000001000000}) (Version: 9.22.00.0 - Igor Pavlov)
ABBYY FineReader 9.0 Sprint (HKLM-x32\...\{F9000000-0018-0000-0000-074957833700}) (Version: 9.00.15.58233 - ABBYY) Hidden
ABBYY FineReader 9.0 Sprint (HKLM-x32\...\ABBYY FineReader 9.0 Sprint) (Version: 9.00.15.58233 - ABBYY)
AcuRite PC Connect for Windows (HKLM-x32\...\{6E613C42-AC6D-457D-BE81-88811AD84473}) (Version: 2.0.2 - Chaney Instrument Co.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 17.012.20098 - Adobe Systems Incorporated)
Adobe Flash Player 26 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 26.0.0.151 - Adobe Systems Incorporated)
Amazon Kindle (HKLM-x32\...\Amazon Kindle) (Version:  - Amazon)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.2.9.0 - Asmedia Technology)
Audacity 2.0.5 (HKLM-x32\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.6.2310 - AVAST Software)
Blue Iris 4 (HKLM-x32\...\{24DBFE51-243F-4538-BB28-2FD7EC8E7F16}) (Version: 4.4.8.6 - Perspective Software)
Blue Iris ActiveX Control (HKLM-x32\...\{7106E079-28CA-4FEC-A083-6577EB674526}) (Version: 4.0.0.4 - Perspective Software) Hidden
Blue Iris ActiveX Control (HKLM-x32\...\InstallShield_{7106E079-28CA-4FEC-A083-6577EB674526}) (Version: 4.0.0.4 - Perspective Software)
Brother's Keeper 6.2 (HKLM-x32\...\Brother's Keeper 6.2) (Version:  - )
Citrix Online Launcher (HKLM-x32\...\{09DA5EE2-7E46-4DC4-96F9-BFEE50D40659}) (Version: 1.0.408 - Citrix)
CPUID CPU-Z 1.78 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
Creative Pack Volume 1 (HKLM-x32\...\{05181A78-3BA6-4B63-BCE8-888A4BCAACFA}) (Version: 3.0.1 - Corel Corporation)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - Acro Software Inc.)
Data Lifeguard Diagnostic for Windows 1.29 (HKLM-x32\...\{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1) (Version:  - Western Digital Corporation)
Dazzle Video Capture DVC100 X64 Driver 1.06 (HKLM-x32\...\{BFF23267-1D19-444E-93E2-E5059BE805EA}) (Version: 1.06.0000 - Pinnacle)
DCS World (HKLM\...\DCS World_is1) (Version: 1.2.10.32275 - )
Deluge 1.3.13 (HKLM-x32\...\Deluge) (Version:  - )
DirectX 9 Runtime (HKLM-x32\...\{AF9E97C1-7431-426D-A8D5-ABE40995C0B2}) (Version: 1.00.0000 - Sonic Solutions) Hidden
DuckDns version 1.0.5 (HKLM-x32\...\{72C90F4B-DDFB-410B-8761-9769CCF481AA}}_is1) (Version: 1.0.5 - ETX Software Inc.)
EaseUS Partition Master 11.10 (HKLM-x32\...\EaseUS Partition Master_is1) (Version:  - EaseUS)
Easy Photo Scan (HKLM-x32\...\{F2132D5C-4C3F-41A9-865B-68966A06B01C}) (Version: 1.00.0000 - Seiko Epson Corporation)
Epson Copy Utility 3.5 (HKLM-x32\...\{AA72FB28-73B4-49E5-B6B4-E78F44BBD0AD}) (Version: 3.5.0.0 - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.0.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{10144CFE-D76C-4CFA-81A1-37A1642349A3}) (Version: 3.01.0013 - Seiko Epson Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WF-7010 Series Printer Uninstall (HKLM\...\EPSON WF-7010 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.5.00 - SEIKO EPSON CORPORATION)
FileASSASSIN (HKLM-x32\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 60.0.3112.113 - Google Inc.)
Google Earth Pro (HKLM-x32\...\{ECF2E224-42F5-4E50-B58E-94CA70E85697}) (Version: 7.3.0.3832 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
GoToMeeting 8.10.0.7495 (HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\GoToMeeting) (Version: 8.10.0.7495 - LogMeIn, Inc.)
Hollywood FX Volumes 1-3 (HKLM-x32\...\{E3D181F8-246B-497F-945E-6DB98CBA6677}) (Version: 2.0.1 - Corel Corporation)
Intel(R) Chipset Device Software (HKLM-x32\...\{bb0592a7-5772-4736-9d55-2402740085db}) (Version: 10.1.1.38 - Intel(R) Corporation) Hidden
Intel(R) Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.7.0.1028 - Intel Corporation)
Intel(R) USB 3.0\3.1 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 5.0.0.32 - Intel Corporation)
iSpy package installer (64 bit) (HKLM-x32\...\{d747743e-b4c8-4ae7-8a61-a46b2a8f1c27}) (Version: 6.5.3.0 - DeveloperInABox)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
LADSPA_plugins-win-0.4.15 (HKLM-x32\...\LADSPA_plugins-win_is1) (Version:  - Audacity Team)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
Magical Jelly Bean KeyFinder (HKLM-x32\...\KeyFinder_is1) (Version: 2.0.10.9 - Magical Jelly Bean)
MagicDisc 2.7.106 (HKLM-x32\...\MagicDisc 2.7.106) (Version:  - )
