Thread: Hacked browser slow

  1. #1
    Junior Member (Join Date: Nov 2014, Posts: 19)

    Hacked browser slow

    Hi, I've had various warnings over the past few weeks that my accounts have been accessed from a different location. I've also noticed my PC is slower and not operating like it used to.

    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
    Ran by Amin (administrator) on PC (23-05-2019 14:21:50)
    Running from C:\Users\paul\Desktop
    Loaded Profiles: Amin (Available Profiles: Amin)
    Platform: Windows 10 Pro Version 1803 17134.766 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    Failed to access process -> Registry
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Iain Patterson) C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe
    (Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
    (Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1904.1-0\MsMpEng.exe
    () C:\Program Files (x86)\ExpressVPN\expressvpnd\expressvpnd.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1904.1-0\NisSrv.exe
    (Microsoft Corporation) C:\Program Files\rempl\sedsvc.exe
    (Microsoft Corporation) C:\Windows\System32\SgrmBroker.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (Microsoft Corporation) C:\Program Files\rempl\sedlauncher.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
    (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
    (Microsoft Corporation) C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe
    (f.lux Software LLC) C:\Users\paul\AppData\Local\FluxSoftware\Flux\flux.exe
    (Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (ExpressVPN) C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (ExpressVPN) C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\Video.UI.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-12] (Microsoft Corporation)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-07-14] (Apple Inc.)
    HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES/MALWAREBYTES/ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
    HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-12] (Microsoft Corporation)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4174464 2017-05-23] (Safer-Networking Ltd.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [601424 2018-10-06] (Oracle Corporation)
    HKLM-x32\...\Run: [ExpressVPNNotificationService] => C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe [776320 2019-04-27] (ExpressVPN)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-19\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-12] (Microsoft Corporation)
    HKU\S-1-5-20\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-12] (Microsoft Corporation)
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [f.lux] => C:\Users\paul\AppData\Local\FluxSoftware\Flux\flux.exe [1378824 2019-05-07] (f.lux Software LLC)
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [EADM] => C:\Program Files (x86)\Origin\Origin.exe [3503088 2016-09-26] (Electronic Arts)
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [WhatsApp] => C:\Users\paul\AppData\Local\WhatsApp\Update.exe [2206640 2019-04-17] ()
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [ExpressVPN4] => C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe [799360 2019-04-27] (ExpressVPN)
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{8d4b710d-72f5-4894-8cf1-7c188bb6df8a}: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{8ffb0387-866f-4d7a-a141-eb54099418c1}: [DhcpNameServer] 192.168.1.1

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-gb/?ocid=iehp
    BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2018-09-30] (LastPass)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\ssv.dll [2018-11-20] (Oracle Corporation)
    BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2018-09-30] (LastPass)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2ssv.dll [2018-11-20] (Oracle Corporation)
    Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2018-09-30] (LastPass)
    Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2018-09-30] (LastPass)

    FireFox:
    ========
    FF DefaultProfile: sj8zeqrc.default
    FF ProfilePath: C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default [2019-05-23]
    FF Extension: (Anti-Paywall) - C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default\Extensions\{e5322648-dfe4-4c45-b02d-44c61d545f2b}.xpi [2018-09-20]
    FF Extension: (Baidu Search Update) - C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default\features\{d7c12642-4ff0-471c-9d41-62f70956a568}\baidu-code-update@mozillaonline.com.xpi [2019-05-09]
    FF Extension: (Firefox Monitor) - C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default\features\{d7c12642-4ff0-471c-9d41-62f70956a568}\fxmonitor@mozilla.org.xpi [2019-05-09]
    FF Extension: (WebCompat Reporter) - C:\Program Files (x86)\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi [2019-03-25] [not signed]
    FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2018-09-30] (LastPass)
    FF Plugin-x32: @java.com/DTPlugin,version=11.191.2 -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\dtplugin\npDeployJava1.dll [2018-11-20] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.191.2 -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\plugin2\npjp2.dll [2018-11-20] (Oracle Corporation)
    FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2018-09-30] (LastPass)
    FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-12-29] (NVIDIA Corporation)
    FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-12-29] (NVIDIA Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [2019-05-15] (Google LLC)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [2019-05-15] (Google LLC)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2019-05-03] (Adobe Systems Inc.)

    Chrome:
    =======
    CHR DefaultProfile: Profile 3
    CHR HomePage: Profile 3 -> hxxps://auctions.yahoo.co.jp/
    CHR DefaultSearchURL: Profile 3 -> hxxps://uk.search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
    CHR DefaultSearchKeyword: Profile 3 -> Yahoo
    CHR DefaultSuggestURL: Profile 3 -> hxxps://uk.search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\Guest Profile [2018-09-21]
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3 [2019-05-23]
    CHR Extension: (Slides) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-09-21]
    CHR Extension: (Docs) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\aohghmighlieiainnegkcijnfilokake [2018-09-21]
    CHR Extension: (Google Drive) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-10-20]
    CHR Extension: (YouTube) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-09-21]
    CHR Extension: (Adblock Plus - free ad blocker) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2019-04-28]
    CHR Extension: (Do Not Track) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\ckdcpbflcbeillmamogkpmdhnbeggfja [2018-09-21]
    CHR Extension: (Adobe Acrobat) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2019-05-15]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\fabhkdeopjkcpkmofliimbjckmocfiom [2019-05-17]
    CHR Extension: (Sheets) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-09-21]
    CHR Extension: (Google Docs Offline) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-09-21]
    CHR Extension: (LastPass: Free Password Manager) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2019-05-17]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\kpdmjodecdegfglgaapafjleomjjlpnh [2019-05-10]
    CHR Extension: (Notifier for Gmail™) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\mlcdlmnipofbmhgjajfobpeeikdejibj [2018-09-21]
    CHR Extension: (Ghostery – Privacy Ad Blocker) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2019-05-10]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-09-21]
    CHR Extension: (Zoom for Twitter®) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\nnpfigodphdaapfmkbgmkljndjckkegk [2019-04-12]
    CHR Extension: (Browsec VPN - Free and Unlimited VPN) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2019-04-12]
    CHR Extension: (Gmail) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-04-28]
    CHR Extension: (Chrome Media Router) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-05-23]
    CHR Extension: (Privacy Badger) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\pkehgijcmpdhfbdbbnkijodmdjhbjlgp [2019-02-21]
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4 [2018-09-21]
    CHR Extension: (Slides) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-09-21]
    CHR Extension: (Docs) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aohghmighlieiainnegkcijnfilokake [2018-09-21]
    CHR Extension: (Google Drive) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-09-21]
    CHR Extension: (YouTube) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-09-21]
    CHR Extension: (Adblock Plus) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2018-09-21]
    CHR Extension: (Notifier for Gmail™) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\dcjichoefijpinlfnjghokpkojhlhkgl [2018-09-21]
    CHR Extension: (Adobe Acrobat) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2018-09-21]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fabhkdeopjkcpkmofliimbjckmocfiom [2018-09-21]
    CHR Extension: (Sheets) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-09-21]
    CHR Extension: (Google Docs Offline) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-09-21]
    CHR Extension: (LastPass: Free Password Manager) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2018-09-21]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\kpdmjodecdegfglgaapafjleomjjlpnh [2018-09-21]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-09-21]
    CHR Extension: (Gmail) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-09-21]
    CHR Extension: (Chrome Media Router) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-09-21]
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile [2018-09-21]
    CHR Extension: (Google Slides) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-26]
    CHR Extension: (Google Docs) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-26]
    CHR Extension: (Google Drive) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-04-26]
    CHR Extension: (YouTube) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-04-26]
    CHR Extension: (Google Search) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-04-26]
    CHR Extension: (Google Sheets) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-26]
    CHR Extension: (Gmail) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-26]
    CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [kpdmjodecdegfglgaapafjleomjjlpnh] - hxxps://clients2.google.com/service/update2/crx

    ==================== Services (Whitelisted) ====================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [335416 2019-05-15] (Adobe)
    R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
    S3 BcastDVRUserService; C:\WINDOWS\System32\BcastDVRUserService.dll [1364992 2019-05-17] (Microsoft Corporation)
    S3 BcastDVRUserService_3e46a6f; C:\WINDOWS\system32\svchost.exe [85472 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 BcastDVRUserService_3e46a6f; C:\WINDOWS\SysWOW64\svchost.exe [71456 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 BluetoothUserService; C:\WINDOWS\System32\Microsoft.Bluetooth.UserService.dll [464384 2018-04-12] (Microsoft Corporation)
    S3 BluetoothUserService_3e46a6f; C:\WINDOWS\system32\svchost.exe [85472 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 BluetoothUserService_3e46a6f; C:\WINDOWS\SysWOW64\svchost.exe [71456 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    R3 BTAGService; C:\WINDOWS\System32\BTAGService.dll [514048 2018-11-09] (Microsoft Corporation)
    R3 BthAvctpSvc; C:\WINDOWS\System32\BthAvctpSvc.dll [399872 2018-11-09] (Microsoft Corporation)
    S3 CaptureService; C:\WINDOWS\System32\CaptureService.dll [125952 2018-04-12] (Microsoft Corporation)
    S3 CaptureService_3e46a6f; C:\WINDOWS\system32\svchost.exe [85472 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 CaptureService_3e46a6f; C:\WINDOWS\SysWOW64\svchost.exe [71456 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 DevicePickerUserSvc; C:\WINDOWS\System32\Windows.Devices.Picker.dll [400896 2018-04-12] (Microsoft Corporation)
    S3 DevicePickerUserSvc; C:\WINDOWS\SysWOW64\Windows.Devices.Picker.dll [312832 2018-04-12] (Microsoft Corporation)
    R2 ExpressVPNService; C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe [368640 2019-04-27] (Iain Patterson) [File not signed]
    S3 GoogleChromeElevationService; C:\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\elevation_service.exe [1267696 2019-05-21] (Google Inc.)
    S3 LxpSvc; C:\WINDOWS\System32\LanguageOverlayServer.dll [199680 2018-04-12] (Microsoft Corporation)
    R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
    R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [518080 2017-10-11] (NVIDIA Corporation)
    S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [518080 2017-10-11] (NVIDIA Corporation)
    S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2142728 2016-09-26] (Electronic Arts)
    R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2209296 2016-09-26] (Electronic Arts)
    R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1776864 2017-05-23] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2131760 2017-05-23] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [233936 2017-05-23] (Safer-Networking Ltd.)
    R2 sedsvc; C:\Program Files\rempl\sedsvc.exe [362296 2019-05-11] (Microsoft Corporation)
    S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5074120 2019-03-14] (Microsoft Corporation)
    R2 SgrmBroker; C:\WINDOWS\system32\SgrmBroker.exe [163336 2018-04-12] (Microsoft Corporation)
    S4 ssh-agent; C:\WINDOWS\System32\OpenSSH\ssh-agent.exe [495616 2018-03-10] ()
    S4 tzautoupdate; C:\WINDOWS\SysWOW64\tzautoupdate.dll [72192 2018-04-12] (Microsoft Corporation)
    S3 VacSvc; C:\WINDOWS\System32\vac.dll [411256 2018-04-12] (Microsoft Corporation)
    S3 WaaSMedicSvc; C:\WINDOWS\System32\WaaSMedicSvc.dll [392704 2019-01-09] (Microsoft Corporation)
    R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\NisSrv.exe [3851264 2019-04-23] (Microsoft Corporation)
    R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\MsMpEng.exe [118144 2019-04-23] (Microsoft Corporation)
    S3 wisvc; C:\WINDOWS\SysWOW64\flightsettings.dll [729088 2018-06-08] (Microsoft Corporation)
    S3 WpcMonSvc; C:\WINDOWS\System32\WpcDesktopMonSvc.dll [1456640 2018-05-20] (Microsoft Corporation)
    R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem"
    R2 NvTelemetryContainer; "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\plugins" -r

