
Thread: locked out

  1. #1 69ctete294 (Junior Member, joined Sep 2008, southern oregon)

    locked out

    My grandson installed something and tried to uninstall it. Now I cannot get to any websites that have to do with malware, and none of the malware programs will run. I have tried CCleaner and JRT in safe mode with some success. Spybot will not run because there is no internet connection in safe mode to update with. (Windows 10)

    Admin Edit.
    FYI: From the FAQ
    "Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources as our analysts assist people at several forums.
    Reading logs and the research involved takes time.

    Worse scenario would be to run fixes given at one site unbeknown to the person helping the same user elsewhere. If you have already requested help at another site choose where you wish to continue and advise all parties."
    Last edited by tashi; 2017-02-25 at 22:51. Reason: Edit

  2. #2 Juliet (Security Expert-emeritus, joined Feb 2007, Deep South)

    yikes!
    this could be a hard one here...

    let me throw out a couple of ideas to go over first...

    Open a command prompt. https://www.tenforums.com/tutorials/...dows-10-a.html
    To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

    At a command prompt, type the following command, and then press ENTER:

    ipconfig /flushdns
    there is a space between g and /

    no internet try the next
    ~~~~

    At the command prompt, run the following commands in the listed order, and then check to see if that fixes your connection problem:

    Type netsh winsock reset and press Enter.
    Type netsh int ip reset and press Enter.
    Type ipconfig /release and press Enter.
    Type ipconfig /renew and press Enter.

    no internet try the next
    ~~~~

    Run the Network troubleshooter followed by networking commands
    https://support.microsoft.com/en-us/...nection-issues
    ~~~~
    If need be can you download from a clean computer and transfer over using a USB drive?

    Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
    There are 6 different versions. If one of them won't run then download and try to run the other one.
    Vista and Win7 users need to right click and choose Run as Admin
    You only need to get one of them to run, not all of them.


    ~~

    Farbar Recovery Scan Tool (FRST) Scan
    • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
    • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
    • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
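The FRST step above hands the analyst two text logs to read by eye. The script below is an added example, not part of this thread and not FRST's own code: it runs a few first-pass triage rules over constructed lines written in FRST's report layout (the entries are invented or modelled on the log posted later in this thread; the rule names and functions are this example's own) and flags the kinds of entries that explain a "locked out of security sites" symptom: a system proxy pointed at the loopback address, policy restrictions, autoruns and services with an empty publisher field or an unsigned binary, and a script host launched from RunOnce.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in FRST's report layout (not a real scan; entries are
# invented or modelled on the log in this thread for illustration only).
SAMPLE_LOG = r"""
HKLM\...\Run: [VendorTray] => C:\Program Files\Vendor\Tray.exe [631808 2016-09-24] (Vendor Corp)
HKLM\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
HKLM-x32\...\RunOnce: [Lulopelona] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Example\AppData\Roaming\Payload"
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\Run: [lobelia] => C:\Program Files (x86)\shropshire\lobelia.exe [40342 2017-02-18] ()
GroupPolicy: Restriction <======= ATTENTION
ProxyEnable: [HKLM] => Proxy is enabled.
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
S2 bottling; C:\WINDOWS\shortsightedness.exe [9728 2017-02-18] (emboldens) [File not signed]
R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
"""

# Line shapes used by FRST for autoruns, services/drivers and proxy settings.
AUTORUN_RE = re.compile(r"^HK\S*?\\\.\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<rest>.*)$")
PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.*)$")
# FRST prints the publisher as the trailing "(...)" group, optionally followed
# by its "[File not signed]" tag; an empty "()" means no publisher was found.
PUBLISHER_RE = re.compile(r"\((?P<pub>[^()]*)\)(?:\s*\[File not signed\])?\s*$")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
LOOPBACK = ("127.", "localhost", "[::1]")


def _publisher(text: str) -> Optional[str]:
    """Return the trailing publisher string, '' if FRST printed '()', None if absent."""
    m = PUBLISHER_RE.search(text)
    return None if m is None else m.group("pub").strip()


def triage_frst(log: str) -> List[Dict[str, str]]:
    """Apply first-pass triage rules to FRST-style lines; one finding per rule hit."""
    findings: List[Dict[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        # FRST already marks policy restrictions; they explain blocked tools and sites.
        if "Restriction <======= ATTENTION" in line:
            findings.append({"category": "policy_restriction", "line": line})
            continue
        m = PROXY_RE.match(line)
        if m:
            # Value looks like "http=host:port;https=host:port".
            for entry in m.group("value").split(";"):
                host = entry.split("=", 1)[-1].rsplit(":", 1)[0].strip().lower()
                if host.startswith(LOOPBACK):
                    findings.append({"category": "loopback_proxy", "line": line})
                    break
            continue
        m = AUTORUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if _publisher(cmd) == "":
                findings.append({"category": "autorun_no_publisher", "line": line})
            if any(host in cmd.lower() for host in SCRIPT_HOSTS):
                findings.append({"category": "autorun_script_host", "line": line})
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest")
            if "[File not signed]" in rest:
                findings.append({"category": "service_unsigned", "line": line})
            if _publisher(rest) == "":
                findings.append({"category": "service_no_publisher", "line": line})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per category, sorted by category name."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    hits = triage_frst(SAMPLE_LOG)
    for cat, n in summarize(hits).items():
        print(f"{cat}: {n}")
    for f in hits:
        print(f"  [{f['category']}] {f['line']}")
```

These rules only order what to look at first. A non-empty publisher string is not a clean bill of health (the sample's "windows 99" entry passes every rule here), so each flagged path, and each unflagged but unfamiliar one, still has to be checked by hand before anything goes into a fixlist.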

  3. #3 69ctete294 (Junior Member, joined Sep 2008, southern oregon)

    Thanks for the reply. Did the command prompt actions and will try to download the programs as soon as I can get the kids out of my hair.

  4. #4 69ctete294 (Junior Member, joined Sep 2008, southern oregon)

    Did you need the rkill log also?

  5. #5 69ctete294 (Junior Member, joined Sep 2008, southern oregon)

    locked out

    Here are the FRST.txt and Addition.txt:

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-02-2017
    Ran by Jim (administrator) on JIM-PC (24-02-2017 16:52:28)
    Running from C:\Users\Jim\Downloads
    Loaded Profiles: Jim (Available Profiles: Jim)
    Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (AMD) C:\Windows\System32\atiesrxx.exe
    (AMD) C:\Windows\System32\atieclxx.exe
    () C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
    (Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    (Digital Wave Ltd.) C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
    (Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
    (Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
    (windows 99) C:\Program Files (x86)\sorrier\equalized.exe
    (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
    (Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
    (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
    () C:\Program Files (x86)\sorrier\harold.exe
    (Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
    (© 2015 Microsoft Corporation) C:\Users\Jim\AppData\Local\Microsoft\BingSvc\BingSvc.exe
    () C:\Program Files (x86)\Enervate\apocalyptic.exe
    () C:\Program Files (x86)\shropshire\lobelia.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    () C:\Program Files (x86)\svcvmx\svcvmx.exe
    () C:\Program Files (x86)\svcvmx\vmxclient.exe
    () C:\Program Files (x86)\svcvmx\vmxclient.exe
    (Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    (qdcomsvc Inc.) C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe
    (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.ZuneMusic_3.6.25021.0_x64__8wekyb3d8bbwe\Music.UI.exe
    (Microsoft Corporation) C:\Windows\System32\smartscreen.exe
    () C:\Program Files (x86)\svcvmx\vmxclient.exe
    () C:\Program Files (x86)\svcvmx\vmxclient.exe
    () C:\Program Files (x86)\svcvmx\vmxclient.exe

    ==================== Registry (Whitelisted) ====================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-24] (Microsoft Corporation)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176440 2017-01-19] (Apple Inc.)
    HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
    HKLM\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
    HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
    HKLM\...\Run: [clears] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
    HKLM\...\Run: [autoauto] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [596504 2016-04-01] (Oracle Corporation)
    HKLM-x32\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
    HKLM-x32\...\Run: [svcvmx] => C:\Program Files (x86)\svcvmx\svcvmx.exe [896512 2017-01-13] ()
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
    HKLM-x32\...\RunOnce: [Lulopelona] => C:\WINDOWS\SysWoW64\wscript.exe /E:vbscript /B "C:\Users\Jim\AppData\Roaming\Manunagadoc"
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKLM\...\Policies\Explorer: [HideSCAHealth] 1
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2016-11-30] (Google)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [BingSvc] => C:\Users\Jim\AppData\Local\Microsoft\BingSvc\BingSvc.exe [144008 2015-11-05] (© 2015 Microsoft Corporation)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [Chromium] => c:\users\jim\appdata\local\chromium\application\chrome.exe [1068544 2016-03-18] (The Chromium Authors)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [toys] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [ok48036327] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [acupressure] => C:\Program Files (x86)\sorrier\equalized.exe [316416 2017-02-18] (windows 99)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [changed] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [lobelia] => C:\Program Files (x86)\shropshire\lobelia.exe [40342 2017-02-18] ()
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [apostrophes] => C:\Program Files (x86)\shropshire\alltime.exe [462336 2017-02-18] (wallah)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9363672 2017-02-07] (Piriform Ltd)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
    HKU\S-1-5-21-783448517-647833336-481893931-1001\...\MountPoints2: {fdd1f285-096e-11e6-824f-806e6f6e6963} - "D:\setup.exe"
    HKU\S-1-5-18\...\Run: [] => [X]
    ShellIconOverlayIdentifiers: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt64.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
    ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
    ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
    ShellIconOverlayIdentifiers-x32: [ DropboxExt01] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt02] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt03] -> {FB314EE1-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt04] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt05] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt06] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt07] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt08] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt09] -> {FB314EE2-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    ShellIconOverlayIdentifiers-x32: [ DropboxExt10] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Program Files (x86)\Dropbox\Client\DropboxExt.14.0.dll [2017-02-06] (Dropbox, Inc.)
    Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327.lnk [2017-02-23]
    ShortcutTarget: ok48036327.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
    Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ok48036327reisinger.lnk [2017-02-23]
    ShortcutTarget: ok48036327reisinger.lnk -> C:\Program Files (x86)\Enervate\apocalyptic.exe ()
    Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\reisinger.lnk [2017-02-23]
    ShortcutTarget: reisinger.lnk -> C:\Program Files (x86)\sorrier\equalized.exe (windows 99)
    BootExecute: autocheck autochk * sdnclean64.exe
    GroupPolicy: Restriction <======= ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
    ProxyEnable: [HKLM] => Proxy is enabled.
    ProxyEnable: [HKLM-x32] => Proxy is enabled.
    ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
    ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
    AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
    Tcpip\..\Interfaces\{5497f104-c6d0-41aa-8aec-fda2691bb19d}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
    HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM-x32 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> DefaultScope {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p10_serp_ie_us_display?ie=UTF8&tagbase=bds-p10&tbrId=v1_abb-channel-10_e89f1aa5_1201_1401_20160424_US_ie_ds_&tag=bds-p10-serp-us-ie-20&query={searchTerms}
    SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    BHO: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll [2016-03-28] (DVDVideoSoft Ltd.)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll [2016-04-24] (Oracle Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll [2016-04-24] (Oracle Corporation)
    StartMenuInternet: IEXPLORE.EXE - iexplore.exe

    Edge:
    ======
    Edge HomeButtonPage: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> hxxp://foxnews.com/

    FireFox:
    ========
    FF Plugin-x32: @java.com/DTPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\dtplugin\npDeployJava1.dll [2016-04-24] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.91.2 -> C:\Program Files (x86)\Java\jre1.8.0_91\bin\plugin2\npjp2.dll [2016-04-24] (Oracle Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
    FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)

    Chrome:
    =======
    CHR HomePage: Default -> msn.com/?pc=__PARAM__&ocid=__PARAM__DHP&osmkt=en-us
    CHR StartupUrls: Default -> "hxxp://foxnews.com/"
    CHR DefaultSearchURL: Default -> hxxp://www.bing.com/search?FORM=__PARAM__DF&PC=__PARAM__&q={searchTerms}
    CHR DefaultSearchKeyword: Default -> bing.com
    CHR DefaultSuggestURL: Default -> hxxp://www.bing.com/osjson.aspx?FORM=__PARAM__DF&PC=__PARAM__&query={searchTerms}
    CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default [2017-02-24]
    CHR Extension: (Google Slides) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-23]
    CHR Extension: (Google Docs) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-23]
    CHR Extension: (Google Drive) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-23]
    CHR Extension: (Safer Search Results) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\begnofcbcefcedmomgdlmgcpmjafablp [2016-08-25]
    CHR Extension: (WOT: Web of Trust, Website Reputation Ratings) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\bhmmomiinigofkjcapegjjndpbikblnp [2017-01-29]
    CHR Extension: (YouTube) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-23]
    CHR Extension: (Ebates Cash Back) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhjbpecpncaggjpdakmflnfcopglcmi [2017-02-22]
    CHR Extension: (Bing) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\fcfenmboojpjinhpgggodefccipikbpd [2016-08-31]
    CHR Extension: (Google Sheets) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-23]
    CHR Extension: (Google Docs Offline) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-23]
    CHR Extension: (Planetarium) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\gheikhdfflhlbemfmhcfpeblehemeklp [2016-04-23]
    CHR Extension: (Muzik Fury) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmgdapiklnfpdonfeopollmlpfjaphcb [2016-10-05]
    CHR Extension: (CouponXplorer) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnmjjokfbcjicbibeadflnnhdaglbbga [2017-01-13]
    CHR Extension: (Skype) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2017-02-24]
    CHR Extension: (Application Launcher for Drive (by Google)) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2016-04-23]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
    CHR Extension: (Gmail) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-23]
    CHR Extension: (Chrome Media Router) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]
    CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\System Profile [2017-02-24]
    CHR HKLM\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
    CHR HKU\S-1-5-21-783448517-647833336-481893931-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [pilplloabdedfmialnfchjomjmpjcoej] - hxxps://clients2.google.com/service/update2/crx

    ==================== Services (Whitelisted) ====================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 Amazon Assistant Service; C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe [100528 2017-02-17] ()
    R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [351944 2015-11-04] (Advanced Micro Devices, Inc.)
    R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-09-22] (Apple Inc.)
    S2 bottling; C:\WINDOWS\shortsightedness.exe [9728 2017-02-18] (emboldens) [File not signed]
    S2 darkening; C:\WINDOWS\uniter.exe [13824 2017-02-18] (munger) [File not signed]
    S2 dbupdate; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
    S3 dbupdatem; C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [143144 2016-04-23] (Dropbox, Inc.)
    R2 DbxSvc; C:\WINDOWS\system32\DbxSvc.exe [46400 2017-02-06] (Dropbox, Inc.)
    R2 DigitalWave.Update.Service; C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe [389544 2016-07-12] (Digital Wave Ltd.)
    R2 qdcomsvc; C:\Program Files (x86)\qdcomsvc\qdcomsvc.exe [755712 2017-02-23] (qdcomsvc Inc.) [File not signed]
    S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
    S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
    S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
    S3 VumaaService; C:\ProgramData\Vumaa\Vumaa.Service.exe [22952 2016-03-30] (Vumaa)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

    ===================== Drivers (Whitelisted) ======================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
    R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [102912 2015-07-21] (Advanced Micro Devices)
    R3 dg_ssudbus; C:\WINDOWS\system32\DRIVERS\ssudbus.sys [131712 2016-09-05] (Samsung Electronics Co., Ltd.)
    R1 drmkpro64; C:\WINDOWS\System32\drivers\drmkpro64.sys [51784 2017-02-22] () [File not signed]
    S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
    R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek )
    R3 ssudmdm; C:\WINDOWS\system32\DRIVERS\ssudmdm.sys [165504 2016-09-05] (Samsung Electronics Co., Ltd.)
    S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
    S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
    S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
    U0 aswVmm; no ImagePath
    S3 dbx; system32\DRIVERS\dbx.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-02-24 16:52 - 2017-02-24 16:53 - 00029495 _____ C:\Users\Jim\Downloads\FRST.txt
    2017-02-24 16:51 - 2017-02-24 16:52 - 00000000 ____D C:\FRST
    2017-02-24 16:50 - 2017-02-24 16:50 - 00000000 ____D C:\Users\Jim\Desktop\rkill
    2017-02-24 16:49 - 2017-02-24 16:50 - 00004796 _____ C:\Users\Jim\Desktop\Rkill.txt
    2017-02-24 16:49 - 2017-02-24 16:47 - 02423296 ____N (Farbar) C:\Users\Jim\Downloads\FRST64.exe
    2017-02-24 16:49 - 2017-02-24 16:32 - 02030536 ____N (Bleeping Computer, LLC) C:\Users\Jim\Downloads\rkill.exe
    2017-02-24 12:29 - 2017-02-24 12:32 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
    2017-02-24 12:29 - 2017-02-24 12:32 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
    2017-02-24 12:29 - 2017-02-24 12:29 - 00001456 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
    2017-02-24 12:29 - 2017-02-24 12:29 - 00001444 _____ C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
    2017-02-24 12:29 - 2017-02-24 12:29 - 00000656 _____ C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job
    2017-02-24 12:29 - 2017-02-24 12:29 - 00000628 _____ C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job
    2017-02-24 12:29 - 2017-02-24 12:29 - 00000458 _____ C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job
    2017-02-24 12:29 - 2017-02-24 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
    2017-02-24 12:29 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\WINDOWS\system32\sdnclean64.exe
    2017-02-24 12:25 - 2017-02-24 12:22 - 46525608 ____N (Safer-Networking Ltd. ) C:\Users\Jim\Downloads\spybot-2.4.exe
    2017-02-24 12:06 - 2017-02-24 12:06 - 00250290 _____ C:\Users\Jim\Documents\cc_20170224_120620.reg
    2017-02-24 11:57 - 2017-02-24 11:57 - 00000863 _____ C:\Users\Public\Desktop\CCleaner.lnk
    2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    2017-02-24 11:57 - 2017-02-24 11:57 - 00000000 ____D C:\Program Files\CCleaner
    2017-02-24 11:54 - 2017-02-24 12:28 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
    2017-02-24 11:51 - 2017-02-24 11:51 - 00000000 ____D C:\WINDOWS\pss
    2017-02-24 09:52 - 2017-02-24 09:36 - 09261616 _____ (Piriform Ltd) C:\Users\Jim\Downloads\ccsetup527.exe
    2017-02-24 09:52 - 2017-02-24 09:36 - 01663040 _____ (Malwarebytes) C:\Users\Jim\Downloads\JRT.exe
    2017-02-24 09:51 - 2017-02-24 09:51 - 00000552 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive (2).lnk
    2017-02-24 05:11 - 2017-02-24 11:35 - 00004140 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{36D55AF4-5ADB-451B-899E-3C12B4B42C3E}
    2017-02-23 21:17 - 2017-02-23 21:17 - 00000000 ____D C:\Program Files (x86)\GUM80B4.tmp
    2017-02-23 21:14 - 2017-02-23 21:17 - 00002340 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2017-02-23 21:13 - 2017-02-23 21:13 - 00000000 ____D C:\Program Files (x86)\GUM174A.tmp
    2017-02-23 19:28 - 2017-02-23 19:28 - 00003244 _____ C:\WINDOWS\System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3}
    2017-02-23 18:21 - 2017-02-23 19:29 - 00000000 ____D C:\Users\Jim\AppData\Local\llssoft
    2017-02-23 18:21 - 2017-02-23 19:29 - 00000000 ____D C:\Program Files (x86)\svcvmx
    2017-02-23 17:21 - 2017-02-23 17:21 - 00000000 ____D C:\Program Files (x86)\winscr
    2017-02-23 17:20 - 2017-02-24 16:54 - 00003842 _____ C:\WINDOWS\System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1
    2017-02-23 17:20 - 2017-02-24 16:49 - 00004404 _____ C:\WINDOWS\System32\Tasks\76656282
    2017-02-23 17:20 - 2017-02-24 15:34 - 00004014 _____ C:\WINDOWS\System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1
    2017-02-23 17:20 - 2017-02-23 19:16 - 00000000 ____D C:\Program Files (x86)\S5
    2017-02-23 17:20 - 2017-02-23 19:16 - 00000000 ____D C:\Program Files (x86)\AnonymizerGadget
    2017-02-23 17:20 - 2017-02-23 17:21 - 00000000 ____D C:\Program Files (x86)\qdcomsvc
    2017-02-23 17:20 - 2017-02-23 17:20 - 01852928 _____ (splsrv Corp.) C:\WINDOWS\SysWOW64\splsrv.exe
    2017-02-23 17:20 - 2017-02-23 17:20 - 00000001 _____ C:\Users\Jim\AppData\Local\setupsuccessful.txt
    2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\c
    2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Jim\AppData\Roaming\AGData
    2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default\AppData\Local\AdvinstAnalytics
    2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\Users\Default User\AppData\Local\AdvinstAnalytics
    2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnonymizerGadget
    2017-02-23 17:20 - 2017-02-23 17:20 - 00000000 ____D C:\ProgramData\1487895640
    2017-02-23 17:19 - 2017-02-24 15:34 - 00003858 _____ C:\WINDOWS\System32\Tasks\213879593
    2017-02-23 17:19 - 2017-02-24 15:34 - 00003686 _____ C:\WINDOWS\System32\Tasks\113879593
    2017-02-23 17:19 - 2017-02-23 17:20 - 00000000 ____D C:\Program Files (x86)\sorrier
    2017-02-23 17:19 - 2017-02-23 17:19 - 01397594 _____ C:\Users\Jim\AppData\Local\setupone.exe
    2017-02-23 17:19 - 2017-02-23 17:19 - 00003850 _____ C:\WINDOWS\System32\Tasks\966848
    2017-02-23 17:19 - 2017-02-23 17:19 - 00003696 _____ C:\WINDOWS\System32\Tasks\Da966848966848
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000055 _____ C:\WINDOWS\key.ini
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\shropshire
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\Enervate
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 ____D C:\Program Files (x86)\daugherty
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\tr5b.txt
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\stxtname.txt
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\run.txt
    2017-02-23 17:19 - 2017-02-23 17:19 - 00000000 _____ C:\Users\Jim\AppData\Local\aatxtname.txt
    2017-02-23 17:16 - 2017-02-23 17:16 - 00006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
    2017-02-22 17:12 - 2017-02-22 17:12 - 00051784 _____ C:\WINDOWS\system32\Drivers\drmkpro64.sys
    2017-02-19 12:47 - 2017-02-19 12:47 - 00000000 ____D C:\Users\Jim\.ssh
    2017-02-18 23:50 - 2017-02-18 23:50 - 00491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
    2017-02-18 23:50 - 2017-02-18 23:50 - 00316416 _____ (windows 99) C:\WINDOWS\motorized.exe
    2017-02-18 23:50 - 2017-02-18 23:50 - 00041196 _____ C:\WINDOWS\peddle.exe
    2017-02-18 23:50 - 2017-02-18 23:50 - 00013824 _____ (munger) C:\WINDOWS\uniter.exe
    2017-02-18 23:50 - 2017-02-18 23:50 - 00009728 _____ (emboldens) C:\WINDOWS\shortsightedness.exe
    2017-02-18 22:22 - 2017-02-18 22:22 - 00080956 _____ C:\Users\Jim\Downloads\Document.pdf
    2017-02-18 22:19 - 2017-02-18 22:19 - 00039150 _____ C:\Users\Jim\Downloads\SKM_284e17021410491.pdf
    2017-02-12 19:09 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\Documents\TurboTax
    2017-02-12 18:48 - 2017-02-12 19:09 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Intuit
    2017-02-12 18:47 - 2017-02-12 18:48 - 00000319 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
    2017-02-12 18:47 - 2017-02-12 18:47 - 00002547 _____ C:\Users\Public\Desktop\TurboTax 2016.lnk
    2017-02-12 18:47 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2016
    2017-02-12 18:46 - 2017-02-12 18:46 - 00000000 ____D C:\Program Files (x86)\TurboTax
    2017-02-12 18:45 - 2017-02-12 18:47 - 00000000 ____D C:\ProgramData\Intuit
    2017-02-08 16:37 - 2017-02-08 16:37 - 00034293 _____ C:\Users\Jim\Downloads\PastBills.pdf
    2017-02-07 17:41 - 2017-02-07 17:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dropbox
    2017-02-07 11:10 - 2017-02-07 11:10 - 00001822 _____ C:\Users\Public\Desktop\iTunes.lnk
    2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iTunes
    2017-02-07 11:10 - 2017-02-07 11:10 - 00000000 ____D C:\Program Files\iPod
    2017-02-07 02:08 - 2017-02-07 02:08 - 00002221 _____ C:\Users\Public\Desktop\Google Earth.lnk
    2017-02-07 02:08 - 2017-02-07 02:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth
    2017-02-06 21:38 - 2017-02-06 21:38 - 00046400 _____ (Dropbox, Inc.) C:\WINDOWS\system32\DbxSvc.exe
    2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-stable.sys
    2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-dev.sys
    2017-02-06 21:38 - 2017-02-06 21:38 - 00046192 _____ (Dropbox, Inc.) C:\WINDOWS\system32\Drivers\dbx-canary.sys
    2017-02-06 17:33 - 2017-02-06 17:33 - 00020823 _____ C:\Users\Jim\Downloads\Dec 01, 2016 to Dec 20, 2016.pdf
    2017-02-06 17:32 - 2017-02-06 17:32 - 00020815 _____ C:\Users\Jim\Downloads\Dec 22, 2016 to Jan 20, 2017.pdf
    2017-02-06 17:26 - 2017-02-06 17:26 - 00526149 _____ C:\Users\Jim\Downloads\Owner_1099_2016.pdf
    2017-01-25 13:32 - 2017-01-25 13:32 - 02314240 _____ C:\Users\Jim\Downloads\MinecraftInstaller.msi
    2017-01-25 09:20 - 2017-01-25 09:20 - 00337425 _____ C:\Users\Jim\Downloads\2454.pdf

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2017-02-24 15:34 - 2016-04-23 11:48 - 00000000 ___RD C:\Users\Jim\Google Drive
    2017-02-24 15:33 - 2016-09-24 04:55 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2017-02-24 15:32 - 2016-07-15 23:04 - 01310720 _____ C:\WINDOWS\system32\config\BBI
    2017-02-24 15:32 - 2016-05-11 18:07 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
    2017-02-24 15:08 - 2016-09-24 04:37 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
    2017-02-24 12:01 - 2016-09-24 05:36 - 00000000 ___DC C:\WINDOWS\Panther
    2017-02-24 12:01 - 2016-07-16 04:45 - 00000000 ____D C:\WINDOWS\INF
    2017-02-24 12:00 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
    2017-02-24 10:00 - 2016-04-23 11:09 - 00000000 ___RD C:\Users\Jim\OneDrive
    2017-02-24 09:22 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\system32\NDF
    2017-02-23 21:12 - 2016-04-23 11:10 - 00000000 ____D C:\Users\Jim\AppData\Local\MicrosoftEdge
    2017-02-23 19:26 - 2016-09-24 04:37 - 00206352 _____ C:\WINDOWS\system32\FNTCACHE.DAT
    2017-02-23 19:25 - 2016-09-24 04:44 - 00000000 ____D C:\Users\Jim
    2017-02-23 19:24 - 2016-05-06 16:31 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
    2017-02-23 18:06 - 2016-04-24 18:57 - 00000000 ____D C:\Users\Jim\AppData\Roaming\.minecraft
    2017-02-18 17:32 - 2016-04-24 18:57 - 00000000 ____D C:\Program Files (x86)\Amazon
    2017-02-15 15:59 - 2016-04-23 11:09 - 00002353 _____ C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
    2017-02-12 18:45 - 2016-07-16 04:47 - 00000000 ____D C:\WINDOWS\AppReadiness
    2017-02-10 15:36 - 2016-04-23 11:45 - 00000000 ___RD C:\Users\Jim\Dropbox
    2017-02-10 12:05 - 2016-04-23 11:29 - 00000000 ____D C:\Users\Jim\AppData\Roaming\DVDVideoSoft
    2017-02-09 08:48 - 2016-04-23 09:35 - 00000000 ____D C:\Users\Jim\AppData\Local\ElevatedDiagnostics
    2017-02-07 17:42 - 2016-04-23 11:42 - 00000000 ____D C:\Program Files (x86)\Dropbox
    2017-02-07 11:14 - 2016-04-23 11:42 - 00000916 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job
    2017-02-07 11:14 - 2016-04-23 11:42 - 00000912 _____ C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job
    2017-02-07 11:10 - 2016-05-15 11:07 - 00000000 ____D C:\Program Files\Recuva
    2017-02-07 11:09 - 2016-05-15 12:02 - 00000000 ____D C:\Program Files\Common Files\Apple
    2017-02-07 02:08 - 2016-04-23 11:14 - 00000000 ____D C:\Program Files (x86)\Google
    2017-01-27 13:15 - 2016-07-16 04:47 - 00000000 ___HD C:\Program Files\WindowsApps
    2017-01-27 13:15 - 2016-04-23 09:27 - 00000000 ____D C:\Users\Jim\AppData\Local\Packages
    2017-01-27 12:17 - 2016-07-17 12:41 - 00000000 ____D C:\Users\Jim\AppData\Roaming\vlc

    ==================== Files in the root of some directories =======

    2016-10-19 15:10 - 2016-10-19 15:10 - 0018070 _____ () C:\Users\Jim\AppData\Roaming\Manunagadoc
    2016-10-08 00:04 - 2016-10-08 00:04 - 0000043 _____ () C:\Users\Jim\AppData\Roaming\WB.CFG
    2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\aatxtname.txt
    2017-02-18 23:50 - 2017-02-18 23:50 - 0491520 _____ (cabinet) C:\Users\Jim\AppData\Local\cement.exe
    2017-02-23 17:16 - 2017-02-23 17:16 - 0006656 _____ (mimic) C:\Users\Jim\AppData\Local\ddnow4.exe
    2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\run.txt
    2016-10-04 07:33 - 2016-10-04 07:33 - 0006144 _____ () C:\Users\Jim\AppData\Local\sc446872423.exe
    2016-10-04 07:33 - 2016-10-04 07:33 - 0005632 _____ () C:\Users\Jim\AppData\Local\sc46872423.exe
    2017-02-23 17:19 - 2017-02-23 17:19 - 1397594 _____ () C:\Users\Jim\AppData\Local\setupone.exe
    2017-02-23 17:20 - 2017-02-23 17:20 - 0000001 _____ () C:\Users\Jim\AppData\Local\setupsuccessful.txt
    2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\stxtname.txt
    2017-02-23 17:19 - 2017-02-23 17:19 - 0000000 _____ () C:\Users\Jim\AppData\Local\tr5b.txt
    2017-02-12 18:47 - 2017-02-12 18:48 - 0000319 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
    2016-10-08 21:04 - 2016-10-08 21:04 - 1134592 _____ () C:\ProgramData\TrezaaSetupx30044.msi
    2016-10-08 17:04 - 2016-10-08 17:04 - 0533504 _____ () C:\ProgramData\Vumaa.msi

    ==================== Bamital & volsnap ======================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2017-02-22 07:31

    ==================== End of FRST.txt ============================

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-02-2017
    Ran by Jim (24-02-2017 16:55:16)
    Running from C:\Users\Jim\Downloads
    Windows 10 Home Version 1607 (X64) (2016-09-24 12:08:15)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-783448517-647833336-481893931-500 - Administrator - Disabled)
    DefaultAccount (S-1-5-21-783448517-647833336-481893931-503 - Limited - Disabled)
    Guest (S-1-5-21-783448517-647833336-481893931-501 - Limited - Disabled)
    Jim (S-1-5-21-783448517-647833336-481893931-1001 - Administrator - Enabled) => C:\Users\Jim

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Amazon Assistant (HKLM-x32\...\{C8D184AC-D6E2-411E-838C-468CB0E91DBF}) (Version: 10.17.0216 - Amazon) <==== ATTENTION
    AMD Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
    AnyBurn (HKLM-x32\...\AnyBurn) (Version: 3.5 - Power Software Ltd)
    Apple Application Support (32-bit) (HKLM-x32\...\{9BA1A894-B42F-4805-BC8C-349C905A3930}) (Version: 5.3.1 - Apple Inc.)
    Apple Application Support (64-bit) (HKLM\...\{7EAC8A42-9FAC-4F6B-AABF-C08C9F2E0F13}) (Version: 5.3.1 - Apple Inc.)
    Apple Mobile Device Support (HKLM\...\{55BB2110-FB43-49B3-93F4-945A0CFB0A6C}) (Version: 10.0.1.3 - Apple Inc.)
    Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
    Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
    CCleaner (HKLM\...\CCleaner) (Version: 5.27 - Piriform)
    Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6514.5001 - Microsoft Corporation)
    Dropbox (HKLM-x32\...\Dropbox) (Version: 19.4.13 - Dropbox, Inc.)
    Dropbox Update Helper (x32 Version: 1.3.65.1 - Dropbox, Inc.) Hidden
    Free Image Editor 2.4 (HKLM-x32\...\Free Image Editor 2.4_is1) (Version: - AskedFiles)
    Free YouTube To MP3 Converter (HKLM-x32\...\Free YouTube To MP3 Converter_is1) (Version: 4.1.21.610 - Digital Wave Ltd)
    GoldWave v6.24 (HKLM\...\GoldWave v6.24) (Version: 6.24 - GoldWave Inc.)
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 56.0.2924.87 - Google Inc.)
    Google Drive (HKLM-x32\...\{07A12123-B717-496B-B471-48AF6407B433}) (Version: 1.32.4066.7445 - Google, Inc.)
    Google Earth (HKLM-x32\...\{F6430171-B86B-4639-839E-374913E7911D}) (Version: 7.1.8.3036 - Google)
    Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
    iTunes (HKLM\...\{9D0D2A8B-7E7B-4D88-8D50-24286ED6A5EB}) (Version: 12.5.5.5 - Apple Inc.)
    Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
    Microsoft OneDrive (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\OneDriveSetup.exe) (Version: 17.3.6764.0111 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{4fcf070a-daac-45e9-a8b0-6850941f7ed8}) (Version: 12.0.21005.1 - Microsoft Corporation)
    Online.io Application (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
    PhotoFiltre 7 (HKU\S-1-5-21-783448517-647833336-481893931-1001\...\PhotoFiltre 7) (Version: - )
    Recuva (HKLM\...\Recuva) (Version: 1.52 - Piriform)
    Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
    Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
    Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
    Traffic Exchange (x32 Version: 2.1.0 - Microleaves) Hidden <==== ATTENTION
    TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
    VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
    Vumaa (x32 Version: 1.0.0 - Vumaa) Hidden

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {09D89F8B-AB1A-4DF0-982F-9875236E49B1} - System32\Tasks\213879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
    Task: {0D37BA10-AB65-4EB1-BF12-0FDBE5A35A77} - System32\Tasks\aA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
    Task: {0E17C043-3086-425B-A76B-57A75E993E8F} - System32\Tasks\966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] () <==== ATTENTION
    Task: {15CF4540-72E0-46B0-970B-EA1B12CFCB5F} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
    Task: {19D74E7E-D9D4-4A92-A050-D5969F5C56A4} - System32\Tasks\MSFT_TaskSettings3\CaesarsSlots => powershell.exe -NoProfile -WindowStyle Hidden -command cmd.exe /c if exist C:\Users\Jim\AppData\Local\Packages\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2 start explorer.exe shell:appsFolder\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2!App
    Task: {1DF06365-6B2C-4E45-AB8A-0338D5438DF6} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
    Task: {296562E1-B097-463C-AB39-9523796F8761} - \DistromaticSearchProtect-logon -> No File <==== ATTENTION
    Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => %SystemRoot%\System32\AutoWorkplace.exe
    Task: {4B66409F-528C-4CC6-9E98-D9F5C4D563A3} - System32\Tasks\Da966848966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] ()
    Task: {4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} - \{E93B1D8E-7144-43CF-AED7-90E7FE9B5827} -> No File <==== ATTENTION
    Task: {6E0AC03E-AD18-4883-BBC5-BA77053C033C} - \DistromaticUpdater-logon -> No File <==== ATTENTION
    Task: {766C52A9-B31F-4C2C-B26C-1176E17586FA} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
    Task: {783288D9-2E79-48D0-9E4A-AE2BB1271C46} - System32\Tasks\dA01A1vNCA6Ny4prQNRW5-ni-2017-02-23-ni-99991-ni-1 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99)
    Task: {78FBCF49-A629-44CF-82AE-74B9266D059B} - \{17D1B85F-0859-46E2-A8B6-00B63052A523} -> No File <==== ATTENTION
    Task: {799231D8-D492-4E80-B400-64B3642849D2} - System32\Tasks\113879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
    Task: {8594B015-CF2B-4C8E-807E-48A2F3C5638E} - \{5EA21E3C-C6DF-4FAF-BF0A-C897623B028D} -> No File <==== ATTENTION
    Task: {95C50509-4001-4D3E-9A2D-F57A90A0EA3E} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
    Task: {980A9FE3-D226-4BF6-A3DB-54055266C29A} - \Optimize Start Menu Cache Files-S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
    Task: {9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} - \WPD\SqmUpload_S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
    Task: {9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} - \DistromaticUpdater-periodic -> No File <==== ATTENTION
    Task: {A6353DBB-3230-4E67-9F61-038F628ADCE4} - System32\Tasks\{625E8CAE-F725-4474-A26F-742B8720C4F3} => pcalua.exe -a "C:\Program Files (x86)\MaxInternet\dotuninstall.exe"
    Task: {B0D68E36-3241-4912-BB9D-A8C965703C51} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
    Task: {D6266248-323A-4BE8-B51A-461073D7F22D} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
    Task: {DF8DFE89-E913-445D-A854-ABB727ED8442} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
    Task: {EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
    Task: {ED004583-CB32-4C6B-882A-CE92F3ECDB0B} - \DistromaticSearchProtect-hourly -> No File <==== ATTENTION

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\Check for updates (Spybot - Search & Destroy).job =>
    Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => C:\WINDOWS\explorer.exe
    Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
    Task: C:\WINDOWS\Tasks\Refresh immunization (Spybot - Search & Destroy).job =>
    Task: C:\WINDOWS\Tasks\Scan the system (Spybot - Search & Destroy).job =>

    ==================== Shortcuts =============================

    (The entries could be listed to be restored or removed.)

    ==================== Loaded Modules (Whitelisted) ==============

    2016-07-16 04:42 - 2016-07-16 04:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
    2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
    2017-02-17 11:24 - 2017-02-17 11:24 - 00100528 _____ () C:\Program Files (x86)\Amazon\Amazon Assistant\amazonAssistantService.exe
    2016-10-05 18:17 - 2016-10-05 18:17 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    2017-01-13 13:56 - 2017-01-13 13:56 - 01353528 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
    2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
    2016-09-24 05:32 - 2016-09-24 05:32 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
    2016-09-29 17:33 - 2016-09-15 09:39 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
    2016-09-29 17:34 - 2016-09-15 09:24 - 09760256 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
    2016-09-29 17:34 - 2016-09-15 09:18 - 01401344 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
    2016-09-29 17:34 - 2016-09-15 09:17 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
    2016-09-29 17:34 - 2016-09-15 09:18 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
    2016-09-29 17:34 - 2016-09-15 09:18 - 02424832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
    2016-09-29 17:34 - 2016-09-15 09:20 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
    2017-02-18 23:50 - 2017-02-18 23:50 - 00041196 _____ () C:\Program Files (x86)\sorrier\harold.exe
    2017-02-18 23:49 - 2017-02-18 23:49 - 00010752 _____ () C:\Program Files (x86)\Enervate\apocalyptic.exe
    2017-02-18 23:50 - 2017-02-18 23:50 - 00040342 _____ () C:\Program Files (x86)\shropshire\lobelia.exe
    2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Program Files (x86)\svcvmx\svcvmx.exe
    2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Program Files (x86)\svcvmx\vmxclient.exe
    2016-04-23 11:30 - 2016-07-12 21:32 - 00112552 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\zlib1.dll
    2016-04-23 11:30 - 2016-07-12 21:33 - 00105896 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_filesystem-vc120-mt-1_56.dll
    2016-04-23 11:30 - 2016-07-12 21:33 - 00021928 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_system-vc120-mt-1_56.dll
    2016-04-23 11:30 - 2016-07-12 21:33 - 00045992 _____ () C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\boost_date_time-vc120-mt-1_56.dll
    2017-02-24 15:34 - 2017-02-24 15:34 - 00011264 _____ () C:\Users\Jim\AppData\Local\Temp\nsh9DA8.tmp\System.dll
    2017-02-24 15:34 - 2017-02-24 15:34 - 00098816 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32api.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00110080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pywintypes27.dll
    2017-02-24 15:34 - 2017-02-24 15:34 - 00364544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pythoncom27.dll
    2017-02-24 15:34 - 2017-02-24 15:34 - 00320512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32com.shell.shell.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00914432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_hashlib.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 01176576 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._core_.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00806400 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._gdi_.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00816128 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._windows_.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 01067008 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._controls_.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00733184 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._misc_.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00682496 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pysqlite2._sqlite.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_ctypes.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00686080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\unicodedata.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00119808 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32file.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00108544 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32security.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00007168 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\hashobjs_ext.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00017920 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\thumbnails_ext.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00088064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\usb_ext.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00012800 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\common.time34.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00018432 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32event.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00167936 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32gui.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00046080 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_socket.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 01303552 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_ssl.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00128512 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_elementtree.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00127488 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\pyexpat.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00038912 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32inet.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00036864 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_psutil_windows.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00524248 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\windows._lib_cacheinvalidation.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00011264 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32crypt.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00123392 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._wizard.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00077312 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._html2.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00027648 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_multiprocessing.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00020480 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\_yappi.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00035840 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32process.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00078848 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\wx._animate.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00024064 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32pipe.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00010240 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\select.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00025600 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32pdh.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00017408 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32profile.pyd
    2017-02-24 15:34 - 2017-02-24 15:34 - 00022528 ____R () C:\Users\Jim\AppData\Local\Temp\_MEI57002\win32ts.pyd
    2017-01-14 19:40 - 2017-01-14 19:40 - 53460992 _____ () C:\Program Files (x86)\svcvmx\libcef.dll
    2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Program Files (x86)\svcvmx\libglesv2.dll
    2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Program Files (x86)\svcvmx\libegl.dll
    2016-09-29 17:34 - 2016-09-15 10:25 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
    2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Program Files (x86)\svcvmx\pepflashplayer.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2013-08-22 06:25 - 2017-02-23 17:19 - 00000947 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    162.222.194.13 cocomo.tremorhub.com
    162.222.194.13 www.virustotal.com
    162.222.194.13 virustotal.com

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-783448517-647833336-481893931-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Jim\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\win8img.jpg
    DNS Servers: 68.105.28.11 - 68.105.29.11
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    MSCONFIG\Services: WSearch => 2

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
    FirewallRules: [{879D9F3D-0A73-45F1-A2DA-12ED46127E80}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{2B008137-5F84-4809-9070-5950BCA6C76A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{250B2D45-23D5-4B74-AED0-658047E5C530}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{473AD362-1498-4AF7-9580-060C363D3A79}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{04715A09-8533-4395-83BD-24E52FF0D711}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
    FirewallRules: [UDP Query User{41669055-1B9D-457D-AA0C-D7AF68CB7D9D}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
    FirewallRules: [TCP Query User{073CB8C7-5E33-4D29-9682-2EE6C072F931}C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe] => (Block) C:\program files (x86)\java\jre1.8.0_91\bin\javaw.exe
    FirewallRules: [{57951344-6AF1-4839-9FA2-E4F1221AEA6D}] => (Allow) C:\Program Files\iTunes\iTunes.exe
    FirewallRules: [{B7B48F01-2D5E-485B-BFBA-C63F4FF753CB}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
    FirewallRules: [{D2BDBA2D-DC75-4777-8FD2-78F67E962DBC}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
    FirewallRules: [{8C82BE9B-F00B-4C5E-9551-C0DEB0DFBB56}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    FirewallRules: [{A6978D68-7287-4C1C-A946-1178C1F65B8F}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    FirewallRules: [{81416A4B-3733-45DC-8A14-2483830BC6E2}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    FirewallRules: [{09D983AE-6554-4983-A380-C15E860307AF}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    FirewallRules: [{FA9E2551-4FD5-4A84-903F-0F9F0123B69B}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
    FirewallRules: [{C5C3CC3D-9D56-4B4E-8FD8-22868FFC7E5A}] => (Allow) C:\Users\Jim\AppData\Local\Temp\1129491421\ic-0.9e6a431f3f96b8.exe
    FirewallRules: [{BD81FB30-E202-4974-9CF8-EE2F49A1B93C}] => (Allow) C:\Users\Jim\AppData\Local\sc446872423.exe
    FirewallRules: [{6A7A9303-0C3C-484D-9FEC-1862F82E24CD}] => (Allow) C:\Users\Jim\AppData\Local\ddnow4.exe
    FirewallRules: [{5ECE3246-505E-4145-8ECE-356A488BE3C8}] => (Allow) C:\Program Files (x86)\sorrier\equalized.exe
    FirewallRules: [{350422A7-6665-4018-B69A-C42A97BED256}] => (Allow) C:\Program Files (x86)\sorrier\harold.exe
    FirewallRules: [{844CF719-23E4-4324-BE33-1E9523540E12}] => (Allow) C:\Program Files (x86)\shropshire\alltime.exe
    FirewallRules: [{436E5307-CA7B-4E20-9F5B-A3B7F9D65B8B}] => (Allow) C:\Program Files (x86)\Enervate\apocalyptic.exe
    FirewallRules: [{5E5BF097-B4F3-494E-9A44-5C210FD57D0C}] => (Allow) C:\WINDOWS\uniter.exe
    FirewallRules: [TCP Query User{F567F884-272F-45FB-8141-EA51BDF61B3B}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
    FirewallRules: [UDP Query User{7432D085-E847-4C62-9209-7922D1B8CBD7}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
    FirewallRules: [{A6E8CA20-02D4-4B21-BA4B-2EBD42C99386}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

    ==================== Restore Points =========================

    04-02-2017 08:16:53 Scheduled Checkpoint
    12-02-2017 18:46:39 Installed TurboTax 2016 wrapper
    19-02-2017 19:40:25 Scheduled Checkpoint
    23-02-2017 19:58:25 JRT Pre-Junkware Removal
    24-02-2017 15:16:43 JRT Pre-Junkware Removal

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (02/24/2017 03:34:15 PM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
    Dependent Assembly 51.0.2683.0,language="*",type="win32",version="51.0.2683.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.

    Error: (02/24/2017 03:33:47 PM) (Source: DbxSvc) (EventID: 320) (User: )
    Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

    Error: (02/24/2017 03:16:59 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
    Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

    Details:
    AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

    System Error:
    Access is denied.
    .

    Error: (02/24/2017 12:42:20 PM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
    Dependent Assembly 51.0.2683.0,language="*",type="win32",version="51.0.2683.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.

    Error: (02/24/2017 12:41:52 PM) (Source: DbxSvc) (EventID: 320) (User: )
    Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

    Error: (02/24/2017 12:28:34 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: JIM-PC)
    Description: Activation of app Microsoft.Getstarted_4.0.12.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

    Error: (02/24/2017 12:12:48 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: MicrosoftEdge.exe, version: 11.0.14393.206, time stamp: 0x57dacb16
    Faulting module name: eModel.dll, version: 11.0.14393.206, time stamp: 0x57dacc2a
    Exception code: 0xc0000409
    Fault offset: 0x00000000000d54e0
    Faulting process id: 0x1f04
    Faulting application start time: 0x01d28ed1fa752c36
    Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    Faulting module path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\eModel.dll
    Report Id: 425fdbf1-4e99-4cb8-addd-0d24a1da9528
    Faulting package full name: Microsoft.MicrosoftEdge_38.14393.0.0_neutral__8wekyb3d8bbwe
    Faulting package-relative application ID: MicrosoftEdge

    Error: (02/24/2017 12:11:15 PM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "C:\Users\Jim\AppData\Local\chromium\Application\chrome.exe".
    Dependent Assembly 51.0.2683.0,language="*",type="win32",version="51.0.2683.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.

    Error: (02/24/2017 12:10:44 PM) (Source: DbxSvc) (EventID: 320) (User: )
    Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

    Error: (02/24/2017 11:55:16 AM) (Source: System Restore) (EventID: 8193) (User: )
    Description: Failed to create restore point (Process = C:\Users\Jim\AppData\Local\Temp\jrt\CreateRestorePoint.exe "JRT Pre-Junkware Removal"; Description = JRT Pre-Junkware Removal; Error = 0x8007043c).


    System errors:
    =============
    Error: (02/24/2017 04:49:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The kolb service terminated unexpectedly. It has done this 1 time(s).

    Error: (02/24/2017 04:49:40 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The moviemaking service terminated unexpectedly. It has done this 1 time(s).

    Error: (02/24/2017 04:49:37 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.

    Error: (02/24/2017 04:49:28 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.

    Error: (02/24/2017 04:49:19 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.

    Error: (02/24/2017 04:49:10 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.

    Error: (02/24/2017 04:49:01 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.

    Error: (02/24/2017 04:48:52 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.

    Error: (02/24/2017 03:43:16 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.

    Error: (02/24/2017 03:43:07 PM) (Source: cdrom) (EventID: 7) (User: )
    Description: The device, \Device\CdRom0, has a bad block.


    CodeIntegrity:
    ===================================
    Date: 2017-02-23 17:19:17.158
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-02-23 17:19:17.157
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-02-20 09:46:50.391
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-02-20 09:46:50.387
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-01-31 10:41:20.190
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-01-31 10:41:20.189
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-01-31 10:41:03.403
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-01-31 10:41:03.401
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-01-07 11:49:55.645
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2017-01-07 11:49:55.639
    Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.


    ==================== Memory info ===========================

    Processor: AMD A8-5500 APU with Radeon(tm) HD Graphics
    Percentage of memory in use: 35%
    Total physical RAM: 7645.61 MB
    Available physical RAM: 4957.28 MB
    Total Virtual: 8861.61 MB
    Available Virtual: 6143.27 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:930.97 GB) (Free:878.3 GB) NTFS
    Drive f: () (Removable) (Total:0.96 GB) (Free:0.77 GB) FAT

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 1667168B)
    Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

    ========================================================
    Disk: 1 (Size: 979.8 MB) (Disk ID: 00000000)

    Partition: GPT.

    ==================== End of Addition.txt ============================
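Three entries in the Addition.txt above account for a machine that can no longer reach security sites or update its scanners: the hosts file points virustotal.com and www.virustotal.com at the same address as an ad-network host, the HKLM ProxyServer value (quoted in the fixlist further down) pushes all http and https traffic through a loopback proxy on 127.0.0.1:8877, and the firewall holds Allow rules for executables sitting in the user's Temp and AppData folders and loose in C:\WINDOWS. The Python script below is an added example, not part of the forum post and not a feature of FRST; it applies those three checks to a handful of lines copied from the log. The SECURITY_DOMAINS and USER_WRITABLE lists are the editor's assumptions, and SAMPLE_LOG is constructed from the entries shown above.

```python
"""Indicator triage for FRST Addition.txt / FRST.txt text.

Added example for this thread; it is not part of the forum post and not an
FRST feature. It pulls three things out of the log that explain a machine
that can no longer reach security sites or run security tools:
  * hosts-file lines that point security-vendor domains at an arbitrary IP
  * ProxyServer values that route http/https through a loopback proxy
  * Windows Firewall Allow rules for .exe files in user-writable folders,
    or loose .exe files sitting directly in C:\\Windows
SECURITY_DOMAINS and USER_WRITABLE are assumptions; extend them as needed.
SAMPLE_LOG is constructed from lines shown in the log above.
"""
import re
from typing import Dict, List, Tuple

# Assumption: domains a PUP/adware bundle commonly blackholes in hosts.
SECURITY_DOMAINS = ("virustotal.com", "jotti.org", "virscan.org",
                    "safer-networking.org", "malwarebytes.com")

# Assumption: lower-cased path fragments where installed software rarely lives.
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\programdata",
                 r"\users\public", r"\windows\temp")

HOSTS_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)")
PROXY_RE = re.compile(r"^\s*ProxyServer:\s*\[([^\]]+)\]\s*=>\s*(\S.*)$")
FWRULE_RE = re.compile(r"^\s*FirewallRules:\s*\[([^\]]*)\]\s*=>\s*\((Allow|Block)\)\s*(.+)$")
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")


def hosts_hijacks(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (hostname, ip) for hosts entries naming a security-vendor domain."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if not m:
            continue
        ip, host = m.groups()
        h = host.lower()
        if any(h == d or h.endswith("." + d) for d in SECURITY_DOMAINS):
            hits.append((host, ip))  # any redirect of these is suspicious, not just 127.0.0.1
    return hits


def loopback_proxies(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (hive, scheme, host:port) for ProxyServer values pointing at localhost."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        hive, value = m.groups()
        for entry in value.split(";"):
            scheme, _, addr = entry.partition("=")
            if not addr:                      # bare "host:port" applies to all schemes
                scheme, addr = "all", scheme
            host = addr.rsplit(":", 1)[0].strip("[]")
            if host in ("127.0.0.1", "localhost", "::1"):
                hits.append((hive, scheme, addr))
    return hits


def risky_firewall_allows(lines: List[str]) -> List[str]:
    """Return targets of Allow rules for executables in user-writable or odd locations."""
    hits = []
    for line in lines:
        m = FWRULE_RE.match(line)
        if not m:
            continue
        _name, action, target = m.groups()
        t = target.strip()
        tl = t.lower()
        if action != "Allow" or not tl.endswith(".exe"):
            continue                          # port-only rules and Block rules are left alone
        if any(frag in tl for frag in USER_WRITABLE) or WINROOT_RE.match(tl):
            hits.append(t)
    return hits


def triage(text: str) -> Dict[str, list]:
    """Run all three checks over raw FRST log text."""
    lines = text.strip().splitlines()
    return {
        "hosts_hijacks": hosts_hijacks(lines),
        "loopback_proxies": loopback_proxies(lines),
        "risky_firewall_allows": risky_firewall_allows(lines),
    }


# Constructed sample: a handful of lines copied from the log in this thread.
SAMPLE_LOG = r"""
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{B7B48F01-2D5E-485B-BFBA-C63F4FF753CB}] => (Allow) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe
FirewallRules: [{C5C3CC3D-9D56-4B4E-8FD8-22868FFC7E5A}] => (Allow) C:\Users\Jim\AppData\Local\Temp\1129491421\ic-0.9e6a431f3f96b8.exe
FirewallRules: [{BD81FB30-E202-4974-9CF8-EE2F49A1B93C}] => (Allow) C:\Users\Jim\AppData\Local\sc446872423.exe
FirewallRules: [{5E5BF097-B4F3-494E-9A44-5C210FD57D0C}] => (Allow) C:\WINDOWS\uniter.exe
FirewallRules: [TCP Query User{F567F884-272F-45FB-8141-EA51BDF61B3B}C:\program files (x86)\google\chrome\application\chrome334.exe] => (Block) C:\program files (x86)\google\chrome\application\chrome334.exe
ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
162.222.194.13 cocomo.tremorhub.com
162.222.194.13 www.virustotal.com
162.222.194.13 virustotal.com
"""

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(found)}")
        for item in found:
            print("   ", item)
```

On the sample it reports the two virustotal.com redirects, four loopback proxy settings (http and https under both HKLM and HKLM-x32), and three Allow rules: the two binaries under AppData\Local and uniter.exe in the Windows root, while the Dropbox rule, the port-only rule and the Block rule for chrome334.exe are left alone. Feed it a whole FRST.txt or Addition.txt to get the same three lists for another machine.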

  6. #6
    Juliet (Security Expert-emeritus)
    Join Date: Feb 2007
    Location: Deep South
    Posts: 4,084

    This is bad.
    There will be several steps to attempt, do the best you can do.

    Programs to remove Uninstall/delete
    Amazon Assistant (HKLM-x32\...\{C8D184AC-D6E2-411E-838C-468CB0E91DBF}) (Version: 10.17.0216 - Amazon) <==== ATTENTION
    Online.io Application

    • Please download and install Revo Uninstaller Free
    • Double click Revo Uninstaller to run it.
    • From the list of programs double click on Amazon Assistant - Online.io Application - Traffic Exchange
    • When prompted if you want to uninstall click Yes.
    • Be sure the Moderate option is selected then click Next.
    • The program will run, If prompted again click Yes
    • when the built-in uninstaller is finished click on Next.
    • Once the program has searched for leftovers click Next.
    • Check/tick the bolded items only on the list then click Delete
    • when prompted click on Yes and then on next.
    • put a check on any folders that are found and select delete
    • when prompted select yes then on next
    • Once done click Finish
    • Then restart the PC.


    ~~~~~

    Here's how to display hidden files and folders.
    Windows 10
    
    In the search box on the taskbar, type folder, and then select Show hidden files and folders from the search results.
    Under Advanced settings, select Show hidden files, folders, and drives, and then select OK.

    Please go to one of the below sites to scan the following files:
    Virus Total (Recommended)
    jotti.org
    VirScan
    click on Browse, and upload the following file for analysis:

    C:\Program Files (x86)\svcvmx\svcvmx.exe

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
    If it says already scanned -- click "reanalyze now"
    Please post the results in your next reply.

    Please also have these scanned


    C:\WINDOWS\uniter.exe
    C:\ProgramData\Vumaa\Vumaa.Service.exe

    ~~~

    Running from C:\Users\Jim\Downloads

    It's best we move Farbar's to desktop.

    Please go to your downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
    Go to an open spot on your desktop, right click and select PASTE
    You should now have Farbar Recovery Scan Tool on your desktop.


    Please open Notepad. *Do Not Use Wordpad* or any other text editor than Notepad, or the script will fail. (Start -> Run -> type notepad in the Open field -> OK.) Then copy and paste the text present inside the quote box below:
    Or use this method: press the Windows key + R on your keyboard at the same time. This will open the RUN box.
    Type Notepad and click the OK key.

    To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)





    start
    CreateRestorePoint:
    CloseProcesses:
    ProxyEnable: [HKLM] => Proxy is enabled.
    ProxyEnable: [HKLM-x32] => Proxy is enabled.
    ProxyServer: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
    ProxyServer: [HKLM-x32] => http=127.0.0.1:8877;https=127.0.0.1:8877
    AutoConfigURL: [HKLM] => http=127.0.0.1:8877;https=127.0.0.1:8877
    HKLM\...\Run: [cutoauto] => C:\Program Files (x86)\sorrier\harold.exe [41196 2017-02-18] ()
    HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
    C:\Program Files (x86)\sorrier
    C:\Program Files (x86)\Enervate
    GroupPolicy: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <======= ATTENTION (Restriction - ProxySettings)
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
    HKU\S-1-5-21-783448517-647833336-481893931-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D1%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome
    SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_16_40&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCyByEtCtN1L2XzutAtFtByEtFtByDtFyDyCtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyC0CyDtDzz0AtAyBtGtBtD0FtCtGyC0DzyyEtGyE0F0F0AtGzy0AyCzyyC0E0DyB0E0EtCyE2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyEtN1B2Z1V1T1S1NzutCtDyEtCtB%26cr%3D310687501%26a%3Dwbf_mncrfprj_16_40%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKLM-x32 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> DefaultScope {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {2211d4a5-48d0-47f5-a7cd-81e861470f7f} URL = hxxps://www.amazon.com/gp/bit/amazonserp/ref=bit_bds-p10_serp_ie_us_display?ie=UTF8&tagbase=bds-p10&tbrId=v1_abb-channel-10_e89f1aa5_1201_1401_20160424_US_ie_ds_&tag=bds-p10-serp-us-ie-20&query={searchTerms}
    SearchScopes: HKU\S-1-5-21-783448517-647833336-481893931-1001 -> {B3B3A6AC-74EC-BD56-BCDB-EFA4799FB9DF} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_mncrfprj_17_04&param1=1&param2=f%3D4%26b%3DIE%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutDzzyCtDyC0EyEzzyDyBtA0EyDzytByBtN0D0Tzu0StCzzyEzytN1L2XzutAtFtByDtFtCtFtCtDzztN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyEtCzyyE0CyByB0FtGtAzy0AyEtGtBtDzz0CtGtA0E0D0DtGyC0F0BtByBzyyB0FtAzzyB0C2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAzy0F0F0ByByD0DtGtDtA0CyBtGyEtB0D0CtG0AyBtAyEtG0A0F0Dzy0F0B0CtByEyCzyyC2QtN0A0LzuyE%26cr%3D1357470261%26a%3Dwbf_mncrfprj_17_04%26os_ver%3D10.0%26os%3DWindows%2B10%2BHome&p={searchTerms}
    U0 aswVmm; no ImagePath
    C:\Program Files (x86)\AnonymizerGadget
    Task: {09D89F8B-AB1A-4DF0-982F-9875236E49B1} - System32\Tasks\213879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
    C:\Program Files (x86)\Enervate\apocalyptic.exe
    Task: {0E17C043-3086-425B-A76B-57A75E993E8F} - System32\Tasks\966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] () <==== ATTENTION
    Task: {15CF4540-72E0-46B0-970B-EA1B12CFCB5F} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
    Task: {19D74E7E-D9D4-4A92-A050-D5969F5C56A4} - System32\Tasks\MSFT_TaskSettings3\CaesarsSlots => powershell.exe -NoProfile -WindowStyle Hidden -command cmd.exe /c if exist C:\Users\Jim\AppData\Local\Packages\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2 start explorer.exe shell:appsFolder\Playtika.CaesarsSlotsFreeCasino_7vjeg68vnncd2!App
    Task: {296562E1-B097-463C-AB39-9523796F8761} - \DistromaticSearchProtect-logon -> No File <==== ATTENTION
    Task: {4B66409F-528C-4CC6-9E98-D9F5C4D563A3} - System32\Tasks\Da966848966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] ()
    Task: {4CEF4553-58C3-4512-8E35-E20BCCCAE4BF} - \{E93B1D8E-7144-43CF-AED7-90E7FE9B5827} -> No File <==== ATTENTION
    Task: {6E0AC03E-AD18-4883-BBC5-BA77053C033C} - \DistromaticUpdater-logon -> No File <==== ATTENTION
    Task: {766C52A9-B31F-4C2C-B26C-1176E17586FA} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
    Task: {78FBCF49-A629-44CF-82AE-74B9266D059B} - \{17D1B85F-0859-46E2-A8B6-00B63052A523} -> No File <==== ATTENTION
    Task: {799231D8-D492-4E80-B400-64B3642849D2} - System32\Tasks\113879593 => C:\Program Files (x86)\shropshire\alltime.exe [2017-02-18] (wallah) <==== ATTENTION
    Task: {8594B015-CF2B-4C8E-807E-48A2F3C5638E} - \{5EA21E3C-C6DF-4FAF-BF0A-C897623B028D} -> No File <==== ATTENTION
    Task: {95C50509-4001-4D3E-9A2D-F57A90A0EA3E} - \DropboxUpdateTaskMachineCore -> No File <==== ATTENTION
    Task: {980A9FE3-D226-4BF6-A3DB-54055266C29A} - \Optimize Start Menu Cache Files-S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
    Task: {9DEE923E-1D8E-4ECA-9A31-7EE01AA62187} - \WPD\SqmUpload_S-1-5-21-783448517-647833336-481893931-1001 -> No File <==== ATTENTION
    Task: {9E11E09C-7C0E-43B8-9372-FE62CDBD3F01} - \DistromaticUpdater-periodic -> No File <==== ATTENTION
    Task: {D6266248-323A-4BE8-B51A-461073D7F22D} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION
    Task: {DF8DFE89-E913-445D-A854-ABB727ED8442} - \OneDrive Standalone Update Task v2 -> No File <==== ATTENTION
    Task: {EAC768E5-6FB2-4E5D-8B80-0AD7A8F4CA6A} - \DropboxUpdateTaskMachineUA -> No File <==== ATTENTION
    Task: {ED004583-CB32-4C6B-882A-CE92F3ECDB0B} - \DistromaticSearchProtect-hourly -> No File <==== ATTENTION
    HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()
    EmptyTemp:
    Hosts:
    End
    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    AdwCleaner
    • Please download AdwCleaner and save the file to your Desktop.
In order to use AdwCleaner, you have to agree to the EULA:
    • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
    • Follow the prompts.
    • Click Scan.
    • Upon completion, click Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
    • Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
    • Click Clean.
    • Follow the prompts and allow your computer to reboot.
    • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

    -- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download Junkware Removal Tool
    or from here http://downloads.malwarebytes.org/file/jrt
    to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    ~~~~~~~~~
    please post
    Files requested scanned
    Fixlog.txt
    AdwCleaner[C1].txt
    JRT.txt
    Last edited by Juliet; 2017-02-25 at 13:01.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
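An added example, not part of the thread and not code from FRST or any of the tools named above: a small Python parser for the `Task:` and `HKLM\...\Run:` line formats that appear in the fixlist, applying the kind of checks a helper runs through by eye before writing a fix (task points to a file that no longer exists, target carries no publisher, task name is a bare number). The sample input copies four lines from the fixlist above and adds one constructed benign Microsoft task with a placeholder GUID for contrast; the triage rules are assumptions of this example, not FRST's own logic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the FRST line format seen in the fixlist above.
# The first four lines are copied from the thread; the last is a constructed
# benign Microsoft task (placeholder GUID) included only for contrast.
SAMPLE_LINES = [
    r"Task: {0E17C043-3086-425B-A76B-57A75E993E8F} - System32\Tasks\966848 => C:\Program Files (x86)\Enervate\apocalyptic.exe [2017-02-18] () <==== ATTENTION",
    r"Task: {15CF4540-72E0-46B0-970B-EA1B12CFCB5F} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION",
    r"Task: {D6266248-323A-4BE8-B51A-461073D7F22D} - System32\Tasks\76656282 => C:\Program Files (x86)\sorrier\equalized.exe [2017-02-18] (windows 99) <==== ATTENTION",
    r"HKLM\...\Run: [interpee] => C:\Program Files (x86)\Enervate\apocalyptic.exe [10752 2017-02-18] ()",
    r"Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\System32\defrag.exe [2017-01-01] (Microsoft Corporation)",
]

# "Task: {GUID} - <task path> => <target> [meta] (publisher) <==== ATTENTION"
# or   "Task: {GUID} - <task path> -> No File <==== ATTENTION"
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<task>.+?) "
    r"(?:=> (?P<target>.+?)(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<publisher>[^)]*)\))?"
    r"|-> No File)(?P<attention> <==== ATTENTION)?$"
)
# "HKLM\...\Run: [value name] => <target> [meta] (publisher)"
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<target>.+?)"
    r"(?: \[(?P<meta>[^\]]*)\])?(?: \((?P<publisher>[^)]*)\))?$"
)


@dataclass
class Finding:
    kind: str                 # "Task" or "Run"
    name: str                 # task path or Run value name
    target: Optional[str]     # executable path; None when FRST reports "No File"
    publisher: Optional[str]  # "" when the line shows an empty "()"
    flagged_by_frst: bool     # line carried "<==== ATTENTION"
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Finding]:
    """Parse one FRST Task or Run line; return None for any other line."""
    m = TASK_RE.match(line)
    if m:
        return Finding("Task", m["task"], m["target"], m["publisher"],
                       m["attention"] is not None)
    m = RUN_RE.match(line)
    if m:
        return Finding("Run", f'{m["hive"]}\\...\\Run\\{m["name"]}',
                       m["target"], m["publisher"], False)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Apply simple review heuristics (assumptions of this example) to each entry."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f.target is None:
            f.reasons.append("orphaned entry: task points to a file that no longer exists")
        elif f.publisher == "":
            f.reasons.append("target carries no publisher/version information")
        leaf = f.name.rsplit("\\", 1)[-1]
        if leaf.isdigit():
            f.reasons.append("entry name is a bare number")
        findings.append(f)
    return findings


def suspicious(lines: List[str]) -> List[Finding]:
    """Only the entries that tripped at least one heuristic."""
    return [f for f in triage(lines) if f.reasons]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_LINES):
        print(f"{f.kind}: {f.name} -> {f.target or 'No File'}; " + "; ".join(f.reasons))
```

Running it prints the four suspicious entries with the reason each one tripped, while the constructed Microsoft defrag task passes every check. Orphaned tasks (`No File`) are not malicious by themselves, which is why a helper still reads the log before deciding what goes into the fixlist.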

  7. #7
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Also receiving help here
    Jpen10
    https://forums.malwarebytes.com/topi...15-locked-out/

    This topic will be closed.

  8. #8
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,955

    Default

    Thank you Juliet.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