Malwarebytes version 3.2.2.2018 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2018 - Malwarebytes)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft LifeCam (HKLM\...\{5CE7E3F5-9803-4F32-AA89-2D8848A80109}) (Version: 3.60.253.0 - Microsoft Corporation)
Microsoft MapPoint North America 2010 (HKLM-x32\...\{C82185E8-C27B-4EF4-2010-1111BC2C2B6D}) (Version: 17.0.18.2200 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Access database engine 2007 (English) (HKLM-x32\...\{90120000-00D1-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1031 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 51.0.1.6234 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Naval War Arctic Circle (HKLM-x32\...\Naval War Arctic Circle_is1) (Version:  - )
Perfection V550 User’s Guide version 1.0 (HKLM-x32\...\UsersGuidePerfection V550 User’s Guide_is1) (Version: 1.0 - )
Pinnacle Studio 17 - Install Manager (HKLM-x32\...\{F04D92CC-5C3A-46FA-9C98-6EACBDD262FF}) (Version: 17.0.128 - Corel Corporation)
Pinnacle Studio 17 - Standard Content Pack (HKLM-x32\...\{BA98BFA8-5EDF-450B-A92E-C096DC135D0E}) (Version: 17.0 - Corel Corporation)
Pinnacle Studio 17 (HKLM-x32\...\{3DA8F808-72E2-4361-82EC-433081D23005}) (Version: 17.0.0.128 - Corel Corporation)
Pinnacle Studio 17 Add-Ons (HKLM-x32\...\{0B9B3056-3E89-427D-BB27-B555F6077C47}) (Version: 17.0 - Corel) Hidden
Premium Pack Volumes 1-2 (HKLM-x32\...\{88C4D8A6-9954-46A0-965D-92E55DAB8734}) (Version: 2.0.1 - Corel Corporation)
QuickBooks Pro 2008 (HKLM-x32\...\{8ECB8220-F422-4BEB-9596-97033C533702}) (Version: 18.0.4010.606 - Intuit Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.31.1025.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6235 - Realtek Semiconductor Corp.)
Rise of Flight (HKLM-x32\...\{1101370E-0BBC-4939-8037-2AED92A5C15C}_is1) (Version:  - 1C-777)
Roxio Easy VHS to DVD 3 (HKLM-x32\...\{01EA1B5D-04A2-45BD-83BD-488D6EB7B942}) (Version: 3.0 - Roxio)
SADPTool (HKLM-x32\...\{7D9B79C2-B1B2-433B-844F-F4299B86F26E}) (Version: 3.0.0.2 - hikvision)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.27.0 - SAMSUNG Electronics Co., Ltd.)
ScoreFitter Volumes 1-2 (HKLM-x32\...\{0FDA9ECA-6DA3-480E-B7A9-76F353AF6B6C}) (Version: 2.0.1 - Corel Corporation)
Seagate Media Software (HKLM-x32\...\{56EC58EF-F243-4313-9F4E-E00A054A321E}) (Version: 2.01.0412 - Seagate) Hidden
Seagate Media Software (HKLM-x32\...\InstallShield_{56EC58EF-F243-4313-9F4E-E00A054A321E}) (Version: 2.01.0412 - Seagate)
SimCity 3000 (HKLM-x32\...\SimCity 3000) (Version:  - )
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.40 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.40.103 - Skype Technologies S.A.)
SupportSoft Assisted Service (HKLM-x32\...\{5A3F6A80-7913-475E-8B96-477A952CFA43}) (Version: 15 - SupportSoft)
SYSM Monitor (HKLM-x32\...\SYSM Monitor_is1) (Version:  - SYSM Monitor)
TeamViewer 12 (HKLM-x32\...\TeamViewer) (Version: 12.0.82216 - TeamViewer)
Title Extreme (HKLM-x32\...\{F7214014-27EE-4237-9978-2F9D1551559B}) (Version: 2.0.1 - Corel Corporation)
TurboFloorPlan 3D Home and Landscape Pro v17 (HKLM-x32\...\{D11B97EA-0DB6-4866-9E88-4564C44F3C2D}) (Version: 17.0 - IMSI Design, LLC)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
WD Drive Utilities (HKLM-x32\...\{22662b08-91e0-4540-bb98-c96f32e09417}) (Version: 1.3.0.18 - Western Digital Technologies, Inc.)
WD Drive Utilities (HKLM-x32\...\{DD0C1657-A79B-4FED-B70C-26C1FE50BFB5}) (Version: 1.3.0.18 - Western Digital Technologies, Inc.) Hidden
Web Components (HKLM-x32\...\{03B13AF8-9625-478A-AF0E-205337B9415A}_is1) (Version:  - )
Wings of Prey (Collector's Edition) (HKLM-x32\...\Wings of Prey (Collector's Edition)_is1) (Version:  - )
WUHU (HKLM-x32\...\WUHU) (Version:  - )
Yamaha QL Editor (HKLM-x32\...\{73963C3C-B681-484E-9B18-FC8494923990}) (Version: 4.1.0 - Yamaha Corporation) Hidden
Yamaha QL Editor (HKLM-x32\...\InstallShield_{73963C3C-B681-484E-9B18-FC8494923990}) (Version: 4.1.0 - Yamaha Corporation)
yuPlay client 0.7.50 (HKLM-x32\...\yuPlay клиент_is1) (Version:  - )
Zoom (HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\ZoomUMX) (Version: 3.0 - Zoom Video Communications, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1322323461-4163524923-2021594764-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files (x86)\Citrix\GoToMeeting\5530\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-04] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-04] (AVAST Software)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2011-04-19] (Igor Pavlov)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-04] (AVAST Software)