    ===================== Drivers (Whitelisted) ======================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R1 afunix; C:\WINDOWS\system32\drivers\afunix.sys [39424 2018-04-12] (Microsoft Corporation)
    R1 afunix; C:\Windows\SysWOW64\drivers\afunix.sys [29696 2018-04-12] (Microsoft Corporation)
    S3 bindflt; C:\WINDOWS\system32\drivers\bindflt.sys [92704 2019-01-09] (Microsoft Corporation)
    S3 expressvpnsplittunnel; C:\Program Files (x86)\ExpressVPN\splittunnel\expressvpnsplittunnel.sys [28160 2019-04-27] ()
    S3 ffusb2audio; C:\WINDOWS\system32\DRIVERS\ffusb2audio.sys [127280 2013-09-25] (Focusrite Audio Engineering Limited.)
    S4 hvcrash; C:\WINDOWS\System32\drivers\hvcrash.sys [33184 2018-04-12] (Microsoft Corporation)
    S0 iaStorAVC; C:\WINDOWS\System32\drivers\iaStorAVC.sys [885144 2018-04-12] (Intel Corporation)
    S0 ItSas35i; C:\WINDOWS\System32\drivers\ItSas35i.sys [145816 2018-04-12] (Avago Technologies)
    R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [251832 2019-05-21] (Malwarebytes)
    S0 megasas35i; C:\WINDOWS\System32\drivers\megasas35i.sys [82328 2018-04-12] (Avago Technologies)
    S3 nvdimm; C:\WINDOWS\System32\drivers\nvdimm.sys [104448 2018-04-12] (Microsoft Corporation)
    R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvakwu.inf_amd64_0b3c1a15295d17ee\nvlddmkm.sys [14190520 2017-01-17] (NVIDIA Corporation)
    S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30144 2017-10-11] (NVIDIA Corporation)
    R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [50624 2017-10-11] (NVIDIA Corporation)
    R3 nvvhci; C:\WINDOWS\System32\drivers\nvvhci.sys [57792 2017-10-11] (NVIDIA Corporation)
    R0 SgrmAgent; C:\WINDOWS\System32\drivers\SgrmAgent.sys [63896 2018-04-12] (Microsoft Corporation)
    S3 tapexpressvpn; C:\WINDOWS\System32\drivers\tapexpressvpn.sys [45440 2019-04-27] (The OpenVPN Project)
    S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46472 2019-04-23] (Microsoft Corporation)
    R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [344544 2019-04-23] (Microsoft Corporation)
    S3 WdmCompanionFilter; C:\WINDOWS\System32\drivers\WdmCompanionFilter.sys [21408 2018-04-12] (Microsoft Corporation)
    R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [60896 2019-04-23] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    NETSVC: LxpSvc -> C:\Windows\System32\LanguageOverlayServer.dll (Microsoft Corporation)

