Infected w/ W32.Sality!dr downloader via .mp3 hardware.


This topic is locked
19 replies to this topic

#1 BobbyA


Posted 28 January 2018 - 01:18 AM

I just received a "MP3 Infrared Wireless PIR Motion Sensor Store Welcome USB Door Bell Entry Alarm" from China via an eBay purchase. In addition, it appears it also had a trojan file. Initially all I could see with the USB cable connected was .mp3 sound files in Chinese (only the .mp3 extension was readable). After making a backup copy of them I deleted them to put my own sound file in. It was then I saw a file Windows was identifying as an MS-DOS file. I think it had a .pif extension but I am not certain. When I tried to send the file to Norton to scan, the file was instantly flagged and the computer crashed.
 
I unplugged the .mp3 player. When I rebooted I wanted to run scans for malware on my computer and noticed Malwarebytes web protection was off. It just hung at "starting" when I tried to turn it on. When I ran a scan with Norton it was taking a long time; at about 600K files (I have a lot of photographs) a Windows "running out of memory" error window popped up. I looked at the memory usage and saw Malwarebytes climbing past 11GB and 20% CPU. It eventually hit about 13GB and the swap file kicked in (I'm guessing). Norton said it found 1 threat and removed it: W32.Sality!dr. I uninstalled Malwarebytes and ran another Norton scan, which came up clear. While at the Malwarebytes site to get a fresh install, I saw the notice about today's update causing the memory and CPU hog problem. It said the latest version this afternoon had fixed the issue. When I reinstalled Malwarebytes and ran a scan everything seemed fine.
 
I ran one more Norton scan a bit later and noticed I now had more detections and some were not being resolved. Plus I was seeing more files being scanned. Rebooting and trying to run Norton NPE just resulted in more files and more unresolved detections. I prepared and tried a bootable USB from Norton's ISO file, as well as a DVD. Neither stopped the computer from booting through to Windows even though they had been made first boot devices in BIOS.
 
The last Norton scan said about 1200 risks had been detected with about half resolved. In the Norton History log file it appears most of those risks were repeated tries of several different downloaders.
 
It is an i7 Win 8.1 laptop with 16GB DDR3, 500GB SSD (C:) and 1TB (D:).
 
Can someone help or advise?

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27.01.2018
Ran by Me (administrator) on TOSH (28-01-2018 00:27:30)
Running from D:\D_Downloads
Loaded Profiles: Me (Available Profiles: Me & Camera_User)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(Dell Inc.) C:\Program Files (x86)\Dell Printers\Dell Printer Hub\DLDPHSUP.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Garmin Ltd. or its subsidiaries) C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe
(Bitsum LLC) D:\Program Files\CPUBalance\ProBalance.exe
(Bitsum LLC) D:\Program Files\CPUBalance\ProcessGovernor.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Nalpeiron Ltd.) C:\Windows\SysWOW64\nlssrv32.exe
(Symantec Corporation) D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\ns.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe
(Microsoft Corporation) C:\Windows\System32\TCPSVCS.EXE
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(X-Rite Inc.) C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe
(Symantec Corporation) D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\ns.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Toshiba Corporation) C:\Program Files\Toshiba\Teco\TecoService.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Samsung Electronics Co. Ltd.) C:\Program Files (x86)\Samsung\Samsung Magician\SamsungMagician.exe
(Wacom Technology) C:\Program Files\Tablet\Wacom\WacomHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(SRS Labs, Inc.) C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Teco\TecoResident.exe
(TOSHIBA Corporation) C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe
() C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe
(TOSHIBA Corporation) C:\Windows\System32\ThpSrv.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\Hotkey\TCrdMain_Win8.exe
() C:\Program Files\Toshiba\Hotkey\Hotkey\TCrdKBB.exe
(Provo Craft & Novelty, Inc.) C:\Users\Me\AppData\Roaming\CricutDesignSpace3\BRIDGE\CricutLauncher4.exe
(Provo Craft & Novelty, Inc.) C:\Users\Me\AppData\Roaming\CricutDesignSpace3\BRIDGE\CricutBridge4.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtMng.exe
(TOSHIBA CORPORATION) C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtSrv.exe
(Dell Inc.) C:\Program Files (x86)\Dell Printers\Dell Printer Hub\DLDPHSTS.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosA2dp.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtHid.exe
(TOSHIBA CORPORATION.) C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtHSP.exe
(Dell Inc.) C:\Program Files (x86)\Dell Printers\Dell Printer Hub\DLDPHCM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Mozilla Corporation) D:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\SymcPCCULaunchSvc.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\HDD Accelerator\THAccelSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13261456 2012-11-29] (Realtek Semiconductor)
HKLM\...\Run: [SRS Premium Sound 3D] => C:\Program Files\SRS Labs\SRS Control Panel\SRSPanel_64.exe [2172816 2012-10-22] (SRS Labs, Inc.)
HKLM\...\Run: [TecoResident] => C:\Program Files\TOSHIBA\Teco\TecoResident.exe [178016 2013-08-21] (TOSHIBA Corporation)
HKLM\...\Run: [TSleepSrv] => C:\Program Files (x86)\TOSHIBA\System Setting\TSleepSrv.exe [1548952 2012-08-04] (TOSHIBA Corporation)
HKLM\...\Run: [TODDMain] => C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe [213136 2012-08-04] ()
HKLM\...\Run: [ThpSrv] => C:\windows\system32\thpsrv /logon
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500208 2010-03-06] (Adobe Systems Incorporated)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\Hotkey\TCrdMain_Win8.exe [2556768 2013-08-17] (TOSHIBA Corporation)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS5ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe [402432 2010-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Aimersoft Helper Compact.exe] => C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe [1734144 2013-05-29] (AimerSoft)
HKLM-x32\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [2068856 2011-10-12] (Flexera Software LLC.)
HKLM-x32\...\Run: [DelaypluginInstall] => C:\ProgramData\Wondershare\Player\DelayPluginI.exe [1960008 2013-09-28] ()
HKLM-x32\...\Run: [ITSecMng] => C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [80840 2011-04-01] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [ABNotify] => C:\Program Files (x86)\AOMEI Backupper\ABNotify.exe [89968 2016-12-30] ()
HKLM-x32\...\Run: [DLDPHSTS] => C:\Program Files (x86)\Dell Printers\Dell Printer Hub\DLDPHSTS.exe [38752 2016-09-29] (Dell Inc.)
HKLM-x32\...\Run: [DLDPHCM] => C:\Program Files (x86)\Dell Printers\Dell Printer Hub\DLDPHCM.exe [615776 2016-09-29] (Dell Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2017-12-19] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Run: [Google Update] => C:\Users\Me\AppData\Local\Google\Update\1.3.33.7\GoogleUpdateCore.exe [601680 2017-11-14] (Google Inc.)
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Run: [Cricut Design Space3] => C:\Users\Me\AppData\Roaming\CricutDesignSpace3\BRIDGE\CricutLauncher4.exe [437912 2017-10-11] (Provo Craft & Novelty, Inc.)
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1421736 2018-01-10] (Garmin Ltd. or its subsidiaries)
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\MountPoints2: {7bbb88ae-2433-11e3-be7a-008cfa3784b5} - "F:\IronKey.exe"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\MountPoints2: {97f534dd-528e-11e6-bf35-008cfa3784b5} - "F:\HTC_Sync_Manager_PC.exe"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\MountPoints2: {d5ba27d1-9f89-11e6-bf46-008cfa3784b5} - "F:\TVCenterPro.exe" -autorun
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\windows\system32\Bubbles.scr [788480 2014-11-21] (Microsoft Corporation)
HKU\S-1-5-18\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [1421736 2018-01-10] (Garmin Ltd. or its subsidiaries)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk [2015-04-15]
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\i1Profiler Tray.lnk [2017-06-19]
ShortcutTarget: i1Profiler Tray.lnk -> D:\Program Files (x86)\X-Rite\i1Profiler\i1ProfilerTray.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\XRGamma.lnk [2017-06-19]
ShortcutTarget: XRGamma.lnk -> D:\Program Files (x86)\X-Rite\i1Profiler\XRGamma.exe (LOGO Kommunikations- und Drucktechnik GmbH & Co. KG)
GroupPolicy: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{095FBD90-A892-4463-9391-53EB84FF6FFE}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://toshiba13.msn.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.creativelive.com/
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://toshiba13.msn.com
SearchScopes: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001 -> DefaultScope {EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} URL =
SearchScopes: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001 -> {EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} URL =
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
BHO: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\coIEPlg.dll [2017-11-10] (Symantec Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-04-20] (IvoSoft)
BHO-x32: Wondershare Player 1.6.0 -> {43D9786F-A485-683B-9B5B-ACC97ABC17FC} -> C:\ProgramData\Wondershare\Player\WSBrowserAppMgr.dll [2013-09-28] (Wondershare)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO-x32: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> D:\Program Files (x86)\Nuance\PDFViewer\Bin\PlusIEContextMenu.dll [2011-06-30] (Zeon Corporation)
BHO-x32: Norton Identity Safety -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> D:\Program Files (x86)\Norton Security\Engine32\22.11.2.7\coIEPlg.dll [2017-11-10] (Symantec Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_161\bin\ssv.dll [2018-01-24] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_161\bin\jp2ssv.dll [2018-01-24] (Oracle Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\coIEPlg.dll [2017-11-10] (Symantec Corporation)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - D:\Program Files (x86)\Norton Security\Engine32\22.11.2.7\coIEPlg.dll [2017-11-10] (Symantec Corporation)
Handler: WSIEChrome - {6D02ED5F-FD0D-4C4C - No File

FireFox:
========
FF DefaultProfile: k7s4m087.default-1379600839587
FF ProfilePath: C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\k7s4m087.default-1379600839587 [2018-01-28]
FF Homepage: Mozilla\Firefox\Profiles\k7s4m087.default-1379600839587 -> www.google.com
FF Extension: (Blur) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\k7s4m087.default-1379600839587\Extensions\donottrackplus@abine.com.xpi [2018-01-25]
FF Extension: (FlashStopper) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\k7s4m087.default-1379600839587\Extensions\flashstopper@byo.co.il.xpi [2018-01-26] [Legacy]
FF Extension: (Garmin Communicator) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\k7s4m087.default-1379600839587\Extensions\{195A3098-0BD5-4e90-AE22-BA1C540AFD1E} [2016-04-27] [Legacy]
FF Extension: (RightToClick) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\k7s4m087.default-1379600839587\Extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi [2016-09-05] [Legacy]
FF Extension: (Adblock Plus) - C:\Users\Me\AppData\Roaming\Mozilla\Firefox\Profiles\k7s4m087.default-1379600839587\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2017-12-12]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_28_0_0_137.dll [2018-01-09] ()
FF Plugin: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_28_0_0_137.dll [2018-01-09] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.161.2 -> C:\Program Files (x86)\Java\jre1.8.0_161\bin\dtplugin\npDeployJava1.dll [2018-01-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.161.2 -> C:\Program Files (x86)\Java\jre1.8.0_161\bin\plugin2\npjp2.dll [2018-01-24] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-13] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2017-05-24] (VideoLAN)
FF Plugin-x32: @wacom.com/wtPlugin,version=2.1.0.7 -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-11-04] (Adobe Systems Inc.)
FF Plugin-x32: wacom.com/WacomTabletPlugin -> C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll [2014-03-25] (Wacom)
FF Plugin-x32: ZEON/PDF,version=2.0 -> D:\Program Files (x86)\Nuance\PDFViewer\bin\nppdf.dll [2011-07-15] (Zeon Corporation)
FF Plugin HKU\S-1-5-21-4007766687-3714460472-3212241914-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Me\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-08-19] (Citrix Online)
FF Plugin HKU\S-1-5-21-4007766687-3714460472-3212241914-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\Me\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-4007766687-3714460472-3212241914-1001: @talk.google.com/O1DPlugin -> C:\Users\Me\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-4007766687-3714460472-3212241914-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin HKU\S-1-5-21-4007766687-3714460472-3212241914-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.7\npGoogleUpdate3.dll [2017-11-14] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Me\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Me\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
StartMenuInternet: FIREFOX.EXE - D:\Program Files (x86)\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\Exts\Chrome.crx <not found>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bkdegagmpemadclljncealhmmkojfoam] - C:\ProgramData\Wondershare\Player\Player@Wondershare.com.crx [2014-07-24]
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Backupper Service; C:\Program Files (x86)\AOMEI Backupper\ABService.exe [122728 2016-12-30] (AOMEI Tech Co., Ltd.)
R2 DLDPHSUP; C:\Program Files (x86)\Dell Printers\Dell Printer Hub\DLDPHSUP.exe [23904 2016-09-29] (Dell Inc.)
R2 Garmin Device Interaction Service; C:\Program Files (x86)\Garmin\Device Interaction Service\GarminService.exe [1136656 2018-01-10] (Garmin Ltd. or its subsidiaries)
R2 hasplms; C:\windows\system32\hasplms.exe [4608320 2014-11-27] (SafeNet Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [129856 2012-06-27] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6234056 2017-11-01] (Malwarebytes)
S3 NitroExpressDriverReadSpool; C:\Program Files\Common Files\Nitro PDF\Express\2.0\NitroPDFExpressDriverServicex64.exe [324912 2009-10-06] (Nitro PDF Software)
R2 Norton PC Checkup Application Launcher; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\SymcPCCULaunchSvc.exe [123320 2012-07-23] (Symantec Corporation)
R2 NS; D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\NS.exe [326144 2017-11-10] (Symantec Corporation)
R2 PCCUJobMgr; C:\Program Files (x86)\Norton PC Checkup\Engine\2.0.18.15\ccSvcHst.exe [126392 2012-07-23] (Symantec Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [201872 2012-12-05] (Realtek Semiconductor)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 THAccelSvc; C:\Program Files\TOSHIBA\HDD Accelerator\THAccelSvc.exe [214488 2012-08-10] (TOSHIBA CORPORATION)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-01-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-01-12] (Microsoft Corporation)
R2 WTabletServicePro; C:\Program Files\Tablet\Wacom\WTabletServicePro.exe [672208 2017-04-05] (Wacom Technology, Corp.)
R2 xrdd.exe; C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe [83312 2015-09-18] (X-Rite Inc.)
S3 BrYNSvc; "C:\Program Files (x86)\Browny02\BrYNSvc.exe" [X]
S2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 ambakdrv; C:\Windows\System32\ambakdrv.sys [51120 2016-12-22] ()
R2 ammntdrv; C:\WINDOWS\system32\ammntdrv.sys [171952 2016-12-22] ()
S3 ampa; C:\WINDOWS\system32\ampa.sys [38320 2016-12-25] ()
S3 ampa; C:\WINDOWS\SysWOW64\ampa.sys [38320 2016-12-25] ()
R2 amwrtdrv; C:\WINDOWS\system32\amwrtdrv.sys [38320 2016-12-22] ()
R3 Apowersoft_AudioDevice; C:\Windows\system32\drivers\Apowersoft_AudioDevice.sys [31920 2013-06-02] (Wondershare)
R3 azvusb; C:\Windows\System32\drivers\azvusb.sys [54784 2009-08-24] (AzureWave Technologies, Inc.)
R1 BHDrvx64; D:\Program Files (x86)\Norton Security\NortonData\22.5.0.124\Definitions\BASHDefs\20180124.001\BHDrvx64.sys [1872024 2017-10-11] (Symantec Corporation)
R1 ccSet_NS; C:\Windows\system32\drivers\NSx64\160B020.007\ccSetx64.sys [187544 2017-11-10] (Symantec Corporation)
S3 dg_ssudbus; C:\Windows\system32\DRIVERS\ssudbus.sys [131984 2017-05-18] (Samsung Electronics Co., Ltd.)
S3 DigiartyVirtualCDBus; C:\Windows\System32\drivers\DigiartyVirtualCDBus.sys [276256 2016-12-21] (Digiarty Software, Inc.)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [507984 2018-01-03] (Symantec Corporation)
R1 ElRawDisk; C:\windows\system32\drivers\rsdrvx64.sys [26024 2009-02-12] (EldoS Corporation)
S3 epmntdrv; C:\windows\system32\epmntdrv.sys [18528 2014-11-18] () [File not signed]
S3 epmntdrv; C:\windows\SysWOW64\epmntdrv.sys [15968 2014-11-18] () [File not signed]
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [152656 2018-01-13] (Symantec Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77432 2017-11-29] ()
S3 EuGdiDrv; C:\windows\system32\EuGdiDrv.sys [10848 2014-11-18] () [File not signed]
S3 EuGdiDrv; C:\windows\SysWOW64\EuGdiDrv.sys [10208 2014-11-18] () [File not signed]
R2 hardlock; C:\windows\system32\drivers\hardlock.sys [331608 2014-11-27] (SafeNet Inc.)
R1 IDSVia64; D:\Program Files (x86)\Norton Security\NortonData\22.5.0.124\Definitions\IPSDefs\20180127.001\IDSvia64.sys [1056920 2017-10-13] (Symantec Corporation)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [193968 2018-01-27] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\DRIVERS\farflt.sys [110016 2018-01-27] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [46008 2018-01-27] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [253880 2018-01-27] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\DRIVERS\mwac.sys [94144 2018-01-27] (Malwarebytes)
S3 MDA_NTDRV; C:\WINDOWS\system32\MDA_NTDRV.sys [47104 2016-05-20] ()
S3 mmpDrv; C:\windows\system32\Drivers\mmpDrv.sys [21008 2012-10-18] (<company name here>)
S3 mmpguidrv; C:\windows\system32\Drivers\MmpGuiDrv.sys [12304 2012-10-18] ()
R3 NETwNe64; C:\Windows\system32\DRIVERS\Netwew00.sys [3349984 2014-04-17] (Intel Corporation)
S3 pwdrvio; C:\windows\system32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\windows\system32\pwdspio.sys [12504 2013-09-30] ()
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [269968 2012-07-03] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2014-08-06] (Synaptics Incorporated)
R3 SRTSP; C:\Windows\System32\Drivers\NSx64\160B020.007\SRTSP64.SYS [812696 2017-11-10] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NSx64\160B020.007\SRTSPX64.SYS [49304 2017-11-10] (Symantec Corporation)
S3 ssudmdm; C:\Windows\system32\DRIVERS\ssudmdm.sys [166288 2017-05-18] (Samsung Electronics Co., Ltd.)
R0 SymEFASI; C:\Windows\System32\drivers\NSx64\160B020.007\SYMEFASI64.SYS [1938584 2017-11-10] (Symantec Corporation)
S0 SymELAM; C:\Windows\System32\drivers\NSx64\160B020.007\SymELAM.sys [24608 2017-11-10] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [102600 2017-11-16] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NSx64\160B020.007\Ironx64.SYS [309984 2017-11-10] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NSx64\160B020.007\SYMNETS.SYS [566936 2017-11-10] (Symantec Corporation)
R0 THAccel; C:\Windows\System32\DRIVERS\THAccel.sys [131520 2012-08-10] (TOSHIBA CORPORATION)
R3 Thotkey; C:\Windows\System32\drivers\Thotkey.sys [32624 2013-08-19] (Windows ® Win 7 DDK provider)
R3 usb3Hub; C:\Windows\System32\drivers\usb3Hub.sys [47072 2012-11-29] (Windows ® Win 7 DDK provider)
R3 WacHidRouterPro; C:\Windows\System32\drivers\wachidrouter.sys [120976 2017-03-27] (Wacom Technology)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-02-10] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-01-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-01-12] (Microsoft Corporation)
R2 WinI2C-DDC; C:\windows\system32\drivers\DDCDrv.sys [20832 2017-05-24] (Nicomsoft Ltd.)
R2 WinI2C-DDC; C:\windows\SysWOW64\drivers\DDCDrv.sys [10240 2017-05-24] (Nicomsoft Ltd.) [File not signed]
S3 WirelessKeyboardFilter; C:\Windows\System32\drivers\WirelessKeyboardFilter.sys [49896 2016-07-22] (Microsoft Corporation)
S3 WiseHDInfo; C:\windows\WiseHDInfo64.dll [14800 2015-12-25] (wisecleaner.com) [File not signed]
R3 XHCIPort; C:\Windows\System32\drivers\XHCIPort.sys [188896 2012-11-29] (Windows ® Win 7 DDK provider)
S3 WinRing0_1_2_0; \??\D:\Program Files (x86)\AnVir Task Manager\OpenHardwareMonitor\OpenHardwareMonitor.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-28 00:26 - 2018-01-28 00:27 - 000000000 ____D C:\FRST
2018-01-27 22:57 - 2018-01-27 22:57 - 000000000 ____D C:\Windows\System32\Tasks\Remediation
2018-01-27 20:47 - 2018-01-27 20:47 - 000000000 ____D C:\NPE
2018-01-27 15:41 - 2018-01-27 22:33 - 000110016 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2018-01-27 15:41 - 2018-01-27 22:33 - 000046008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2018-01-27 15:41 - 2018-01-27 15:41 - 000193968 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2018-01-27 15:38 - 2018-01-27 15:38 - 000253880 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2018-01-27 15:38 - 2018-01-27 15:38 - 000001894 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2018-01-27 15:38 - 2018-01-27 15:38 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2018-01-27 15:38 - 2017-11-29 09:11 - 000077432 _____ C:\Windows\system32\Drivers\mbae64.sys
2018-01-27 12:38 - 2018-01-27 12:38 - 000000016 _____ C:\InjectIntoProcess crash
2018-01-25 12:26 - 2018-01-25 12:26 - 000000954 _____ C:\Users\Me\Desktop\WonderFox DVD Ripper Pro.lnk
2018-01-23 08:42 - 2018-01-23 09:26 - 000000000 ____D C:\Program Files\Common Files\FlashIntegro
2018-01-23 08:42 - 2018-01-09 17:58 - 000076472 _____ (Flash-Integro LLC) C:\Windows\system32\mslvddsfilter4.ax
2018-01-23 08:42 - 2011-12-07 18:32 - 000216064 _____ ( ) C:\Windows\system32\Lagarith.dll
2018-01-23 08:42 - 2005-08-01 18:43 - 000245760 _____ () C:\Windows\system32\lame.ax
2018-01-23 08:42 - 2004-12-10 09:03 - 000438272 _____ (On2.com) C:\Windows\system32\vp6vfw.dll
2018-01-23 08:42 - 2004-09-06 15:06 - 000053248 _____ C:\Windows\system32\xvid.ax
2018-01-23 08:42 - 2004-07-03 20:08 - 000139264 _____ C:\Windows\system32\xvidvfw.dll
2018-01-23 08:42 - 2004-07-03 19:59 - 000524288 _____ C:\Windows\system32\xvidcore.dll
2018-01-23 08:42 - 2004-02-04 20:11 - 000081920 _____ (fccHandler) C:\Windows\system32\AC3ACM.acm
2018-01-23 08:42 - 2003-05-22 11:26 - 000638976 _____ (DivXNetworks, Inc.) C:\Windows\system32\divx.dll
2018-01-23 08:42 - 2003-05-22 11:26 - 000221215 _____ (DivXNetworks, Inc.) C:\Windows\system32\divxdec.ax
2018-01-23 08:42 - 2003-05-21 22:50 - 000261632 _____ (MainConcept) C:\Windows\system32\mcdvd_32.dll
2018-01-23 08:42 - 2003-05-21 22:50 - 000082944 _____ (Voxware, Inc.) C:\Windows\system32\vct3216.acm
2018-01-23 08:42 - 2003-05-21 22:50 - 000038912 _____ (NCT Company) C:\Windows\system32\alf2cd.acm
2018-01-23 08:42 - 2003-05-21 22:50 - 000024576 _____ (Microsoft Corporation) C:\Windows\system32\msxml3a.dll
2018-01-23 08:42 - 2003-03-25 04:49 - 000098304 _____ (Fraunhofer Institut Integrierte Schaltungen IIS) C:\Windows\system32\L3CODECX.AX
2018-01-23 08:42 - 2002-08-19 23:41 - 000413760 _____ (Microsoft Corporation) C:\Windows\system32\mpg4c32.dll
2018-01-23 08:42 - 2000-03-14 19:55 - 000013239 _____ (SHARP Corporation) C:\Windows\system32\Scg726.acm
2018-01-21 13:45 - 2018-01-23 22:34 - 000001568 _____ C:\Users\Me\Desktop\Meetup_PVC.txt
2018-01-16 04:49 - 2018-01-16 04:49 - 000001917 _____ C:\Users\Public\Desktop\Garmin Express.lnk
2018-01-16 04:49 - 2018-01-16 04:49 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Garmin
2018-01-12 15:16 - 2018-01-12 15:16 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PortraitPro Body Studio 2
2018-01-12 15:16 - 2018-01-12 15:16 - 000000000 ____D C:\Program Files\PortraitPro Body Studio 2
2018-01-09 09:04 - 2018-01-02 03:00 - 000590680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fvevol.sys
2018-01-09 09:04 - 2018-01-02 03:00 - 000242520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdyboost.sys
2018-01-09 09:04 - 2018-01-02 03:00 - 000214392 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Storage.ApplicationData.dll
2018-01-09 09:04 - 2018-01-02 02:56 - 002530400 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2018-01-09 09:04 - 2018-01-02 02:56 - 000567656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2018-01-09 09:04 - 2018-01-02 02:56 - 000397224 _____ (Microsoft Corporation) C:\Windows\system32\bcryptprimitives.dll
2018-01-09 09:04 - 2018-01-02 02:56 - 000136536 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wfplwfs.sys
2018-01-09 09:04 - 2018-01-02 01:39 - 022374248 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2018-01-09 09:04 - 2018-01-02 01:39 - 007408984 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2018-01-09 09:04 - 2018-01-02 01:39 - 002013016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2018-01-09 09:04 - 2018-01-02 01:39 - 000418648 _____ (Microsoft Corporation) C:\Windows\system32\hal.dll
2018-01-09 09:04 - 2018-01-02 01:39 - 000354648 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\fltMgr.sys
2018-01-09 09:04 - 2018-01-02 01:38 - 002176064 _____ (Microsoft Corporation) C:\Windows\system32\combase.dll
2018-01-09 09:04 - 2018-01-02 01:38 - 001662096 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2018-01-09 09:04 - 2018-01-02 01:38 - 001063464 _____ (Microsoft Corporation) C:\Windows\system32\WinTypes.dll
2018-01-09 09:04 - 2018-01-02 01:37 - 001737600 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2018-01-09 09:04 - 2018-01-02 01:37 - 001676056 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi
2018-01-09 09:04 - 2018-01-02 01:37 - 001536120 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2018-01-09 09:04 - 2018-01-02 01:37 - 001500432 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi
2018-01-09 09:04 - 2018-01-02 01:37 - 001371352 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2018-01-09 09:04 - 2018-01-02 01:37 - 001135280 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2018-01-09 09:04 - 2018-01-02 01:37 - 000685440 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2018-01-09 09:04 - 2018-01-02 01:35 - 001307840 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2018-01-09 09:04 - 2018-01-02 01:35 - 000989528 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\http.sys
2018-01-09 09:04 - 2018-01-02 01:05 - 000164296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Storage.ApplicationData.dll
2018-01-09 09:04 - 2018-01-02 01:03 - 025739264 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2018-01-09 09:04 - 2018-01-02 01:03 - 000341384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcryptprimitives.dll
2018-01-09 09:04 - 2018-01-02 01:01 - 001902328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2018-01-09 09:04 - 2018-01-02 01:00 - 019790760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2018-01-09 09:04 - 2018-01-02 00:59 - 001565520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\combase.dll
2018-01-09 09:04 - 2018-01-02 00:59 - 001213784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2018-01-09 09:04 - 2018-01-02 00:58 - 001502000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2018-01-09 09:04 - 2018-01-02 00:48 - 000507176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2018-01-09 09:04 - 2018-01-02 00:40 - 000284672 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2018-01-09 09:04 - 2018-01-02 00:39 - 000686080 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2018-01-09 09:04 - 2018-01-02 00:39 - 000402432 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdbss.sys
2018-01-09 09:04 - 2018-01-02 00:39 - 000072192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndproxy.sys
2018-01-09 09:04 - 2018-01-02 00:39 - 000048128 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netbios.sys
2018-01-09 09:04 - 2018-01-02 00:38 - 000559616 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2018-01-09 09:04 - 2018-01-02 00:38 - 000445952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\nwifi.sys
2018-01-09 09:04 - 2018-01-02 00:38 - 000416256 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2018-01-09 09:04 - 2018-01-02 00:38 - 000401408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2018-01-09 09:04 - 2018-01-02 00:38 - 000243200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2018-01-09 09:04 - 2018-01-02 00:38 - 000151040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\pacer.sys
2018-01-09 09:04 - 2018-01-02 00:38 - 000138752 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dfsc.sys
2018-01-09 09:04 - 2018-01-02 00:37 - 000110080 _____ (Microsoft Corporation) C:\Windows\system32\appinfo.dll
2018-01-09 09:04 - 2018-01-02 00:37 - 000080384 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\wanarp.sys
2018-01-09 09:04 - 2018-01-02 00:34 - 000360448 _____ (Microsoft Corporation) C:\Windows\system32\ncsi.dll
2018-01-09 09:04 - 2018-01-02 00:31 - 000040448 _____ (Microsoft Corporation) C:\Windows\system32\rfxvmt.dll
2018-01-09 09:04 - 2018-01-02 00:30 - 002900480 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2018-01-09 09:04 - 2018-01-02 00:28 - 005796352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2018-01-09 09:04 - 2018-01-02 00:28 - 000577024 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2018-01-09 09:04 - 2018-01-02 00:28 - 000417280 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2018-01-09 09:04 - 2018-01-02 00:28 - 000048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2018-01-09 09:04 - 2018-01-02 00:28 - 000013312 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2018-01-09 09:04 - 2018-01-02 00:20 - 020275200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2018-01-09 09:04 - 2018-01-02 00:19 - 000108544 _____ (Microsoft Corporation) C:\Windows\system32\fdWCN.dll
2018-01-09 09:04 - 2018-01-02 00:18 - 000615936 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2018-01-09 09:04 - 2018-01-02 00:17 - 000817152 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2018-01-09 09:04 - 2018-01-02 00:17 - 000116224 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2018-01-09 09:04 - 2018-01-02 00:16 - 000814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2018-01-09 09:04 - 2018-01-02 00:09 - 000445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2018-01-09 09:04 - 2018-01-02 00:06 - 000489984 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2018-01-09 09:04 - 2018-01-02 00:02 - 000862720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2018-01-09 09:04 - 2018-01-01 23:59 - 000014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2018-01-09 09:04 - 2018-01-01 23:59 - 000005632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2018-01-09 09:04 - 2018-01-01 23:57 - 000025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2018-01-09 09:04 - 2018-01-01 23:56 - 000199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2018-01-09 09:04 - 2018-01-01 23:54 - 000145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2018-01-09 09:04 - 2018-01-01 23:53 - 000315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2018-01-09 09:04 - 2018-01-01 23:52 - 000499712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2018-01-09 09:04 - 2018-01-01 23:51 - 000341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2018-01-09 09:04 - 2018-01-01 23:49 - 002294272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2018-01-09 09:04 - 2018-01-01 23:48 - 001033216 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2018-01-09 09:04 - 2018-01-01 23:45 - 000091136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fdWCN.dll
2018-01-09 09:04 - 2018-01-01 23:44 - 015284224 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2018-01-09 09:04 - 2018-01-01 23:44 - 000476160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2018-01-09 09:04 - 2018-01-01 23:43 - 000662528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2018-01-09 09:04 - 2018-01-01 23:42 - 000620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2018-01-09 09:04 - 2018-01-01 23:42 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2018-01-09 09:04 - 2018-01-01 23:41 - 000380416 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2018-01-09 09:04 - 2018-01-01 23:40 - 001436672 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2018-01-09 09:04 - 2018-01-01 23:40 - 000807936 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2018-01-09 09:04 - 2018-01-01 23:40 - 000726528 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2018-01-09 09:04 - 2018-01-01 23:38 - 002134528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2018-01-09 09:04 - 2018-01-01 23:37 - 000324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2018-01-09 09:04 - 2018-01-01 23:34 - 001217536 _____ (Microsoft Corporation) C:\Windows\system32\sysmain.dll
2018-01-09 09:04 - 2018-01-01 23:34 - 000416256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2018-01-09 09:04 - 2018-01-01 23:33 - 001080320 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2018-01-09 09:04 - 2018-01-01 23:33 - 000845312 _____ (Microsoft Corporation) C:\Windows\system32\BFE.DLL
2018-01-09 09:04 - 2018-01-01 23:33 - 000086016 _____ (Microsoft Corporation) C:\Windows\system32\nlaapi.dll
2018-01-09 09:04 - 2018-01-01 23:32 - 000571392 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2018-01-09 09:04 - 2018-01-01 23:29 - 000817664 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2018-01-09 09:04 - 2018-01-01 23:29 - 000754176 _____ (Microsoft Corporation) C:\Windows\system32\FirewallAPI.dll
2018-01-09 09:04 - 2018-01-01 23:27 - 001696256 _____ (Microsoft Corporation) C:\Windows\system32\wevtsvc.dll
2018-01-09 09:04 - 2018-01-01 23:27 - 000168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2018-01-09 09:04 - 2018-01-01 23:26 - 003241472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2018-01-09 09:04 - 2018-01-01 23:25 - 000795648 _____ (Microsoft Corporation) C:\Windows\system32\winhttp.dll
2018-01-09 09:04 - 2018-01-01 23:25 - 000279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2018-01-09 09:04 - 2018-01-01 23:25 - 000128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2018-01-09 09:04 - 2018-01-01 23:23 - 004508160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2018-01-09 09:04 - 2018-01-01 23:23 - 002882048 _____ (Microsoft Corporation) C:\Windows\system32\actxprxy.dll
2018-01-09 09:04 - 2018-01-01 23:22 - 000880640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2018-01-09 09:04 - 2018-01-01 23:22 - 000129536 _____ (Microsoft Corporation) C:\Windows\system32\WcnApi.dll
2018-01-09 09:04 - 2018-01-01 23:21 - 000391680 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2018-01-09 09:04 - 2018-01-01 23:20 - 013680128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2018-01-09 09:04 - 2018-01-01 23:18 - 000380416 _____ (Microsoft Corporation) C:\Windows\system32\pnrpsvc.dll
2018-01-09 09:04 - 2018-01-01 23:18 - 000230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2018-01-09 09:04 - 2018-01-01 23:17 - 001547264 _____ (Microsoft Corporation) C:\Windows\system32\wlansvc.dll
2018-01-09 09:04 - 2018-01-01 23:17 - 000694272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2018-01-09 09:04 - 2018-01-01 23:17 - 000465920 _____ (Microsoft Corporation) C:\Windows\system32\wcncsvc.dll
2018-01-09 09:04 - 2018-01-01 23:17 - 000331776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2018-01-09 09:04 - 2018-01-01 23:16 - 002058752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2018-01-09 09:04 - 2018-01-01 23:16 - 000881152 _____ (Microsoft Corporation) C:\Windows\system32\MPSSVC.dll
2018-01-09 09:04 - 2018-01-01 23:16 - 000747520 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2018-01-09 09:04 - 2018-01-01 23:16 - 000464384 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2018-01-09 09:04 - 2018-01-01 23:15 - 001545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2018-01-09 09:04 - 2018-01-01 23:13 - 000216576 _____ (Microsoft Corporation) C:\Windows\system32\P2P.dll
2018-01-09 09:04 - 2018-01-01 23:11 - 000185856 _____ (Microsoft Corporation) C:\Windows\system32\rascfg.dll
2018-01-09 09:04 - 2018-01-01 23:11 - 000065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2018-01-09 09:04 - 2018-01-01 23:09 - 000827392 _____ (Microsoft Corporation) C:\Windows\system32\spoolsv.exe
2018-01-09 09:04 - 2018-01-01 23:09 - 000713216 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2018-01-09 09:04 - 2018-01-01 23:09 - 000543232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FirewallAPI.dll
2018-01-09 09:04 - 2018-01-01 23:08 - 000110080 _____ (Microsoft Corporation) C:\Windows\system32\icfupgd.dll
2018-01-09 09:04 - 2018-01-01 23:07 - 001265664 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2018-01-09 09:04 - 2018-01-01 23:07 - 000440832 _____ (Microsoft Corporation) C:\Windows\system32\p2psvc.dll
2018-01-09 09:04 - 2018-01-01 23:06 - 000626176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winhttp.dll
2018-01-09 09:04 - 2018-01-01 23:05 - 000097280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WcnApi.dll
2018-01-09 09:04 - 2018-01-01 23:04 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2018-01-09 09:04 - 2018-01-01 22:59 - 000177664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\P2P.dll
2018-01-09 09:04 - 2018-01-01 22:58 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2018-01-09 09:04 - 2018-01-01 22:57 - 000164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rascfg.dll
2018-01-09 09:04 - 2018-01-01 22:56 - 000562176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2018-01-09 09:04 - 2018-01-01 22:55 - 003548160 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2018-01-09 09:04 - 2018-01-01 22:54 - 001313792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2018-01-09 09:04 - 2018-01-01 22:53 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2018-01-09 09:04 - 2017-12-29 03:21 - 000107520 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2018-01-09 09:04 - 2017-12-14 18:26 - 000374096 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2018-01-09 09:04 - 2017-12-14 16:39 - 000315736 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2018-01-09 09:04 - 2017-12-14 05:19 - 000096256 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2018-01-09 09:04 - 2017-12-14 05:17 - 000044032 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2018-01-09 09:04 - 2017-12-10 08:59 - 000077824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2018-01-09 09:04 - 2017-12-10 08:58 - 000035840 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2018-01-09 09:04 - 2017-12-10 08:46 - 007079424 _____ (Microsoft Corporation) C:\Windows\system32\glcndFilter.dll
2018-01-09 09:04 - 2017-12-10 08:24 - 005275136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\glcndFilter.dll
2018-01-09 09:04 - 2017-12-10 08:06 - 007797760 _____ (Microsoft Corporation) C:\Windows\system32\Windows.Data.Pdf.dll
2018-01-09 09:04 - 2017-12-10 07:59 - 005270528 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Windows.Data.Pdf.dll
2018-01-09 09:04 - 2017-12-05 23:42 - 002452816 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tcpip.sys
2018-01-09 09:04 - 2017-12-05 11:58 - 004168192 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2018-01-05 08:41 - 2018-01-05 09:40 - 000000000 ____D C:\Users\Me\AppData\Roaming\MyDraw
2018-01-05 08:41 - 2018-01-05 08:46 - 000000000 ____D C:\ProgramData\MyDraw
2018-01-05 08:41 - 2018-01-05 08:41 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MyDraw

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2018-01-28 00:27 - 2017-07-29 10:31 - 000000000 ____D C:\Users\Me\AppData\Local\Dell Printer Hub
2018-01-28 00:15 - 2013-12-14 22:05 - 000000000 ____D C:\Users\Me\AppData\Roaming\ClassicShell
2018-01-28 00:03 - 2013-09-16 20:20 - 000003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4007766687-3714460472-3212241914-1001
2018-01-27 23:59 - 2016-11-15 22:24 - 000000000 ____D C:\Users\Me\AppData\LocalLow\Mozilla
2018-01-27 22:37 - 2014-11-21 03:44 - 000866884 _____ C:\Windows\system32\PerfStringBackup.INI
2018-01-27 22:37 - 2013-08-22 08:36 - 000000000 ____D C:\Windows\Inf
2018-01-27 22:33 - 2017-12-07 09:29 - 000094144 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2018-01-27 22:33 - 2016-07-19 12:05 - 000001398 ____H C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job
2018-01-27 22:33 - 2016-02-10 18:19 - 000001398 ____H C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job
2018-01-27 22:33 - 2015-05-29 22:29 - 000001398 ____H C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job
2018-01-27 22:33 - 2014-07-14 10:16 - 000001398 ____H C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job
2018-01-27 22:33 - 2014-07-10 12:52 - 000001398 ____H C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job
2018-01-27 22:33 - 2014-02-17 07:41 - 000000000 ____D C:\Users\Me\AppData\Roaming\Nitro PDF
2018-01-27 22:33 - 2013-08-22 09:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2018-01-27 22:10 - 2016-07-19 11:21 - 000000000 ____D C:\Users\Me
2018-01-27 21:56 - 2016-07-19 11:29 - 000000258 __RSH C:\ProgramData\ntuser.pol
2018-01-27 21:09 - 2013-10-01 19:48 - 000000000 ____D C:\Users\Me\AppData\Local\NPE
2018-01-27 20:55 - 2015-03-08 18:53 - 000000000 ____D C:\Program Files (x86)\NIKON IMAGE SPACE UPLOADER
2018-01-27 15:37 - 2017-05-19 07:26 - 000000000 ____D C:\ProgramData\Malwarebytes
2018-01-27 12:37 - 2013-09-22 22:55 - 000000000 ____D C:\Users\Me\AppData\Local\CrashDumps
2018-01-27 11:36 - 2014-10-18 06:29 - 000000000 ____D C:\Program Files (x86)\Java
2018-01-27 11:36 - 2013-09-25 07:43 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2018-01-27 08:00 - 2014-07-10 12:51 - 000000406 _____ C:\Windows\Tasks\X-Rite Device Services Software Updater.job
2018-01-26 17:11 - 2013-09-22 22:59 - 000000000 ____D C:\Users\Me\AppData\Roaming\vlc
2018-01-25 12:38 - 2013-10-23 08:31 - 000000000 ____D C:\Users\Me\Pictures\Documents\WonderFox Soft
2018-01-24 12:05 - 2014-10-18 06:29 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2018-01-24 12:05 - 2014-02-05 21:55 - 000000000 ____D C:\ProgramData\Oracle
2018-01-24 12:04 - 2014-10-18 06:29 - 000097344 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2018-01-24 11:40 - 2013-08-22 08:25 - 000262144 ___SH C:\Windows\system32\config\ELAM
2018-01-23 19:01 - 2015-08-08 20:55 - 000000000 ____D C:\Users\Me\AppData\Local\CaptureOne
2018-01-23 09:26 - 2016-10-20 17:40 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FlashIntegro
2018-01-19 17:12 - 2017-09-22 11:28 - 000001162 _____ C:\Users\Me\Desktop\HVAC.txt
2018-01-16 04:49 - 2017-11-29 19:01 - 000003554 _____ C:\Windows\System32\Tasks\GarminUpdaterTask
2018-01-16 04:49 - 2017-11-29 19:01 - 000000000 ____D C:\Program Files (x86)\Garmin
2018-01-16 04:49 - 2014-12-08 10:31 - 000000000 ____D C:\ProgramData\Package Cache
2018-01-16 04:49 - 2014-02-16 20:46 - 000000000 ____D C:\ProgramData\Garmin
2018-01-13 09:39 - 2013-08-22 10:36 - 000000000 ____D C:\Windows\rescache
2018-01-13 08:34 - 2013-08-22 09:44 - 005022768 _____ C:\Windows\system32\FNTCACHE.DAT
2018-01-13 08:34 - 2013-08-22 08:25 - 000524288 ___SH C:\Windows\system32\config\BBI
2018-01-13 08:33 - 2013-08-22 10:36 - 000000000 ___RD C:\Windows\ToastData
2018-01-13 08:17 - 2013-09-18 06:44 - 000000000 ____D C:\Windows\system32\MRT
2018-01-13 08:17 - 2012-07-26 02:59 - 000000000 ____D C:\Windows\CbsTemp
2018-01-13 08:13 - 2017-10-17 08:49 - 129365736 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2018-01-13 08:13 - 2013-09-18 06:44 - 129365736 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2018-01-12 15:19 - 2013-09-26 23:18 - 000000000 ____D C:\Users\Me\AppData\Roaming\Anthropics
2018-01-09 09:03 - 2013-09-17 11:07 - 000004288 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2018-01-09 09:03 - 2013-08-22 10:36 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2018-01-09 09:03 - 2013-08-22 10:36 - 000000000 ____D C:\Windows\system32\Macromed

==================== Files in the root of some directories =======

2015-11-21 15:46 - 2016-09-02 16:49 - 000000132 _____ () C:\Users\Me\AppData\Roaming\Adobe BMP Format CS5 Prefs
2014-03-22 22:43 - 2017-06-02 11:35 - 000000132 _____ () C:\Users\Me\AppData\Roaming\Adobe GIF Format CS5 Prefs
2014-03-22 22:10 - 2017-06-08 21:29 - 000000132 _____ () C:\Users\Me\AppData\Roaming\Adobe PNG Format CS5 Prefs
2015-03-08 18:53 - 2015-03-08 18:53 - 000000345 _____ () C:\Users\Me\AppData\Roaming\com.nikonimagespace.uploader_state.xml
2014-07-10 12:23 - 2016-02-08 19:39 - 000000291 _____ () C:\Users\Me\AppData\Roaming\FotoSketcher.ini
2013-09-23 11:53 - 2013-09-23 11:53 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\People
2013-09-23 11:53 - 2013-09-23 12:27 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\Percussion Kit
2013-09-23 12:27 - 2013-09-23 12:27 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\Perl
2013-09-23 12:27 - 2013-09-23 12:27 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\Phaser
2017-10-18 15:40 - 2017-10-18 16:17 - 000000012 ____T () C:\Users\Me\AppData\Roaming\Samsung Magician Installer.lockfile
2013-11-22 21:13 - 2013-11-22 21:13 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\Treble Reduction
2013-11-22 21:14 - 2013-11-22 21:14 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\Tremolo
2013-11-22 21:13 - 2013-11-22 21:13 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\Tribal Masks
2013-11-22 21:13 - 2013-11-22 21:13 - 000000268 ___RH () C:\Users\Me\AppData\Roaming\Woodwind
2016-01-05 23:44 - 2017-11-16 19:41 - 000001456 _____ () C:\Users\Me\AppData\Local\Adobe Save for Web 12.0 Prefs
2014-03-22 23:05 - 2014-03-22 23:05 - 000001776 _____ () C:\Users\Me\AppData\Local\recently-used.xbel
2013-09-24 17:40 - 2015-09-09 15:53 - 000007659 _____ () C:\Users\Me\AppData\Local\Resmon.ResmonCfg

Files to move or delete:
====================
C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job
C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job
C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job
C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job
C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job


Some files in TEMP:
====================
2012-08-03 12:31 - 2012-08-03 12:31 - 000137128 _____ (TOSHIBA Corporation) C:\Users\ADMINI~1\AppData\Local\Temp\CreateToastShortcut.exe
2012-08-03 12:31 - 2012-08-03 12:31 - 000087976 _____ (TOSHIBA Corporation) C:\Users\ADMINI~1\AppData\Local\Temp\CreateToastShortcutDll.dll
2012-07-16 15:45 - 2012-07-16 15:45 - 000090024 _____ (TOSHIBA Corporation) C:\Users\ADMINI~1\AppData\Local\Temp\StartMenu.exe
2012-07-30 12:51 - 2012-07-30 12:51 - 000071592 _____ () C:\Users\ADMINI~1\AppData\Local\Temp\TosNoRestart.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2018-01-28 00:03

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Me (28-01-2018 00:27:55)
Running from D:\D_Downloads
Windows 8.1 (Update) (X64) (2016-07-19 16:29:44)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4007766687-3714460472-3212241914-500 - Administrator - Disabled)
Camera_User (S-1-5-21-4007766687-3714460472-3212241914-1002 - Administrator - Enabled) => C:\Users\Camera_User
Guest (S-1-5-21-4007766687-3714460472-3212241914-501 - Limited - Enabled)
Me (S-1-5-21-4007766687-3714460472-3212241914-1001 - Administrator - Enabled) => C:\Users\Me

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Security (Enabled - Up to date) {30744133-1E94-7B35-F4A3-82A5AEF1CBAA}
AV: Malwarebytes (Enabled - Up to date) {23007AD3-69FE-687C-2629-D584AFFAF72B}
AS: Malwarebytes (Enabled - Up to date) {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Security (Enabled - Up to date) {8B15A0D7-38AE-74BB-CE13-B9D7D5768117}
FW: Norton Security (Enabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

1 Moment of Time - Silentville (HKLM-x32\...\1 Moment of Time - Silentville_is1) (Version: 1.0 - MyPlayCity, Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
AbstractCurves x64 (HKLM\...\AbstractCurves AbstractCurves x64 1) (Version: 1.190 - AbstractCurves Software)
AC-3 ACM Codec 2.2 (HKLM-x32\...\AC3ACM) (Version: 2.2 - fccHandler)
ActivePresenter (HKLM-x32\...\{A2A40277-D807-4754-95A3-2F294C2C51D3}_is1) (Version: 5.5.3 - Atomi Systems, Inc.)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 18.009.20050 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 20.0.0.233 - Adobe Systems Incorporated)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.5.23 - Adobe Systems Incorporated.)
Adobe Connect 9 Add-in (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Adobe Connect 9 Add-in) (Version: 11.9.976.291 - Adobe Systems Incorporated)
Adobe Flash Player 28 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 28.0.0.137 - Adobe Systems Incorporated)
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe Photoshop CS5 (HKLM-x32\...\{15FEDA5F-141C-4127-8D7E-B962D1742728}) (Version: 12.0 - Adobe Systems Incorporated)
Aimersoft Video Editor(Build 3.5.0) (HKLM-x32\...\Aimersoft Video Editor_is1) (Version: - Aimersoft Software)
AIMP3 (HKLM-x32\...\AIMP3) (Version: v3.20.1165, 21.12.2012 - AIMP DevTeam)
Aiseesoft DVD Creator 5.1.58 (HKLM-x32\...\{094BCE17-69CE-45ce-A131-F674CE996B3F}_is1) (Version: 5.1.58 - Aiseesoft Studio)
AllMyNotes Organizer (HKLM-x32\...\AllMyNotes Organizer) (Version: 2.80 - Vladonai Software)
Amazon Kindle (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Amazon Kindle) (Version: 1.20.1.47037 - Amazon)
ANT Drivers Installer x64 (HKLM\...\{D7BFF9DB-7CD7-4F34-ADD9-D17481A91A82}) (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
AOMEI Backupper Professional (HKLM-x32\...\{A83692F5-3E9B-4E95-9E7E-B5DF5536CE9D}_is1) (Version: - AOMEI Technology Co., Ltd.)
AOMEI Partition Assistant Pro Edition 6.1 (HKLM-x32\...\{02F850ED-FD0E-4ED1-BE0B-5498165BF300}_is1) (Version: - AOMEI Technology Co., Ltd.)
Apowersoft Screen Recorder Pro V1.1.9 (HKLM-x32\...\{BADAA284-1D15-4EBB-B1E5-7C86603CDBBB}_is1) (Version: 1.1.9 - Apowersoft)
Ashampoo Burning Studio 2017 (HKLM-x32\...\{91B33C97-C878-6579-69BA-23E5405C7AAB}_is1) (Version: 18.0.0 - Ashampoo GmbH & Co. KG)
Ashampoo Privacy Protector 2015 v.1.0.1 (HKLM-x32\...\{91B33C97-1187-82D5-494C-E86DE5C5262D}_is1) (Version: 1.0.1 - Ashampoo GmbH & Co. KG)
Ashampoo Slideshow Studio 2015 v.1.0.0 (HKLM-x32\...\{91B33C97-4A6F-D11F-A387-040BB4E1094E}_is1) (Version: 1.0.0 - Ashampoo GmbH & Co. KG)
Ashampoo Snap 2017 (HKLM-x32\...\{0A11EA01-F22C-84C3-9723-53CA58DB6F9C}_is1) (Version: 1.0.0 - Ashampoo GmbH & Co. KG)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.6 - Atheros Communications Inc.)
Audacity 2.0.4 (HKLM-x32\...\Audacity_is1) (Version: 2.0.4 - Audacity Team)
AutoUpdate (HKLM-x32\...\{18D10072035C4515918F7E37EAFAACFC}) (Version: 1.1 - )
Big Fish: Game Manager (HKLM-x32\...\BFGC) (Version: 3.2.0.7 - )
Bluetooth Stack for Windows by Toshiba (HKLM\...\{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}) (Version: v9.10.32(T) - TOSHIBA CORPORATION)
Bonjour (HKLM\...\{E4F5E48E-7155-4CF9-88CD-7F377EC9AC54}) (Version: 2.0.4.0 - Apple Inc.)
Brother HL-4040CN (HKLM-x32\...\{1474AA57-F5E9-42EC-8E2E-F28C3AF00C56}) (Version: 1.00 - Brother)
BurnAware Premium 10.1 GAOTD (HKLM-x32\...\BurnAware Premium_is1) (Version: - Burnaware)
Canon Pro9000 Printer Driver (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_Pro9000) (Version: - )
Capture One 11.0 (HKLM\...\CaptureOne11_is1) (Version: 11.0.0.266 - Phase One A/S)
Capture One 9.3 (HKLM\...\CaptureOne9_is1) (Version: 9.3.0.85 - Phase One A/S)
CCleaner (HKLM\...\CCleaner) (Version: 4.05 - Piriform)
ChromecastApp (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\{079ede36-133d-44b0-8053-c7c1fa8d2e0d}_is1) (Version: 1.5.1693.0 - Google Inc.)
Citrix Online Launcher (HKLM-x32\...\{DB014C85-A264-4BCA-A66F-6DD1FCF8EC36}) (Version: 1.0.335 - Citrix)
Classic Shell (HKLM\...\{840C85B7-D3D6-4143-9AF9-DAE80FD54CFC}) (Version: 4.1.0 - IvoSoft)
Clone Files Checker (HKLM-x32\...\Clone Files Checker_is1) (Version: 3.0 - SORCIM Technologies Pvt Ltd)
ColorChecker Passport 1.0.2 (HKLM-x32\...\ColorChecker Passport_is1) (Version: - X-Rite)
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.0.4) (Version: 5.0.0.4 - Coupons.com Incorporated)
CPUBalance (HKLM-x32\...\ProBalance) (Version: 1.0.0.68 - Bitsum)
Cricut Design Space Client (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Cricut Design Space Client) (Version: 5.5.0.7 - Provo Craft)
CrystalDiskInfo 5.6.2 (HKLM-x32\...\CrystalDiskInfo_is1) (Version: 5.6.2 - Crystal Dew World)
Cut Out 4.0 (HKLM\...\Cut Out 4_is1) (Version: - Franzis.de)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Data Lifeguard Diagnostic for Windows 1.24 (HKLM-x32\...\{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1) (Version: - Western Digital Corporation)
Dell Printer Hub (HKLM-x32\...\{98F3B1BD-3D7C-42EC-8149-18E3FE9ECE22}) (Version: 2.0.0.47 - Dell Inc.) Hidden
Dell Printer Hub (HKLM-x32\...\InstallShield_{98F3B1BD-3D7C-42EC-8149-18E3FE9ECE22}) (Version: 2.0.0.47 - Dell Inc.)
Dell Printer Hub for Dell Printer E310dw (HKLM-x32\...\{F3963644-EA3A-4FDC-BF32-68D97F82AA49}) (Version: 1.16.0000 - Dell Inc.)
Demon Hunter version 1.5 (HKLM-x32\...\{A126A468-1ECF-40B3-9292-FE579CC5EE04}_is1) (Version: 1.5 - Immanitas Entertainment)
digiCamControl (HKLM-x32\...\{19D12628-7654-4354-A305-9AB0A3502683}) (Version: 1.2.99.12 - Duka Istvan)
digiCamControl (HKLM-x32\...\digiCamControl) (Version: 1.2.0 - Duka Istvan)
Digital Coupon Printer (HKLM-x32\...\{2095A496-250E-4A1F-90AD-691246819A9A}) (Version: 3.17.0.0 - Hopster, Inc. an Inmar company)
Digital Photo Software FotoMix 8.0 (HKLM-x32\...\FotoMix) (Version: 8.0 - Digital Photo Software)
DivX Codec (HKLM-x32\...\{7B63B2922B174135AFC0E1377DD81EC2}) (Version: 6.6.1 - DivX, Inc.)
DNG ProfileManager 1.0.3 (HKLM-x32\...\DNG ProfileManager_is1) (Version: - X-Rite)
Duplicate File Finder Plus 4.0 (HKLM-x32\...\Duplicate File Finder Plus_is1) (Version: - TriSun Software Inc.)
DVDFab Media Player 2 (HKLM-x32\...\DVDFab Media Player 2_is1) (Version: 2.2.0.0 - Fengtao Software Inc.)
DxO OpticsPro 11 (HKLM\...\{88CD09A5-EC52-474B-867F-0E147A9C4C6E}) (Version: 11.4.2 - DxO)
E514dw_E515dn_E515dw Scan Plugin (HKLM-x32\...\{AB72F66E-D98D-47F8-95A1-F5012E208A8F}) (Version: 2.0.0.31 - Dell Inc.) Hidden
E525w Scan Plugin (HKLM-x32\...\{A4378F49-96AF-48DE-BF40-5D9ED469AC33}) (Version: 2.0.0.31 - Dell Inc.) Hidden
EAGLE 7.1.0 (HKLM-x32\...\EAGLE 7.1.0) (Version: 7.1.0 - CadSoft Computer GmbH)
EaseUS Partition Master 10.2 Trial Edition (HKLM-x32\...\EaseUS Partition Master Trial Edition_is1) (Version: - EaseUS)
Easy Drive Data Recovery (HKLM-x32\...\Easy Drive Data Recovery) (Version: 3.0 - MunSoft)
Easy Photo Denoise 2.0 (HKLM-x32\...\Easy Photo Denoise_is1) (Version: 2.0 - SoftOrbits)
Elevated Installer (HKLM-x32\...\{B18AA903-4BA9-45C4-BE06-F90EE091CA01}) (Version: 6.0.0.0 - Garmin Ltd or its subsidiaries) Hidden
Exorcist (HKLM-x32\...\Exorcist_is1) (Version: 1.0 - MyPlayCity, Inc.)
Fall of the New Age (HKLM-x32\...\Fall of the New Age_is1) (Version: 1.0 - Playrix Entertainment)
Fast HTML Checker (HKLM\...\{2B75557A-B66B-4C26-8AFD-F1B752C1D4CB}) (Version: 3.0.700 - WebTweakTools.com)
Filter Forge 5.013 (HKLM-x32\...\Filter Forge 5_is1) (Version: - Filter Forge, Inc.)
FlashBoot 2.3g (promotional edition) (HKLM\...\FlashBoot_is1) (Version: - Mikhail Kupchik)
FOCUS projects professional (64-Bit) (HKLM\...\FOCUS_PROJECTS_1_3_EDC5B478_is1) (Version: 1.15 - Franzis Verlag GmbH)
FormatFactory 3.7.5.0 (HKLM-x32\...\FormatFactory) (Version: 3.7.5.0 - Free Time)
FotoSketcher 2.85 (HKLM-x32\...\{E7C6D565-2E48-4303-A114-AFE7B2E561AF}_is1) (Version: - David THOIRON)
Free RAR Extract Frog (HKLM-x32\...\Free RAR Extract Frog) (Version: 5.20 - Philipp Winterberg)
FTP Voyager 16.2.0 (HKLM\...\FTP Voyager_is1) (Version: 16.2.0.328 - SolarWinds Worldwide LLC)
Garmin Express (HKLM-x32\...\{5d118c52-30ad-455d-bc77-2b4dec81cce5}) (Version: 6.0.0.0 - Garmin Ltd or its subsidiaries)
Garmin Express (HKLM-x32\...\{5F35EB8B-5E1D-46A1-A5C3-FAA408AB61D4}) (Version: 6.0.0.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (HKLM-x32\...\{A1A340BC-E833-454E-9EBE-D3B8B147783E}) (Version: 6.0.0.0 - Garmin Ltd or its subsidiaries) Hidden
Google Talk Plugin (HKLM-x32\...\{F9B579C2-D854-300A-BE62-A09EB9D722E4}) (Version: 5.41.3.0 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.7 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.3 - Google Inc.) Hidden
GoToMeeting 7.19.0.5102 (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\GoToMeeting) (Version: 7.19.0.5102 - CitrixOnline)
Great Secrets - Da Vinci (HKLM-x32\...\Great Secrets - Da Vinci_is1) (Version: 1.0 - MyPlayCity, Inc.)
Greeting Card Builder 3.2.0 (HKLM-x32\...\{82647B93-3F9C-4BBA-8801-E54DEB46736A}_is1) (Version: - PearlMountain Technology Co., Ltd)
Haunting Mysteries The Island of Lost Souls (HKLM-x32\...\Haunting Mysteries The Island of Lost Souls_is1) (Version: 1.0 - Playrix Entertainment)
HD Video Converter Factory Pro (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\HDVideoConverterFactoryPro) (Version: - WonderFox Soft, Inc. All Rights Reserved.)
HitFilm 3 Express (HKLM\...\{AFD4EBF8-F2E9-47C8-BE6D-049A0E0CEC01}) (Version: 3.1.4724.15452 - FXhome)
HitFilm 4 Express (HKLM\...\{B266DF92-432D-4985-91C3-70148568AB79}) (Version: 4.0.5422.10801 - FXHOME)
Hornil StylePix Pro (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Hornil StylePix Pro) (Version: 1.14.2.2 - Hornil Co.)
House of 1000 Doors - Family Secrets (HKLM-x32\...\House of 1000 Doors - Family Secrets_is1) (Version: 1.0 - MyPlayCity, Inc.)
HTC Driver Installer (HKLM-x32\...\{4CEEE5D0-F905-4688-B9F9-ECC710507796}) (Version: 4.10.0.001 - HTC Corporation)
HTC Sync Manager (HKLM-x32\...\{368E4EF8-E840-40EE-A224-50B8D1DC2B12}) (Version: 2.4.36.0 - HTC)
i1Profiler (HKLM-x32\...\i1Profiler_is1) (Version: 1.7.1.2596 - X-Rite)
Incomedia WebSite X5 v9 - Evolution (HKLM-x32\...\{64392EEB-38EF-45FD-822D-5C75CA136860}_is1) (Version: 9.1.12.1975 - Incomedia s.r.l.)
Inkscape 0.92.1 (HKLM-x32\...\Inkscape) (Version: 0.92.1 - Inkscape Project)
Inpaint 6.0 (HKLM\...\{2AEDC172-479F-47AE-8A48-A0524D4AED5B}_is1) (Version: - Teorex)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3345 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel® WiDi (HKLM\...\{23D486D4-FBE0-40F3-A245-E4D56D094764}) (Version: 3.5.41.0 - Intel Corporation)
IPTInstaller (HKLM-x32\...\{08208143-777D-4A06-BB54-71BF0AD1BB70}) (Version: 4.0.9 - HTC)
Java 8 Update 161 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180161F0}) (Version: 8.0.1610.12 - Oracle Corporation)
Kerish Doctor 2016 (HKLM-x32\...\{EF70A54F-E09E-4570-8F21-C7674CDDB5B6}_is1) (Version: 4.60 - Kerish Products)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - )
LAV Filters 0.55.3 (HKLM-x32\...\lavfilters_is1) (Version: 0.55.3 - Hendrik Leppkes)
LibreOffice 4.1 Help Pack (English (United States)) (HKLM-x32\...\{846A2732-D5DB-48BA-AF00-158078C1E034}) (Version: 4.1.1.2 - The Document Foundation)
LibreOffice 4.1.1.2 (HKLM-x32\...\{F1EE568A-171F-4C06-9BE6-2395BED067A3}) (Version: 4.1.1.2 - The Document Foundation)
Living Legends Frozen Beauty (HKLM-x32\...\Living Legends Frozen Beauty_is1) (Version: 1.0 - Playrix Entertainment)
Living Legends Ice Rose (HKLM-x32\...\Living Legends Ice Rose_is1) (Version: 1.0 - Playrix Entertainment)
Macrorit Disk Partition Expert Professional 2016 (HKLM-x32\...\Macrorit_MDE) (Version: 2016 - Macrorit Inc.)
Magic Uneraser 3.8 (HKLM-x32\...\Magic Uneraser) (Version: - )
MakeUp Guide 1.4.2 (HKLM\...\MakeUp Guide_is1) (Version: 1.4.2 - Tint Guide)
Malwarebytes version 3.3.1.2183 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.3.1.2183 - Malwarebytes)
Mechanicus - Star Confrontation (HKLM-x32\...\Mechanicus - Star Confrontation_is1) (Version: 1.0 - MyPlayCity, Inc.)
Micrografx Picture Publisher 10 (HKLM-x32\...\{04AABF6D-55C5-4779-ABF9-992016E913A2}) (Version: 1.0.0.0 - Micrografx)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft RichCopy 4.0 (HKLM-x32\...\{86F4F32B-77C7-4951-B33C-05D41A8190C1}) (Version: 4.0.216 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\SkyDriveSetup.exe) (Version: 16.4.6010.0727 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4048 (HKLM\...\{91415F19-4C22-3609-A105-92ED3522D83C}) (Version: 9.0.30729.4048 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4048 (HKLM-x32\...\{5B1F2843-B379-3FF2-B0D3-64DD143ED53A}) (Version: 9.0.30729.4048 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM-x32\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x64) - 14.11.25325 (HKLM-x32\...\{6c6356fe-cbfa-4944-9bed-a9e99f45cb7a}) (Version: 14.11.25325.0 - Microsoft Corporation)
MiniAide Fat32 Formatter Home Edition version 1.05 (HKLM-x32\...\{C206CD7D-7CFE-4F0C-BC68-8873CDE3A5F5}_is1) (Version: 1.05 - MiniAide Tech Development Co., Ltd.)
Movie Maker (HKLM-x32\...\{5BABDA39-61CF-41EE-992D-4054B6649A9B}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{ED6C77F9-4D7E-447C-9EC0-9A212D075535}) (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 52.6.0 ESR (x64 en-US) (HKLM\...\Mozilla Firefox 52.6.0 ESR (x64 en-US)) (Version: 52.6.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.6.0.6592 - Mozilla)
Mozilla Thunderbird 52.5.2 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 52.5.2 (x86 en-US)) (Version: 52.5.2 - Mozilla)
MTP Porting Kit (HKLM-x32\...\{353B1E6D-7073-4450-8C80-699BD8FCFB49}) (Version: 12.0.0 - Microsoft Corp)
MyDraw 2.0.0 (HKLM-x32\...\{3F3EE940-69C2-42D0-AA46-033D4CA1F51D}_is1) (Version: 2.0.0 - Nevron Software)
Namariel Legends - Iron Lord Collector's Edition (HKLM-x32\...\Namariel Legends - Iron Lord Collector's Edition_is1) (Version: 1.0 - Playrix Entertainment)
Nearwood Collector's Edition (HKLM-x32\...\Nearwood Collector's Edition_is1) (Version: 1.0 - MyPlayCity, Inc.)
Nik Collection (HKLM-x32\...\Nik Collection) (Version: 1.2.11 - Google)
NIKON IMAGE SPACE UPLOADER (HKLM-x32\...\{FF16363A-46D4-914E-010A-27DF55793BCA}) (Version: 1.2 - NIKON CORPORATION) Hidden
NIKON IMAGE SPACE UPLOADER (HKLM-x32\...\com.nikonimagespace.uploader) (Version: 1.2 - NIKON CORPORATION)
Nikon Message Center 2 (HKLM-x32\...\{B014EE44-9197-4513-9613-71E6EB1B514E}) (Version: 2.1.0 - Nikon)
Nikon Movie Editor (HKLM-x32\...\{5CAD3393-EEC0-44CE-9F93-BCAA365B77FB}) (Version: 2.8.0 - Nikon)
Nitro PDF Express (HKLM\...\{E4C92C0A-9B54-11DE-B7F8-5A2256D89593}) (Version: 2.0.0.6 - Nitro PDF Software)
Norton PC Checkup (HKLM-x32\...\NortonPCCheckup) (Version: 2.0.18.15 - Symantec Corporation)
Norton Security (HKLM-x32\...\NS) (Version: 22.11.2.7 - Symantec Corporation)
Norton Security Dashboard (HKLM-x32\...\NortonSD) (Version: 1.1.1.9 - Symantec Corporation)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.9.1 - Notepad++ Team)
NTI Echo (HKLM-x32\...\{B8E4EADA-5427-4408-8C03-F1BCA5E3319C}) (Version: 3.0.0.62 - NTI Corporation) Hidden
NTI Echo (HKLM-x32\...\InstallShield_{B8E4EADA-5427-4408-8C03-F1BCA5E3319C}) (Version: 3.0.0.62 - NTI Corporation)
Nuance PaperPort 14 (HKLM-x32\...\{AEF2D1F4-0696-11D5-8E6A-00C04F7FA234}) (Version: 14.5.0000 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM-x32\...\{FC984E39-43D0-4AB2-ACC7-A7B87977B009}) (Version: 7.20.3274 - Nuance Communications, Inc.)
P@H-Protocol (HKLM-x32\...\{CF594DB8-CFB0-45B4-86DA-8BB4AC0941F8}) (Version: 3.0.7.0 - Valassis)
Pahelika Rrevelations (HKLM-x32\...\Pahelika Rrevelations_is1) (Version: 1.0 - Playrix Entertainment)
Pantone Color Manager 2.1.0 (HKLM-x32\...\Pantone Color Manager_is1) (Version: - PANTONE)
PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 14.00.0001 - Nuance Communications, Inc.)
PDF Settings CS5 (HKLM-x32\...\{A78FE97A-C0C8-49CE-89D0-EDD524A17392}) (Version: 10.0 - Adobe Systems Incorporated) Hidden
Perfect Effects 8 (HKLM-x32\...\{C982ACFF-5997-4B7D-B3E1-CF7273A06FB2}) (Version: 8.1.0 - onOne Software)
Photo BUZZER (64-Bit) (HKLM\...\EMOTION_PROJECTS_1_2_CDF5610E_is1) (Version: 1.14 - Franzis Verlag GmbH)
PHOTO projects 3 (64-Bit) (HKLM\...\COLOR_PROJECTS_3_3_C935FDA1_is1) (Version: 3.34 - Franzis Verlag GmbH)
Photo to Sketch Converter 1.4 (HKLM-x32\...\Photo to Sketch Converter_is1) (Version: 1.4 - SoftOrbits)
Picture Control Utility x64 (HKLM\...\{11953C65-BB4E-4CA4-B0F0-2600A4B20040}) (Version: 1.4.15 - Nikon)
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PortraitPro Body Studio 2.2 (HKLM\...\com.anthropics.portraitprobodystudio2_is1) (Version: 2.2 - Anthropics Technology Ltd)
PortraitPro Studio 17.1 (HKLM\...\com.anthropics.portraitprostudio17_is1) (Version: 17.1 - Anthropics Technology Ltd.)
Prism Video File Converter (HKLM-x32\...\Prism) (Version: 3.04 - NCH Software)
Process Hacker 2.33 (r5590) (HKLM\...\Process_Hacker2_is1) (Version: 2.33.0.5590 - wj32)
Process Lasso (HKLM-x32\...\ProcessLasso) (Version: 9.0.0.348 - Bitsum)
Project Dogwaffle Howler version 8.2 (HKLM-x32\...\{0DA77807-8CC9-4026-A318-64B863E34BAA}_is1) (Version: 8.2 - Daniel Ritchie)
PT Portrait - Studio Edition 4.1 (HKLM\...\{8E2D6BBF-8372-4B53-B006-E24DCE64753A}_is1) (Version: 4.1 - PHOTO-TOOLBOX.COM)
reaConverter 7 Standard (HKLM-x32\...\{659727C6-7267-4076-803B-351A467F6CAF}_is1) (Version: 7.1.51.0 - reaConverter LLC)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6794 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.2.8400.29029 - Realtek Semiconductor Corp.)
Remo Recover FREE Edition 1.0 (HKLM\...\{A6CD3589-2B65-44D1-B68D-E0E6C79EE639}_is1) (Version: 1.0.0.15 - Remo Software)
Remove Logo Now! 1.5 (HKLM-x32\...\Remove Logo Now!_is1) (Version: 1.5 - SoftOrbits)
RonyaSoft Poster Designer (Poster Forge) 2.02 (HKLM-x32\...\RonyaSoft Poster Designer (Poster Forge)) (Version: 2.02 - RonyaSoft)
Sacra Terra - Angelic Night (HKLM-x32\...\Sacra Terra - Angelic Night_is1) (Version: 1.0 - MyPlayCity, Inc.)
Samsung Data Migration (HKLM-x32\...\{3B304604-0BF5-488E-AB95-F2F2E31206F3}) (Version: 3.1 - Samsung)
Samsung Magician (HKLM-x32\...\{29AE3F9F-7158-4ca7-B1ED-28A73ECDB215}_is1) (Version: 5.0.0.790 - Samsung Electronics)
Scansoft PDF Professional (HKLM-x32\...\{068724F8-D8BE-4B43-8DDD-B9FE9E49FD76}) (Version: - ) Hidden
Secrets of the Past - Mother's Diary (HKLM-x32\...\Secrets of the Past - Mother's Diary_is1) (Version: 1.0 - MyPlayCity, Inc.)
SILVER projects professional (64-Bit) (HKLM\...\SILVER_PROJECTS_1_3_28B15F1D_is1) (Version: 1.14 - Franzis Verlag GmbH)
SimpleIDE version 1-0-2-RC2 (HKLM-x32\...\{CE380BA3-F51E-4DCB-A068-216961358E89}_is1) (Version: 1-0-2-RC2 - ParallaxInc)
SIW Pro Edition (GOTD) (HKLM-x32\...\{AB67580-257C-45FF-B8F4-C8C30682091A}_is1) (Version: 2014.01.30 - Topala Software Solutions)
Slingshot Puzzle (HKLM-x32\...\Slingshot Puzzle_is1) (Version: 1.0 - MyPlayCity, Inc.)
Snark Busters - Welcome to the Club (HKLM-x32\...\Snark Busters - Welcome to the Club_is1) (Version: 1.0 - MyPlayCity, Inc.)
SRS Premium Sound Control Panel (HKLM\...\{000A208E-1050-4181-AC37-E13DA9254B73}) (Version: 1.12.6000 - DTS, Inc.)
Summitsoft Website Creator - Evolution (HKLM-x32\...\Summitsoft Website Creator - Evolution) (Version: - Incomedia s.r.l.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.10.51 - Synaptics Incorporated)
The Book of Desires (HKLM-x32\...\The Book of Desires_is1) (Version: 1.0 - MyPlayCity, Inc.)
The Lake House - Children of Silence (HKLM-x32\...\The Lake House - Children of Silence_is1) (Version: 1.0 - MyPlayCity, Inc.)
The World's Legends - Kashchey the Immortal (HKLM-x32\...\The World's Legends - Kashchey the Immortal_is1) (Version: 1.0 - MyPlayCity, Inc.)
TOSHIBA Application Installer (HKLM-x32\...\{970472D0-F5F9-4158-A6E3-1AE49EFEF2D3}) (Version: 9.0.1.4 - TOSHIBA)
TOSHIBA Battery Check Utility (HKLM-x32\...\{5468E297-7EF8-4CB3-A091-F8714147793F}) (Version: 1.00.04.01 - Toshiba Client Solutions Co., Ltd.)
TOSHIBA Desktop Assist (HKLM\...\{95CCACF0-010D-45F0-82BF-858643D8BC02}) (Version: 1.02.01.6407 - Toshiba Corporation)
TOSHIBA eco Utility (HKLM\...\{5944B9D4-3C2A-48DE-931E-26B31714A2F7}) (Version: 2.2.0.6404 - Toshiba Corporation)
TOSHIBA Function Key (HKLM\...\{16562A90-71BC-41A0-B890-D91B0C267120}) (Version: 1.1.0002.6401 - Toshiba Corporation)
TOSHIBA HDD Accelerator (HKLM\...\{DB4D9937-0B14-4EF1-BF9A-BB7E3B9DCB04}) (Version: 1.1.0001 - Toshiba Corporation)
TOSHIBA HDD Protection (HKLM\...\{94A90C69-71C1-470A-88F5-AA47ECC96B40}) (Version: 2.5.0002.64002 - Toshiba Corporation)
TOSHIBA Password Utility (HKLM-x32\...\{B1786E63-2127-42C9-95A3-146E5F727BF1}) (Version: v1.0.0.9 - TOSHIBA Corporation)
TOSHIBA Quality Application (HKLM-x32\...\{E69992ED-A7F6-406C-9280-1C156417BC49}) (Version: 1.0.8 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.2.0.54043005 - Toshiba Corporation)
TOSHIBA Resolution+ Plug-in for Windows Media Player (HKLM-x32\...\{6CB76C9D-80C2-4CB3-A4CD-D96B239E3F94}) (Version: 1.2.2.00 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM\...\{B1F241E1-90BF-4201-8977-A0DF85A38EBB}) (Version: 2.6.16.0 - Toshiba Corporation)
TOSHIBA System Driver (HKLM-x32\...\{1E6A96A1-2BAB-43EF-8087-30437593C66C}) (Version: 1.00.0032 - Toshiba Corporation)
TOSHIBA System Settings (HKLM-x32\...\{05A55927-DB9B-4E26-BA44-828EBFF829F0}) (Version: 1.00.0002.32002 - Toshiba Corporation)
TOSHIBA User's Guide (HKLM-x32\...\{3384E1D9-3F18-4A98-8655-180FEF0DFC02}) (Version: 1.00.02 - TOSHIBA)
TOSHIBARegistration (HKLM-x32\...\{5AF550B4-BB67-4E7E-82F1-2C4300279050}) (Version: 1.1.6 - TOSHIBA)
TUSBAudio Driver v1.61.0 (HKLM-x32\...\TUSBAudio Driver v1.61.0) (Version: 1.61.0 - USBAudio)
TVCenter (HKLM\...\{18F703C3-32EC-4E5C-BC3C-C1BD72D35F5B}) (Version: 6.4.0.784 - PCTV Systems)
Video Converter Factory Pro (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\VideoConverterFactoryPro) (Version: - WonderFox Soft, Inc. All Rights Reserved.)
Video Converter Factory Pro 8.8 (HKLM-x32\...\Video Converter Factory Pro) (Version: 8.8 - WonderFox Soft, Inc.)
Video Enhancer 2.1.2 (HKLM-x32\...\Video Enhancer 2_is1) (Version: - Infognition Co. Ltd.)
Video to GIF 5.2 (HKLM-x32\...\Video to GIF) (Version: 5.2 - AoaoPhoto Digital Studio.)
Video to Video (HKLM-x32\...\{7F95A744-78DA-4AED-A8F0-A0AF330B8411}_is1) (Version: - Media Converters)
VideoPad Video Editor (HKLM-x32\...\VideoPad) (Version: 3.74 - NCH Software)
ViewMate 11.10 (HKLM-x32\...\{A89A9556-B6E3-4642-A8F7-64F5C580B48A}) (Version: 11.10.24 - PentaLogix) Hidden
ViewMate 11.10 (HKLM-x32\...\{D27CD252-05B6-4D97-8B32-B15F340F7B76}) (Version: 11.10.24 - PentaLogix)
ViewNX 2 (HKLM\...\{635BE602-BB9C-4C59-8CC5-93F9366E8A21}) (Version: 2.8.2 - Nikon)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.6 - VideoLAN)
VSDC Free Video Editor version 5.5.0.601 (HKLM-x32\...\VSDC Free Video Editor_is1) (Version: 5.5.0.601 - Flash-Integro LLC)
Wacom Tablet (HKLM\...\Wacom Tablet Driver) (Version: 6.3.21-10 - Wacom Technology Corp.)
WebTablet FB Plugin 32 bit (HKLM-x32\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.7 - Wacom Technology Corp.)
WebTablet FB Plugin 64 bit (HKLM\...\Wacom WebTabletPlugin for Internet Explorer and Netscape) (Version: 2.1.0.7 - Wacom Technology Corp.)
WinDirStat 1.1.2 (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\WinDirStat) (Version: - )
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - FTDI CDM Driver Package - Bus/D2XX Driver (01/27/2014 2.10.00) (HKLM\...\A360E2EA788FFC586113AFE1F2AABF01EBE7A248) (Version: 01/27/2014 2.10.00 - FTDI)
Windows Driver Package - FTDI CDM Driver Package - VCP Driver (01/27/2014 2.10.00) (HKLM\...\42F5D8399C4B7EB9005D88E9045ABB1A715CD59A) (Version: 01/27/2014 2.10.00 - FTDI)
Windows Driver Package - Leaf Imaging Ltd. Image (02/11/2010 ) (HKLM\...\A35BD68D4A1B3E191138E3C9AA417190A9468F7E) (Version: 02/11/2010 - Leaf Imaging Ltd.)
Windows Driver Package - Leaf Imaging Ltd. Image (12/03/2014 1.2.0.0) (HKLM\...\B758007C752D28F7C3542875CEEBDADCAE5941AE) (Version: 12/03/2014 1.2.0.0 - Leaf Imaging Ltd.)
Windows Driver Package - Parallax Inc CDM Driver Package - Bus & VCP Driver (01/27/2014 2.10.00) (HKLM\...\C51FB38149BAA0158189B9101273139721600D21) (Version: 01/27/2014 2.10.00 - Parallax Inc)
Windows Driver Package - Phase One / Mamiya V-Grip USB Driver (09/28/2010 1.1.0.1) (HKLM\...\0F81152D3B5D40D8F497EC1750B8EFF11FEED116) (Version: 09/28/2010 1.1.0.1 - Phase One / Mamiya)
Windows Driver Package - Phase One / Mamiya V-Grip USB Driver (12/03/2014 1.2.0.0) (HKLM\...\3F504CC0B024052107934E093CC26DA720256A7A) (Version: 12/03/2014 1.2.0.0 - Phase One / Mamiya)
Windows Driver Package - Phase One A/S (WinUSB) USBDevice (05/30/2013 1.12.0.68182) (HKLM\...\1D6C98F8A5FED93B7C062B26DD383655CE271976) (Version: 05/30/2013 1.12.0.68182 - Phase One A/S)
Windows Driver Package - Phase One A/S (WinUSB) USBDevice (09/18/2017 1.14.0.0) (HKLM\...\5D536C8BAC29754ACD7E2AFB52D1C2B1EA169BE6) (Version: 09/18/2017 1.14.0.0 - Phase One A/S)
Windows Driver Package - Phase One A/S (WinUSB) USBDevice (12/03/2014 1.13.0.0) (HKLM\...\7C6570ABBEB2F08EFBC23ED7925AE72DA6167BD8) (Version: 12/03/2014 1.13.0.0 - Phase One A/S)
Windows Driver Package - Provo Craft & Novelty, Inc. (usbser) Ports (11/04/2015 2.0.0.0) (HKLM\...\F9008028528C059AEF07C6D89D45BB3C63057E83) (Version: 11/04/2015 2.0.0.0 - Provo Craft & Novelty, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinToHDD version 2.5 (HKLM\...\WinToHDD_is1) (Version: 2.5 - Hasleo Software.)
WinUtilities Professional Edition 13.0 (HKLM-x32\...\{FC274982-5AAD-4C20-848D-4424A5043009}_is1) (Version: 13.0 - YL Computing, Inc)
WinX DVD Copy Pro 3.7.1 (HKLM\...\WinX DVD Copy Pro_is1) (Version: - Digiarty Software,Inc.)
WinX DVD Ripper Platinum 7.5.4 (HKLM-x32\...\WinX DVD Ripper Platinum_is1) (Version: - Digiarty Software, Inc.)
WinX HD Video Converter Deluxe 5.6.0 (HKLM-x32\...\WinX HD Video Converter Deluxe_is1) (Version: - Digiarty Software, Inc.)
Wise Care 365 3.41 (HKLM-x32\...\Wise Care 365_is1) (Version: 3.41 - WiseCleaner.com, Inc.)
Witches' Legacy - The Charleston Curse CE V2 (HKLM-x32\...\Witches' Legacy - The Charleston Curse CE V21.0) (Version: 1.0 - Your Company)
WonderFox DVD Ripper (HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\WonderFoxDVDRipper) (Version: - WonderFox Soft, Inc. All Rights Reserved.)
WonderFox DVD Ripper Pro 9.7 (HKLM-x32\...\WonderFox DVD Ripper Pro) (Version: 9.7 - WonderFox Soft, Inc.)
WonderFox DVD Video Converter 8.6 (HKLM-x32\...\WonderFox DVD Video Converter) (Version: 8.6 - WonderFox Soft, Inc.)
Wondershare DVD Slideshow Builder Deluxe(Build 6.1.14.0) (HKLM-x32\...\Wondershare DVD Slideshow Builder Deluxe_is1) (Version: 6.1.14.0 - WonderShare Software Co.,Ltd.)
Wondershare Player(Build 1.6.0) (HKLM-x32\...\Wondershare Player_is1) (Version: 1.6.0.3 - Wondershare)
X-Rite Device Services Manager (HKLM-x32\...\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}) (Version: 2.4.1 - X-Rite)
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
Yeti Legend - Mystery of the forest (HKLM-x32\...\Yeti Legend - Mystery of the forest_is1) (Version: 1.0 - MyPlayCity, Inc.)
YTD Video Downloader 4.7.2 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.7.2 - GreenTree Applications SRL) <==== ATTENTION

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Me\AppData\Local\Citrix\GoToMeeting\3019\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{91A41FCC-BC02-42D8-A36E-0D27FF9BFFC8}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\Me\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\Me\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.7\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\Me\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\Me\AppData\Local\Microsoft\SkyDrive\16.4.6010.0727\amd64\FileSyncApi64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => D:\Program Files\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers1: [AIMP] -> {1F77B17B-F531-44DB-ACA4-76ABB5010A28} => D:\Program Files (x86)\AIMP3\Modules\aimp_menu64.dll [2013-12-20] (AIMP DevTeam)
ContextMenuHandlers1: [ANotepad++64] -> {B298D29A-A6ED-11DE-BA8C-A68E55D89593} => D:\Program Files (x86)\Notepad++\NppShell_06.dll [2015-04-15] ()
ContextMenuHandlers1: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ContextMenuHandlers1: [FormatFactoryShell] -> {A3777921-CFD3-4A6B-89BF-08E6B95716E8} => D:\Program Files (x86)\FormatFactory\ShellEx64_103.dll -> No File
ContextMenuHandlers1: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => D:\Program Files (x86)\Glary Utilities 4\x64\ContextHandler.dll -> No File
ContextMenuHandlers1: [ISOWINDOWMENU] -> {3A05F453-60CA-4311-9DA3-FE348CB76056} => D:\Program Files\Digiarty\WinX_DVD_Copy_Pro\IsoWindowMenu64.dll [2013-11-19] (TODO: <Company name>)
ContextMenuHandlers1: [ReaConverter7_std] -> {0C83C06D-41F5-4666-B1C2-0923EA75EB10} => D:\Program Files (x86)\reaConverter 7 Standard\newcontext64.dll [2015-07-20] ()
ContextMenuHandlers1: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\NavShExt.dll [2017-11-10] (Symantec Corporation)
ContextMenuHandlers1: [tosBtShllExt] -> {6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1} => C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\sys\x64\TosBtShell.dll [2014-01-20] (TOSHIBA)
ContextMenuHandlers1: [WSPlayerFileOpreation] -> {85BCF0D6-C4BE-4468-B227-FF4B4297E627} => C:\windows\SysWOW64\WPShellExt64.dll [2013-07-30] ()
ContextMenuHandlers2: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => D:\Program Files (x86)\Glary Utilities 4\x64\ContextHandler.dll -> No File
ContextMenuHandlers2: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\NavShExt.dll [2017-11-10] (Symantec Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => D:\Program Files\7-Zip\7-zip.dll [2010-11-18] (Igor Pavlov)
ContextMenuHandlers4: [AIMP] -> {1F77B17B-F531-44DB-ACA4-76ABB5010A28} => D:\Program Files (x86)\AIMP3\Modules\aimp_menu64.dll [2013-12-20] (AIMP DevTeam)
ContextMenuHandlers4: [FormatFactoryShell] -> {A3777921-CFD3-4A6B-89BF-08E6B95716E8} => D:\Program Files (x86)\FormatFactory\ShellEx64_103.dll -> No File
ContextMenuHandlers4: [ReaConverter7_std] -> {0C83C06D-41F5-4666-B1C2-0923EA75EB10} => D:\Program Files (x86)\reaConverter 7 Standard\newcontext64.dll [2015-07-20] ()
ContextMenuHandlers4: [tosBtShllExt] -> {6BEF3D0B-53F0-4b0d-B91C-C19ED3D4C9D1} => C:\Program Files (x86)\Toshiba\Bluetooth Toshiba Stack\sys\x64\TosBtShell.dll [2014-01-20] (TOSHIBA)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => C:\WINDOWS\system32\igfxpph.dll [2013-11-04] (Intel Corporation)
ContextMenuHandlers6: [BUContextMenu] -> {F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\buShell.dll [2017-11-10] (Symantec Corporation)
ContextMenuHandlers6: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} => D:\Program Files (x86)\Glary Utilities 4\x64\ContextHandler.dll -> No File
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-11-01] (Malwarebytes)
ContextMenuHandlers6: [ReaConverter7_std] -> {0C83C06D-41F5-4666-B1C2-0923EA75EB10} => D:\Program Files (x86)\reaConverter 7 Standard\newcontext64.dll [2015-07-20] ()
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\WINDOWS\System32\StartMenuHelper64.dll [2014-04-20] (IvoSoft)
ContextMenuHandlers6: [Symantec.Norton.Antivirus.IEContextMenu] -> {FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\NavShExt.dll [2017-11-10] (Symantec Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {089B20A8-736D-49DC-97DD-04DD2B269B71} - System32\Tasks\Norton Security\Norton Security Error Analyzer => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\SymErr.exe [2017-11-10] (Symantec Corporation)
Task: {0CC5E24B-F2B8-4799-B7C9-2989C800CFCF} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Security\Upgrade.exe [2017-11-10] (Symantec Corporation)
Task: {0CE189DB-E8AC-41C2-AC45-C5A034341A9D} - \Microsoft\Windows\Setup\EOSNotify -> No File <==== ATTENTION
Task: {148F4752-0AE9-4E76-82B7-D54A9F240AC1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-03-24] (Google Inc.)
Task: {5B0E70AA-611A-40AA-8CBD-80E0764F37CD} - System32\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA} => C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exe <==== ATTENTION
Task: {5F918F7B-1F2D-4B77-93FC-5F809EBD4979} - System32\Tasks\Adobe Flash Player Updater => C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2018-01-09] (Adobe Systems Incorporated)
Task: {66BBF76F-C0E6-4AF8-9D40-D1157DFDDD91} - System32\Tasks\Norton WSC Integration => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\WSCStub.exe [2017-11-10] (Symantec Corporation)
Task: {6CBDEEE4-9088-46BC-8B79-FF4E2E657969} - System32\Tasks\Norton Security\Norton Security Error Processor => D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\SymErr.exe [2017-11-10] (Symantec Corporation)
Task: {732CBC23-0B8E-4D57-A375-D4817C2C8F18} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-09-27] (Adobe Systems Incorporated)
Task: {760D93BB-2DC8-40BD-88FB-2662260E10E8} - System32\Tasks\Norton Anti-Theft\Norton Error Analyzer => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.8.0.32\SymErr.exe
Task: {82BB1F60-58A9-4ADB-B829-6195CD5261CE} - System32\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70} => C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exe <==== ATTENTION
Task: {8C7052F5-B782-4EF6-9846-DFB54CE78B2E} - System32\Tasks\X-Rite Device Services Software Updater => C:\Program Files (x86)\X-Rite\Devices\Services\XRD Software Update.exe [2015-09-18] (X-Rite Inc.)
Task: {8FCFECDA-89C4-41C3-95EE-09D61B99A09A} - System32\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7} => C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exe <==== ATTENTION
Task: {962380D2-B9BA-42D2-8D22-832C9F4DD2D2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-03-24] (Google Inc.)
Task: {99A5B749-2D9F-4C2F-A38A-C2BD526C7B8E} - System32\Tasks\G2MUploadTask-S-1-5-21-4007766687-3714460472-3212241914-1001 => C:\Users\Me\AppData\Local\Citrix\GoToMeeting\5102\g2mupload.exe [2016-06-15] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {A009374C-CFB0-44BC-94BD-0DBFB5535E24} - System32\Tasks\CPUBalance => D:\Program Files\CPUBalance\ProBalance.exe [2017-08-01] (Bitsum LLC)
Task: {A3B70E95-DA90-4C53-882E-CD35309B1CEE} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4007766687-3714460472-3212241914-1001Core1d08fd02f4d456f => C:\Users\Me\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-18] (Google Inc.)
Task: {A3F5ED99-DAD8-4B00-8A96-4301FFAE45D5} - System32\Tasks\G2MUpdateTask-S-1-5-21-4007766687-3714460472-3212241914-1001 => C:\Users\Me\AppData\Local\Citrix\GoToMeeting\5102\g2mupdate.exe [2016-06-15] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {A7E5FED7-152B-4290-B7A6-F65A4AF3281C} - System32\Tasks\SamsungMagician => C:\Program Files (x86)\Samsung\Samsung Magician\SamsungMagician.exe [2017-02-22] (Samsung Electronics Co. Ltd.)
Task: {B3FF9712-55C1-47ED-AB98-BC8E34319BC7} - System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exe <==== ATTENTION
Task: {BE421432-0A3F-4F10-B939-D978AB56CB2B} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express SelfUpdater\ExpressSelfUpdater.exe [2018-01-10] ()
Task: {C7AB23F9-0838-46F7-86D0-64FC62117664} - System32\Tasks\AdobeAAMUpdater-1.0-Tosh-Me => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2010-03-06] (Adobe Systems Incorporated)
Task: {C93E36E3-EC32-4490-9F36-C61C7DBF59D7} - System32\Tasks\TOSHIBA\Service Station => C:\Program Files\TOSHIBA\Toshiba Service Station\ToshibaServiceStation.exe [2014-04-03] (TOSHIBA Corporation)
Task: {CF4B9774-17F7-4801-96BD-C87A3529188B} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-4007766687-3714460472-3212241914-1001UA => C:\Users\Me\AppData\Local\Google\Update\GoogleUpdate.exe [2017-03-18] (Google Inc.)
Task: {DC071672-6E4E-433F-99C1-A7285BDEB5B7} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2014-08-06] (Synaptics Incorporated)
Task: {E66CEE99-63F9-45ED-AA76-A02E9FE986CF} - System32\Tasks\Norton Anti-Theft\Norton Error Processor => C:\Program Files (x86)\Norton Anti-Theft\Engine\1.8.0.32\SymErr.exe
Task: {F457C393-4124-4F77-8710-B7FCC97DBB06} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-08-21] (Piriform Ltd)
Task: {F9C29B4B-0D0D-4400-8901-EA3C78B57FCD} - System32\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4} => C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exe <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-4007766687-3714460472-3212241914-1001.job => C:\Users\Me\AppData\Local\Citrix\GoToMeeting\5102\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-4007766687-3714460472-3212241914-1001.job => C:\Users\Me\AppData\Local\Citrix\GoToMeeting\5102\g2mupload.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4007766687-3714460472-3212241914-1001Core1cf8be44595b89b.job => C:\Users\Me\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4007766687-3714460472-3212241914-1001Core1d020974e2d9b1e.job => C:\Users\Me\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4007766687-3714460472-3212241914-1001Core1d07fc6ff0b708a.job => C:\Users\Me\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\X-Rite Device Services Software Updater.job => C:\Program Files (x86)\X-Rite\Devices\Services\XRD Software Update.exe
Task: C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job => C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job => C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={1AF468C2-19D6-44EE-88F4-724F8619FFB4} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job => C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={425E7005-9EC8-4CFC-818A-D3511CE343B7} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-05K11.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job => C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job => C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{425E7005-9EC8-4CFC-818A-D3511CE343B7}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={AC5E0CD0-F560-4504-B8C1-3D4F268AA7EF} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp <==== ATTENTION

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


Shortcut: C:\Users\Me\Favorites\NCH Software Download Site.lnk -> hxxp://www.nchsoftware.com/index.htm
Shortcut: C:\Users\Me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WonderFox Soft\WonderFox DVD Ripper\Buy WonderFox DVD Ripper on online.lnk -> hxxp:
Shortcut: C:\Users\Me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WonderFox Soft\WonderFox DVD Ripper\WonderFox DVD Ripper on the web.lnk -> hxxp:
Shortcut: C:\Users\Me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WonderFox Soft\Video Converter Factory Pro\Buy Video Converter Factory Pro on online.lnk -> hxxp:
Shortcut: C:\Users\Me\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WonderFox Soft\Video Converter Factory Pro\Video Converter Factory Pro on the web.lnk -> hxxp:

==================== Loaded Modules (Whitelisted) ==============

2018-01-27 15:38 - 2017-11-29 09:11 - 002358728 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MwacLib.dll
2018-01-27 15:38 - 2017-11-29 09:11 - 002301384 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2013-11-04 18:22 - 2013-11-04 18:22 - 000094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2016-11-13 23:16 - 2017-04-05 14:21 - 001658320 _____ () C:\Program Files\Tablet\Wacom\libxml2.dll
2012-08-04 17:01 - 2012-08-04 17:01 - 000213136 _____ () C:\Program Files (x86)\TOSHIBA\System Setting\TODDMain.exe
2012-07-18 18:38 - 2012-07-18 18:38 - 000020904 _____ () C:\Program Files\TOSHIBA\Hotkey\SmoothView.dll
2013-08-01 14:24 - 2013-08-01 14:24 - 000438112 _____ () C:\Program Files\TOSHIBA\Hotkey\Hotkey\TcrdKBB.exe
2017-05-08 09:35 - 2017-05-08 09:35 - 000325632 _____ () C:\Program Files (x86)\Garmin\Device Interaction Service\GpsImgWrapper.dll
2018-01-10 10:07 - 2018-01-10 10:07 - 000073216 _____ () C:\Program Files (x86)\Garmin\Device Interaction Service\FixBootSector.dll
2015-07-13 09:33 - 2015-07-13 09:33 - 001592832 _____ () C:\Program Files (x86)\X-Rite\Devices\rm200\GoldenEye.dll
2013-06-21 13:03 - 2013-06-21 13:03 - 002633728 _____ () C:\Program Files (x86)\X-Rite\Devices\colormunki\colormunki.dll
2013-08-02 14:03 - 2012-06-25 12:41 - 001198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1 [4]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns2 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns3 [4]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns4 [5]
AlternateDataStreams: C:\ProgramData\TEMP:0BBF232A [442]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2E33E4A6 [150]
AlternateDataStreams: C:\ProgramData\TEMP:367BF129 [144]
AlternateDataStreams: C:\ProgramData\TEMP:737160C1 [436]
AlternateDataStreams: C:\ProgramData\TEMP:8E11CC80 [232]
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE [432]
AlternateDataStreams: C:\ProgramData\TEMP:FD9CE1F3 [510]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\com -> hxxp://*.Wondershare.com

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 00:26 - 2016-08-26 19:01 - 000000877 ____N C:\Windows\system32\Drivers\etc\hosts

192.168.1.9 LG-NAS LG-NAS
127.0.0.1 www.cricut.io

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\Control Panel\Desktop\\Wallpaper -> D:\My Pictures\Desert_Museum\Broadbill3_0110.JPG
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\StartupFolder: => "Check for Updates.lnk"
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run32: => "BrStsWnd"
HKLM\...\StartupApproved\Run32: => "Nikon Message Center 2"
HKLM\...\StartupApproved\Run32: => "Aimersoft Helper Compact.exe"
HKLM\...\StartupApproved\Run32: => "PPort14reminder"
HKLM\...\StartupApproved\Run32: => "IndexSearch"
HKLM\...\StartupApproved\Run32: => "PaperPort PTD"
HKLM\...\StartupApproved\Run32: => "PDFProHook"
HKLM\...\StartupApproved\Run32: => "DelaypluginInstall"
HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"
HKLM\...\StartupApproved\Run32: => "Digital Coupon Print Driver"
HKLM\...\StartupApproved\Run32: => "ABNotify"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\StartupApproved\StartupFolder: => "DING!.lnk"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\StartupApproved\Run: => "Messenger (Yahoo!)"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\StartupApproved\Run: => "GarminExpressTrayApp"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\StartupApproved\Run: => "AllMyNotes"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\StartupApproved\Run: => "Google Update"
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\StartupApproved\Run: => "FTPVoyagerSchedulerTrayIcon"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{B0A7D454-DB8C-430E-8897-B8E1962969F3}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS1E46.tmp\SymNRT.exe
FirewallRules: [{83A00BF7-4827-49BD-BD56-11EBD12CBD66}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS1E46.tmp\SymNRT.exe
FirewallRules: [{56249ADC-8662-4981-BAD9-58DD6A1614DC}] => (Allow) C:\windows\system32\hasplms.exe
FirewallRules: [{5EAE920B-66FD-41F0-BBEB-ABA6F2FCA973}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{06DD8F78-802E-4EEC-BB53-C0E5377E9F0A}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{AC944EDB-419F-41C8-B73F-2544A6B98D91}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{2126DD79-D9AF-4756-8D13-AE71944B413C}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{9AE214FC-4692-444D-B419-6505003CF609}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{D3921B72-43AB-47E4-A47E-528E46A2AE0D}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{4ED575F5-1FFD-4D13-87DF-A0B563DFBBC8}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{394F5715-F1B0-479E-8F6A-C31BBE3D09E6}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{E5899FD2-8A15-43B8-88FB-31E3038F2B2A}] => (Allow) d:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{C3CAEE34-DFE0-4102-9FBF-C9D483F26ECA}] => (Allow) d:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{B8BD06B2-FE5A-46A1-80DF-712F0EF80F18}] => (Allow) LPort=15600
FirewallRules: [{BBE066B5-2E75-466E-8B09-1B5CF67938C3}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{F145421C-272A-4F41-9279-22A043B25E38}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{1D121D5E-A48D-412F-9798-713F4E790FBB}] => (Allow) C:\windows\system32\hasplms.exe
FirewallRules: [{5723A7A0-851B-4AB8-86C5-7EB2B6F91B04}] => (Allow) D:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{C8FE9BAA-57DF-42A4-907E-BA067999FC2B}] => (Allow) D:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{2631E40E-ED8F-43A4-B143-1B3F4E6B02D7}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{07E4A8FA-05F9-402C-B8AE-06A2405FB918}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{E5E1FBF9-95B9-4CCC-9BA6-DAF2D191B1F3}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{E612036C-6B67-44C9-8C4C-0927E126E911}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{7FC2D80D-95CB-4A01-A65D-EC91CE51EE33}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{07E0F10A-BA91-452F-B1B3-420E1DB54BF6}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{37BC839A-07A1-4A4C-AD40-F44915639842}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{E4F78AF5-01ED-4FCA-8B97-4AAB247468A6}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{066C3A11-4E53-4BB2-B5F0-F9A98F773F52}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{8933889E-3D6C-42E0-9FAF-F7E69CD786B4}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{36B7D50B-8670-4BE3-804D-DBE426974CBF}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{25916C47-A883-4B2A-B262-579236C3FA85}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{41BA36C6-C3BF-44FA-B728-50CB74B1EBAC}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{347101F9-F1A1-410E-95C9-8FD7FAA2FDCF}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{2FD3BF8D-B800-4BBA-A6C9-DA08FC62B8A3}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{E840FAF6-C9FF-466C-BACA-6460E0DF6A6C}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{B60D9867-D12E-41A4-BC25-B2271E398AB5}] => (Allow) D:\Program Files (x86)\Pantone Color Manager\PantoneColorManager.exe
FirewallRules: [{0144A919-A935-4F12-8B4A-7797ACD32B86}] => (Allow) D:\Program Files (x86)\Pantone Color Manager\PantoneColorManager.exe
FirewallRules: [{388936EB-3BAC-4D21-A551-E4A15EF3E6A5}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS558A.tmp\SymNRT.exe
FirewallRules: [{0D0E1403-2909-46F7-8BE7-A52C171F9BCC}] => (Allow) C:\Users\Me\AppData\Local\Temp\7zS558A.tmp\SymNRT.exe
FirewallRules: [{7F227620-A0D7-4E4D-A772-EDC32B204815}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{A0EB6E0F-1D6A-4809-BFEC-C358BAB088F0}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlupdater.exe
FirewallRules: [{A890264E-3012-4BB1-B69C-E72B6EBB7865}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{69F0803D-B7FF-4291-8A16-41E3B453C1A3}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlactivator.exe
FirewallRules: [{B7838222-509A-4F54-B2F5-23B06479CC0A}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{9E61CFD7-9A1D-4AEB-A8E8-9423537BC7D6}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\rlhtmlrenderer.exe
FirewallRules: [{12F2D4CF-DF97-43F6-A79D-E28421050C25}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{596D3C08-AFE0-44DA-870B-4036C36970E7}] => (Allow) D:\Program Files (x86)\ATOMI\ActivePresenter\ActivePresenter.exe
FirewallRules: [{C56BE6C4-5544-4153-B689-6E07476B0972}] => (Allow) D:\Program Files (x86)\HTC\HTC Sync Manager\HTCSyncManager.exe
FirewallRules: [{6B0BBB45-AAFF-42B8-918D-134F8BD88242}] => (Allow) D:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro\Apowersoft Screen Recorder Pro.exe
FirewallRules: [{B5D49F8C-6FDA-427E-A351-B9859B8929D1}] => (Allow) D:\Program Files (x86)\Apowersoft\Apowersoft Screen Recorder Pro\Apowersoft Screen Recorder Pro.exe
FirewallRules: [{DD207CE7-6342-4859-A254-696CF45FCD31}] => (Allow) D:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{2F2C1F69-31F8-4F2A-9045-B4C4299827CA}] => (Allow) D:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{AA964E8E-FB2D-44EF-9024-15209CBE7F48}] => (Allow) LPort=1900
FirewallRules: [{E24222EE-AB4E-45C4-9E0F-B31831F1321D}] => (Allow) LPort=2869
FirewallRules: [{DF9CA35B-8BB2-42C0-8C5C-55F6CAA13B52}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{B441B582-31FB-4C59-AA46-F3C743500366}] => (Allow) C:\Program Files\Intel Corporation\Intel WiDi\WiDiApp.exe
FirewallRules: [{F7331C8C-1529-4ABC-B020-CFEC5944AB47}] => (Allow) LPort=5454
FirewallRules: [{A36899D1-8D25-48AD-AF69-4593ADE221AC}] => (Allow) C:\WINDOWS\system32\hasplms.exe
FirewallRules: [TCP Query User{63870AC5-1777-4AEE-A5FF-9321B6A6C2A4}C:\users\me\appdata\roaming\cricutdesignspace\bridge\cricutbridge.exe] => (Allow) C:\users\me\appdata\roaming\cricutdesignspace\bridge\cricutbridge.exe
FirewallRules: [UDP Query User{3A0238C4-B0B5-44AB-98A4-9E987D1AB671}C:\users\me\appdata\roaming\cricutdesignspace\bridge\cricutbridge.exe] => (Allow) C:\users\me\appdata\roaming\cricutdesignspace\bridge\cricutbridge.exe
FirewallRules: [{92B55ED1-9A2D-488A-AA83-31673BD63B1D}] => (Allow) D:\Program Files (x86)\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{EEA30F8C-3090-4BFC-BF6D-434BF91F395D}] => (Allow) D:\Program Files (x86)\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{03594F43-94CA-45DB-9286-9835A1DD672F}] => (Allow) D:\Program Files (x86)\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{8B4B588B-A00F-4491-9BF7-14B56AC55262}] => (Allow) D:\Program Files (x86)\FlashIntegro\VideoEditor\Activation.exe
FirewallRules: [{947A0322-28F1-4815-BB81-B49BE6FA632F}] => (Allow) D:\Program Files (x86)\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [{02899D89-3544-420E-814E-130CFA0AF9E3}] => (Allow) D:\Program Files (x86)\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [{FA3FE787-5607-4EB2-95AE-CDCB6BA8917B}] => (Allow) D:\Program Files (x86)\PCTV Systems\TVCenter\TVCenter.exe
FirewallRules: [{884176DA-EAA3-4A70-8158-1F386BF08336}] => (Allow) C:\Program Files (x86)\Common Files\PCTV Systems\PVR\VideoControl.exe
FirewallRules: [{DBC76F2C-97B6-40C7-94BC-FDE7428EB7F0}] => (Allow) C:\Program Files (x86)\Common Files\PCTV Systems\StreamingServer\StrmServer.exe
FirewallRules: [{3615AA21-3CD9-4A69-A8BC-29D099FC5436}] => (Allow) LPort=1900
FirewallRules: [{F585D834-C4A0-4E91-975A-BD9119257FB9}] => (Allow) LPort=2869
FirewallRules: [{9D39828E-41FE-40BE-A7BB-4161560136A6}] => (Allow) C:\WINDOWS\system32\hasplms.exe
FirewallRules: [TCP Query User{F2D855BA-2E5B-4954-91CC-08BB01E599E8}C:\users\me\appdata\roaming\cricutdesignspace3\bridge\cricutbridge4.exe] => (Allow) C:\users\me\appdata\roaming\cricutdesignspace3\bridge\cricutbridge4.exe
FirewallRules: [UDP Query User{D817A2DD-E2F2-4D5E-8324-0FB18CCE29AD}C:\users\me\appdata\roaming\cricutdesignspace3\bridge\cricutbridge4.exe] => (Allow) C:\users\me\appdata\roaming\cricutdesignspace3\bridge\cricutbridge4.exe

==================== Restore Points =========================

27-01-2018 20:53:14 Just_before_NPE

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/27/2018 08:50:09 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = D:\D_Downloads\NPE(2).exe /POSTADVSCAN /SERVICEPOSTADVSCAN; Description = Norton_Power_Eraser_20180127205009537; Error = 0x80070422).

Error: (01/27/2018 03:05:43 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).

Error: (01/27/2018 12:55:33 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbamservice.exe, version: 3.1.0.595, time stamp: 0x59f745cb
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00007ff95b765c6b
Faulting process id: 0x1570
Faulting application start time: 0x01d39797cadace3c
Faulting application path: C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
Faulting module path: unknown
Report Id: 44e746f3-038b-11e8-bf92-008cfa3784b5
Faulting package full name:
Faulting package-relative application ID:

Error: (01/27/2018 12:51:51 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).

Error: (01/27/2018 12:37:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DLDPHCM.exe, version: 2.0.0.45, time stamp: 0x57d90fa6
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18895, time stamp: 0x5a4b125e
Exception code: 0xe0434352
Fault offset: 0x00015608
Faulting process id: 0x18c0
Faulting application start time: 0x01d3978d27b5a8b6
Faulting application path: C:\Program Files (x86)\Dell Printers\Dell Printer Hub\DLDPHCM.exe
Faulting module path: C:\Windows\SYSTEM32\KERNELBASE.dll
Report Id: c63dedee-0388-11e8-bf91-008cfa3784b5
Faulting package full name:
Faulting package-relative application ID:

Error: (01/27/2018 07:42:31 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 29508844

Error: (01/27/2018 07:42:31 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 29508844

Error: (01/27/2018 07:42:31 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (01/26/2018 04:43:12 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DllHost.exe, version: 6.3.9600.17415, time stamp: 0x54504134
Faulting module name: msvcrt.dll, version: 7.0.9600.17415, time stamp: 0x545055fe
Exception code: 0xc0000005
Fault offset: 0x0000000000001889
Faulting process id: 0x1b28
Faulting application start time: 0x01d396eea7a27fc9
Faulting application path: C:\Windows\system32\DllHost.exe
Faulting module path: C:\Windows\system32\msvcrt.dll
Report Id: e7f8b80f-02e1-11e8-bf90-008cfa3784b5
Faulting package full name:
Faulting package-relative application ID:

Error: (01/26/2018 03:30:14 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Windows\system32\srtasks.exe ExecuteScheduledSPPCreation; Description = Scheduled Checkpoint; Error = 0x80070422).


System errors:
=============
Error: (01/27/2018 10:33:18 PM) (Source: ipnathlp) (EventID: 1233) (User: )
Description: The ICS_IPV6 failed to configure IPv6 stack.

Error: (01/27/2018 10:33:18 PM) (Source: ipnathlp) (EventID: 1233) (User: )
Description: The ICS_IPV6 failed to configure IPv6 stack.

Error: (01/27/2018 10:33:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Internet Pass-Through Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (01/27/2018 10:32:58 PM) (Source: Microsoft-Windows-HAL) (EventID: 13) (User: NT AUTHORITY)
Description: The system watchdog timer was triggered.

Error: (01/27/2018 10:33:07 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:26:52 PM on ‎1/‎27/‎2018 was unexpected.

Error: (01/27/2018 10:27:06 PM) (Source: ipnathlp) (EventID: 1233) (User: )
Description: The ICS_IPV6 failed to configure IPv6 stack.

Error: (01/27/2018 10:27:06 PM) (Source: ipnathlp) (EventID: 1233) (User: )
Description: The ICS_IPV6 failed to configure IPv6 stack.

Error: (01/27/2018 10:26:58 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Internet Pass-Through Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (01/27/2018 10:26:52 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 10:14:25 PM on ‎1/‎27/‎2018 was unexpected.

Error: (01/27/2018 10:14:38 PM) (Source: ipnathlp) (EventID: 1233) (User: )
Description: The ICS_IPV6 failed to configure IPv6 stack.


==================== Memory info ===========================

Processor: Intel® Core™ i7-3630QM CPU @ 2.40GHz
Percentage of memory in use: 27%
Total physical RAM: 16268.22 MB
Available physical RAM: 11807.21 MB
Total Virtual: 18700.22 MB
Available Virtual: 14228.39 MB

==================== Drives ================================

Drive c: (TI10658600D) (Fixed) (Total:464.94 GB) (Free:377.04 GB) NTFS
Drive d: (TI10658600D) (Fixed) (Total:930.68 GB) (Free:298.16 GB) NTFS
Drive e: (NBRT) (CDROM) (Total:0.85 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 6B8B4567)

Partition: GPT.

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 05317A62)

Partition: GPT.

==================== End of Addition.txt ============================

Edited by Oh My!, 29 January 2018 - 07:54 PM.

#2 BobbyA

BobbyA
  • Topic Starter


Posted 28 January 2018 - 03:52 PM

Running Norton full scan this morning "seems" slower than in the past.

It completes with 996,728 total items scanned, 0 risks detected.

I wonder if it has been compromised.

Running it again, it ran for 2 hours before completing, checked 998,301 and found 0 risks.



#3 BobbyA

BobbyA
  • Topic Starter


Posted 28 January 2018 - 04:20 PM

I tried to save the 4 page Norton History file by using Export as a .txt   

20 minutes later I had to close the window; it had still not completed saving the file.

I strongly suspect Norton Security is not working properly.



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,720 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:02:26 PM

Posted 29 January 2018 - 10:25 PM

Greetings BobbyA and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

In addition to providing steps I must advise you of the following.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan. In your case it is the Sality Virus.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Please let me know if you have already noticed evidences of financial institution irregularities. Those accounts should be monitored from this point forward.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.
 

Here are some thoughts I have put together for people who ask what they should do in light of the infection. Ultimately each user must decide for themselves what to do and the below are things you might want to consider.

It is necessary for us to at least make you aware of the worst case scenario. This is because of the potential Backdoor Trojans bring with them, but it is not a determination on our part that your situation currently falls within this worst case scenario.

Ultimately it is a personal decision whether to reformat or not. What decision should you make to let you sleep well at night? It is different for different people. I will say whether rightly or wrongly most people decide to clean and not reformat, at least initially.

The only insight I can offer is how I evaluate the issue personally even though I have never had a Backdoor Trojan on my computer. One of the primary purposes for malicious software is to somehow separate you from your money. It seems reasonable to assume that a thief trying to take your money via a Backdoor Trojan will hit you hard, and quickly. Once your computer starts to act up and you become suspicious you have the opportunity to eliminate access to your computer and change the information taken, namely account and password information. The key to this, in my opinion, is whether or not you have noticed any irregularities in your banking or other financial institutions, or things like email and social network accounts (i.e. Facebook). If you have not seen any evidence of that then you may question whether your information has truly been stolen. If it seems it hasn't, and your critical information has been changed, it is reasonable to be more confident you are safe but you must stop short of claiming an absolute guarantee.

If, after careful consideration you decide not to reformat your computer it would be wise to continue monitoring your sensitive data and don't wait to address future symptoms on your computer which seem to be malware related.

The bottom line, the only way to be absolutely sure to be rid of a Backdoor Trojan is to reformat. The decision is yours.

Oh My!


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

If you decide you would like to clean your computer please do this.

Do you recognize the below?


HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\StartupApproved\StartupFolder: => "DING!.lnk"


===================================================

Uninstalling a Program using Add/Remove Program

--------------------

I recommend the uninstalling of the below listed program(s). If you desire to keep the program I would ask that you reinstall it following our efforts here.
  • Press Windows Key + R on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

YTD Video Downloader 4.7.2

  • Reboot your computer
===================================================

AVG Sality Fix

--------------------
  • Download AVG Sality Fix and save it to your Desktop
  • Right click on the icon and select Run as administrator
  • Allow the lengthy process to complete
  • Click File, Save log...
  • Save the file onto your Desktop as VirusRemover.log but do not post the log
  • If a virus is found restart your computer as requested
===================================================

Kaspersky Sality Killer

--------------------
  • Download Kaspersky Sality Killer and save it to your Desktop
  • Right click on the icon and select Run as administrator
  • Allow the lengthy process to complete
  • When completed report the findings and hit any key to continue and close the program
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Run: [AdobeBridge] => [X]
SearchScopes: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001 -> DefaultScope {EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} URL =
SearchScopes: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001 -> {EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} URL =
Handler: WSIEChrome - {6D02ED5F-FD0D-4C4C - No File
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\Exts\Chrome.crx <not found>
S3 BrYNSvc; "C:\Program Files (x86)\Browny02\BrYNSvc.exe" [X]
S2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [X]
S3 WinRing0_1_2_0; \??\D:\Program Files (x86)\AnVir Task Manager\OpenHardwareMonitor\OpenHardwareMonitor.sys
2018-01-27 22:33 - 2016-07-19 12:05 - 000001398 ____H C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job
2018-01-27 22:33 - 2016-02-10 18:19 - 000001398 ____H C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job
2018-01-27 22:33 - 2015-05-29 22:29 - 000001398 ____H C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job
2018-01-27 22:33 - 2014-07-14 10:16 - 000001398 ____H C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job
2018-01-27 22:33 - 2014-07-10 12:52 - 000001398 ____H C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {0CE189DB-E8AC-41C2-AC45-C5A034341A9D} - \Microsoft\Windows\Setup\EOSNotify
Task: {5B0E70AA-611A-40AA-8CBD-80E0764F37CD} - System32\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA} => C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp
Task: {82BB1F60-58A9-4ADB-B829-6195CD5261CE} - System32\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70} => C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-05K11.tmp
Task: {8FCFECDA-89C4-41C3-95EE-09D61B99A09A} - System32\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7} => C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp
Task: {B3FF9712-55C1-47ED-AB98-BC8E34319BC7} - System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp
Task: {F9C29B4B-0D0D-4400-8901-EA3C78B57FCD} - System32\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4} => C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp
Task: C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job => C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp
D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}
Task: C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job => C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={1AF468C2-19D6-44EE-88F4-724F8619FFB4} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp 
Task: C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job => C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={425E7005-9EC8-4CFC-818A-D3511CE343B7} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-05K11.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job => C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job => C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{425E7005-9EC8-4CFC-818A-D3511CE343B7}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={AC5E0CD0-F560-4504-B8C1-3D4F268AA7EF} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp <==== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1 [4]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns2 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns3 [4]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns4 [5]
AlternateDataStreams: C:\ProgramData\TEMP:0BBF232A [442]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2E33E4A6 [150]
AlternateDataStreams: C:\ProgramData\TEMP:367BF129 [144]
AlternateDataStreams: C:\ProgramData\TEMP:737160C1 [436]
AlternateDataStreams: C:\ProgramData\TEMP:8E11CC80 [232]
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE [432]
AlternateDataStreams: C:\ProgramData\TEMP:FD9CE1F3 [510]
emptytemp:
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Wish to continue?
  • Recognize entry?
  • Program uninstall?
  • AVG report
  • Kaspersky report
  • Fixlog
  • Computer performance?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
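As an added example (not part of this thread, of FRST, or of Gary's fix script), here is a small Python triage helper that applies the same kinds of checks used to build the fixlist above: orphaned entries, scheduled tasks launching from a Temp folder, alternate data streams on system folders, and firewall allow rules for user-writable paths. The sample lines are copied from the logs in this thread; the rule names and regexes are my own heuristics and only flag lines for a human to review.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Constructed example for this thread; it is neither FRST's code nor the
helper's fix script. It reports lines worth a second look and changes
nothing on the system.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    rule: str   # which heuristic fired
    line: str   # the FRST line it fired on


# Heuristics derived from the FRST line shapes seen in this thread. Rule names
# are my own; a hit is a review prompt, not a malware detection.
RULES = [
    # FRST's own marker for entries it considers suspicious.
    ("frst_attention", re.compile(r"<==== ATTENTION\s*$")),
    # Run keys, services, handlers, CLSIDs or extensions whose target is gone,
    # plus search scopes with an empty URL.
    ("orphan_entry", re.compile(
        r"(?:=> \[X\]|No File|<not found>|URL =|^S\d .*\[X\])\s*$")),
    # Scheduled task whose action lives under the user's Temp folder.
    ("task_from_temp", re.compile(
        r"^Task: .*=> .*\\AppData\\Local\\Temp\\", re.I)),
    # Alternate data streams attached to C:\Windows or ProgramData\TEMP.
    ("ads_on_system_dir", re.compile(
        r"^AlternateDataStreams: (?:C:\\Windows|C:\\ProgramData\\TEMP):", re.I)),
    # Firewall allow rule for a binary under a user-writable AppData path.
    ("firewall_allow_user_writable", re.compile(
        r"^FirewallRules: .*\(Allow\) [A-Z]:\\users\\[^\\]+\\appdata\\", re.I)),
]

# Constructed sample: lines copied from the FRST output posted in this thread.
SAMPLE_LOG = r"""
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Run: [AdobeBridge] => [X]
SearchScopes: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001 -> DefaultScope {EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} URL =
Handler: WSIEChrome - {6D02ED5F-FD0D-4C4C - No File
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\Exts\Chrome.crx <not found>
S3 BrYNSvc; "C:\Program Files (x86)\Browny02\BrYNSvc.exe" [X]
S3 WinRing0_1_2_0; \??\D:\Program Files (x86)\AnVir Task Manager\OpenHardwareMonitor\OpenHardwareMonitor.sys
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
Task: {0CE189DB-E8AC-41C2-AC45-C5A034341A9D} - \Microsoft\Windows\Setup\EOSNotify
Task: {5B0E70AA-611A-40AA-8CBD-80E0764F37CD} - System32\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA} => C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exe
Task: C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job => C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exe /exenoupdates /noprereqs /qr <==== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\ProgramData\TEMP:0BBF232A [442]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1 [4]
FirewallRules: [{DF9CA35B-8BB2-42C0-8C5C-55F6CAA13B52}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [TCP Query User{63870AC5-1777-4AEE-A5FF-9321B6A6C2A4}C:\users\me\appdata\roaming\cricutdesignspace\bridge\cricutbridge.exe] => (Allow) C:\users\me\appdata\roaming\cricutdesignspace\bridge\cricutbridge.exe
"""


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run every rule over every line; one line may yield several findings."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def triage_text(text: str) -> List[Finding]:
    """Convenience wrapper for a whole FRST.txt / Addition.txt as one string."""
    return triage(text.splitlines())


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, e.g. {'orphan_entry': 6, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage_text(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.line[:100]}")
    print(summarize(hits))
```

Lines FRST prints without any of these markers (the WinRing0 driver entry, for instance) are not flagged, which is why the output is a starting point for review rather than a fixlist.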

#5 BobbyA

BobbyA
  • Topic Starter


Posted 29 January 2018 - 11:35 PM

Hi Gary, Thank you. I am retired and in the east coast time zone. I can usually respond fairly quickly, and will try to do so. I would like to try to clean the computer, as well as learn if anything was able to infect other machines in the house. Determining if the other machines are infected too is very important. I have 3 wireless laptops in my home network, an LG NAS configured RAID 1 and a Dell printer. The printer & the NAS are ethernet wired to the router. One of the laptops is an older machine running XP, and is connected to the TV. Not trusting the USB .mp3 device (I also format any new SD cards in my camera before going into any computer) I first plugged the .mp3 device into the XP machine, to look at the content. All I could see was labeled .mp3 but with all other characters in the names in Chinese. I played a few of the files and felt okay to move to my laptop. I created a folder on the laptop to preserve the .mp3 files in case there was something needed later. I copied them, then deleted the highlighted files on the device. At the end of that operation a couple files remained, one of which was labeled ms-dos file (I think?). The next things happened very quickly so my memory of them may not be completely accurate. When I tried to right click on that file to have Norton scan it the computer black screened. I quickly shut it down by holding the power switch down, and it was either at this moment I unplugged the device USB cable and the NAS from the router, or right after I rebooted and ran a system scan with Norton and saw the one trojan found. Norton never finished that scan as the CPU and memory were being consumed by Malwarebytes. I eventually uninstalled Malwarebytes and reinstalled the fixed version. My laptop and my wife's have been on the net since. The older laptop has remained off, and the NAS has remained disconnected. The quote appears to be a registry entry to start a program; I don't recall having seen it before.
I have set Norton to do a full scan at 3 am and last night the file count was 1.1 million, zero risks found. My laptop is wireless, so will putting it in airplane mode be enough to take it off the net? I have been avoiding transactions that might be of interest to others, although the mail program will have logged into the mail server as usual. If I can't determine if my wife's laptop is also infected, then would it even help to change passwords from there? Hers also runs Norton and Malwarebytes. Hers had started running slower about a week prior to this. I did a restore point from about three weeks prior and that seemed to correct her slowness. Sorry if this is too much info, trying to err on the side of you having all the data available. Thanks again, Bobby


Edited by BobbyA, 29 January 2018 - 11:42 PM.


#6 BobbyA

BobbyA
  • Topic Starter


Posted 29 January 2018 - 11:38 PM

Between my post and your reply, late yesterday I had installed and run avg_remover_slt and TDSSKiller.

BTW I'm okay to wipe the xp machine if we can't determine if it is clean.


Edited by BobbyA, 29 January 2018 - 11:44 PM.


#7 BobbyA

BobbyA
  • Topic Starter


Posted 30 January 2018 - 12:27 AM

Hi Gary, I started AVG Sality Fix running. When I ran it last night it found nothing, but hung eventually reporting about 40 Windows files: Can't open.

It's now gotten about 18% through with nothing found, but has over 100 files listed as "Can't open" and is reporting it exited due to an internal error.

The can't open file paths all start with C:\Users\Me\AppData\Local\Packages\WinStore_cw5n1h2txyewy\LocalState\Cache\0\0-ProductTileEx...

As it's after midnight I'm going to restart it and go to bed.

 

Update: It again choked with an internal error. Reporting 186,225 objects found, 184911 clean, 0 0 0 0

This time while scanning ...\Me\AppData\Roaming\Adobe\AIR\Updater\Background\updater

 

Can some of these programs and services be causing a problem because the computer is in airplane mode and they can't reach the net?

 

Going to start Kaspersky and go to bed.

 

Good night.

 

Tuesday morning update: Answering the above question on performance, I have been able to still edit in Photoshop without a noticeable lag; however, for the last few months I will sometimes get a "Not responding" banner for a few moments above Firefox, only sometimes. I attributed this to usually having 10 or more tabs open.

 

Kaspersky completed with Infected files 0, Infected processes 0, Infected threads 0, Cured files 0, Will be cured on reboot 0, Executed registry scripts 1.

 

Content of Fixlog.txt

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Me (30-01-2018 08:31:31) Run:1
Running from C:\Users\Me\Desktop
Loaded Profiles: Me (Available Profiles: Me & Camera_User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\...\Run: [AdobeBridge] => [X]
SearchScopes: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001 -> DefaultScope {EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} URL =
SearchScopes: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001 -> {EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} URL =
Handler: WSIEChrome - {6D02ED5F-FD0D-4C4C - No File
CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\Exts\Chrome.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - D:\Program Files (x86)\Norton Security\Engine\22.11.2.7\Exts\Chrome.crx <not found>
S3 BrYNSvc; "C:\Program Files (x86)\Browny02\BrYNSvc.exe" [X]
S2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [X]
S3 WinRing0_1_2_0; \??\D:\Program Files (x86)\AnVir Task Manager\OpenHardwareMonitor\OpenHardwareMonitor.sys
2018-01-27 22:33 - 2016-07-19 12:05 - 000001398 ____H C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job
2018-01-27 22:33 - 2016-02-10 18:19 - 000001398 ____H C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job
2018-01-27 22:33 - 2015-05-29 22:29 - 000001398 ____H C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job
2018-01-27 22:33 - 2014-07-14 10:16 - 000001398 ____H C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job
2018-01-27 22:33 - 2014-07-10 12:52 - 000001398 ____H C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Me\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {0CE189DB-E8AC-41C2-AC45-C5A034341A9D} - \Microsoft\Windows\Setup\EOSNotify
Task: {5B0E70AA-611A-40AA-8CBD-80E0764F37CD} - System32\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA} => C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp
Task: {82BB1F60-58A9-4ADB-B829-6195CD5261CE} - System32\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70} => C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-05K11.tmp
Task: {8FCFECDA-89C4-41C3-95EE-09D61B99A09A} - System32\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7} => C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp
Task: {B3FF9712-55C1-47ED-AB98-BC8E34319BC7} - System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp
Task: {F9C29B4B-0D0D-4400-8901-EA3C78B57FCD} - System32\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4} => C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exe
C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp
Task: C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job => C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp
D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}
Task: C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job => C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={1AF468C2-19D6-44EE-88F4-724F8619FFB4} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp
Task: C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job => C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={425E7005-9EC8-4CFC-818A-D3511CE343B7} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-05K11.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-05K11.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job => C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp <==== ATTENTION
Task: C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job => C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exeȰ/exenoupdates /noprereqs /qr AI_RESUME=1 ADDLOCAL=MainFeature,XRDdrivers64 ACTION=INSTALL EXECUTEACTION=INSTALL ROOTDRIVE D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{425E7005-9EC8-4CFC-818A-D3511CE343B7}\drivers64.msi AI_PREREQDIRS=C:\Users\Me\AppData\Local\Temp OLDPRODUCTS={AC5E0CD0-F560-4504-B8C1-3D4F268AA7EF} AI_SETUPEXEPATH=C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp\XRD Manager.exe SETUPEXEDIR=C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp <==== ATTENTION
AlternateDataStreams: C:\Windows:nlsPreferences [386]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1 [4]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns2 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns3 [4]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns4 [5]
AlternateDataStreams: C:\ProgramData\TEMP:0BBF232A [442]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
AlternateDataStreams: C:\ProgramData\TEMP:2E33E4A6 [150]
AlternateDataStreams: C:\ProgramData\TEMP:367BF129 [144]
AlternateDataStreams: C:\ProgramData\TEMP:737160C1 [436]
AlternateDataStreams: C:\ProgramData\TEMP:8E11CC80 [232]
AlternateDataStreams: C:\ProgramData\TEMP:A02025CE [432]
AlternateDataStreams: C:\ProgramData\TEMP:FD9CE1F3 [510]
emptytemp:

*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EAF15F91-F3C0-449A-97AB-ED9D45EF30D8}" => removed successfully
HKLM\Software\Classes\CLSID\{EAF15F91-F3C0-449A-97AB-ED9D45EF30D8} => key not found
"HKLM\Software\Classes\PROTOCOLS\Handler\WSIEChrome" => removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe" => removed successfully
"HKLM\System\CurrentControlSet\Services\BrYNSvc" => removed successfully
BrYNSvc => service removed successfully
"HKLM\System\CurrentControlSet\Services\PassThru Service" => removed successfully
PassThru Service => service removed successfully
"HKLM\System\CurrentControlSet\Services\WinRing0_1_2_0" => removed successfully
WinRing0_1_2_0 => service removed successfully
C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job => moved successfully
C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job => moved successfully
C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job => moved successfully
C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job => moved successfully
C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job => moved successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{144DF3B2-2402-47AE-9583-5A045929A8D4}" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => removed successfully
"HKU\S-1-5-21-4007766687-3714460472-3212241914-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0CE189DB-E8AC-41C2-AC45-C5A034341A9D} => could not remove key. ErrorCode1: 0x00000002
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0CE189DB-E8AC-41C2-AC45-C5A034341A9D}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5B0E70AA-611A-40AA-8CBD-80E0764F37CD}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5B0E70AA-611A-40AA-8CBD-80E0764F37CD}" => removed successfully
C:\Windows\System32\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}" => removed successfully
"C:\Users\Me\AppData\Local\Temp\is-1AH7P.tmp" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{82BB1F60-58A9-4ADB-B829-6195CD5261CE}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{82BB1F60-58A9-4ADB-B829-6195CD5261CE}" => removed successfully
C:\Windows\System32\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}" => removed successfully
"C:\Users\Me\AppData\Local\Temp\is-05K11.tmp" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8FCFECDA-89C4-41C3-95EE-09D61B99A09A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8FCFECDA-89C4-41C3-95EE-09D61B99A09A}" => removed successfully
C:\Windows\System32\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{425E7005-9EC8-4CFC-818A-D3511CE343B7}" => removed successfully
"C:\Users\Me\AppData\Local\Temp\is-SN1GJ.tmp" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B3FF9712-55C1-47ED-AB98-BC8E34319BC7}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B3FF9712-55C1-47ED-AB98-BC8E34319BC7}" => removed successfully
C:\Windows\System32\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}" => removed successfully
"C:\Users\Me\AppData\Local\Temp\is-4SJ9V.tmp" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F9C29B4B-0D0D-4400-8901-EA3C78B57FCD}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F9C29B4B-0D0D-4400-8901-EA3C78B57FCD}" => removed successfully
C:\Windows\System32\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}" => removed successfully
"C:\Users\Me\AppData\Local\Temp\is-LK1C2.tmp" => not found
"C:\Windows\Tasks\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}.job" => not found
"D:\ AI_PREREQFILES=C:\Users\Me\AppData\Local\Temp\{1AF468C2-19D6-44EE-88F4-724F8619FFB4}" => not found
"C:\Windows\Tasks\{1E18A923-CDF1-4D1C-93B2-AD4CC5BD33EA}.job" => not found
"C:\Windows\Tasks\{2ECE8EE0-2DBB-444F-92F1-D7C7637CCF70}.job" => not found
"C:\Windows\Tasks\{36E19D34-6BA7-4BD1-B5CB-7B0DA85713C4}.job" => not found
"C:\Windows\Tasks\{425E7005-9EC8-4CFC-818A-D3511CE343B7}.job" => not found
C:\Windows => ":nlsPreferences" ADS removed successfully
C:\ProgramData\Nalpeiron => ":user.ns1" ADS removed successfully
C:\ProgramData\Nalpeiron => ":user.ns2" ADS removed successfully
C:\ProgramData\Nalpeiron => ":user.ns3" ADS removed successfully
C:\ProgramData\Nalpeiron => ":user.ns4" ADS removed successfully
C:\ProgramData\TEMP => ":0BBF232A" ADS removed successfully
C:\ProgramData\TEMP => ":2CB9631F" ADS removed successfully
C:\ProgramData\TEMP => ":2E33E4A6" ADS removed successfully
C:\ProgramData\TEMP => ":367BF129" ADS removed successfully
C:\ProgramData\TEMP => ":737160C1" ADS removed successfully
C:\ProgramData\TEMP => ":8E11CC80" ADS removed successfully
C:\ProgramData\TEMP => ":A02025CE" ADS removed successfully
C:\ProgramData\TEMP => ":FD9CE1F3" ADS removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 175939959 B
Java, Flash, Steam htmlcache => 5452 B
Windows/system/drivers => 9225 B
Edge => 0 B
Chrome => 0 B
Firefox => 530396786 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 16899128 B
NetworkService => 0 B
Me => 1016912468 B
Camera_User => 67497 B

RecycleBin => 0 B
EmptyTemp: => 1.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 08:32:09 ====


Edited by BobbyA, 30 January 2018 - 08:53 AM.


#8 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • Location:California

Posted 30 January 2018 - 09:52 AM

Good morning Bobby.

Regarding your other computers, a topic is restricted to one computer so if you want assistance with the other computer(s) they will require separate topics. In order to avoid confusion I would suggest we deal with this one before you start dealing with the others.

-----
 

mp3 but with all other characters in the names in Chinese.

If you don't yet know what the Chinese characters mean you can use Google Translate to get the English equivalent.

-----
 

will putting it in airplane mode be enough to take it off the net ?

Yes.

-----

If you are going to change passwords it is good to do so from a known clean computer.

-----

At this point I am not concerned about Firefox stalling. It routinely happens to me as well. Having said that we will keep our eye on it.

-----

Do you have the error code for AVG? Because of the nature of this infection I would still like to try to get through the scan. Boot into Safe Mode and run it to see if we can get through the full scan.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 BobbyA (Topic Starter)

Posted 30 January 2018 - 10:49 AM

Good morning Gary,

Booting into safe mode did not get AVG to finish. It stopped at: Scanned 170423, Clean 169441, 0,0,0,0. Would it be safe (or possible?) to just delete that WinStore folder? BTW, I don't use the app versions of Windows, just the classic interface.

Not sure if it is normal, but Malwarebytes reported all real-time protection off during the period the computer was in safe mode. Upon rebooting out of safe mode MB appears to have returned to normal functioning.

Also a full system scan was run by Norton during the night with 1,154,051 scanned, zero risks found.

My daughter has sent me a suggestion to try CrowdStrike CrowdInspect, any insight or opinion?

 

These are the last few lines from the AVG log.

 

C:\Users\Me\AppData\Local\Packages\WinStore_cw5n1h2txyewy\LocalState\Cache\4\4-http???wscont2.apps.microsoft.com?winstore?1x?ef348bb5-4e3f-414f-b642-7e29c29821fc?AppTile.1.1152921504653491268.1.png.dat Can't open
C:\Users\Me\AppData\Local\Packages\WinStore_cw5n1h2txyewy\LocalState\Cache\4\4-http???wscont2.apps.microsoft.com?winstore?1x?ef5c45f2-fbbd-402c-b829-c48e5dcbe9f5?Icon.249965.png.dat Can't open
C:\Users\Me\AppData\Local\Packages\WinStore_cw5n1h2txyewy\LocalState\Cache\4\4-http???wscont2.apps.microsoft.com?winstore?1x?ef93c6fd-035d-4109-83e6-a884017a21a4?AppTile.1.1152921504654281782.1.png.dat Can't open
C:\Users\Me\AppData\Local\Packages\WinStore_cw5n1h2txyewy\LocalState\Cache\4\4-http???wscont2.apps.microsoft.com?winstore?1x?efad04b1-ec03-46e2-b8a5-e28799d69119?AppTile.1.1152921504654454740.1.png.dat Can't open
C:\Users\Me\AppData\Local\Packages\WinStore_cw5n1h2txyewy\LocalState\Cache\4\4-http???wscont2.apps.microsoft.com?winstore?1x?efbd094a-27d0-462f-962b-037d4e52dcdc?AppTile.1.243908.1.png.dat Can't open
C:\Users\Me\AppData\Local\Packages\WinStore_cw5n1h2txyewy\LocalState\Cache\4\4-http???wscont2.apps.microsoft.com?winstore?1x?effa0216-727c-4524-94eb-2e659d3002f3?AppTile.1.518009.1.png.dat Can't open
Virus remover exited because of an internal error.

 

 

Update: Tuesday noon. In an effort to see if I could find any error code in the AVG report window, I reran it. It is currently still running with about 400K objects currently scanned. Will update again when it stops.

 

Update Tuesday afternoon.  AVG completed, result:   Scanned 763602, Clean 761839, 0,0,0,0 Work complete.


Edited by BobbyA, 30 January 2018 - 02:27 PM.


#10 Oh My!

Posted 30 January 2018 - 02:54 PM

Hi Bobby.

Never heard of CrowdStrike so I would be reluctant to use it.

Please zip and upload the VirusRemover.log here.

How is your computer running?
Gary

#11 BobbyA (Topic Starter)

Posted 30 January 2018 - 03:52 PM

Uploaded as requested.

If it weren't for the previous wacky scan results (like the increasing number of files, and the literal dozens of trojan downloaders blocked on the 27th) and the inability to complete the AVG scan, I would think all is perfectly normal comparing the functioning today to its functioning last Tuesday.

All the Norton full scans for the last couple of nights have had no finds. I'm not much good at reading the details of the FRST, Kaspersky, and AVG scans, but nothing has recently reported "I'm screwed" as far as I can tell. Is there any deterministic way to test or monitor the machine?

Your thoughts ?



#12 Oh My!

Posted 30 January 2018 - 04:54 PM

Greetings Bobby.

As stated previously, with this type of infection there is no way to be 100% sure you are clean. So far things are not looking too bad. If you haven't had any irregular banking or password related incidents and you have changed your passwords I think there is little to worry about at this point.

Please do this as we continue to investigate.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Launch FRST
  • Copy/paste the following in the Search: box
SearchAll: *hasplms*
  • Click Search File(s) button
  • When completed click OK and a Search.txt document will open on your desktop
  • Copy and paste the contents of that document into your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Search.txt

Gary

#13 BobbyA (Topic Starter)

Posted 30 January 2018 - 05:36 PM

As requested.

 

Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Me (30-01-2018 17:28:09)
Running from C:\Users\Me\Desktop
Boot Mode: Normal

================== Search Files: "SearchAll: *hasplms*" =============

File:
========
C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_f6c4895db5f8d307\hasplms.exe
[2015-05-29 22:29][2014-11-27 09:04] 004608320 _____ (SafeNet Inc.) 18D67C77703FE9BEFC0C275423AF676F [File is digitally signed]

C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_91269b69ad69a978\hasplms.exe
[2015-05-29 22:29][2014-11-27 09:04] 004608320 _____ (SafeNet Inc.) 18D67C77703FE9BEFC0C275423AF676F [File is digitally signed]


folder:
========

Registry:
========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\hasplms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\hasplms]
"EventMessageFile"="C:\windows\system32\hasplms.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hasplms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hasplms]
"ImagePath"="C:\windows\system32\hasplms.exe  -run"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{56249ADC-8662-4981-BAD9-58DD6A1614DC}"="v2.20|Action=Allow|Active=TRUE|Dir=In|App=C:\windows\system32\hasplms.exe|Name=Sentinel License Manager|Desc=Sentinel License Manager|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1D121D5E-A48D-412F-9798-713F4E790FBB}"="v2.20|Action=Allow|Active=TRUE|Dir=In|App=C:\windows\system32\hasplms.exe|Name=Sentinel License Manager|Desc=Sentinel License Manager|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{A36899D1-8D25-48AD-AF69-4593ADE221AC}"="v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\WINDOWS\system32\hasplms.exe|Name=Sentinel License Manager|Desc=Sentinel License Manager|"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{9D39828E-41FE-40BE-A7BB-4161560136A6}"="v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\WINDOWS\system32\hasplms.exe|Name=Sentinel License Manager|Desc=Sentinel License Manager|"


====== End of Search ======
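The search above lists two identical, signed copies of hasplms.exe in the driver store, while every registry reference (the service ImagePath, the event-log source and the firewall rules) points at C:\windows\system32\hasplms.exe, which does not appear in the File section at all. That gap is exactly what a helper should cross-check before deciding what to replace. The script below is an added example for this thread, not FRST's own code and not something the thread participants ran: it parses the Search.txt layout as it appears in the post (an assumption), then reports registry-referenced paths that the search did not find, copies whose hashes disagree, and copies FRST did not report as signed. The sample input is the search output pasted above, shortened to one firewall rule.

```python
"""Cross-check an FRST Search.txt: copies found on disk vs. paths the registry
points at. Added example for this thread, not FRST's own code; the Search.txt
layout is assumed from the sample pasted in the post above."""
import re
from collections import defaultdict

# Constructed from the Search.txt in the post above (registry section shortened
# to one firewall rule). The layout shown here is what the parser assumes.
SEARCH_TXT = r"""
================== Search Files: "SearchAll: *hasplms*" =============

File:
========
C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_f6c4895db5f8d307\hasplms.exe
[2015-05-29 22:29][2014-11-27 09:04] 004608320 _____ (SafeNet Inc.) 18D67C77703FE9BEFC0C275423AF676F [File is digitally signed]

C:\Windows\System32\DriverStore\FileRepository\akshhl.inf_amd64_91269b69ad69a978\hasplms.exe
[2015-05-29 22:29][2014-11-27 09:04] 004608320 _____ (SafeNet Inc.) 18D67C77703FE9BEFC0C275423AF676F [File is digitally signed]

folder:
========

Registry:
========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\hasplms]
"EventMessageFile"="C:\windows\system32\hasplms.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hasplms]
"ImagePath"="C:\windows\system32\hasplms.exe  -run"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{56249ADC-8662-4981-BAD9-58DD6A1614DC}"="v2.20|Action=Allow|Active=TRUE|Dir=In|App=C:\windows\system32\hasplms.exe|Name=Sentinel License Manager|Desc=Sentinel License Manager|"

====== End of Search ======
"""

# FRST detail line: [created][modified] size attrs (signer) MD5 [signature status]
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<signer>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32}) \[(?P<sig>[^\]]+)\]$"
)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
# An .exe path embedded in a registry value ("ImagePath", App=... in firewall rules)
PATH_RE = re.compile(r'[A-Za-z]:\\[^"|]*?\.exe', re.IGNORECASE)


def parse_search(text):
    """Return (files, refs): files found on disk and (registry key, path) references."""
    section, current_key, pending_path = None, None, None
    files, refs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("File:", "folder:", "Registry:"):
            section = line
            continue
        if not line or line.startswith("="):
            continue
        if section == "File:":
            m = DETAIL_RE.match(line)
            if m and pending_path:
                files.append({"path": pending_path, **m.groupdict()})
                pending_path = None
            elif DRIVE_RE.match(line):
                pending_path = line  # the detail line follows on the next line
        elif section == "Registry:":
            if line.startswith("["):
                current_key = line.strip("[]")
            else:
                for p in PATH_RE.findall(line):
                    refs.append((current_key, p))
    return files, refs


def cross_check(files, refs):
    """Flag what a responder wants to know before copying a replacement binary."""
    found = {f["path"].lower() for f in files}
    by_name = defaultdict(set)
    for f in files:
        by_name[f["path"].rsplit("\\", 1)[-1].lower()].add(f["md5"].upper())
    return {
        # registry points here, but the search returned no such file
        "referenced_not_found": sorted({p.lower() for _, p in refs if p.lower() not in found}),
        # same file name, different content: a file infector leaves exactly this trace
        "hash_variants": {n: sorted(h) for n, h in by_name.items() if len(h) > 1},
        "unsigned": [f["path"] for f in files if f["sig"] != "File is digitally signed"],
    }


if __name__ == "__main__":
    found_files, referenced = parse_search(SEARCH_TXT)
    for f in found_files:
        print(f"{f['md5']}  {f['sig']:<25} {f['path']}")
    print(cross_check(found_files, referenced))
```

On this input the report shows one referenced-but-not-found path (the system32 copy), no hash variants and no unsigned copies, which is consistent with the Replace fix Gary gives in the next post: restore the service binary from a known-good driver-store copy whose hash matches its sibling. The signature status is whatever FRST printed; on the live machine, Get-AuthenticodeSignature in PowerShell is the way to confirm the chain before trusting the copy.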



#14 Oh My!

Posted 30 January 2018 - 07:06 PM

Thank you.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
Start::
Replace: C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_f6c4895db5f8d307\hasplms.exe C:\windows\system32\hasplms.exe
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • ESET log
  • How is your computer running?

Gary

#15 BobbyA (Topic Starter)

Posted 30 January 2018 - 10:46 PM

Hi Gary,

As requested:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 27.01.2018
Ran by Me (30-01-2018 19:17:49) Run:2
Running from C:\Users\Me\Desktop
Loaded Profiles: Me (Available Profiles: Me & Camera_User)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Replace: C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_f6c4895db5f8d307\hasplms.exe C:\windows\system32\hasplms.exe

*****************

"C:\windows\system32\hasplms.exe" => Could not move.
C:\Windows\System32\DriverStore\FileRepository\aksusb.inf_amd64_f6c4895db5f8d307\hasplms.exe copied successfully to C:\windows\system32\hasplms.exe

==== End of Fixlog 19:17:49 ====

 

ESET.txt

 

C:\Program Files (x86)\NCH Software\VideoPad\videopad.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    cleaned by deleting
C:\Program Files (x86)\NCH Software\VideoPad\videopadsetup_v3.14.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted
C:\Program Files (x86)\NCH Software\VideoPad\videopadsetup_v3.74.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted
C:\Users\Me\AppData\LocalLow\Sun\Java\jre1.7.0_51\java_sp.dll    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    cleaned by deleting
C:\Windows\CouponPrinter.ocx    a variant of Win32/Adware.Coupons.AA application    cleaned by deleting
D:\D_Downloads\FFSetup3.7.5.0.exe    a variant of Win32/Toptools.A potentially unwanted application    cleaned by deleting
D:\D_Downloads\rs-recover-windows.exe    Win32/MyPCBackup.C potentially unwanted application    cleaned by deleting
D:\D_Downloads\855_SD\NIKON D80\download\unzip\app-signed.apk    Android/Plankton.H trojan    deleted
D:\D_Downloads\855_SD\NIKON D80\download\unzip\app.apk    Android/Plankton.H trojan    deleted
D:\D_Downloads\855_SD\NIKON D80\download\unzip\unzip\classes.dex    Android/Plankton.H trojan    cleaned by deleting
D:\D_Downloads\Halloween2011\ManyCam.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting
D:\HTC_Backup\Internal\Download\show_box.apk    a variant of Android/AdDisplay.RevMob.A potentially unwanted application    deleted
D:\Program Files (x86)\Mozilla Firefox\browser\plugins\npMozCouponPrinter.dll    a variant of Win32/Adware.Coupons.AA application    cleaned by deleting
D:\SD_Cards\Shars_LG\TitaniumBackup\eu.chainfire.gingerbreak-20110614-172314.tar.gz    Android/Exploit.Lotoor.AJ trojan    deleted

 

Computer still appears to be running okay, but it's mostly been running scanners today so I haven't used it much. lol

 

Bobby
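The ESET.txt above mixes several very different kinds of finding: Android packages sitting in phone backups and SD-card copies (which cannot execute on the Windows host and say nothing about whether Sality is still present), bundled-toolbar and adware components, and two deleted program binaries under Program Files. Sorting those out is the first thing to do with such a report. The script below is an added example, not ESET's own code and not something either participant ran; it assumes the three-field layout (path, detection, action, separated by tabs or runs of spaces) seen in the pasted report, and uses those exact lines as its sample input.

```python
"""Triage an ESET Online Scanner ESET.txt export: what was found, where it sits,
and whether it can run on the Windows host at all. Added example for this
thread, not ESET's code; the field layout is assumed from the pasted report."""
import re
from collections import Counter

# Constructed from the ESET.txt pasted in the post above (14 lines).
ESET_TXT = r"""
C:\Program Files (x86)\NCH Software\VideoPad\videopad.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    cleaned by deleting
C:\Program Files (x86)\NCH Software\VideoPad\videopadsetup_v3.14.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted
C:\Program Files (x86)\NCH Software\VideoPad\videopadsetup_v3.74.exe    a variant of Win32/Bundled.Toolbar.Google.C potentially unsafe application    deleted
C:\Users\Me\AppData\LocalLow\Sun\Java\jre1.7.0_51\java_sp.dll    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    cleaned by deleting
C:\Windows\CouponPrinter.ocx    a variant of Win32/Adware.Coupons.AA application    cleaned by deleting
D:\D_Downloads\FFSetup3.7.5.0.exe    a variant of Win32/Toptools.A potentially unwanted application    cleaned by deleting
D:\D_Downloads\rs-recover-windows.exe    Win32/MyPCBackup.C potentially unwanted application    cleaned by deleting
D:\D_Downloads\855_SD\NIKON D80\download\unzip\app-signed.apk    Android/Plankton.H trojan    deleted
D:\D_Downloads\855_SD\NIKON D80\download\unzip\app.apk    Android/Plankton.H trojan    deleted
D:\D_Downloads\855_SD\NIKON D80\download\unzip\unzip\classes.dex    Android/Plankton.H trojan    cleaned by deleting
D:\D_Downloads\Halloween2011\ManyCam.exe    a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application    cleaned by deleting
D:\HTC_Backup\Internal\Download\show_box.apk    a variant of Android/AdDisplay.RevMob.A potentially unwanted application    deleted
D:\Program Files (x86)\Mozilla Firefox\browser\plugins\npMozCouponPrinter.dll    a variant of Win32/Adware.Coupons.AA application    cleaned by deleting
D:\SD_Cards\Shars_LG\TitaniumBackup\eu.chainfire.gingerbreak-20110614-172314.tar.gz    Android/Exploit.Lotoor.AJ trojan    deleted
"""

FIELD_SPLIT = re.compile(r"\t+| {2,}")  # tabs or runs of spaces between the three fields

# Order matters: the first matching phrase in the detection string wins.
CATEGORY_RULES = (
    ("trojan", "trojan"),
    ("potentially unwanted", "potentially unwanted"),
    ("potentially unsafe", "potentially unsafe"),
    ("adware", "adware"),
)


def categorize(detection):
    d = detection.lower()
    for needle, label in CATEGORY_RULES:
        if needle in d:
            return label
    return "other"


def locate(path):
    """Where the file lived decides what its removal breaks."""
    p = path.lower()
    if "\\program files" in p:
        return "program files"      # installed software: the app may now be broken
    if p.startswith("c:\\windows\\"):
        return "windows dir"        # unexpected home for a coupon-printer control
    if p.startswith("c:\\users\\"):
        return "user profile"
    return "downloads/backups"      # archived installers, phone backups, SD-card copies


def parse_eset(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = FIELD_SPLIT.split(line)
        if len(parts) != 3:
            raise ValueError(f"unexpected ESET line: {line!r}")
        path, detection, action = parts
        records.append({
            "path": path,
            "detection": detection,
            "action": action,
            "category": categorize(detection),
            "location": locate(path),
            # Android code (apk/dex/rooting tool) does not execute on a Windows host
            "android": "Android/" in detection,
        })
    return records


def summarize(records):
    return {
        "total": len(records),
        "by_category": dict(Counter(r["category"] for r in records)),
        "by_location": dict(Counter(r["location"] for r in records)),
        "by_action": dict(Counter(r["action"] for r in records)),
        "android_only": sum(r["android"] for r in records),
        # binaries removed from installed software; reinstall from a clean source
        "needs_reinstall": sorted(r["path"] for r in records if r["location"] == "program files"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_eset(ESET_TXT)).items():
        print(f"{key}: {value}")
```

Five of the fourteen findings are Android artifacts in backups, so they neither confirm nor rule out anything about the Windows infection this thread is about; none of the fourteen is a Sality detection. The four entries under Program Files include the main VideoPad executable, which ESET deleted, so that application will need a clean reinstall rather than being left half-removed.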