ContextMenuHandlers1: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} => C:\Program Files (x86)\MagicISO\misosh64.dll -> No File
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-04] (AVAST Software)
ContextMenuHandlers3-x32: [FAExt] -> {05672D66-9736-42F5-8BEB-FA1DD3CA51C4} => C:\Program Files (x86)\FileASSASSIN\FileASSASSINExt.dll [2007-03-30] (Malwarebytes)
ContextMenuHandlers3-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2011-04-19] (Igor Pavlov)
ContextMenuHandlers4: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} => C:\Program Files (x86)\MagicISO\misosh64.dll -> No File
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-09-04] (AVAST Software)
ContextMenuHandlers6: [MagicISO] -> {DB85C504-C730-49DD-BEC1-7B39C6103B7A} => C:\Program Files (x86)\MagicISO\misosh64.dll -> No File
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-21] (Malwarebytes)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0BC51137-0029-4F0A-82F5-A1FE574DC0C3} - System32\Tasks\{8B10AD68-143F-4864-A07E-BA6CD2FB7ACD} => C:\Program Files (x86)\Brother's Keeper 6\Bk6w.exe [2006-01-26] (John Steed / Brother's Keeper)
Task: {0FA73C66-32EA-42F4-9FA6-4B1106C4EC25} - System32\Tasks\{1F68D3D6-1CED-406D-993F-0EDA0EE911F5} => C:\Windows\system32\pcalua.exe -a "C:\Users\Joe Meherg\Downloads\IRST_V10501026_XPVistaWin7\IRST_V10501026_XPVistaWin7\Install\Setup.exe" -d "C:\Users\Joe Meherg\Downloads\IRST_V10501026_XPVistaWin7\IRST_V10501026_XPVistaWin7\Install\"
Task: {1DE3967A-4715-4B38-9D63-DBC835E8E4B3} - System32\Tasks\Auto Restart => C:\Windows\System32\shutdown.exe [2009-07-13] (Microsoft Corporation)
Task: {200490A7-0432-4BDD-BBB8-114A211CDAFE} - System32\Tasks\Intel PTT EK Recertification => C:\Program Files\Intel\iCLS Client\IntelPTTEKRecertification.exe [2017-02-24] (Intel(R) Corporation)
Task: {41286237-89EE-4C9E-BB94-E29C39FA1CBE} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe
Task: {569D7A2C-CA0B-4E38-AA7A-AB4041AEA2AC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {5BD71F69-429F-41C4-95C5-EDBDEE532765} - System32\Tasks\{86816B0A-99D8-4856-8C70-115FCFE70EE9} => C:\Windows\system32\pcalua.exe -a D:\ar405eng.exe -d D:\
Task: {6B40ECDF-7400-49EB-A4F0-383F7D10F93A} - System32\Tasks\u4IinpQfYVSg => u4iinpqfyvsg.exe
Task: {6C1E8862-1E8A-4CA7-96A1-D4A0940CEB5D} - System32\Tasks\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser => %windir%\system32\rundll32.exe aepdu.dll,AePduRunUpdate -nolegacy
Task: {78CDB515-234E-4368-94B2-4539CFD9A579} - \8727122 -> No File <==== ATTENTION
Task: {79439569-CEDD-4AF9-A2BC-FA74699A932D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-08-09] (Adobe Systems Incorporated)
Task: {795AD91F-0E8D-44DD-B8D0-7366457925F7} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-07-19] (Adobe Systems Incorporated)
Task: {7B9A8AB7-B68F-42E2-B5CE-0559459F889B} - System32\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000 => C:\Program Files (x86)\GoToMeeting\7495\g2mupload.exe [2017-08-23] (LogMeIn, Inc.)
Task: {879EFC11-3380-4874-B6BB-AB3142F4C197} - System32\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000 => C:\Program Files (x86)\GoToMeeting\7495\g2mupdate.exe [2017-08-23] (LogMeIn, Inc.)
Task: {9C7A4281-E536-457C-80C1-B66E21E85EC5} - System32\Tasks\{5864F3C9-0903-418D-BFB1-9F105E21DD8B} => "c:\program files (x86)\google\chrome\application\chrome.exe" hxxp://ui.skype.com/ui/0/7.4.85.102/en/abandoninstall?page=tsProgressBar
Task: {BB68571C-9D55-4A1E-9CC9-E5CFCFF080F3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {F2F8651D-2D71-4F3A-BBBD-533D36A668A2} - System32\Tasks\{21D3E6A0-0503-4B89-894D-81B381C8F838} => C:\Windows\system32\pcalua.exe -a C:\Windows\system32\pcwrun.exe -c "C:\Program Files (x86)\Brother's Keeper 6\Bk6w.exe"
Task: {FC6F1704-8FA4-45DD-8EA4-0C523D145BD1} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-09-04] (AVAST Software)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job => C:\Program Files (x86)\GoToMeeting\7495\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-2716531791-3994404392-2233368955-1000.job => C:\Program Files (x86)\GoToMeeting\7495\g2mupload.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2014-05-30 10:55 - 2013-10-23 14:24 - 000087600 _____ () C:\Windows\System32\cpwmon64.dll