    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2019-05-23 14:16 - 2019-05-23 14:16 - 000040830 ____C C:\Users\paul\Desktop\Addition.txt
    2019-05-23 14:15 - 2019-05-23 14:22 - 000028385 ____C C:\Users\paul\Desktop\FRST.txt
    2019-05-20 14:58 - 2019-05-17 13:10 - 001364992 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcastdvruserservice.dll
    2019-05-20 14:58 - 2019-05-17 10:16 - 001008640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.MixedRealityCapture.dll
    2019-05-20 14:58 - 2019-05-17 09:12 - 000868864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.MixedRealityCapture.dll
    2019-05-20 14:58 - 2019-05-17 07:49 - 001035040 _____ (Microsoft Corporation) C:\WINDOWS\system32\ApplyTrustOffline.exe
    2019-05-20 14:58 - 2019-05-17 07:43 - 000076088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hvservice.sys
    2019-05-20 14:58 - 2019-05-17 07:42 - 005625160 _____ (Microsoft Corporation) C:\WINDOWS\system32\StartTileData.dll
    2019-05-20 14:58 - 2019-05-17 07:42 - 001027384 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
    2019-05-20 14:58 - 2019-05-17 07:41 - 001220112 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
    2019-05-20 14:58 - 2019-05-17 07:41 - 000568320 _____ (Microsoft Corporation) C:\WINDOWS\system32\tcblaunch.exe
    2019-05-20 14:58 - 2019-05-17 07:41 - 000135184 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvloader.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 009084216 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
    2019-05-20 14:58 - 2019-05-17 07:39 - 007519896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 002768952 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 001459120 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
    2019-05-20 14:58 - 2019-05-17 07:39 - 001260272 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
    2019-05-20 14:58 - 2019-05-17 07:39 - 001140992 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
    2019-05-20 14:58 - 2019-05-17 07:39 - 001098064 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvproc.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 000983424 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
    2019-05-20 14:58 - 2019-05-17 07:22 - 006568016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
    2019-05-20 14:58 - 2019-05-17 07:22 - 002256560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
    2019-05-20 14:58 - 2019-05-17 07:21 - 001130784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvproc.dll
    2019-05-20 14:58 - 2019-05-17 07:07 - 003400192 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
    2019-05-20 14:58 - 2019-05-17 07:06 - 001307648 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSVPXENC.dll
    2019-05-20 14:58 - 2019-05-17 07:06 - 000209408 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXApplicabilityBlob.dll
    2019-05-20 14:58 - 2019-05-17 07:04 - 002175488 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.onecore.dll
    2019-05-20 14:58 - 2019-05-17 07:04 - 001826816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.CloudStore.dll
    2019-05-20 14:58 - 2019-05-17 07:04 - 001708544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSPhotography.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 005307392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d2d1.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 004937728 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 001560576 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.desktop.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 001361408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSPhotography.dll
    2019-05-20 14:58 - 2019-05-17 07:01 - 000507392 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgeIso.dll
    2019-05-20 14:58 - 2019-05-17 07:00 - 001295360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSVPXENC.dll
    2019-05-20 14:58 - 2019-05-17 07:00 - 000333824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgeIso.dll
    2019-05-20 14:58 - 2019-05-17 06:59 - 004516352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
    2019-05-20 14:58 - 2019-05-17 06:57 - 000251904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msIso.dll
    2019-05-20 14:58 - 2019-05-17 05:44 - 000001310 _____ C:\WINDOWS\system32\tcbres.wim
    2019-05-20 12:15 - 2019-05-20 12:15 - 000552478 _____ C:\Users\paul\Downloads\Statement_31Mar2019.pdf
    2019-05-20 10:06 - 2019-05-20 10:06 - 000002160 _____ C:\Users\Public\Desktop\ExpressVPN.lnk
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ___DC C:\Users\paul\AppData\Local\IsolatedStorage
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ___DC C:\Users\paul\AppData\Local\ExpressVPN
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ____D C:\ProgramData\ExpressVPN
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ____D C:\Program Files (x86)\ExpressVPN
    2019-05-20 10:05 - 2019-05-20 10:06 - 026179112 _____ (ExpressVPN) C:\Users\paul\Downloads\expressvpn_7.1.0.7514.exe
    2019-05-17 08:13 - 2019-05-17 08:13 - 004062599 _____ C:\Users\paul\Downloads\THT_PatternsOfMotion_KYDerby2019.pdf
    2019-05-14 20:15 - 2019-05-03 13:14 - 000790208 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
    2019-05-14 20:15 - 2019-05-03 13:14 - 000304144 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mssecflt.sys
    2019-05-14 20:15 - 2019-05-03 13:13 - 001376472 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
    2019-05-14 20:15 - 2019-05-03 13:13 - 000396088 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
    2019-05-14 20:15 - 2019-05-03 12:55 - 000123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontsub.dll
    2019-05-14 20:15 - 2019-05-03 12:54 - 000177664 _____ (Microsoft Corporation) C:\WINDOWS\system32\t2embed.dll
    2019-05-14 20:15 - 2019-05-03 12:52 - 000119808 _____ (Microsoft Corporation) C:\WINDOWS\system32\wercplsupport.dll
    2019-05-14 20:15 - 2019-05-03 12:51 - 003613696 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
    2019-05-14 20:15 - 2019-05-03 12:50 - 004054528 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
    2019-05-14 20:15 - 2019-05-03 12:50 - 001663488 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
    2019-05-14 20:15 - 2019-05-03 12:49 - 001288704 _____ (Microsoft Corporation) C:\WINDOWS\system32\werconcpl.dll
    2019-05-14 20:15 - 2019-05-03 12:49 - 000488448 _____ (Microsoft Corporation) C:\WINDOWS\system32\werui.dll
    2019-05-14 20:15 - 2019-05-03 12:49 - 000210944 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWWIN.EXE
    2019-05-14 20:15 - 2019-05-03 12:43 - 001027008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
    2019-05-14 20:15 - 2019-05-03 12:43 - 000662328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
    2019-05-14 20:15 - 2019-05-03 12:30 - 000138752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\t2embed.dll
    2019-05-14 20:15 - 2019-05-03 12:30 - 000098304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontsub.dll
    2019-05-14 20:15 - 2019-05-03 12:28 - 002882048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
    2019-05-14 20:15 - 2019-05-03 12:28 - 000089600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\olepro32.dll
    2019-05-14 20:15 - 2019-05-03 12:27 - 000176640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWWIN.EXE
    2019-05-14 20:15 - 2019-05-03 12:26 - 000425472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werui.dll
    2019-05-14 20:15 - 2019-05-03 12:25 - 004055040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
    2019-05-14 20:15 - 2019-05-03 12:25 - 001471488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
    2019-05-14 20:15 - 2019-05-03 07:43 - 000177128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\intelpep.sys
    2019-05-14 20:15 - 2019-05-03 07:34 - 000159864 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFaultSecure.exe
    2019-05-14 20:15 - 2019-05-03 07:33 - 000709720 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
    2019-05-14 20:15 - 2019-05-03 07:33 - 000063072 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptdll.dll
    2019-05-14 20:15 - 2019-05-03 07:32 - 000793640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
    2019-05-14 20:15 - 2019-05-03 07:32 - 000776784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
    2019-05-14 20:15 - 2019-05-03 07:32 - 000493880 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
    2019-05-14 20:15 - 2019-05-03 07:32 - 000438984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
    2019-05-14 20:15 - 2019-05-03 07:32 - 000209208 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
    2019-05-14 20:15 - 2019-05-03 07:32 - 000170296 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
    2019-05-14 20:15 - 2019-05-03 07:32 - 000164664 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wfplwfs.sys
    2019-05-14 20:15 - 2019-05-03 07:31 - 007436536 _____ (Microsoft Corporation) C:\WINDOWS\system32\windows.storage.dll
    2019-05-14 20:15 - 2019-05-03 07:31 - 002811192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
    2019-05-14 20:15 - 2019-05-03 07:31 - 000545808 _____ (Microsoft Corporation) C:\WINDOWS\system32\hal.dll
    2019-05-14 20:15 - 2019-05-03 07:31 - 000412984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
    2019-05-14 20:15 - 2019-05-03 07:31 - 000115728 _____ (Microsoft Corporation) C:\WINDOWS\system32\kdnet.dll
    2019-05-14 20:15 - 2019-05-03 07:20 - 000434704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
    2019-05-14 20:15 - 2019-05-03 07:20 - 000384976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
    2019-05-14 20:15 - 2019-05-03 07:20 - 000192016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
    2019-05-14 20:15 - 2019-05-03 07:20 - 000146920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFaultSecure.exe
    2019-05-14 20:15 - 2019-05-03 07:19 - 006043712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\windows.storage.dll
    2019-05-14 20:15 - 2019-05-03 07:19 - 000665224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
    2019-05-14 20:15 - 2019-05-03 07:19 - 000056288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cryptdll.dll
    2019-05-14 20:15 - 2019-05-03 07:12 - 025855488 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
    2019-05-14 20:15 - 2019-05-03 07:10 - 022017024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
    2019-05-14 20:15 - 2019-05-03 07:05 - 022716416 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
    2019-05-14 20:15 - 2019-05-03 07:02 - 019401216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
    2019-05-14 20:15 - 2019-05-03 07:02 - 004866048 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
    2019-05-14 20:15 - 2019-05-03 07:01 - 008189440 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
    2019-05-14 20:15 - 2019-05-03 07:00 - 006661632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
    2019-05-14 20:15 - 2019-05-03 07:00 - 000120832 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-kernel-processor-power-events.dll
    2019-05-14 20:15 - 2019-05-03 07:00 - 000099328 _____ (Microsoft Corporation) C:\WINDOWS\system32\utcutil.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 007593472 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 005788672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 003710976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 000514560 _____ (Microsoft Corporation) C:\WINDOWS\system32\nltest.exe
    2019-05-14 20:15 - 2019-05-03 06:59 - 000204288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wersvc.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 000154112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
    2019-05-14 20:15 - 2019-05-03 06:58 - 000894464 _____ (Microsoft Corporation) C:\WINDOWS\system32\webplatstorageserver.dll
    2019-05-14 20:15 - 2019-05-03 06:58 - 000726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9diag.dll
    2019-05-14 20:15 - 2019-05-03 06:58 - 000462336 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcdedit.exe
    2019-05-14 20:15 - 2019-05-03 06:58 - 000074240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dtdump.exe
    2019-05-14 20:15 - 2019-05-03 06:57 - 001549824 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
    2019-05-14 20:15 - 2019-05-03 06:57 - 000808448 _____ (Microsoft Corporation) C:\WINDOWS\system32\EdgeManager.dll
    2019-05-14 20:15 - 2019-05-03 06:57 - 000608768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\EdgeManager.dll
    2019-05-14 20:15 - 2019-05-03 06:57 - 000561152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9diag.dll
    2019-05-14 20:15 - 2019-05-03 06:56 - 001803776 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
    2019-05-14 20:15 - 2019-05-03 06:56 - 000773632 _____ (Microsoft Corporation) C:\WINDOWS\system32\netlogon.dll
    2019-05-14 20:15 - 2019-05-03 06:56 - 000578560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webplatstorageserver.dll
    2019-05-14 20:15 - 2019-05-03 06:55 - 003090432 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
    2019-05-14 20:15 - 2019-05-03 06:55 - 002166784 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
    2019-05-14 20:15 - 2019-05-03 06:55 - 000659968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\netlogon.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 001628672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 001097728 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthport.sys
    2019-05-14 20:15 - 2019-05-03 06:54 - 000961024 _____ (Microsoft Corporation) C:\WINDOWS\system32\StorSvc.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000845824 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000778752 _____ (Microsoft Corporation) C:\WINDOWS\system32\BFE.DLL
    2019-05-14 20:15 - 2019-05-03 06:54 - 000776192 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000669184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000667136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fveapi.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000543744 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000535552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
    2019-05-14 20:15 - 2019-05-03 06:53 - 000204800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\intelppm.sys
    2019-05-14 20:15 - 2019-05-03 06:53 - 000186880 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\amdk8.sys
    2019-05-14 20:15 - 2019-05-03 06:53 - 000184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\amdppm.sys
    2019-05-14 20:15 - 2019-05-03 06:53 - 000181760 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\processr.sys
    2019-05-14 20:15 - 2019-04-19 11:55 - 001634920 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32full.dll
    2019-05-14 20:15 - 2019-04-19 11:54 - 000720200 _____ (Microsoft Corporation) C:\WINDOWS\system32\kernel32.dll
    2019-05-14 20:15 - 2019-04-19 11:40 - 000064000 _____ (Microsoft Corporation) C:\WINDOWS\system32\iemigplugin.dll
    2019-05-14 20:15 - 2019-04-19 11:39 - 012754944 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
    2019-05-14 20:15 - 2019-04-19 11:38 - 000058368 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDSPnf.exe
    2019-05-14 20:15 - 2019-04-19 11:38 - 000040960 _____ (Microsoft Corporation) C:\WINDOWS\system32\perfproc.dll
    2019-05-14 20:15 - 2019-04-19 11:36 - 000346112 _____ (Microsoft Corporation) C:\WINDOWS\system32\AcGenral.dll
    2019-05-14 20:15 - 2019-04-19 11:34 - 000522240 _____ (Microsoft Corporation) C:\WINDOWS\system32\winspool.drv
    2019-05-14 20:15 - 2019-04-19 10:44 - 001454648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32full.dll
    2019-05-14 20:15 - 2019-04-19 10:37 - 000607960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kernel32.dll
    2019-05-14 20:15 - 2019-04-19 10:30 - 000036864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\perfproc.dll
    2019-05-14 20:15 - 2019-04-19 10:28 - 011940864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
    2019-05-14 20:15 - 2019-04-19 10:26 - 002405888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AcGenral.dll
    2019-05-14 20:15 - 2019-04-19 10:25 - 000423936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winspool.drv
    2019-05-14 20:15 - 2019-04-19 06:07 - 000985400 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
    2019-05-14 20:15 - 2019-04-19 06:06 - 002571632 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000798520 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000713264 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSVideoDSP.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000436024 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000274232 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserbroker.dll
    2019-05-14 20:15 - 2019-04-19 06:02 - 000831800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
    2019-05-14 20:15 - 2019-04-19 06:01 - 001982008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
    2019-05-14 20:15 - 2019-04-19 06:01 - 000581592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSVideoDSP.dll
    2019-05-14 20:15 - 2019-04-19 06:01 - 000576016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
    2019-05-14 20:15 - 2019-04-19 06:01 - 000380728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
    2019-05-14 20:15 - 2019-04-19 05:43 - 000150016 _____ (Microsoft Corporation) C:\WINDOWS\system32\fcon.dll
    2019-05-14 20:15 - 2019-04-19 05:42 - 004384256 _____ (Microsoft Corporation) C:\WINDOWS\system32\EdgeContent.dll
    2019-05-14 20:15 - 2019-04-19 05:41 - 000140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmmigrator.dll
    2019-05-14 20:15 - 2019-04-19 05:41 - 000095232 _____ (Microsoft Corporation) C:\WINDOWS\system32\EduPrintProv.exe
    2019-05-14 20:15 - 2019-04-19 05:40 - 000342528 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserexport.exe
    2019-05-14 20:15 - 2019-04-19 05:40 - 000243712 _____ (Microsoft Corporation) C:\WINDOWS\system32\JpnServiceDS.dll
    2019-05-14 20:15 - 2019-04-19 05:40 - 000172544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\enrollmentapi.dll
    2019-05-14 20:15 - 2019-04-19 05:40 - 000167936 _____ (Microsoft Corporation) C:\WINDOWS\system32\FilterDS.dll
    2019-05-14 20:15 - 2019-04-19 05:40 - 000081408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetDriverInstall.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000567296 _____ (Microsoft Corporation) C:\WINDOWS\system32\daxexec.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000425472 _____ (Microsoft Corporation) C:\WINDOWS\system32\SDDS.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000374784 _____ (Microsoft Corporation) C:\WINDOWS\system32\BingASDS.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000361472 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceEnroller.exe
    2019-05-14 20:15 - 2019-04-19 05:39 - 000204288 _____ (Microsoft Corporation) C:\WINDOWS\system32\enrollmentapi.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 002368512 _____ (Microsoft Corporation) C:\WINDOWS\system32\WebRuntimeManager.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000593408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Internal.Management.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000391680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\daxexec.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000304128 _____ (Microsoft Corporation) C:\WINDOWS\system32\domgmt.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000300544 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmenterprisediagnostics.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000953856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncCore.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000445952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dmenrollengine.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000397312 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000381952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FirewallAPI.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000366080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieproxy.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000221184 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmregistration.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000118272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\updatepolicy.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 002909696 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 001300992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AzureSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000827392 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Management.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000814592 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieproxy.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000546816 _____ (Microsoft Corporation) C:\WINDOWS\system32\FirewallAPI.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000357888 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapibase.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000186368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mdmregistration.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001938944 _____ (Microsoft Corporation) C:\WINDOWS\system32\AzureSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001458688 _____ (Microsoft Corporation) C:\WINDOWS\system32\dosvc.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001175552 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncCore.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001156608 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcss.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000784896 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngcsvc.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000607232 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatehandlers.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000535040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\OneDriveSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000523776 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmenrollengine.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000312320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fveapibase.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000935936 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasmans.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000899584 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000885760 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPSSVC.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000778240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000653312 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneDriveSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 04:18 - 000806360 _____ C:\WINDOWS\SysWOW64\locale.nls
    2019-05-14 20:15 - 2019-04-19 04:18 - 000806360 _____ C:\WINDOWS\system32\locale.nls
    2019-05-14 20:15 - 2019-04-09 02:48 - 001311744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msjet40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000376320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mspbde40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000353280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msrd3x40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000341504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msexcl40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000240640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msltus40.dll
    2019-05-08 16:49 - 2019-05-15 07:44 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2019-04-27 19:01 - 2019-04-27 19:01 - 000045440 _____ (The OpenVPN Project) C:\WINDOWS\system32\Drivers\tapexpressvpn.sys
    2019-04-25 10:04 - 2019-04-25 10:04 - 000566875 ____C C:\Users\paul\Desktop\Hometiffin 3MM Bleed.pdf

