69ctete294
2017-02-24, 22:21
My grandson installed something and tried to uninstall it. Now I cannot get to any websites that have to do with malware, and none of the malware programs will run. I have tried CCleaner and JRT in safe mode with some success. Spybot will not run because there is no internet connection to update with in safe mode. (Windows 10)
Admin Edit.
FYI: From the FAQ (https://forums.spybot.info/showthread.php?288-quot-BEFORE-You-POST-quot-(Please-read-this-Procedure-Before-Requesting-Assistance)-Updated)
"Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources as our analysts assist people at several forums.
Reading logs and the research involved takes time.
Worse scenario would be to run fixes given at one site unbeknown to the person helping the same user elsewhere. If you have already requested help at another site choose where you wish to continue and advise all parties." :)
Yikes!
This could be a hard one here...
Let me throw out a couple of ideas to go over with first.
Open a command prompt. https://www.tenforums.com/tutorials/72407-elevated-command-prompt-shortcut-create-windows-10-a.html
To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
At a command prompt, type the following command, and then press ENTER:
ipconfig /flushdns
(There is a space between g and /.)
No internet? Try the next.
~~~~~~~~~~~~~
At the command prompt, run the following commands in the listed order, and then check to see if that fixes your connection problem:
Type netsh winsock reset and press Enter.
Type netsh int ip reset and press Enter.
Type ipconfig /release and press Enter.
Type ipconfig /renew and press Enter.
No internet? Try the next.
~~~~
Run the Network troubleshooter followed by networking commands
https://support.microsoft.com/en-us/help/10741/windows-10-fix-network-connection-issues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If need be can you download from a clean computer and transfer over using a USB drive?
Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 6 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
rkill.pif (http://download.bleepingcomputer.com/grinler/rkill.pif)
WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)
~~
Farbar Recovery Scan Tool (FRST) Scan
Please download Farbar Recovery Scan Tool (x32) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/) or Farbar Recovery Scan Tool (x64) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save the file to your Desktop.
Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
69ctete294
2017-02-25, 01:31
Thanks for the reply. Did the command prompt actions and will try to download the programs as soon as I can get the kids out of my hair.
69ctete294
2017-02-25, 01:58
Did you need the rkill log also?
69ctete294
2017-02-25, 02:09
Here are the FRST.txt and Addition.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
Ran by Jim (administrator) on JIM-PC (24-02-2017 16:52:28)
Running from C:\Users\Jim\Downloads
Loaded Profiles: Jim (Available Profiles: Jim)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Digital Wave Ltd.) C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(windows 99) C:\Program Files (x86)\sorrier\equalized.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\sorrier\harold.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(© 2015 Microsoft Corporation) C:\Users\Jim\AppData\Local\Microsoft\BingSvc\BingSvc.exe
() C:\Program Files (x86)\Enervate\apocalyptic.exe
() C:\Program Files (x86)\shropshire\lobelia.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files (x86)\svcvmx\svcvmx.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneMusic_3.6.25021.0_x64__8wekyb3d8bbwe\Music.UI.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
() C:\Program Files (x86)\svcvmx\vmxclient.exe
==================== Registry (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-24] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2017-01-19] (Apple Inc.)
HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
HKLM\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
HKLM\...\Run: [clears] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [autoauto] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
HKLM-x32\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\RunOnce: [Lulopelona] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Jim\AppData\Roaming\Manunagadoc"
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2016-11-30] (Google)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [BingSvc] => C:\Users\Jim\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [Chromium] => c:\users\jim\appdata\local\chromium\application\chrome.exe [1068544 2016-03-18] (The Chromium Authors)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [ok48036327] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [acupressure] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [changed] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [lobelia] => C:\Program Files (x86)\shropshire\lobelia.exe [40342 2017-02-18] ()
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [apostrophes] => C:\Program Files (x86)\shropshire\alltime.exe [462336 2017-02-18] (wallah)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9363672 2017-02-07] (Piriform Ltd)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-783448517-647833336-481893931-1001\...\MountPoints2: {fdd1f285-096e-11e6-824f-806e6f6e6963} - "D:\setup.exe"
HKU\S-1-5-18\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ShellIconOverlayIdentifiers-x32: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327.lnk [2017-02-23]
ShortcutTarget: ok48036327.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327reisinger.lnk [2017-02-23]
ShortcutTarget: ok48036327reisinger.lnk -> C:\Program Files (x86)\Enervate\apocalyptic.exe ()
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reisinger.lnk [2017-02-23]
ShortcutTarget: reisinger.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
BootExecute: autocheck autochk * sdnclean64.exe
GroupPolicy: Restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{5497f104-c6d0-41aa-8aec-fda2691bb19d}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> DefaultScope {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p10_serp_ie_us_display?ie=UTF8&tagbase=bds-p10&tbrId=v1_abb-channel-10_e89f1aa5_1201_1401_20160424_US_ie_ds_&tag=bds-p10-serp-us-ie-20&query={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
BHO: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll [2016-03-28] (DVDVideoSoft Ltd.)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-24] (Oracle Corporation)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-24] (Oracle Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
Edge:
======
Edge HomeButtonPage: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> hxxp://foxnews.com/
FireFox:
========
FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-24] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
Chrome:
=======
CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
CHR StartupUrls: Default -> "hxxp://foxnews.com/"
CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default [2017-02-24]
CHR Extension: (Google Slides) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-23]
CHR Extension: (Google Docs) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-23]
CHR Extension: (Google Drive) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-23]
CHR Extension: (Safer Search Results) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\begnofcbcefcedmomgdlmgcpmjafablp [2016-08-25]
CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2017-01-29]
CHR Extension: (YouTube) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-23]
CHR Extension: (Ebates Cash Back) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhjbpecpncaggjpdakmflnfcopglcmi [2017-02-22]
CHR Extension: (Bing) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-08-31]
CHR Extension: (Google Sheets) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-23]
CHR Extension: (Google Docs Offline) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-23]
CHR Extension: (Planetarium) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gheikhdfflhlbemfmhcfpeblehemeklp [2016-04-23]
CHR Extension: (Muzik Fury) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdapiklnfpdonfeopollmlpfjaphcb [2016-10-05]
CHR Extension: (CouponXplorer) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmjjokfbcjicbibeadflnnhdaglbbga [2017-01-13]
CHR Extension: (Skype) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2017-02-24]
CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2016-04-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Gmail) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-23]
CHR Extension: (Chrome Media Router) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\System Profile [2017-02-24]
CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 Amazon Assistant Service; C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe [100528 2017-02-17] ()
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [351944 2015-11-04] (Advanced Micro Devices, Inc.)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
S2 bottling; C:\WINDOWS\shortsightedness.exe [9728 2017-02-18] (emboldens) [File not signed]
S2 darkening; C:\WINDOWS\uniter.exe [13824 2017-02-18] (munger) [File not signed]
S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
R2 DigitalWave.Update.Service; C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe [389544 2016-07-12] (Digital Wave Ltd.)
R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 VumaaService; C:\ProgramData\Vumaa\Vumaa.Service.exe [22952 2016-03-30] (Vumaa)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-07-21] (Advanced Micro Devices)
R3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek )
R3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
U0 aswVmm; no ImagePath
S3 dbx; system32\DRIVERS\dbx.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-02-24 16:52 - 2017-02-24 16:53 - 00029495 _____ C:\Users\Jim\Downloads\FRST.txt
2017-02-24 16:51 - 2017-02-24 16:52 - 00000000 ____D C:\FRST
2017-02-24 16:50 - 2017-02-24 16:50 - 00000000 ____D C:\Users\Jim\Desktop\rkill
2017-02-24 16:49 - 2017-02-24 16:50 - 00004796 _____ C:\Users\Jim\Desktop\Rkill.txt
2017-02-24 16:49 - 2017-02-24 16:47 - 02423296 ____N (Farbar) C:\Users\Jim\Downloads\FRST64.exe
2017-02-24 16:49 - 2017-02-24 16:32 - 02030536 ____N (Bleeping Computer, LLC) C:\Users\Jim\Downloads\rkill.exe
2017-02-24 12:29 - 2017-02-24 12:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-02-24 12:29 - 2017-02-24 12:32 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-02-24 12:29 - 2017-02-24 12:29 - 00001456 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2017-02-24 12:29 - 2017-02-24 12:29 - 00001444 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2017-02-24 12:29 - 2017-02-24 12:29 - 00000656 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000628 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000458 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
2017-02-24 12:29 - 2017-02-24 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2017-02-24 12:29 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
2017-02-24 12:25 - 2017-02-24 12:22 - 46525608 ____N (Safer-Networking Ltd. ) C:\Users\Jim\Downloads\spybot-2.4.exe
2017-02-24 12:06 - 2017-02-24 12:06 - 00250290 _____ C:\Users\Jim\Documents\cc_20170224_120620.reg
2017-02-24 11:57 - 2017-02-24 11:57 - 00000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\Program Files\CCleaner
2017-02-24 11:54 - 2017-02-24 12:28 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-02-24 11:51 - 2017-02-24 11:51 - 00000000 ____D C:\WINDOWS\pss
2017-02-24 09:52 - 2017-02-24 09:36 - 09261616 _____ (Piriform Ltd) C:\Users\Jim\Downloads\ccsetup527.exe
2017-02-24 09:52 - 2017-02-24 09:36 - 01663040 _____ (Malwarebytes) C:\Users\Jim\Downloads\JRT.exe
2017-02-24 09:51 - 2017-02-24 09:51 - 00000552 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive (2).lnk
2017-02-24 05:11 - 2017-02-24 11:35 - 00004140 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{36D55AF4-5ADB-451B-899E-3C12B4B42C3E}
2017-02-23 21:17 - 2017-02-23 21:17 - 00000000 ____D C:\Program Files (x86)\GUM80B4.tmp
2017-02-23 21:14 - 2017-02-23 21:17 - 00002340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-02-23 21:13 - 2017-02-23 21:13 - 00000000 ____D C:\Program Files (x86)\GUM174A.tmp
2017-02-23 19:28 - 2017-02-23 19:28 - 00003244 _____ C:\WINDOWS\System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3}
2017-02-23 18:21 - 2017-02-23 19:29 - 00000000 ____D C:\Users\Jim\AppData\Local\llssoft
2017-02-23 18:21 - 2017-02-23 19:29 - 00000000 ____D C:\Program Files (x86)\svcvmx
2017-02-23 17:21 - 2017-02-23 17:21 - 00000000 ____D C:\Program Files (x86)\winscr
2017-02-23 17:20 - 2017-02-24 16:54 - 00003842 _____ C:\WINDOWS\System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1
2017-02-23 17:20 - 2017-02-24 16:49 - 00004404 _____ C:\WINDOWS\System32\Tasks\76656282
2017-02-23 17:20 - 2017-02-24 15:34 - 00004014 _____ C:\WINDOWS\System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1
2017-02-23 17:20 - 2017-02-23 19:16 - 00000000 ____D C:\Program Files (x86)\S5
2017-02-23 17:20 - 2017-02-23 19:16 - 00000000 ____D C:\Program Files (x86)\AnonymizerGadget
2017-02-23 17:20 - 2017-02-23 17:21 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
2017-02-23 17:20 - 2017-02-23 17:20 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
2017-02-23 17:20 - 2017-02-23 17:20 - 00000001 _____ C:\Users\Jim\AppData\Local\setupsuccessful.txt
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\c
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\AGData
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\1487895640
2017-02-23 17:19 - 2017-02-24 15:34 - 00003858 _____ C:\WINDOWS\System32\Tasks\213879593
2017-02-23 17:19 - 2017-02-24 15:34 - 00003686 _____ C:\WINDOWS\System32\Tasks\113879593
2017-02-23 17:19 - 2017-02-23 17:20 - 00000000 ____D C:\Program Files (x86)\sorrier
2017-02-23 17:19 - 2017-02-23 17:19 - 01397594 _____ C:\Users\Jim\AppData\Local\setupone.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 00003850 _____ C:\WINDOWS\System32\Tasks\966848
2017-02-23 17:19 - 2017-02-23 17:19 - 00003696 _____ C:\WINDOWS\System32\Tasks\Da966848966848
2017-02-23 17:19 - 2017-02-23 17:19 - 00000055 _____ C:\WINDOWS\key.ini
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\shropshire
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\Enervate
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\daugherty
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\tr5b.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\stxtname.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\run.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\aatxtname.txt
2017-02-23 17:16 - 2017-02-23 17:16 - 00006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
2017-02-19 12:47 - 2017-02-19 12:47 - 00000000 ____D C:\Users\Jim\.ssh
2017-02-18 23:50 - 2017-02-18 23:50 - 00491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00316416 _____ (windows 99) C:\WINDOWS\motorized.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00041196 _____ C:\WINDOWS\peddle.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00013824 _____ (munger) C:\WINDOWS\uniter.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00009728 _____ (emboldens) C:\WINDOWS\shortsightedness.exe
2017-02-18 22:22 - 2017-02-18 22:22 - 00080956 _____ C:\Users\Jim\Downloads\Document.pdf
2017-02-18 22:19 - 2017-02-18 22:19 - 00039150 _____ C:\Users\Jim\Downloads\SKM_284e17021410491.pdf
2017-02-12 19:09 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\Documents\TurboTax
2017-02-12 18:48 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Intuit
2017-02-12 18:47 - 2017-02-12 18:48 - 00000319 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-02-12 18:47 - 2017-02-12 18:47 - 00002547 _____ C:\Users\Public\Desktop\TurboTax 2016.lnk
2017-02-12 18:47 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2016
2017-02-12 18:46 - 2017-02-12 18:46 - 00000000 ____D C:\Program Files (x86)\TurboTax
2017-02-12 18:45 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Intuit
2017-02-08 16:37 - 2017-02-08 16:37 - 00034293 _____ C:\Users\Jim\Downloads\PastBills.pdf
2017-02-07 17:41 - 2017-02-07 17:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-02-07 11:10 - 2017-02-07 11:10 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iTunes
2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iPod
2017-02-07 02:08 - 2017-02-07 02:08 - 00002221 _____ C:\Users\Public\Desktop\Google Earth.lnk
2017-02-07 02:08 - 2017-02-07 02:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
2017-02-06 21:38 - 2017-02-06 21:38 - 00046400 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
2017-02-06 17:33 - 2017-02-06 17:33 - 00020823 _____ C:\Users\Jim\Downloads\Dec 01, 2016 to Dec 20, 2016.pdf
2017-02-06 17:32 - 2017-02-06 17:32 - 00020815 _____ C:\Users\Jim\Downloads\Dec 22, 2016 to Jan 20, 2017.pdf
2017-02-06 17:26 - 2017-02-06 17:26 - 00526149 _____ C:\Users\Jim\Downloads\Owner_1099_2016.pdf
2017-01-25 13:32 - 2017-01-25 13:32 - 02314240 _____ C:\Users\Jim\Downloads\MinecraftInstaller.msi
2017-01-25 09:20 - 2017-01-25 09:20 - 00337425 _____ C:\Users\Jim\Downloads\2454.pdf
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-02-24 15:34 - 2016-04-23 11:48 - 00000000 ___RD C:\Users\Jim\Google Drive
2017-02-24 15:33 - 2016-09-24 04:55 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-02-24 15:32 - 2016-07-15 23:04 - 01310720 _____ C:\WINDOWS\system32\config\BBI
2017-02-24 15:32 - 2016-05-11 18:07 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-02-24 15:08 - 2016-09-24 04:37 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-02-24 12:01 - 2016-09-24 05:36 - 00000000 ___DC C:\WINDOWS\Panther
2017-02-24 12:01 - 2016-07-16 04:45 - 00000000 ____D C:\WINDOWS\INF
2017-02-24 12:00 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-02-24 10:00 - 2016-04-23 11:09 - 00000000 ___RD C:\Users\Jim\OneDrive
2017-02-24 09:22 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-02-23 21:12 - 2016-04-23 11:10 - 00000000 ____D C:\Users\Jim\AppData\Local\MicrosoftEdge
2017-02-23 19:26 - 2016-09-24 04:37 - 00206352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-02-23 19:25 - 2016-09-24 04:44 - 00000000 ____D C:\Users\Jim
2017-02-23 19:24 - 2016-05-06 16:31 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
2017-02-23 18:06 - 2016-04-24 18:57 - 00000000 ____D C:\Users\Jim\AppData\Roaming\.minecraft
2017-02-18 17:32 - 2016-04-24 18:57 - 00000000 ____D C:\Program Files (x86)\Amazon
2017-02-15 15:59 - 2016-04-23 11:09 - 00002353 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-12 18:45 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-02-10 15:36 - 2016-04-23 11:45 - 00000000 ___RD C:\Users\Jim\Dropbox
2017-02-10 12:05 - 2016-04-23 11:29 - 00000000 ____D C:\Users\Jim\AppData\Roaming\DVDVideoSoft
2017-02-09 08:48 - 2016-04-23 09:35 - 00000000 ____D C:\Users\Jim\AppData\Local\ElevatedDiagnostics
2017-02-07 17:42 - 2016-04-23 11:42 - 00000000 ____D C:\Program Files (x86)\Dropbox
2017-02-07 11:14 - 2016-04-23 11:42 - 00000916 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
2017-02-07 11:14 - 2016-04-23 11:42 - 00000912 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
2017-02-07 11:10 - 2016-05-15 11:07 - 00000000 ____D C:\Program Files\Recuva
2017-02-07 11:09 - 2016-05-15 12:02 - 00000000 ____D C:\Program Files\Common Files\Apple
2017-02-07 02:08 - 2016-04-23 11:14 - 00000000 ____D C:\Program Files (x86)\Google
2017-01-27 13:15 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-01-27 13:15 - 2016-04-23 09:27 - 00000000 ____D C:\Users\Jim\AppData\Local\Packages
2017-01-27 12:17 - 2016-07-17 12:41 - 00000000 ____D C:\Users\Jim\AppData\Roaming\vlc
==================== Files in the root of some directories =======
2016-10-19 15:10 - 2016-10-19 15:10 - 0018070 _____ () C:\Users\Jim\AppData\Roaming\Manunagadoc
2016-10-08 00:04 - 2016-10-08 00:04 - 0000043 _____ () C:\Users\Jim\AppData\Roaming\WB.CFG
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\aatxtname.txt
2017-02-18 23:50 - 2017-02-18 23:50 - 0491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
2017-02-23 17:16 - 2017-02-23 17:16 - 0006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\run.txt
2016-10-04 07:33 - 2016-10-04 07:33 - 0006144 _____ () C:\Users\Jim\AppData\Local\sc446872423.exe
2016-10-04 07:33 - 2016-10-04 07:33 - 0005632 _____ () C:\Users\Jim\AppData\Local\sc46872423.exe
2017-02-23 17:19 - 2017-02-23 17:19 - 1397594 _____ () C:\Users\Jim\AppData\Local\setupone.exe
2017-02-23 17:20 - 2017-02-23 17:20 - 0000001 _____ () C:\Users\Jim\AppData\Local\setupsuccessful.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\stxtname.txt
2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\tr5b.txt
2017-02-12 18:47 - 2017-02-12 18:48 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2016-10-08 21:04 - 2016-10-08 21:04 - 1134592 _____ () C:\ProgramData\TrezaaSetupx30044.msi
2016-10-08 17:04 - 2016-10-08 17:04 - 0533504 _____ () C:\ProgramData\Vumaa.msi
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2017-02-22 07:31
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
Ran by Jim (24-02-2017 16:55:16)
Running from C:\Users\Jim\Downloads
Windows 10 Home Version 1607 (X64) (2016-09-24 12:08:15)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-783448517-647833336-481893931-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-783448517-647833336-481893931-503 - Limited - Disabled)
Guest (S-1-5-21-783448517-647833336-481893931-501 - Limited - Disabled)
Jim (S-1-5-21-783448517-647833336-481893931-1001 - Administrator - Enabled) => C:\Users\Jim
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Amazon Assistant (HKLM-x32\...\{C8D184AC-D6E2-411E-838C-468CB0E91DBF}) (Version: 10.17.0216 - Amazon) <==== ATTENTION
AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
AnyBurn (HKLM-x32\...\AnyBurn) (Version: 3.5 - Power Software Ltd)
Apple Application Support (32-bit) (HKLM-x32\...\{9BA1A894-B42F-4805-BC8C-349C905A3930}) (Version: 5.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{7EAC8A42-9FAC-4F6B-AABF-C08C9F2E0F13}) (Version: 5.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.27 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
Dropbox (HKLM-x32\...\Dropbox) (Version: 19.4.13 - Dropbox, Inc.)
Dropbox Update Helper (x32 Version: 1.3.65.1 - Dropbox, Inc.) Hidden
Free Image Editor 2.4 (HKLM-x32\...\Free Image Editor 2.4_is1) (Version: - AskedFiles)
Free YouTube To MP3 Converter (HKLM-x32\...\Free YouTube To MP3 Converter_is1) (Version: 4.1.21.610 - Digital Wave Ltd)
GoldWave v6.24 (HKLM\...\GoldWave v6.24) (Version: 6.24 - GoldWave Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
Google Drive (HKLM-x32\...\{07A12123-B717-496B-B471-48AF6407B433}) (Version: 1.32.4066.7445 - Google, Inc.)
Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
iTunes (HKLM\...\{9D0D2A8B-7E7B-4D88-8D50-24286ED6A5EB}) (Version: 12.5.5.5 - Apple Inc.)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Microsoft OneDrive (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\OneDriveSetup.exe) (Version: 17.3.6764.0111 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation)
Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
PhotoFiltre 7 (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\PhotoFiltre 7) (Version: - )
Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vumaa (x32 Version: 1.0.0 - Vumaa) Hidden
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {09D89F8B-AB1A-4DF0-982F-9875236E49B1} - System32\Tasks\213879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
Task: {0D37BA10-AB65-4EB1-BF12-0FDBE5A35A77} - System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
Task: {0E17C043-3086-425B-A76B-57A75E993E8F} - System32\Tasks\966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] () <==== ATTENTION
Task: {15CF4540-72E0-46B0-970B-EA1B12CFCB5F} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {19D74E7E-D9D4-4A92-A050-D5969F5C56A4} - System32\Tasks\MSFT_TaskSettings3\CaesarsSlots => powershell.exe -NoProfile -WindowStyle Hidden -command cmd.exe /c if exist C:\Users\Jim\AppData\Local\Packages\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2 start explorer.exe shell:appsFolder\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2!App
Task: {1DF06365-6B2C-4E45-AB8A-0338D5438DF6} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {296562E1-B097-463C-AB39-9523796F8761} - \DistromaticSearchProtect-logon -> No File <==== ATTENTION
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => %SystemRoot%\System32\AutoWorkplace.exe
Task: {4B66409F-528C-4CC6-9E98-D9F5C4D563A3} - System32\Tasks\Da966848966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] ()
Task: {4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} - \{E93B1D8E-7144-43CF-AED7-90E7FE9B5827} -> No File <==== ATTENTION
Task: {6E0AC03E-AD18-4883-BBC5-BA77053C033C} - \DistromaticUpdater-logon -> No File <==== ATTENTION
Task: {766C52A9-B31F-4C2C-B26C-1176E17586FA} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {783288D9-2E79-48D0-9E4A-AE2BB1271C46} - System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
Task: {78FBCF49-A629-44CF-82AE-74B9266D059B} - \{17D1B85F-0859-46E2-A8B6-00B63052A523} -> No File <==== ATTENTION
Task: {799231D8-D492-4E80-B400-64B3642849D2} - System32\Tasks\113879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
Task: {8594B015-CF2B-4C8E-807E-48A2F3C5638E} - \{5EA21E3C-C6DF-4FAF-BF0A-C897623B028D} -> No File <==== ATTENTION
Task: {95C50509-4001-4D3E-9A2D-F57A90A0EA3E} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {980A9FE3-D226-4BF6-A3DB-54055266C29A} - \Optimize Start Menu Cache Files-S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} - \WPD\SqmUpload_S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} - \DistromaticUpdater-periodic -> No File <==== ATTENTION
Task: {A6353DBB-3230-4E67-9F61-038F628ADCE4} - System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3} => pcalua.exe -a "C:\Program Files (x86)\MaxInternet\dotuninstall.exe"
Task: {B0D68E36-3241-4912-BB9D-A8C965703C51} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
Task: {D6266248-323A-4BE8-B51A-461073D7F22D} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
Task: {DF8DFE89-E913-445D-A854-ABB727ED8442} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {ED004583-CB32-4C6B-882A-CE92F3ECDB0B} - \DistromaticSearchProtect-hourly -> No File <==== ATTENTION
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job =>
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job =>
Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job =>
==================== Shortcuts =============================
(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============
2016-07-16 04:42 - 2016-07-16 04:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2017-02-17 11:24 - 2017-02-17 11:24 - 00100528 _____ () C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
2016-10-05 18:17 - 2016-10-05 18:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-01-13 13:56 - 2017-01-13 13:56 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-09-24 05:32 - 2016-09-24 05:32 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-09-29 17:33 - 2016-09-15 09:39 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-09-29 17:34 - 2016-09-15 09:24 - 09760256 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 01401344 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-09-29 17:34 - 2016-09-15 09:17 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-09-29 17:34 - 2016-09-15 09:18 - 02424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-09-29 17:34 - 2016-09-15 09:20 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-02-18 23:50 - 2017-02-18 23:50 - 00041196 _____ () C:\Program Files (x86)\sorrier\harold.exe
2017-02-18 23:49 - 2017-02-18 23:49 - 00010752 _____ () C:\Program Files (x86)\Enervate\apocalyptic.exe
2017-02-18 23:50 - 2017-02-18 23:50 - 00040342 _____ () C:\Program Files (x86)\shropshire\lobelia.exe
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
2016-04-23 11:30 - 2016-07-12 21:32 - 00112552 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\zlib1.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00105896 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_filesystem-vc120-mt-1_56.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00021928 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_system-vc120-mt-1_56.dll
2016-04-23 11:30 - 2016-07-12 21:33 - 00045992 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_date_time-vc120-mt-1_56.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00011264 _____ () C:\Users\Jim\AppData\Local\Temp\nsh9DA8.tmp\System.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00098816 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32api.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00110080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pywintypes27.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00364544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pythoncom27.dll
2017-02-24 15:34 - 2017-02-24 15:34 - 00320512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32com.shell.shell.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00914432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_hashlib.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 01176576 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._core_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00806400 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._gdi_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00816128 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._windows_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 01067008 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._controls_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00733184 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._misc_.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00682496 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pysqlite2._sqlite.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_ctypes.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00686080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\unicodedata.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00119808 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32file.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00108544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32security.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00007168 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\hashobjs_ext.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00017920 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\thumbnails_ext.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\usb_ext.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00012800 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\common.time34.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00018432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32event.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00167936 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32gui.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00046080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_socket.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 01303552 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_ssl.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00128512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_elementtree.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00127488 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pyexpat.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00038912 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32inet.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00036864 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_psutil_windows.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00524248 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\windows._lib_cacheinvalidation.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00011264 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32crypt.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00123392 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._wizard.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00077312 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._html2.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00027648 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_multiprocessing.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00020480 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_yappi.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00035840 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32process.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00078848 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._animate.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00024064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32pipe.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00010240 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\select.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00025600 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32pdh.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00017408 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32profile.pyd
2017-02-24 15:34 - 2017-02-24 15:34 - 00022528 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32ts.pyd
2017-01-14 19:40 - 2017-01-14 19:40 - 53460992 _____ () C:\Program Files (x86)\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2013-08-22 06:25 - 2017-02-23 17:19 - 00000947 ____A C:\WINDOWS\system32\Drivers\etc\hosts
162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-783448517-647833336-481893931-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Jim\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\win8img.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
MSCONFIG\Services: WSearch => 2
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{879D9F3D-0A73-45F1-A2DA-12ED46127E80}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{2B008137-5F84-4809-9070-5950BCA6C76A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{250B2D45-23D5-4B74-AED0-658047E5C530}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{473AD362-1498-4AF7-9580-060C363D3A79}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{04715A09-8533-4395-83BD-24E52FF0D711}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [UDP Query User{41669055-1B9D-457D-AA0C-D7AF68CB7D9D}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [TCP Query User{073CB8C7-5E33-4D29-9682-2EE6C072F931}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
FirewallRules: [{57951344-6AF1-4839-9FA2-E4F1221AEA6D}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{B7B48F01-2D5E-485B-BFBA-C63F4FF753CB}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
FirewallRules: [{D2BDBA2D-DC75-4777-8FD2-78F67E962DBC}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{8C82BE9B-F00B-4C5E-9551-C0DEB0DFBB56}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{A6978D68-7287-4C1C-A946-1178C1F65B8F}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{81416A4B-3733-45DC-8A14-2483830BC6E2}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{09D983AE-6554-4983-A380-C15E860307AF}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{FA9E2551-4FD5-4A84-903F-0F9F0123B69B}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{C5C3CC3D-9D56-4B4E-8FD8-22868FFC7E5A}] => (Allow) C:\Users\Jim\AppData\Local\Temp\1129491421\ic-0.9e6a431f3f96b8.exe
FirewallRules: [{BD81FB30-E202-4974-9CF8-EE2F49A1B93C}] => (Allow) C:\Users\Jim\AppData\Local\sc446872423.exe
FirewallRules: [{6A7A9303-0C3C-484D-9FEC-1862F82E24CD}] => (Allow) C:\Users\Jim\AppData\Local\ddnow4.exe
FirewallRules: [{5ECE3246-505E-4145-8ECE-356A488BE3C8}] => (Allow) C:\Program Files (x86)\sorrier\equalized.exe
FirewallRules: [{350422A7-6665-4018-B69A-C42A97BED256}] => (Allow) C:\Program Files (x86)\sorrier\harold.exe
FirewallRules: [{844CF719-23E4-4324-BE33-1E9523540E12}] => (Allow) C:\Program Files (x86)\shropshire\alltime.exe
FirewallRules: [{436E5307-CA7B-4E20-9F5B-A3B7F9D65B8B}] => (Allow) C:\Program Files (x86)\Enervate\apocalyptic.exe
FirewallRules: [{5E5BF097-B4F3-494E-9A44-5C210FD57D0C}] => (Allow) C:\WINDOWS\uniter.exe
FirewallRules: [TCP Query User{F567F884-272F-45FB-8141-EA51BDF61B3B}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [UDP Query User{7432D085-E847-4C62-9209-7922D1B8CBD7}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
FirewallRules: [{A6E8CA20-02D4-4B21-BA4B-2EBD42C99386}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
==================== Restore Points =========================
04-02-2017 08:16:53 Scheduled Checkpoint
12-02-2017 18:46:39 Installed TurboTax 2016 wrapper
19-02-2017 19:40:25 Scheduled Checkpoint
23-02-2017 19:58:25 JRT Pre-Junkware Removal
24-02-2017 15:16:43 JRT Pre-Junkware Removal
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (02/24/2017 03:34:15 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
Dependent Assembly 51.0.2683.0,language="*",type="win32",version="51.0.2683.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (02/24/2017 03:33:47 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.
Error: (02/24/2017 03:16:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
.
Error: (02/24/2017 12:42:20 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
Dependent Assembly 51.0.2683.0,language="*",type="win32",version="51.0.2683.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (02/24/2017 12:41:52 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.
Error: (02/24/2017 12:28:34 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: JIM-PC)
Description: Activation of app Microsoft.Getstarted_4.0.12.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
Error: (02/24/2017 12:12:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MicrosoftEdge.exe, version: 11.0.14393.206, time stamp: 0x57dacb16
Faulting module name: eModel.dll, version: 11.0.14393.206, time stamp: 0x57dacc2a
Exception code: 0xc0000409
Fault offset: 0x00000000000d54e0
Faulting process id: 0x1f04
Faulting application start time: 0x01d28ed1fa752c36
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll
Report Id: 425fdbf1-4e99-4cb8-addd-0d24a1da9528
Faulting package full name: Microsoft.MicrosoftEdge_38.14393.0.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge
Error: (02/24/2017 12:11:15 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
Dependent Assembly 51.0.2683.0,language="*",type="win32",version="51.0.2683.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (02/24/2017 12:10:44 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.
Error: (02/24/2017 11:55:16 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Jim\AppData\Local\Temp\jrt\CreateRestorePoint.exe "JRT Pre-Junkware Removal"; Description = JRT Pre-Junkware Removal; Error = 0x8007043c).
System errors:
=============
Error: (02/24/2017 04:49:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The kolb service terminated unexpectedly. It has done this 1 time(s).
Error: (02/24/2017 04:49:40 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The moviemaking service terminated unexpectedly. It has done this 1 time(s).
Error: (02/24/2017 04:49:37 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
Error: (02/24/2017 04:49:28 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
Error: (02/24/2017 04:49:19 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
Error: (02/24/2017 04:49:10 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
Error: (02/24/2017 04:49:01 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
Error: (02/24/2017 04:48:52 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
Error: (02/24/2017 03:43:16 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
Error: (02/24/2017 03:43:07 PM) (Source: cdrom) (EventID: 7) (User: )
Description: The device, \Device\CdRom0, has a bad block.
CodeIntegrity:
===================================
Date: 2017-02-23 17:19:17.158
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-02-23 17:19:17.157
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-02-20 09:46:50.391
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-02-20 09:46:50.387
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-01-31 10:41:20.190
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-01-31 10:41:20.189
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-01-31 10:41:03.403
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-01-31 10:41:03.401
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-01-07 11:49:55.645
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2017-01-07 11:49:55.639
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
==================== Memory info ===========================
Processor: AMD A8-5500 APU with Radeon(tm) HD Graphics
Percentage of memory in use: 35%
Total physical RAM: 7645.61 MB
Available physical RAM: 4957.28 MB
Total Virtual: 8861.61 MB
Available Virtual: 6143.27 MB
==================== Drives ================================
Drive c: () (Fixed) (Total:930.97 GB) (Free:878.3 GB) NTFS
Drive f: () (Removable) (Total:0.96 GB) (Free:0.77 GB) FAT
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 1667168B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)
========================================================
Disk: 1 (Size: 979.8 MB) (Disk ID: 00000000)
Partition: GPT.
==================== End of Addition.txt ============================
This is bad.
There will be several steps to attempt; do the best you can.
Programs to remove (uninstall/delete):
Amazon Assistant (HKLM-x32\...\{C8D184AC-D6E2-411E-838C-468CB0E91DBF}) (Version: 10.17.0216 - Amazon) <==== ATTENTION
Online.io Application
Please download and install Revo Uninstaller Free (http://www.revouninstaller.com/start_freeware_download.html)
Double click Revo Uninstaller to run it.
From the list of programs, double click on Amazon Assistant - Online.io Application - Traffic Exchange.
When prompted if you want to uninstall, click Yes.
Be sure the Moderate option is selected, then click Next.
The program will run. If prompted again, click Yes.
When the built-in uninstaller is finished, click on Next.
Once the program has searched for leftovers, click Next.
Check/tick only the bolded items on the list, then click Delete.
When prompted, click on Yes and then on Next.
Put a check on any folders that are found and select Delete.
When prompted, select Yes, then Next.
Once done, click Finish.
Then restart the PC now.
~~~~~
Here's how to display hidden files and folders.
Windows 10
In the search box on the taskbar, type folder, and then select Show hidden files and folders from the search results.
Under Advanced settings, select Show hidden files, folders, and drives, and then select OK.
Please go to one of the below sites to scan the following files:
Virus Total (Recommended) (http://www.virustotal.com/)
jotti.org (http://virusscan.jotti.org/)
VirScan (http://virscan.org/)
Click on Browse and upload the following file for analysis:
C:\Program Files (x86)\svcvmx\svcvmx.exe
Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.
Please also have these scanned:
C:\WINDOWS\uniter.exe
C:\ProgramData\Vumaa\Vumaa.Service.exe
~~~
Running from C:\Users\Jim\Downloads
It's best we move Farbar's tool to the desktop.
Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.
Please open Notepad (*Do Not Use WordPad* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Or use this method: press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
start
CreateRestorePoint:
CloseProcesses:
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyEnable: [HKLM-x32] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
HKLM\...\Run: => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
C:\Program Files (x86)\sorrier
C:\Program Files (x86)\Enervate
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKLM-x32 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> DefaultScope {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p10_serp_ie_us_display?ie=UTF8&tagbase=bds-p10&tbrId=v1_abb-channel-10_e89f1aa5_1201_1401_20160424_US_ie_ds_&tag=bds-p10-serp-us-ie-20&query={searchTerms}
SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
U0 aswVmm; no ImagePath
C:\Program Files (x86)\AnonymizerGadget
Task: {09D89F8B-AB1A-4DF0-982F-9875236E49B1} - System32\Tasks\213879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
C:\Program Files (x86)\Enervate\apocalyptic.exe
Task: {0E17C043-3086-425B-A76B-57A75E993E8F} - System32\Tasks\966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] () <==== ATTENTION
Task: {15CF4540-72E0-46B0-970B-EA1B12CFCB5F} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {19D74E7E-D9D4-4A92-A050-D5969F5C56A4} - System32\Tasks\MSFT_TaskSettings3\CaesarsSlots => powershell.exe -NoProfile -WindowStyle Hidden -command cmd.exe /c if exist C:\Users\Jim\AppData\Local\Packages\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2 start explorer.exe shell:appsFolder\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2!App
Task: {296562E1-B097-463C-AB39-9523796F8761} - \DistromaticSearchProtect-logon -> No File <==== ATTENTION
Task: {4B66409F-528C-4CC6-9E98-D9F5C4D563A3} - System32\Tasks\Da966848966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] ()
Task: {4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} - \{E93B1D8E-7144-43CF-AED7-90E7FE9B5827} -> No File <==== ATTENTION
Task: {6E0AC03E-AD18-4883-BBC5-BA77053C033C} - \DistromaticUpdater-logon -> No File <==== ATTENTION
Task: {766C52A9-B31F-4C2C-B26C-1176E17586FA} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {78FBCF49-A629-44CF-82AE-74B9266D059B} - \{17D1B85F-0859-46E2-A8B6-00B63052A523} -> No File <==== ATTENTION
Task: {799231D8-D492-4E80-B400-64B3642849D2} - System32\Tasks\113879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
Task: {8594B015-CF2B-4C8E-807E-48A2F3C5638E} - \{5EA21E3C-C6DF-4FAF-BF0A-C897623B028D} -> No File <==== ATTENTION
Task: {95C50509-4001-4D3E-9A2D-F57A90A0EA3E} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {980A9FE3-D226-4BF6-A3DB-54055266C29A} - \Optimize Start Menu Cache Files-S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} - \WPD\SqmUpload_S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
Task: {9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} - \DistromaticUpdater-periodic -> No File <==== ATTENTION
Task: {D6266248-323A-4BE8-B51A-461073D7F22D} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
Task: {DF8DFE89-E913-445D-A854-ABB727ED8442} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
Task: {EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {ED004583-CB32-4C6B-882A-CE92F3ECDB0B} - \DistromaticSearchProtect-hourly -> No File <==== ATTENTION
HKLM\...\Run: => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
EmptyTemp:
Hosts:
End
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AdwCleaner
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and save the file to your Desktop.
In order to use AdwCleaner, you have to agree to the EULA:
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
Click Clean.
Follow the prompts and allow your computer to reboot.
After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
~~~~~~~~~
Please post:
The scan results for the files requested
Fixlog.txt
AdwCleaner[C1].txt
JRT.txt
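Once the fixlist, AdwCleaner and JRT have run, a quick way to confirm that the three hijacks visible in this FRST log are actually gone is to re-check them from an elevated PowerShell prompt: the hosts-file redirect of virustotal.com to 162.222.194.13, the HKLM proxy pointing at 127.0.0.1:8877 together with the ProxySettingsPerUser policy value, and the Run-key and scheduled-task autostarts that launched unsigned binaries out of AppData, ProgramData, random folders under Program Files (x86) and the Windows root (uniter.exe). The script below is an added example written for this thread; it is not part of FRST, AdwCleaner, JRT or the helper's post. The vendor-domain list, the "user-writable location" patterns and the use of Authenticode signature status as the trigger are assumptions chosen for illustration, not rules taken from any of those tools.

```powershell
# Post-fix verification (added example, not part of FRST or this thread).
# Run from an elevated PowerShell prompt on the affected Windows 10 machine.
# Re-checks the hijacks seen in the FRST log: the hosts-file entries for
# security-vendor domains, the HKLM/HKCU proxy settings plus the policy key,
# and autostarts (Run keys, scheduled tasks) whose targets are unsigned,
# missing, or live in user-writable paths.
# The domain list and path patterns below are assumptions, not FRST's rules.

$findings = New-Object 'System.Collections.Generic.List[string]'

# --- 1. hosts file: a vendor domain should never appear here at all ---
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorDomains = @('virustotal.com', 'malwarebytes.com', 'bleepingcomputer.com',
                   'spybot.info', 'safer-networking.org', 'microsoft.com')   # assumed list
foreach ($line in Get-Content -Path $hostsPath -ErrorAction SilentlyContinue) {
    $text = ($line -split '#')[0].Trim()          # drop comments and blank lines
    if ($text -eq '') { continue }
    $parts = $text -split '\s+'
    if ($parts.Count -lt 2) { continue }
    $ip = $parts[0]
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        $isVendor = $vendorDomains | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
        if ($isVendor) { $findings.Add("hosts: $name -> $ip") }
    }
}

# --- 2. proxy: WinINET settings in HKLM/HKCU and the policy key FRST flagged ---
$proxyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings')
foreach ($key in $proxyKeys) {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    if ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL) {
        $findings.Add("proxy: $key ProxyEnable=$($p.ProxyEnable) ProxyServer=$($p.ProxyServer) AutoConfigURL=$($p.AutoConfigURL)")
    }
}
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($pol -and $null -ne $pol.ProxySettingsPerUser) {
    # The value itself is a policy; on a home PC the key is normally absent.
    $findings.Add("policy: ProxySettingsPerUser=$($pol.ProxySettingsPerUser) still present under $policyKey")
}

# --- 3. autostarts: Run keys and scheduled task actions ---
function Get-ExePath([string]$commandLine) {
    # First token ending in .exe, quoted or not (heuristic, sufficient for Run values and task actions)
    if ($commandLine -match '(?i)^\s*"?([^"]+?\.exe)') { return $Matches[1] }
    return $null
}
$autostarts = @()
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # PSPath, PSProvider, ... are not registry values
        $autostarts += [pscustomobject]@{ Source = "Run [$($prop.Name)]"; Command = [string]$prop.Value }
    }
}
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $autostarts += [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"; Command = [string]$action.Execute }
        }
    }
}
$userWritable = '(?i)\\(Users\\[^\\]+\\AppData|ProgramData|Temp)\\'                      # assumed pattern
$windowsRoot  = '(?i)^' + [regex]::Escape($env:SystemRoot) + '\\[^\\]+\.exe$'            # e.g. C:\WINDOWS\uniter.exe
foreach ($entry in $autostarts) {
    $exe = Get-ExePath $entry.Command
    if (-not $exe) { continue }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -notmatch '\\') {                        # bare name such as powershell.exe: resolve via PATH
        $resolved = Get-Command $exe -ErrorAction SilentlyContinue
        if ($resolved) { $exe = $resolved.Source }
    }
    if (-not (Test-Path -LiteralPath $exe)) {
        $findings.Add("$($entry.Source): target missing: $exe")   # dangling entry, like the 'No File' tasks in the log
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid' -or $exe -match $userWritable -or $exe -match $windowsRoot) {
        $findings.Add("$($entry.Source): $exe (signature: $($sig.Status))")
    }
}

if ($findings.Count -eq 0) { 'No hijack indicators found.' } else { $findings }
```

A clean machine prints "No hijack indicators found."; anything else is a line per indicator that can be pasted into the reply alongside Fixlog.txt. Two caveats: a legitimate but unsigned autostart (some older installers' updaters) will also be listed, so treat the output as a review list rather than a verdict, and the scheduled-task check only sees tasks the Task Scheduler can still read, so an entry that FRST reported as "No File" will not appear here once the fix has deleted it.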
Also receiving help here
Jpen10
https://forums.malwarebytes.com/topic/196815-locked-out/
This topic will be closed.