2016-07-09 20:58 - 2012-10-12 03:59 - 000920736 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
2016-03-10 20:33 - 2015-09-14 21:55 - 000059960 _____ () C:\Program Files\Blue Iris 4\BlueIrisService.exe
2017-04-15 09:31 - 2014-11-18 14:44 - 000255072 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\TrayTipAgentE.exe
2017-09-04 07:07 - 2017-08-24 11:27 - 002264528 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000067408 _____ () C:\Program Files\AVAST Software\Avast\x64\module_lifetime.dll
2017-09-04 12:02 - 2017-09-04 12:02 - 000169832 _____ () c:\Program Files\AVAST Software\Avast\x64\vaarclient.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000824944 _____ () C:\Program Files\AVAST Software\Avast\x64\ffl2.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000286712 _____ () c:\Program Files\AVAST Software\Avast\x64\StreamBack.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000059040 _____ () C:\Program Files\AVAST Software\Avast\module_lifetime.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000167096 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000211904 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000241960 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000149568 _____ () C:\Program Files\AVAST Software\Avast\network_notifications.dll
2017-09-05 11:13 - 2017-09-05 11:13 - 005897648 _____ () C:\Program Files\AVAST Software\Avast\defs\17090502\algo.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000685688 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-09-04 12:03 - 2017-09-04 12:03 - 000241448 _____ () C:\Program Files\AVAST Software\Avast\streamback.dll
2016-07-09 20:58 - 2017-09-05 14:02 - 000032040 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\PEbiosinterface32.dll
2016-07-09 20:58 - 2012-10-12 03:58 - 000104448 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\ATKEX.dll
2017-08-17 16:51 - 2017-08-17 16:51 - 001993184 ____R () C:\Program Files (x86)\Skype\Phone\skypert.dll
2017-07-03 06:07 - 2017-07-03 06:07 - 067109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-09-04 12:02 - 2017-09-04 12:02 - 000233768 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000222792 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\traynet.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000275528 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\libcurl.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000113166 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\zlib1.dll
2017-04-15 09:31 - 2014-02-13 15:27 - 000249928 _____ () C:\Program Files (x86)\EaseUS\EaseUS Partition Master 11.10\bin\TrayPopupE\uexper.dll
2017-06-06 00:23 - 2017-06-06 00:23 - 001244304 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
AlternateDataStreams: C:\ProgramData\TEMP:A66CF953 [179]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMPCHelper => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tvnserver => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2017-09-02 15:05 - 000008796 _____ C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 3dns-2.adobe.com #192.150.22.22
127.0.0.1 3dns-3.adobe.com #192.150.14.21
127.0.0.1 3dns-4.adobe.com #192.150.18.247
127.0.0.1 3dns-5.adobe.com #192.150.22.46
127.0.0.1 adobe-dns.adobe.com #192.150.11.30
127.0.0.1 adobe-dns-2.adobe.com #192.150.11.247
127.0.0.1 adobe-dns-3.adobe.com #192.150.22.30
127.0.0.1 adobe.activate.com #69.175.22.26
127.0.0.1 activate.adobe.com #192.150.22.40
127.0.0.1 activate.wip3.adobe.com #192.150.22.40
127.0.0.1 activate.wip4.adobe.com #192.150.22.40
127.0.0.1 activate-sea.adobe.com #192.150.22.40
127.0.0.1 activate-sjc0.adobe.com #192.150.14.69
127.0.0.1 ereg.adobe.com #192.150.18.103
127.0.0.1 ereg.wip3.adobe.com #192.150.18.63
127.0.0.1 ereg.wip4.adobe.com #192.150.18.103
127.0.0.1 practivate.adobe.com #192.150.18.54
127.0.0.1 www.wip3.adobe.com #192.150.8.60
127.0.0.1 www.wip4.adobe.com #192.150.18.200
127.0.0.1 www.adobeereg.com #75.125.24.83
127.0.0.1 adobeereg.com #207.66.2.10
127.0.0.1 hl2rcv.adobe.com #192.150.14.174
127.0.0.1 wwis-dubc1-vip30.adobe.com #192.150.8.30
127.0.0.1 wwis-dubc1-vip31.adobe.com #192.150.8.31
127.0.0.1 wwis-dubc1-vip32.adobe.com #192.150.8.32
127.0.0.1 wwis-dubc1-vip33.adobe.com #192.150.8.33
127.0.0.1 wwis-dubc1-vip34.adobe.com #192.150.8.34
127.0.0.1 wwis-dubc1-vip35.adobe.com #192.150.8.35
127.0.0.1 wwis-dubc1-vip36.adobe.com #192.150.8.36
127.0.0.1 wwis-dubc1-vip37.adobe.com #192.150.8.37