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2019-05-23 14:21 - 2016-12-13 20:43 - 000000000 ____D C:\FRST
    2019-05-23 14:12 - 2016-09-08 12:10 - 000000000 ____D C:\ProgramData\Origin
    2019-05-23 14:10 - 2017-01-09 15:40 - 000000000 ___DC C:\Users\paul\AppData\LocalLow\Mozilla
    2019-05-23 13:35 - 2018-04-12 00:38 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
    2019-05-23 12:25 - 2016-10-07 03:42 - 000000000 ____D C:\ProgramData\NVIDIA
    2019-05-23 11:24 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\AppReadiness
    2019-05-23 08:54 - 2018-05-14 21:22 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
    2019-05-23 08:21 - 2018-02-22 20:43 - 000000000 ___DC C:\Users\paul\AppData\Roaming\WhatsApp
    2019-05-22 21:00 - 2018-04-12 00:30 - 000000000 ____D C:\WINDOWS\CbsTemp
    2019-05-22 20:34 - 2017-10-10 14:04 - 000000021 _____ C:\Users\paul\Downloads\b (1) (2).txt
    2019-05-22 08:35 - 2015-04-24 00:49 - 000002301 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2019-05-22 08:35 - 2015-04-24 00:49 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2019-05-22 08:34 - 2018-04-12 00:38 - 000000000 ___HD C:\Program Files\WindowsApps
    2019-05-21 21:01 - 2017-10-10 14:04 - 000003896 _____ C:\Users\paul\Downloads\today (1) (2).txt
    2019-05-21 08:39 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\LiveKernelReports
    2019-05-21 08:36 - 2018-05-14 23:09 - 000793700 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2019-05-21 08:36 - 2018-04-12 00:36 - 000000000 ____D C:\WINDOWS\INF
    2019-05-21 08:32 - 2018-05-14 23:05 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2019-05-21 08:32 - 2018-04-11 22:04 - 000524288 _____ C:\WINDOWS\system32\config\BBI
    2019-05-21 08:32 - 2016-12-14 23:38 - 000251832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\zu-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\yo-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\xh-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\wo-SN
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\uz-Latn-UZ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\tn-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ti-ET
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\tg-Cyrl-TJ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\sr-Cyrl-RS
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\sr-Cyrl-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\sd-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\rw-RW
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\quc-Latn-GT
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\pa-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\nso-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ku-Arab-IQ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ig-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ha-Latn-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\chr-CHER-US
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ca-ES-valencia
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\bs-Latn-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\az-Latn-AZ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\zu-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\yo-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\xh-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\wo-SN
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\uz-Latn-UZ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\tn-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ti-ET
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\tg-Cyrl-TJ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-RS
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\sd-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\rw-RW
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\quc-Latn-GT
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\pa-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\nso-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ku-Arab-IQ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ig-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ha-Latn-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\chr-CHER-US
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ca-ES-valencia
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\bs-Latn-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\az-Latn-AZ
    2019-05-21 08:31 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\TextInput
    2019-05-21 08:31 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\bcastdvr
    2019-05-20 10:06 - 2016-09-08 12:10 - 000000000 ____D C:\ProgramData\Package Cache
    2019-05-17 16:39 - 2018-01-13 08:08 - 000000000 ____D C:\Program Files\rempl
    2019-05-17 07:24 - 2013-08-22 16:44 - 000407740 __RSH C:\bootmgr
    2019-05-16 23:00 - 2018-05-14 21:24 - 000000000 ____D C:\Users\paul
    2019-05-16 16:49 - 2017-07-05 08:54 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
    2019-05-16 15:01 - 2018-05-14 23:05 - 000003352 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1912528622-4210353072-3792142533-1001
    2019-05-16 15:01 - 2018-05-14 21:24 - 000002364 ____C C:\Users\paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
    2019-05-16 15:01 - 2016-02-08 19:46 - 000000000 ___RD C:\Users\paul\OneDrive
    2019-05-15 19:44 - 2019-04-07 18:51 - 000000000 ____D C:\WINDOWS\Minidump
    2019-05-15 07:49 - 2018-05-14 23:05 - 000003418 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
    2019-05-15 07:49 - 2018-05-14 23:05 - 000003294 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
    2019-05-15 07:48 - 2018-05-14 23:05 - 000004572 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
    2019-05-15 07:48 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
    2019-05-15 07:48 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\system32\Macromed
    2019-05-15 07:45 - 2018-05-14 21:22 - 000233856 _____ C:\WINDOWS\system32\FNTCACHE.DAT
    2019-05-15 07:44 - 2016-04-27 14:16 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2019-05-14 21:40 - 2018-04-12 00:38 - 000000000 ___SD C:\WINDOWS\system32\DiagSvcs
    2019-05-14 21:40 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\ShellExperiences
    2019-05-14 21:40 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
    2019-05-14 20:15 - 2015-04-26 18:07 - 000000000 ____D C:\WINDOWS\system32\MRT
    2019-05-14 20:13 - 2015-04-26 18:07 - 132445408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2019-05-09 13:02 - 2017-10-18 07:20 - 000002155 ____C C:\Users\paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\f.lux.lnk
    2019-05-09 08:51 - 2016-04-27 14:16 - 000001232 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
    2019-05-07 17:22 - 2016-12-19 11:05 - 000000000 ___DC C:\Users\paul\AppData\Local\CrashDumps
    2019-05-04 00:53 - 2018-04-12 00:41 - 000835688 _____ (Adobe) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
    2019-05-04 00:53 - 2018-04-12 00:41 - 000179816 _____ (Adobe) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
    2019-05-01 14:49 - 2018-02-17 08:18 - 000000000 ___DC C:\Users\paul\AppData\Local\Packages
    2019-04-23 17:42 - 2018-02-19 23:11 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd

    ==================== Files in the root of some directories =======

    2015-06-11 09:54 - 2015-06-11 09:54 - 000000093 ____C () C:\Users\paul\AppData\Roaming\ARCompanion.log

    Some files in TEMP:
    ====================
    2019-05-20 10:06 - 2019-05-20 10:06 - 000264320 ____C (ExpressVPN) C:\Users\paul\AppData\Local\Temp\ExpressVpn.Client.Setup.Helper.exe

    ==================== Bamital & volsnap ======================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2018-05-14 21:22

    ==================== End of FRST.txt ============================

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
    Ran by Amin (23-05-2019 14:22:16)
    Running from C:\Users\paul\Desktop
    Windows 10 Pro Version 1803 17134.766 (X64) (2018-05-14 22:05:12)
    Boot Mode: Normal
    ==========================================================


    ==================== Accounts: =============================

    Administrator (S-1-5-21-1912528622-4210353072-3792142533-500 - Administrator - Disabled)
    Amin (S-1-5-21-1912528622-4210353072-3792142533-1001 - Administrator - Enabled) => C:\Users\paul
    DefaultAccount (S-1-5-21-1912528622-4210353072-3792142533-503 - Limited - Disabled)
    Guest (S-1-5-21-1912528622-4210353072-3792142533-501 - Limited - Disabled)
    WDAGUtilityAccount (S-1-5-21-1912528622-4210353072-3792142533-504 - Limited - Disabled)

    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Spybot - Search and Destroy (Enabled - Out of date) {4C1D9672-63FE-5C90-371E-8FDA591C5B75}
    AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    µTorrent (HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\uTorrent) (Version: 3.5.0.43916 - BitTorrent Inc.)
    Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 19.012.20034 - Adobe Systems Incorporated)
    Adobe Flash Player 32 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 32.0.0.192 - Adobe)
    Ansel (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel) (Version: 376.19 - NVIDIA Corporation) Hidden
    Apple Application Support (32-bit) (HKLM-x32\...\{D2FE6376-E549-4F63-A2C5-CA24DA035DE4}) (Version: 5.6 - Apple Inc.)
    Apple Application Support (64-bit) (HKLM\...\{BB109E24-EE90-485B-A28B-ADDEFB40540B}) (Version: 5.6 - Apple Inc.)
    Apple Mobile Device Support (HKLM\...\{0A596141-97D5-45FA-9281-98DFAF48D579}) (Version: 10.3.2.3 - Apple Inc.)
    Apple Software Update (HKLM-x32\...\{52D87F32-70E4-4348-8148-C0B9F35B1314}) (Version: 2.3.0.177 - Apple Inc.)
    Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
    Classic Shell (HKLM\...\{7C129CF8-199F-4269-AAEE-60B5D8D716E2}) (Version: 4.2.1 - IvoSoft)
    ExpressVPN (HKLM-x32\...\{49c9ffce-2d6d-4b59-9fc0-672088cdb033}) (Version: 7.1.0.7514 - ExpressVPN)
    ExpressVPN (HKLM-x32\...\{E5B9C3E5-889C-4F22-A959-F4B846DD858B}) (Version: 7.1.0.7514 - ExpressVPN) Hidden
    f.lux (HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Flux) (Version: - f.lux Software LLC)
    FIFA 16 (HKLM-x32\...\{28FA2805-7992-4A28-844B-040C57204718}) (Version: 1.44.20513.9 - Electronic Arts)
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 74.0.3729.169 - Google Inc.)
    Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.34.11 - Google LLC) Hidden
    iTunes (HKLM\...\{02F95875-9527-49CC-B32F-970ADAEBD1EF}) (Version: 12.6.2.20 - Apple Inc.)
    Java 8 Update 191 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180191F0}) (Version: 8.0.1910.12 - Oracle Corporation)
    LastPass (uninstall only) (HKLM-x32\...\LastPass) (Version: - LastPass)
    Malwarebytes version 3.0.5.1299 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.5.1299 - Malwarebytes)
    Microsoft OneDrive (HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\OneDriveSetup.exe) (Version: 19.070.0410.0005 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
    Mozilla Firefox 66.0.5 (x64 en-US) (HKLM\...\Mozilla Firefox 66.0.5 (x64 en-US)) (Version: 66.0.5 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 66.0.5.7066 - Mozilla)
    NVIDIA 3D Vision Controller Driver 369.04 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 369.04 - NVIDIA Corporation)
    NVIDIA 3D Vision Driver 376.54 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 376.54 - NVIDIA Corporation)
    NVIDIA GeForce Experience 3.10.0.95 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.10.0.95 - NVIDIA Corporation)
    NVIDIA Graphics Driver 376.54 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 376.54 - NVIDIA Corporation)
    NVIDIA HD Audio Driver 1.3.34.17 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.17 - NVIDIA Corporation)
    NVIDIA PhysX System Software 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
    Origin (HKLM-x32\...\Origin) (Version: 10.1.1.35466 - Electronic Arts, Inc.)
    SopCast 4.0.0 (HKLM-x32\...\SopCast) (Version: 4.0.0 - www.sopcast.com)
    Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.6.46 - Safer-Networking Ltd.)
    Update for Windows 10 for x64-based Systems (KB4023057) (HKLM\...\{C3ACFCEA-240F-4DCC-A0C3-DD55FEE6C3C2}) (Version: 2.58.0.0 - Microsoft Corporation)
    Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
    WhatsApp (HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\WhatsApp) (Version: 0.3.2848 - WhatsApp)
    Windows Setup Remediations (x64) (KB4023057) (HKLM\...\{5534e02f-0f5d-40dd-ba92-bea38d22384d}.sdb) (Version: - )

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)
    ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)
    ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2016-11-29] (Malwarebytes)
    ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\WINDOWS\system32\nvshext.dll [2016-12-29] (NVIDIA Corporation)
    ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2016-11-29] (Malwarebytes)
    ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)
    ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2017-05-23] (Safer-Networking Ltd.)