There are 151 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Joe Meherg\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{8543BA2A-75AD-4655-82C7-FFBF6F7D910C}] => (Allow) C:\Users\Joe Meherg\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{3F005EBF-C407-4E93-9B28-3BC9CC559E38}] => (Allow) C:\Users\Joe Meherg\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{DD5BD65E-7609-4447-BFFC-2B39BA398B33}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{C74A7003-B857-49E4-9D48-92A9137B86A7}] => (Allow) C:\Users\Joe Meherg\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F114005A-D281-43DA-AF3C-A819AB6A62ED}] => (Allow) C:\Users\Joe Meherg\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{33A89EDD-964E-43CF-A756-FF8370918ABB}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [UDP Query User{67992DBE-A0DC-4525-BCFF-30AE9A685973}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [TCP Query User{EAC80919-909D-45A3-9834-129C244E5FD7}C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe] => (Allow) C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe
FirewallRules: [UDP Query User{8CA3CBC3-44D9-4312-B113-A33F1BB81849}C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe] => (Allow) C:\program files (x86)\Paradox Interactive\Naval War Arctic Circle\NWAC.exe
FirewallRules: [{229B4FBF-0CC3-4900-AC3C-BBD6FABF92F0}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{BF299D90-A90C-4501-92F0-6C29F2356911}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{0198D458-417B-4103-8F84-97CDE7FC91D9}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{B092710C-0136-4A79-9FC5-472EB4C512C1}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{61BA9762-2B0E-4D0A-AF38-2454F16A65F2}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{476C30E3-8325-4BF1-A066-053AB2DAB3AE}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{2E666FBE-EFF8-4F7B-978A-5ED605E2E2C1}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{18CC84B2-E645-46B9-8CFE-6AE269E7F168}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{3F5A2F0C-7574-471F-9BA9-33671F58F5E6}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\RM.exe
FirewallRules: [{911020FB-8CD1-4109-BB17-FD0C5088825D}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\RM.exe
FirewallRules: [{708A7CAF-A905-47D2-9733-9B7FE22B37CC}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\NGStudio.exe
FirewallRules: [{12A61F65-7B6D-4B84-B1DB-7A216030CE95}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\NGStudio.exe
FirewallRules: [{7F545608-E8C3-43A1-82AA-48F083C1A5A8}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\UMI.exe
FirewallRules: [{681D187B-7973-4962-9B0B-66C55E057A1F}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 17\programs\UMI.exe
FirewallRules: [TCP Query User{6AE72AC7-5FE5-4F56-B923-EF57C19AA25E}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [UDP Query User{03F3E862-41B6-44D6-8271-30AEC48CC566}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [{D2A2E315-793A-47C6-83FE-C43E2818CB50}] => (Block) %ProgramFiles% (x86)\IMSI Design\TurboFloorPlan Pro v17\TurboFloorPlanPro.exe
FirewallRules: [TCP Query User{62D8D4DA-ADE3-483A-99E3-5D621F0CB6E5}C:\program files\ispy\ispy.exe] => (Allow) C:\program files\ispy\ispy.exe
FirewallRules: [UDP Query User{CA9A07E8-AF99-4FC6-ACC5-3B1EF74C7EDB}C:\program files\ispy\ispy.exe] => (Allow) C:\program files\ispy\ispy.exe
FirewallRules: [{532779D6-304D-452F-B70E-C0C3E2907A94}] => (Allow) C:\Program Files (x86)\Fiddler2\Fiddler.exe
FirewallRules: [TCP Query User{E1ED780C-2FE9-4366-9519-0AECC04FBEAE}C:\program files (x86)\sadptool\sadptool.exe] => (Allow) C:\program files (x86)\sadptool\sadptool.exe
FirewallRules: [UDP Query User{69C33B1E-692D-4E0E-A724-54F2F883EDD2}C:\program files (x86)\sadptool\sadptool.exe] => (Allow) C:\program files (x86)\sadptool\sadptool.exe
FirewallRules: [TCP Query User{0720A3E8-4677-4644-BE6B-94ECABAEEB45}C:\program files (x86)\synesis\onvif device manager\odm.exe] => (Allow) C:\program files (x86)\synesis\onvif device manager\odm.exe
FirewallRules: [UDP Query User{88BF81F6-93CE-4922-9E22-8121553EC306}C:\program files (x86)\synesis\onvif device manager\odm.exe] => (Allow) C:\program files (x86)\synesis\onvif device manager\odm.exe
FirewallRules: [{2D7BA09C-E620-4DDC-9985-520EEF91B5EA}] => (Allow) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
FirewallRules: [{A24AFF49-EFEB-42DD-981F-A9BEC19F766E}] => (Allow) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
FirewallRules: [TCP Query User{B1EE5ACF-A4D4-49F1-AD7A-A87A4FF901C9}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{482C9E87-8754-466E-B6C1-88EAEE161920}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [TCP Query User{8AFA5409-95F9-46C3-B8B2-FCF035947E3C}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{3C9628E9-A54C-4523-A5E5-7211AB37DE90}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{CC7DC9C6-33EC-45EC-92D0-73C17234C45F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2CE4CD41-5177-4484-89A1-BD1011A5B176}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{40ACE292-57CD-46A8-9FE6-18B05C80FCC5}] => (Allow) C:\Program Files\Blue Iris 4\BlueIris.exe
FirewallRules: [TCP Query User{E7DF7FD0-0638-4E4A-BF2B-B14148BCE257}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [UDP Query User{A0A54C96-DFFA-445C-B433-4C9E4A198B0E}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [TCP Query User{45785A2C-5CD8-4296-9E57-2B258A351F1E}C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe] => (Allow) C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe
FirewallRules: [UDP Query User{0A439D12-AE37-44CD-A478-E27EFC3CBE15}C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe] => (Allow) C:\program files (x86)\gaijin\wings of prey (collector's edition)\yuplay\downloader.exe
FirewallRules: [{951AFF54-EDDF-4742-96D6-DEB96778336B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{E4B3E5E8-3981-4BF9-91D6-9362305C5728}] => (Allow) C:\Windows\system32\rundll32.exe
FirewallRules: [{FCD83BAD-3934-4BF5-AF3E-A89B7169386C}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{9721C62D-5B59-4147-AD76-DC56CC9AF943}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{B0E9205E-58C2-4DE2-BDC0-6345CF40E07D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{5F1174CF-323E-4796-B1D1-129D86B18190}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
StandardProfile\AuthorizedApplications: [C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe] => Enabled:Windows Messanger
StandardProfile\AuthorizedApplications: [C:\Users\Joe Meherg\AppData\Roaming\467ZP4IWI7.exe] => Enabled:Windows Messanger

==================== Restore Points =========================

ATTENTION: System Restore is disabled

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: High Definition Audio Device
Description: High Definition Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: HdAudAddService
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: PCI Memory Controller
Description: PCI Memory Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: WinDivert1.2
Description: WinDivert1.2
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: WinDivert1.2
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/02/2017 03:10:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0x2674
Faulting application start time: 0x01d324264abe6622
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: bc8e3632-901a-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 01:12:23 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x00180814
Faulting process id: 0x24c4
Faulting application start time: 0x01d32416eb7bf242
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 4400cda2-900a-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 10:03:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1180
Faulting application start time: 0x01d323fc6c68f762
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: d8108142-8fef-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 08:53:21 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1fc0
Faulting application start time: 0x01d323f2a61f8656
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 14727762-8fe6-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 06:03:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0xebc
Faulting application start time: 0x01d323daf452ad16
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 48b3cf66-8fce-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 01:53:05 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0xd00
Faulting application start time: 0x01d323a8962dcc16
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 5e5882c6-8fab-11e7-a61e-2c4d5468b4ef

Error: (09/02/2017 12:46:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0xb00
Faulting application start time: 0x01d323a476c46726
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 16823f36-8fa2-11e7-a61e-2c4d5468b4ef

Error: (09/01/2017 10:15:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x001f32b0
Faulting process id: 0x19fc
Faulting application start time: 0x01d3238b330f10c6
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: f5ffb1d6-8f8c-11e7-a61e-2c4d5468b4ef

Error: (09/01/2017 10:03:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1420
Faulting application start time: 0x01d32397e7e02a56
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: 506390d6-8f8b-11e7-a61e-2c4d5468b4ef

Error: (09/01/2017 05:12:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vmxclient.exe, version: 1.0.1.5, time stamp: 0x598e7cd3
Faulting module name: libcef.dll, version: 3.2526.1373.0, time stamp: 0x587a0d9a
Exception code: 0xc0000005
Fault offset: 0x01eed9f0
Faulting process id: 0x1348
Faulting application start time: 0x01d3236f5daa01b2
Faulting application path: C:\Program Files\ntuserlitelist\svcvmx\vmxclient.exe
Faulting module path: C:\Program Files\ntuserlitelist\svcvmx\libcef.dll
Report Id: b2b61d8a-8f62-11e7-a64e-2c4d5468b4ef


System errors:
=============
Error: (09/05/2017 02:07:40 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (09/05/2017 02:03:14 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID 
{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}
 and APPID 
{344ED43D-D086-4961-86A6-1106F4ACAD9B}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Error: (09/05/2017 02:02:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The WinDivert1.2 service failed to start due to the following error: 
The system cannot find the file specified.

Error: (09/05/2017 02:00:55 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {3EB3C877-1F16-487C-9050-104DBCD66683} did not register with DCOM within the required timeout.

Error: (09/05/2017 02:00:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Seagate Media service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/05/2017 02:00:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Office Software Protection Platform service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/05/2017 02:00:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/05/2017 02:00:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The WD Drive Manager service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/05/2017 02:00:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Epson Scanner Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/05/2017 02:00:51 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Blue Iris Service service terminated unexpectedly.  It has done this 1 time(s).