    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {00BF3446-1DEB-4289-9F82-91E31A60676B} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2017-05-23] (Safer-Networking Ltd.)
    Task: {0A7AA876-862F-4F81-AA4B-B73950FA632C} - System32\Tasks\Microsoft\Windows\InstallService\WakeUpAndScanForUpdates
    Task: {1BFDCCFD-C9D6-49B0-9562-47767E28658E} - System32\Tasks\Microsoft\Windows\WaaSMedic\PerformRemediation
    Task: {1C4B5B7B-E943-4A1B-BC96-55686E07F2CF} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\MpCmdRun.exe [2019-04-23] (Microsoft Corporation)
    Task: {26473DB7-52AF-4A01-AD2A-E22470DE61CF} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe [2017-10-11] (NVIDIA Corporation)
    Task: {2C79D7B6-E009-4BBB-98FF-65945168A52B} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-04-24] (Google Inc.)
    Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\WINDOWS\System32\AutoWorkplace.exe
    Task: {430852CB-A87C-492E-A659-075C7BF1710C} - System32\Tasks\Microsoft\Windows\InstallService\WakeUpAndContinueUpdates
    Task: {457D7BE4-AEE1-4178-80EE-7E492469AC77} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    Task: {4A305334-B4E7-4FD0-BEFB-F306F90EAAF8} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2017-05-23] (Safer-Networking Ltd.)
    Task: {5314D702-6A2B-47CA-AF3A-023AFC47168D} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2017-10-11] (NVIDIA Corporation)
    Task: {541BA5BF-1736-4A3E-B1E5-CE1C9EE13043} - System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdates
    Task: {65A34F07-723D-4150-B109-13BD1AE3DFAA} - System32\Tasks\Microsoft\Windows\InstallService\SmartRetry
    Task: {65B85F6F-35B3-4459-A179-28255D5B7B25} - System32\Tasks\Microsoft\Windows\HelloFace\FODCleanupTask => C:\WINDOWS\System32\WinBioPlugIns\FaceFodUninstaller.exe [2018-04-12] ()
    Task: {6CAE2CC9-DD3C-4031-881C-8F806B3042BF} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2017-05-23] (Safer-Networking Ltd.)
    Task: {78BABCCD-20B8-49B7-B4F8-87490C41C875} - System32\Tasks\Microsoft\Windows\InstallService\ScanForUpdatesAsUser
    Task: {7A3A4AE3-93C1-45E6-983C-2124C46C0D7A} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2019-05-15] (Adobe)
    Task: {80725B8D-8C27-4D64-88A6-9CF87E886CA4} - System32\Tasks\Microsoft\Windows\Flighting\FeatureConfig\ReconcileFeatures
    Task: {87E18B8C-19BA-4670-80F7-6EAAF965FFB7} - System32\Tasks\Microsoft\Windows\rempl\shell => C:\Program Files\rempl\sedlauncher.exe [2019-05-11] (Microsoft Corporation)
    Task: {8C93EB24-D8A4-4C88-9A52-3263569B8870} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Verification => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\MpCmdRun.exe [2019-04-23] (Microsoft Corporation)
    Task: {8F255F88-A87A-495F-B828-A4AFEC70BDB0} - System32\Tasks\Microsoft\Windows\DirectX\DXGIAdapterCache => C:\WINDOWS\system32\dxgiadaptercache.exe [2018-04-12] (Microsoft Corporation)
    Task: {955A8F2E-0F73-41ED-B330-9813574F93D9} - System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [2017-10-11] (NVIDIA Corporation)
    Task: {9DD0AD76-43F6-4F2A-B1FC-ED358DBE04EE} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-12-16] (Adobe Systems Incorporated)
    Task: {9F6AD30A-A061-4A24-B9BA-EA5CD0E2D9A7} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Cleanup => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\MpCmdRun.exe [2019-04-23] (Microsoft Corporation)
    Task: {A143755E-AB1C-4D63-8CA0-8A838729C6A2} - System32\Tasks\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan => C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\MpCmdRun.exe [2019-04-23] (Microsoft Corporation)
    Task: {AA274D7F-4BF3-4B76-A5CD-4F5A2279A15E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-04-24] (Google Inc.)
    Task: {AB27660D-D4C3-4346-AD03-85AEFDE3DDE9} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2017-10-11] (NVIDIA Corporation)
    Task: {AFA30094-1CCE-477E-BB41-EE1693A8351D} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_32_0_0_192_pepper.exe [2019-05-15] (Adobe)
    Task: {C2098BE2-A29A-4EB1-97F6-F0C57E086D4F} - System32\Tasks\Microsoft\Windows\Speech\HeadsetButtonPress => C:\WINDOWS\system32\speech_onecore\common\SpeechRuntime.exe [2018-05-20] (Microsoft Corporation)
    Task: {D04A58F2-34C0-4A93-8E54-919BC98E3D8B} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [2017-10-11] (NVIDIA Corporation)
    Task: {D1CC320B-9A47-4DB4-AFE4-2BCE1A964E7A} - System32\Tasks\Microsoft\Windows\LanguageComponentsInstaller\ReconcileLanguageResources
    Task: {EED664C0-3622-4F3B-B876-05FFB48E7968} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2019-05-14] (Microsoft Corporation)
    Task: {F2AFA405-E1EE-4B57-8692-B4D9F8C496A1} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [2017-10-11] (NVIDIA Corporation)
    Task: {F4FDB19B-35D0-4E76-8443-8A6EECD4964C} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [2017-10-11] (NVIDIA Corporation)
    Task: {F812199A-D6B1-4932-B233-7BF0DA6EADE4} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [2017-10-11] (NVIDIA Corporation)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


    ==================== Shortcuts & WMI ========================

    (The entries could be listed to be restored or removed.)


    ShortcutWithArgument: C:\Users\paul\Desktop\J - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 4"
    ShortcutWithArgument: C:\Users\paul\Desktop\simon - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 3"
    ShortcutWithArgument: C:\Users\paul\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 2"

    ==================== Loaded Modules (Whitelisted) ==============

    2018-04-12 00:34 - 2018-04-12 00:34 - 000491744 _____ () C:\Windows\System32\InputHost.dll
    2017-07-13 20:50 - 2017-07-13 20:50 - 000092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
    2017-07-13 20:50 - 2017-07-13 20:50 - 001354040 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
    2016-12-14 23:38 - 2017-04-19 11:15 - 002271520 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
    2016-12-14 11:42 - 2017-10-11 02:05 - 001267136 _____ () C:\Program Files\NVIDIA Corporation\NvContainer\libprotobuf.dll
    2019-04-27 19:02 - 2019-04-27 19:02 - 010007680 _____ () C:\Program Files (x86)\ExpressVPN\expressvpnd\expressvpnd.exe
    2017-08-15 20:28 - 2016-12-29 14:16 - 000134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
    2018-04-12 00:34 - 2018-04-12 00:34 - 000472064 _____ () C:\Windows\ShellExperiences\TileControl.dll
    2018-12-12 19:04 - 2018-11-09 03:17 - 002759680 _____ () C:\Windows\ShellComponents\TaskFlowUI.dll
    2019-05-20 14:58 - 2019-05-17 07:04 - 002185728 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
    2017-07-14 10:27 - 2017-07-14 10:27 - 000092472 _____ () C:\Program Files\iTunes\zlib1.dll
    2017-07-14 10:26 - 2017-07-14 10:26 - 001354040 _____ () C:\Program Files\iTunes\libxml2.dll
    2019-04-17 08:55 - 2019-04-17 08:55 - 001840560 ____C () C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\ffmpeg.dll
    2019-05-23 08:21 - 2019-05-23 08:21 - 000497152 ____C () \\?\C:\Users\paul\AppData\Local\Temp\56b413ec-375d-4291-94fa-fdbb1ebefd41.tmp.node
    2019-04-17 08:55 - 2019-04-17 08:55 - 003861936 ____C () C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\libglesv2.dll
    2019-04-17 08:55 - 2019-04-17 08:55 - 000027056 ____C () C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\libegl.dll
    2019-05-23 08:21 - 2019-05-23 08:21 - 000497152 ____C () \\?\C:\Users\paul\AppData\Local\Temp\e9112175-cf5c-411b-a106-2bf5d02a582b.tmp.node
    2019-05-22 08:35 - 2019-05-21 01:51 - 005523440 _____ () C:\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\libglesv2.dll
    2019-05-22 08:35 - 2019-05-21 01:51 - 000138224 _____ () C:\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\libegl.dll
    2019-05-09 16:21 - 2019-05-09 16:21 - 000481280 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
    2019-05-09 16:21 - 2019-05-09 16:21 - 081356800 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
    2017-10-10 11:38 - 2017-10-10 11:38 - 002523136 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\UnityEngineDelegates.dll
    2019-05-09 16:21 - 2019-05-09 16:21 - 000012288 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\RenderingPlugin.dll
    2019-05-09 16:21 - 2019-05-09 16:21 - 003707904 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\MediaEngineCSWrapper.dll
    2019-05-09 16:21 - 2019-05-09 16:21 - 013491200 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\PhotosApp.Windows.dll
    2019-05-09 16:21 - 2019-05-09 16:21 - 002867712 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\AppCore.Windows.dll
    2019-05-09 16:21 - 2019-05-09 16:21 - 001014784 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\RuntimeConfiguration.dll
    2019-05-09 16:21 - 2019-05-09 16:21 - 000120320 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\AppSettingsCppCX.dll
    2018-12-07 19:22 - 2018-12-07 19:22 - 004380232 _____ () C:\Program Files\WindowsApps\Microsoft.UI.Xaml.2.0_2.1810.18004.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
    2019-04-04 14:35 - 2019-04-04 14:35 - 026138624 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\Video.UI.exe
    2019-04-04 14:35 - 2019-04-04 14:35 - 000289280 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\SharedUI.dll
    2017-12-01 08:36 - 2017-12-01 08:36 - 000902656 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl.UI.Xaml.dll
    2018-11-29 10:34 - 2018-11-29 10:34 - 004202208 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
    2019-04-04 14:35 - 2019-04-04 14:35 - 005709824 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\EntCommon.dll
    2019-04-04 14:35 - 2019-04-04 14:35 - 008948224 _____ () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\EntPlat.dll
    2016-09-15 09:03 - 2016-09-15 17:19 - 002493440 _____ () C:\Program Files (x86)\Origin\libGLESv2.dll
    2018-03-31 17:10 - 2017-05-12 11:36 - 000507464 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
    2018-03-31 17:10 - 2016-09-13 14:00 - 000109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
    2018-03-31 17:10 - 2016-09-13 14:00 - 000167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
    2018-03-31 17:10 - 2016-09-13 14:00 - 000416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
    2019-04-27 19:02 - 2019-04-27 19:02 - 010886984 _____ () C:\Program Files (x86)\ExpressVPN\expressvpnd\libxvclient.dll
    2019-04-27 19:05 - 2019-04-27 19:05 - 000080512 _____ () C:\Program Files (x86)\ExpressVPN\expressvpnd\windows\ExpressVPN.NetworkUtils.dll
    2019-04-27 19:01 - 2019-04-27 19:01 - 000303104 _____ () C:\Program Files (x86)\ExpressVPN\expressvpnd\windows\ExpressVPN.SplitTunnel.dll
    2019-04-27 19:05 - 2019-04-27 19:05 - 000444032 _____ () C:\Program Files (x86)\ExpressVPN\expressvpnd\windows\ExpressVPN.FilterManager.dll
    2016-12-14 11:42 - 2017-10-11 02:05 - 001040320 _____ () C:\Program Files (x86)\NVIDIA Corporation\NvContainer\libprotobuf.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AudioEndpointBuilder => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AudioSrv => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HdAudAddService.Sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HdAudBus.Sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\usbaudio.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318} => ""="Media"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96C-E325-11CE-BFC1-08002BE10318} => "SafeBootDrivers"="1"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AudioEndpointBuilder => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AudioSrv => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HdAudAddService.Sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HdAudBus.Sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\usbaudio.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96C-E325-11CE-BFC1-08002BE10318} => ""="Media"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96C-E325-11CE-BFC1-08002BE10318} => "SafeBootDrivers"="1"

    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2013-08-22 14:25 - 2016-12-14 12:56 - 000000027 _____ C:\WINDOWS\system32\Drivers\etc\hosts

    127.0.0.1 localhost

    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Windows\img0.jpg
    DNS Servers: 192.168.1.1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==


    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [UDP Query User{B387EA42-E3F4-484D-BDB3-BAF6CA5637E1}C:\program files (x86)\sopcast\sopcast.exe] => (Block) C:\program files (x86)\sopcast\sopcast.exe
    FirewallRules: [TCP Query User{211BB0D0-90BC-4B16-BA1E-12E54835B526}C:\program files (x86)\sopcast\sopcast.exe] => (Block) C:\program files (x86)\sopcast\sopcast.exe
    FirewallRules: [{A039CE38-D9FD-4D08-BD5D-FEF166D903EF}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
    FirewallRules: [{28E7D674-C8B2-47DE-B21D-4FCE9BF0535C}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
    FirewallRules: [{B888C126-15EF-4FE8-AAA6-3CB7EE23CCB9}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
    FirewallRules: [{832254BC-67E0-45CA-A1D3-E3BEEB8828B8}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
    FirewallRules: [{A8935B67-AF16-446B-B8EB-B1664AD96A8B}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
    FirewallRules: [{0BD6780F-CA42-4800-B9B4-C60BEE4E1262}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
    FirewallRules: [{AAD27CE5-3BAF-437F-B300-05443B2DCEE6}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
    FirewallRules: [{732B1A2E-983F-4423-83DF-F412CA7F742C}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
    FirewallRules: [{A176E4BB-2F21-48B8-8B1E-BCB78C766539}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
    FirewallRules: [{E48987FB-13EA-4C6E-A32E-FE834F7ED99C}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
    FirewallRules: [{6D21C8FE-1D7E-4B3D-8A20-54B9ECA8924D}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
    FirewallRules: [TCP Query User{2D0EC3F9-BBA3-4131-AD5C-BF2C6636CF0A}C:\program files (x86)\sopcast\sopcast.exe] => (Allow) C:\program files (x86)\sopcast\sopcast.exe
    FirewallRules: [UDP Query User{8B6A3E59-3824-41AD-979F-811CDD306BFD}C:\program files (x86)\sopcast\sopcast.exe] => (Allow) C:\program files (x86)\sopcast\sopcast.exe
    FirewallRules: [{6100EF83-3BE3-4148-BBE9-B9D84C76A864}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{BE6B7C25-4EA9-4443-8DE2-93FEEDD522DB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{756CF036-D922-4D87-B56B-5283FACA09E9}] => (Allow) C:\Users\paul\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{E9A1F67A-5CD7-410D-9DF3-581B9895020E}] => (Allow) C:\Users\paul\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{4B885034-1613-44DC-8DB5-4DA6BD66C50E}] => (Allow) C:\Users\paul\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{FC768EB2-80FC-45BC-B89E-0BF1F7ABF3AD}] => (Allow) C:\Users\paul\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{0465D5DE-C3BA-4BD6-8EA7-A5736C39F0A4}] => (Allow) C:\Users\paul\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{9A572F84-6E6E-4E4A-9D51-D92BE2739935}] => (Allow) C:\Users\paul\AppData\Roaming\uTorrent\uTorrent.exe
    FirewallRules: [{4BC7F880-1382-40CD-B271-646FA4DACC72}] => (Allow) D:\Fifa\FIFA 16\fifasetup\fifaconfig.exe
    FirewallRules: [{CD47A016-B34E-4D3B-BE60-B83352CD05A3}] => (Allow) D:\Fifa\FIFA 16\fifasetup\fifaconfig.exe
    FirewallRules: [TCP Query User{CB63752A-2592-4114-90FC-FFCFB642EB3B}D:\fifa\fifa 16\fifa16.exe] => (Allow) D:\fifa\fifa 16\fifa16.exe
    FirewallRules: [UDP Query User{60437F7B-0548-4BAA-A7BD-2B6E6DA463C9}D:\fifa\fifa 16\fifa16.exe] => (Allow) D:\fifa\fifa 16\fifa16.exe
    FirewallRules: [{50F16C94-CF0D-4747-8115-C6FB916A6C85}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{E2F1D5A8-BD1E-4DAC-A7EB-2FAB48F048A5}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{22089C45-1D87-4679-B766-9787664EA129}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{8FC50749-0017-4875-AFD8-6168EA4F8225}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{432821ED-1C90-4FCF-9725-7638C303A3C5}] => (Allow) C:\Program Files\iTunes\iTunes.exe
    FirewallRules: [{78021B60-51EE-406E-9A23-F62AE416A3DD}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
    StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

    ==================== Restore Points =========================

    ATTENTION: System Restore is disabled

    ==================== Faulty Device Manager Devices =============

    Name: ExpressVPN TAP Adapter
    Description: ExpressVPN TAP Adapter
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: ExpressVPN
    Service: tapexpressvpn
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (05/18/2019 11:08:54 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 14531

    Error: (05/18/2019 11:08:54 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 14531

    Error: (05/18/2019 11:08:54 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (05/18/2019 11:08:52 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 12593

    Error: (05/18/2019 11:08:52 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 12593

    Error: (05/18/2019 11:08:52 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (05/18/2019 11:08:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 11093

    Error: (05/18/2019 11:08:51 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 11093


    System errors:
    =============
    Error: (05/23/2019 08:21:46 AM) (Source: DCOM) (EventID: 10016) (User: PC)
    Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {D63B10C5-BB46-4990-A94F-E40B9D520160}
    and APPID
    {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
    to the user PC\Amin SID (S-1-5-21-1912528622-4210353072-3792142533-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    Error: (05/23/2019 08:21:44 AM) (Source: DCOM) (EventID: 10016) (User: PC)
    Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {D63B10C5-BB46-4990-A94F-E40B9D520160}
    and APPID
    {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
    to the user PC\Amin SID (S-1-5-21-1912528622-4210353072-3792142533-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    Error: (05/23/2019 08:21:29 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
    Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
    and APPID
    {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
    to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    Error: (05/23/2019 08:21:29 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
    Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
    and APPID
    {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
    to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    Error: (05/22/2019 08:31:28 AM) (Source: DCOM) (EventID: 10016) (User: PC)
    Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {D63B10C5-BB46-4990-A94F-E40B9D520160}
    and APPID
    {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
    to the user PC\Amin SID (S-1-5-21-1912528622-4210353072-3792142533-1001) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    Error: (05/22/2019 08:31:03 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
    Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
    and APPID
    {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
    to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    Error: (05/22/2019 08:31:03 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
    Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
    and APPID
    {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
    to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

    Error: (05/21/2019 06:34:07 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
    Description: 4


    Windows Defender:
    ===================================
    Date: 2019-05-16 17:50:30.992
    Description:
    Windows Defender Antivirus scan has been stopped before completion.
    Scan ID: {327283DF-25CC-4FBC-A295-81EECADBB781}
    Scan Type: Antimalware
    Scan Parameters: Quick Scan

    Date: 2019-05-15 16:10:55.995
    Description:
    Windows Defender Antivirus scan has been stopped before completion.
    Scan ID: {ED9B96B9-A0D6-4DC8-88B6-17DFE8B4A572}
    Scan Type: Antimalware
    Scan Parameters: Quick Scan

    Date: 2019-05-15 15:51:06.879
    Description:
    Windows Defender Antivirus scan has been stopped before completion.
    Scan ID: {08F0F01E-E055-427A-9364-8C6C5EDB9622}
    Scan Type: Antimalware
    Scan Parameters: Quick Scan

    Date: 2019-05-15 15:03:01.886
    Description:
    Windows Defender Antivirus scan has been stopped before completion.
    Scan ID: {6B46F500-D2DF-4C74-B4B5-E676F460CC2A}
    Scan Type: Antimalware
    Scan Parameters: Quick Scan

    Date: 2019-05-15 14:15:30.323
    Description:
    Windows Defender Antivirus scan has been stopped before completion.
    Scan ID: {C496E73F-27E9-4368-B22A-FC705C9F5151}
    Scan Type: Antimalware
    Scan Parameters: Quick Scan

    CodeIntegrity:
    ===================================

    Date: 2019-05-20 12:37:13.530
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    Date: 2019-05-20 12:37:13.502
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    Date: 2019-05-20 12:37:13.304
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    Date: 2019-05-20 12:37:13.283
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    Date: 2019-05-20 12:37:13.085
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    Date: 2019-05-20 12:37:13.064
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    Date: 2019-05-20 12:37:12.775
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    Date: 2019-05-20 12:37:12.756
    Description:
    Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe) attempted to load \Device\HarddiskVolume3\Windows\System32\nvspcap64.dll that did not meet the Store signing level requirements.