CodeIntegrity:
===================================
  Date: 2016-09-20 21:51:13.292
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswHdsKe.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-09-20 21:51:13.292
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\aswHdsKe.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-07-20 09:22:08.391
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-07-20 09:22:08.391
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-25 16:36:38.997
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-25 16:36:38.977
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i5-7600 CPU @ 3.50GHz
Percentage of memory in use: 26%
Total physical RAM: 16249.75 MB
Available physical RAM: 12016.94 MB
Total Virtual: 32497.68 MB
Available Virtual: 28216.35 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.41 GB) (Free:303.57 GB) NTFS
Drive d: () (Removable) (Total:3.69 GB) (Free:3.68 GB) FAT32
Drive e: (Data Disk) (Fixed) (Total:1397.26 GB) (Free:306.59 GB) NTFS
Drive g: () (Fixed) (Total:688.64 GB) (Free:35.55 GB) NTFS
Drive h: (H-Back-Up) (Fixed) (Total:326.01 GB) (Free:46.9 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 582EC891)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 419A82D2)
Partition 1: (Active) - (Size=1397.3 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 0B22A644)

Partition: GPT.

========================================================
Disk: 3 (Size: 3.7 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================


#13 Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • Gender:Male
  • Local time:04:57 AM

Posted 05 September 2017 - 02:45 PM

Almost done :)

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply
How's your system behaving now? Are there any other issues to address?

Attached Files

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 Judman13

  • Topic Starter

  • Members
  • 21 posts
  • Local time:03:57 AM

Posted 05 September 2017 - 03:09 PM

Fix log below. The system seems MUCH better from what I can see.

I did notice that FRST couldn't create a system restore point. Not sure if that is related to this issue or not.

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by Joe Meherg (05-09-2017 15:02:02) Run:1
Running from C:\Users\Joe Meherg\Desktop
Loaded Profiles: Joe Meherg (Available Profiles: Joe Meherg)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\...\Run: [] => [X]

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://speedial.com/?f=1&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://speedial.com/?f=1&a=spd_ir_14_23_ch&cd=2XzuyEtN2Y1L1QzutCyE0D0A0Ezy0D0DzytDyDzyyDtAtC0EtN0D0Tzu0SzzzzyEtN1L2XzutBtFtBtDtFtCzytFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyC0B0FyD0EyDyDzytG0CtC0B0FtG0F0E0B0EtG0F0CtCyBtGtAtD0FyCtA0DtDyBtBzytD0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBzy0CtCyByB0C0AtGyBtC0CyBtGtDtAyC0FtG0Azz0CzztGyE0AyCtAzytB0EzzyDyD0FtA2Q&cr=426248302&ir=
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1322323461-4163524923-2021594764-1000 -> {38D8F50C-EC1D-4E40-ABBA-7F315AAE7793} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default

CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
CHR DefaultSearchKeyword: Default -> Yahoo
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10

Task: {0FA73C66-32EA-42F4-9FA6-4B1106C4EC25} - System32\Tasks\{1F68D3D6-1CED-406D-993F-0EDA0EE911F5} => C:\Windows\system32\pcalua.exe -a "C:\Users\Joe Meherg\Downloads\IRST_V10501026_XPVistaWin7\IRST_V10501026_XPVistaWin7\Install\Setup.exe" -d "C:\Users\Joe Meherg\Downloads\IRST_V10501026_XPVistaWin7\IRST_V10501026_XPVistaWin7\Install\"
Task: {5BD71F69-429F-41C4-95C5-EDBDEE532765} - System32\Tasks\{86816B0A-99D8-4856-8C70-115FCFE70EE9} => C:\Windows\system32\pcalua.exe -a D:\ar405eng.exe -d D:\
Task: {6B40ECDF-7400-49EB-A4F0-383F7D10F93A} - System32\Tasks\u4IinpQfYVSg => u4iinpqfyvsg.exe
Task: {78CDB515-234E-4368-94B2-4539CFD9A579} - \8727122 -> No File <==== ATTENTION
Task: {9C7A4281-E536-457C-80C1-B66E21E85EC5} - System32\Tasks\{5864F3C9-0903-418D-BFB1-9F105E21DD8B} => "c:\program files (x86)\google\chrome\application\chrome.exe" hxxp://ui.skype.com/ui/0/7.4.85.102/en/abandoninstall?page=tsProgressBar
Task: {F2F8651D-2D71-4F3A-BBBD-533D36A668A2} - System32\Tasks\{21D3E6A0-0503-4B89-894D-81B381C8F838} => C:\Windows\system32\pcalua.exe -a C:\Windows\system32\pcwrun.exe -c "C:\Program Files (x86)\Brother's Keeper 6\Bk6w.exe"

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
AlternateDataStreams: C:\ProgramData\TEMP:A66CF953 [179]

FirewallRules: [{8543BA2A-75AD-4655-82C7-FFBF6F7D910C}] => (Allow) C:\Users\Joe Meherg\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [{3F005EBF-C407-4E93-9B28-3BC9CC559E38}] => (Allow) C:\Users\Joe Meherg\AppData\Local\Temp\WZSE0.TMP\Common\EpsonNet Setup\ENEasyApp.exe
FirewallRules: [TCP Query User{6AE72AC7-5FE5-4F56-B923-EF57C19AA25E}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe
FirewallRules: [UDP Query User{03F3E862-41B6-44D6-8271-30AEC48CC566}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe] => (Allow) C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe

C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\scjhfg
C:\Users\Joe Meherg\AppData\Local\{F44637E8-E3C4-44A8-9BCF-EB738C09BDEF}
C:\Users\Joe Meherg\AppData\Local\BIT79C2.tmp
C:\Users\Joe Meherg\AppData\Roaming\467ZP4IWI7.exe
C:\Windows\b8727122
C:\Windows\generic.exe
C:\Windows\system32\mswygme.exe

EmptyTemp:
*****************

Processes closed successfully.
Error: (0) Failed to create a restore point.
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\Software\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-1322323461-4163524923-2021594764-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{38D8F50C-EC1D-4E40-ABBA-7F315AAE7793} => key removed successfully
HKLM\Software\Classes\CLSID\{38D8F50C-EC1D-4E40-ABBA-7F315AAE7793} => key not found. 
Chrome DefaultSearchURL => removed successfully
Chrome DefaultSearchKeyword => removed successfully
Chrome DefaultSuggestURL => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0FA73C66-32EA-42F4-9FA6-4B1106C4EC25} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0FA73C66-32EA-42F4-9FA6-4B1106C4EC25} => key removed successfully
C:\Windows\System32\Tasks\{1F68D3D6-1CED-406D-993F-0EDA0EE911F5} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1F68D3D6-1CED-406D-993F-0EDA0EE911F5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5BD71F69-429F-41C4-95C5-EDBDEE532765} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5BD71F69-429F-41C4-95C5-EDBDEE532765} => key removed successfully
C:\Windows\System32\Tasks\{86816B0A-99D8-4856-8C70-115FCFE70EE9} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{86816B0A-99D8-4856-8C70-115FCFE70EE9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6B40ECDF-7400-49EB-A4F0-383F7D10F93A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B40ECDF-7400-49EB-A4F0-383F7D10F93A} => key removed successfully
C:\Windows\System32\Tasks\u4IinpQfYVSg => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\u4IinpQfYVSg => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{78CDB515-234E-4368-94B2-4539CFD9A579} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78CDB515-234E-4368-94B2-4539CFD9A579} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\8727122 => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9C7A4281-E536-457C-80C1-B66E21E85EC5} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C7A4281-E536-457C-80C1-B66E21E85EC5} => key removed successfully
C:\Windows\System32\Tasks\{5864F3C9-0903-418D-BFB1-9F105E21DD8B} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{5864F3C9-0903-418D-BFB1-9F105E21DD8B} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F2F8651D-2D71-4F3A-BBBD-533D36A668A2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F2F8651D-2D71-4F3A-BBBD-533D36A668A2} => key removed successfully
C:\Windows\System32\Tasks\{21D3E6A0-0503-4B89-894D-81B381C8F838} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{21D3E6A0-0503-4B89-894D-81B381C8F838} => key removed successfully
C:\ProgramData\Reprise => ":wupeogjxldtlfudivq`qsp`26hfm" ADS removed successfully.
C:\ProgramData\TEMP => ":A66CF953" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8543BA2A-75AD-4655-82C7-FFBF6F7D910C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3F005EBF-C407-4E93-9B28-3BC9CC559E38} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{6AE72AC7-5FE5-4F56-B923-EF57C19AA25E}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{03F3E862-41B6-44D6-8271-30AEC48CC566}C:\users\joe meherg\appdata\local\temp\showmypc\smpc3160\smpcph.exe => value removed successfully
C:\Users\Joe Meherg.HOME-OPI-NEW-PC\AppData\Local\scjhfg => moved successfully
C:\Users\Joe Meherg\AppData\Local\{F44637E8-E3C4-44A8-9BCF-EB738C09BDEF} => moved successfully
C:\Users\Joe Meherg\AppData\Local\BIT79C2.tmp => moved successfully
C:\Users\Joe Meherg\AppData\Roaming\467ZP4IWI7.exe => moved successfully
C:\Windows\b8727122 => moved successfully
C:\Windows\generic.exe => moved successfully
C:\Windows\system32\mswygme.exe => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 139019246 B
Java, Flash, Steam htmlcache => 46248 B
Windows/system/drivers => 262483693 B
Edge => 0 B
Chrome => 55958387 B
Firefox => 11792136 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 16802 B
systemprofile32 => 33125 B
LocalService => 16674 B
NetworkService => 16674 B
Joe Meherg => 494037084 B
Admin => 61447 B
Joe Meherg => 0 B

RecycleBin => 0 B
EmptyTemp: => 926.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 15:02:12 ====


#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:57 AM

Posted 05 September 2017 - 05:15 PM

Awesome :) Now I would like you to do one last thing. Can you .zip the C:\FRST\Quarantine folder, and upload it to the link below?

https://www.bleepingcomputer.com/submit-malware.php?channel=194

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