    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz
    Percentage of memory in use: 72%
    Total physical RAM: 8168.81 MB
    Available physical RAM: 2284.68 MB
    Total Virtual: 12008.81 MB
    Available Virtual: 4405.55 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:54.9 GB) (Free:4.6 GB) NTFS ==>[drive with boot components (obtained from BCD)]
    Drive d: () (Fixed) (Total:465.76 GB) (Free:450.2 GB) NTFS
    Drive e: () (Fixed) (Total:931.51 GB) (Free:931.26 GB) NTFS

    \\?\Volume{fd722ce2-0000-0000-0000-20c00d000000}\ () (Fixed) (Total:0.46 GB) (Free:0.07 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 0E5F4CBD)
    Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (MBR Code: Windows 7/8/10) (Size: 931.5 GB) (Disk ID: 6B99E331)
    Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (MBR Code: Windows 7/8/10) (Size: 55.9 GB) (Disk ID: FD722CE2)
    Partition 1: (Active) - (Size=54.9 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=467 MB) - (Type=27)

    ==================== End of Addition.txt ============================

  2. #2
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,777


    FirewallRules: [{0BD6780F-CA42-4800-B9B4-C60BEE4E1262}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
    FirewallRules: [{AAD27CE5-3BAF-437F-B300-05443B2DCEE6}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
    FirewallRules: [{732B1A2E-983F-4423-83DF-F412CA7F742C}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
    FirewallRules: [{A176E4BB-2F21-48B8-8B1E-BCB78C766539}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
    FirewallRules: [{E48987FB-13EA-4C6E-A32E-FE834F7ED99C}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
    FirewallRules: [{6D21C8FE-1D7E-4B3D-8A20-54B9ECA8924D}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe

    KMSpico is the Windows 10 and Microsoft Office 2016 activator that is used to illegally activate copies of Windows or Microsoft Office products.
    Tools you will be asked to use will remove these from your computer. It would be in your best interest to uninstall these tools first.

    ~~~~~~~~


    I see you have peer-to-peer (P2P) file sharing software installed on your computer (uTorrent). I advise you to avoid P2P file sharing programmes; they are a security risk which can make your computer susceptible to malware. File sharing networks are thoroughly infested with malware - worms, backdoor Trojans, IRCBots, and rootkits propagate via P2P file sharing networks, gaming, and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install malware. The best way to reduce the risk of infection is to avoid these types of web sites and P2P programmes. Please read the following articles for more information.


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    How to enable System Restore on Windows 10

    Open Start.
    Search for Create a restore point, and click the top result to open the System Properties experience.
    Under the "Protection Settings" section, select the main "System" drive, and click the Configure button.
    Select the Turn on system protection option.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Start Farbar Recovery Scan Tool with Administrator privileges
    (Right click on the FRST icon and select Run as administrator)

    Highlight the text below, beginning with Start:: and finishing with End::, and select Copy.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Highlight the entire content of the quote box below and select Copy.


    Start::
    CloseProcesses:
    CreateRestorePoint:
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    CHR DefaultSearchURL: Profile 3 -> hxxps://uk.search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
    CHR DefaultSearchKeyword: Profile 3 -> Yahoo
    CHR DefaultSuggestURL: Profile 3 -> hxxps://uk.search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
    2019-05-20 10:06 - 2019-05-20 10:06 - 000264320 ____C (ExpressVPN) C:\Users\paul\AppData\Local\Temp\ExpressVpn.Client.Setup.Helper.exe
    Task: {457D7BE4-AEE1-4178-80EE-7E492469AC77} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    ShortcutWithArgument: C:\Users\paul\Desktop\J - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 4"
    ShortcutWithArgument: C:\Users\paul\Desktop\simon - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 3"
    ShortcutWithArgument: C:\Users\paul\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 2"
    C:\Windows\Temp\*.*
    End::
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Start FRST (FRST64) with Administrator privileges
    Press the Fix button. FRST will process the lines copied above from the clipboard.
    When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

    Please copy and paste its contents in your next reply.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    AdwCleaner - Fix Mode
    • Download AdwCleaner and move it to your Desktop
    • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Accept the EULA (I accept), then click on Scan
    • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean & Repair button. This will kill all the active processes
    • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
    • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    RogueKiller
    • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
    • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
    • Wait for the scan to complete
    • On completion, the results will be displayed
    • Check every single entry (threat found), and click on the Remove Selected button
    • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
    • This will open the report in Notepad. Copy/paste its content in your next reply
    created by Aura

    Please post these logs when finished.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  3. #3
    Junior Member
    Join Date
    Nov 2014
    Posts
    19


    Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14.03.2018
    Ran by Amin (administrator) on PC (23-05-2019 14:21:50)
    Running from C:\Users\paul\Desktop
    Loaded Profiles: Amin (Available Profiles: Amin)
    Platform: Windows 10 Pro Version 1803 17134.766 (X64) Language: English (United States)
    Internet Explorer Version 11 (Default browser: Chrome)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    Failed to access process -> Registry
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Iain Patterson) C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe
    (Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
    (Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1904.1-0\MsMpEng.exe
    () C:\Program Files (x86)\ExpressVPN\expressvpnd\expressvpnd.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (Microsoft Corporation) C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1904.1-0\NisSrv.exe
    (Microsoft Corporation) C:\Program Files\rempl\sedsvc.exe
    (Microsoft Corporation) C:\Windows\System32\SgrmBroker.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (Microsoft Corporation) C:\Program Files\rempl\sedlauncher.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
    (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
    (Microsoft Corporation) C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\LockApp.exe
    (f.lux Software LLC) C:\Users\paul\AppData\Local\FluxSoftware\Flux\flux.exe
    (Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (ExpressVPN) C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (WhatsApp) C:\Users\paul\AppData\Local\WhatsApp\app-0.3.2848\WhatsApp.exe
    (Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (ExpressVPN) C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
    () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19031.17720.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    () C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19031.11411.0_x64__8wekyb3d8bbwe\Video.UI.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

    ==================== Registry (Whitelisted) ===========================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-12] (Microsoft Corporation)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [303928 2017-07-14] (Apple Inc.)
    HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES/MALWAREBYTES/ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
    HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [638872 2018-04-12] (Microsoft Corporation)
    HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4174464 2017-05-23] (Safer-Networking Ltd.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [601424 2018-10-06] (Oracle Corporation)
    HKLM-x32\...\Run: [ExpressVPNNotificationService] => C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPNNotificationService.exe [776320 2019-04-27] (ExpressVPN)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-19\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-12] (Microsoft Corporation)
    HKU\S-1-5-20\...\RunOnce: [WAB Migrate] => C:\Program Files\Windows Mail\wab.exe [518144 2018-04-12] (Microsoft Corporation)
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [f.lux] => C:\Users\paul\AppData\Local\FluxSoftware\Flux\flux.exe [1378824 2019-05-07] (f.lux Software LLC)
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [EADM] => C:\Program Files (x86)\Origin\Origin.exe [3503088 2016-09-26] (Electronic Arts)
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [WhatsApp] => C:\Users\paul\AppData\Local\WhatsApp\Update.exe [2206640 2019-04-17] ()
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\...\Run: [ExpressVPN4] => C:\Program Files (x86)\ExpressVPN\expressvpn-ui\ExpressVPN.exe [799360 2019-04-27] (ExpressVPN)
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{8d4b710d-72f5-4894-8cf1-7c188bb6df8a}: [DhcpNameServer] 192.168.1.1
    Tcpip\..\Interfaces\{8ffb0387-866f-4d7a-a141-eb54099418c1}: [DhcpNameServer] 192.168.1.1

    Internet Explorer:
    ==================
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    HKU\S-1-5-21-1912528622-4210353072-3792142533-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/en-gb/?ocid=iehp
    BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2018-09-30] (LastPass)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\ssv.dll [2018-11-20] (Oracle Corporation)
    BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2018-09-30] (LastPass)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\jp2ssv.dll [2018-11-20] (Oracle Corporation)
    Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2018-09-30] (LastPass)
    Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2018-09-30] (LastPass)

    FireFox:
    ========
    FF DefaultProfile: sj8zeqrc.default
    FF ProfilePath: C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default [2019-05-23]
    FF Extension: (Anti-Paywall) - C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default\Extensions\{e5322648-dfe4-4c45-b02d-44c61d545f2b}.xpi [2018-09-20]
    FF Extension: (Baidu Search Update) - C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default\features\{d7c12642-4ff0-471c-9d41-62f70956a568}\baidu-code-update@mozillaonline.com.xpi [2019-05-09]
    FF Extension: (Firefox Monitor) - C:\Users\paul\AppData\Roaming\Mozilla\Firefox\Profiles\sj8zeqrc.default\features\{d7c12642-4ff0-471c-9d41-62f70956a568}\fxmonitor@mozilla.org.xpi [2019-05-09]
    FF Extension: (WebCompat Reporter) - C:\Program Files (x86)\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi [2019-03-25] [not signed]
    FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2018-09-30] (LastPass)
    FF Plugin-x32: @java.com/DTPlugin,version=11.191.2 -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\dtplugin\npDeployJava1.dll [2018-11-20] (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.191.2 -> C:\Program Files (x86)\Java\jre1.8.0_191\bin\plugin2\npjp2.dll [2018-11-20] (Oracle Corporation)
    FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2018-09-30] (LastPass)
    FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2016-12-29] (NVIDIA Corporation)
    FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2016-12-29] (NVIDIA Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [2019-05-15] (Google LLC)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.34.11\npGoogleUpdate3.dll [2019-05-15] (Google LLC)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2019-05-03] (Adobe Systems Inc.)

    Chrome:
    =======
    CHR DefaultProfile: Profile 3
    CHR HomePage: Profile 3 -> hxxps://auctions.yahoo.co.jp/
    CHR DefaultSearchURL: Profile 3 -> hxxps://uk.search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
    CHR DefaultSearchKeyword: Profile 3 -> Yahoo
    CHR DefaultSuggestURL: Profile 3 -> hxxps://uk.search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\Guest Profile [2018-09-21]
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3 [2019-05-23]
    CHR Extension: (Slides) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-09-21]
    CHR Extension: (Docs) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\aohghmighlieiainnegkcijnfilokake [2018-09-21]
    CHR Extension: (Google Drive) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-10-20]
    CHR Extension: (YouTube) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-09-21]
    CHR Extension: (Adblock Plus - free ad blocker) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2019-04-28]
    CHR Extension: (Do Not Track) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\ckdcpbflcbeillmamogkpmdhnbeggfja [2018-09-21]
    CHR Extension: (Adobe Acrobat) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2019-05-15]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\fabhkdeopjkcpkmofliimbjckmocfiom [2019-05-17]
    CHR Extension: (Sheets) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-09-21]
    CHR Extension: (Google Docs Offline) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-09-21]
    CHR Extension: (LastPass: Free Password Manager) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2019-05-17]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\kpdmjodecdegfglgaapafjleomjjlpnh [2019-05-10]
    CHR Extension: (Notifier for Gmail™) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\mlcdlmnipofbmhgjajfobpeeikdejibj [2018-09-21]
    CHR Extension: (Ghostery – Privacy Ad Blocker) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2019-05-10]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-09-21]
    CHR Extension: (Zoom for Twitter®) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\nnpfigodphdaapfmkbgmkljndjckkegk [2019-04-12]
    CHR Extension: (Browsec VPN - Free and Unlimited VPN) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2019-04-12]
    CHR Extension: (Gmail) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2019-04-28]
    CHR Extension: (Chrome Media Router) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2019-05-23]
    CHR Extension: (Privacy Badger) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\pkehgijcmpdhfbdbbnkijodmdjhbjlgp [2019-02-21]
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4 [2018-09-21]
    CHR Extension: (Slides) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2018-09-21]
    CHR Extension: (Docs) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\aohghmighlieiainnegkcijnfilokake [2018-09-21]
    CHR Extension: (Google Drive) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\apdfllckaahabafndbhieahigkjlhalf [2018-09-21]
    CHR Extension: (YouTube) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2018-09-21]
    CHR Extension: (Adblock Plus) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2018-09-21]
    CHR Extension: (Notifier for Gmail™) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\dcjichoefijpinlfnjghokpkojhlhkgl [2018-09-21]
    CHR Extension: (Adobe Acrobat) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2018-09-21]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\fabhkdeopjkcpkmofliimbjckmocfiom [2018-09-21]
    CHR Extension: (Sheets) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2018-09-21]
    CHR Extension: (Google Docs Offline) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2018-09-21]
    CHR Extension: (LastPass: Free Password Manager) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2018-09-21]
    CHR Extension: (Yahoo Partner) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\kpdmjodecdegfglgaapafjleomjjlpnh [2018-09-21]
    CHR Extension: (Chrome Web Store Payments) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-09-21]
    CHR Extension: (Gmail) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2018-09-21]
    CHR Extension: (Chrome Media Router) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-09-21]
    CHR Profile: C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile [2018-09-21]
    CHR Extension: (Google Slides) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-26]
    CHR Extension: (Google Docs) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-26]
    CHR Extension: (Google Drive) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-04-26]
    CHR Extension: (YouTube) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-04-26]
    CHR Extension: (Google Search) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-04-26]
    CHR Extension: (Google Sheets) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-26]
    CHR Extension: (Gmail) - C:\Users\paul\AppData\Local\Google\Chrome\User Data\System Profile\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-26]
    CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [fabhkdeopjkcpkmofliimbjckmocfiom] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [kpdmjodecdegfglgaapafjleomjjlpnh] - hxxps://clients2.google.com/service/update2/crx

    ==================== Services (Whitelisted) ====================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    S3 AdobeFlashPlayerUpdateSvc; C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [335416 2019-05-15] (Adobe)
    R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-04-03] (Apple Inc.)
    S3 BcastDVRUserService; C:\WINDOWS\System32\BcastDVRUserService.dll [1364992 2019-05-17] (Microsoft Corporation)
    S3 BcastDVRUserService_3e46a6f; C:\WINDOWS\system32\svchost.exe [85472 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 BcastDVRUserService_3e46a6f; C:\WINDOWS\SysWOW64\svchost.exe [71456 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 BluetoothUserService; C:\WINDOWS\System32\Microsoft.Bluetooth.UserService.dll [464384 2018-04-12] (Microsoft Corporation)
    S3 BluetoothUserService_3e46a6f; C:\WINDOWS\system32\svchost.exe [85472 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 BluetoothUserService_3e46a6f; C:\WINDOWS\SysWOW64\svchost.exe [71456 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    R3 BTAGService; C:\WINDOWS\System32\BTAGService.dll [514048 2018-11-09] (Microsoft Corporation)
    R3 BthAvctpSvc; C:\WINDOWS\System32\BthAvctpSvc.dll [399872 2018-11-09] (Microsoft Corporation)
    S3 CaptureService; C:\WINDOWS\System32\CaptureService.dll [125952 2018-04-12] (Microsoft Corporation)
    S3 CaptureService_3e46a6f; C:\WINDOWS\system32\svchost.exe [85472 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 CaptureService_3e46a6f; C:\WINDOWS\SysWOW64\svchost.exe [71456 2019-01-09] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
    S3 DevicePickerUserSvc; C:\WINDOWS\System32\Windows.Devices.Picker.dll [400896 2018-04-12] (Microsoft Corporation)
    S3 DevicePickerUserSvc; C:\WINDOWS\SysWOW64\Windows.Devices.Picker.dll [312832 2018-04-12] (Microsoft Corporation)
    R2 ExpressVPNService; C:\Program Files (x86)\ExpressVPN\bootstrap\amd64\nssm.exe [368640 2019-04-27] (Iain Patterson) [File not signed]
    S3 GoogleChromeElevationService; C:\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\elevation_service.exe [1267696 2019-05-21] (Google Inc.)
    S3 LxpSvc; C:\WINDOWS\System32\LanguageOverlayServer.dll [199680 2018-04-12] (Microsoft Corporation)
    R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
    R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [518080 2017-10-11] (NVIDIA Corporation)
    S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [518080 2017-10-11] (NVIDIA Corporation)
    S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2142728 2016-09-26] (Electronic Arts)
    R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2209296 2016-09-26] (Electronic Arts)
    R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1776864 2017-05-23] (Safer-Networking Ltd.)
    R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2131760 2017-05-23] (Safer-Networking Ltd.)
    R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [233936 2017-05-23] (Safer-Networking Ltd.)
    R2 sedsvc; C:\Program Files\rempl\sedsvc.exe [362296 2019-05-11] (Microsoft Corporation)
    S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [5074120 2019-03-14] (Microsoft Corporation)
    R2 SgrmBroker; C:\WINDOWS\system32\SgrmBroker.exe [163336 2018-04-12] (Microsoft Corporation)
    S4 ssh-agent; C:\WINDOWS\System32\OpenSSH\ssh-agent.exe [495616 2018-03-10] ()
    S4 tzautoupdate; C:\WINDOWS\SysWOW64\tzautoupdate.dll [72192 2018-04-12] (Microsoft Corporation)
    S3 VacSvc; C:\WINDOWS\System32\vac.dll [411256 2018-04-12] (Microsoft Corporation)
    S3 WaaSMedicSvc; C:\WINDOWS\System32\WaaSMedicSvc.dll [392704 2019-01-09] (Microsoft Corporation)
    R3 WdNisSvc; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\NisSrv.exe [3851264 2019-04-23] (Microsoft Corporation)
    R2 WinDefend; C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1904.1-0\MsMpEng.exe [118144 2019-04-23] (Microsoft Corporation)
    S3 wisvc; C:\WINDOWS\SysWOW64\flightsettings.dll [729088 2018-06-08] (Microsoft Corporation)
    S3 WpcMonSvc; C:\WINDOWS\System32\WpcDesktopMonSvc.dll [1456640 2018-05-20] (Microsoft Corporation)
    R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem"
    R2 NvTelemetryContainer; "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\plugins" -r

    ===================== Drivers (Whitelisted) ======================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    R1 afunix; C:\WINDOWS\system32\drivers\afunix.sys [39424 2018-04-12] (Microsoft Corporation)
    R1 afunix; C:\Windows\SysWOW64\drivers\afunix.sys [29696 2018-04-12] (Microsoft Corporation)
    S3 bindflt; C:\WINDOWS\system32\drivers\bindflt.sys [92704 2019-01-09] (Microsoft Corporation)
    S3 expressvpnsplittunnel; C:\Program Files (x86)\ExpressVPN\splittunnel\expressvpnsplittunnel.sys [28160 2019-04-27] ()
    S3 ffusb2audio; C:\WINDOWS\system32\DRIVERS\ffusb2audio.sys [127280 2013-09-25] (Focusrite Audio Engineering Limited.)
    S4 hvcrash; C:\WINDOWS\System32\drivers\hvcrash.sys [33184 2018-04-12] (Microsoft Corporation)
    S0 iaStorAVC; C:\WINDOWS\System32\drivers\iaStorAVC.sys [885144 2018-04-12] (Intel Corporation)
    S0 ItSas35i; C:\WINDOWS\System32\drivers\ItSas35i.sys [145816 2018-04-12] (Avago Technologies)
    R0 MBAMSwissArmy; C:\WINDOWS\System32\drivers\MBAMSwissArmy.sys [251832 2019-05-21] (Malwarebytes)
    S0 megasas35i; C:\WINDOWS\System32\drivers\megasas35i.sys [82328 2018-04-12] (Avago Technologies)
    S3 nvdimm; C:\WINDOWS\System32\drivers\nvdimm.sys [104448 2018-04-12] (Microsoft Corporation)
    R3 nvlddmkm; C:\WINDOWS\System32\DriverStore\FileRepository\nvakwu.inf_amd64_0b3c1a15295d17ee\nvlddmkm.sys [14190520 2017-01-17] (NVIDIA Corporation)
    S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30144 2017-10-11] (NVIDIA Corporation)
    R3 nvvad_WaveExtensible; C:\WINDOWS\system32\drivers\nvvad64v.sys [50624 2017-10-11] (NVIDIA Corporation)
    R3 nvvhci; C:\WINDOWS\System32\drivers\nvvhci.sys [57792 2017-10-11] (NVIDIA Corporation)
    R0 SgrmAgent; C:\WINDOWS\System32\drivers\SgrmAgent.sys [63896 2018-04-12] (Microsoft Corporation)
    S3 tapexpressvpn; C:\WINDOWS\System32\drivers\tapexpressvpn.sys [45440 2019-04-27] (The OpenVPN Project)
    S0 WdBoot; C:\WINDOWS\System32\drivers\wd\WdBoot.sys [46472 2019-04-23] (Microsoft Corporation)
    R0 WdFilter; C:\WINDOWS\System32\drivers\wd\WdFilter.sys [344544 2019-04-23] (Microsoft Corporation)
    S3 WdmCompanionFilter; C:\WINDOWS\System32\drivers\WdmCompanionFilter.sys [21408 2018-04-12] (Microsoft Corporation)
    R3 WdNisDrv; C:\WINDOWS\System32\drivers\wd\WdNisDrv.sys [60896 2019-04-23] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    NETSVC: LxpSvc -> C:\Windows\System32\LanguageOverlayServer.dll (Microsoft Corporation)

    ==================== One Month Created files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2019-05-23 14:16 - 2019-05-23 14:16 - 000040830 ____C C:\Users\paul\Desktop\Addition.txt
    2019-05-23 14:15 - 2019-05-23 14:22 - 000028385 ____C C:\Users\paul\Desktop\FRST.txt
    2019-05-20 14:58 - 2019-05-17 13:10 - 001364992 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcastdvruserservice.dll
    2019-05-20 14:58 - 2019-05-17 10:16 - 001008640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.MixedRealityCapture.dll
    2019-05-20 14:58 - 2019-05-17 09:12 - 000868864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.MixedRealityCapture.dll
    2019-05-20 14:58 - 2019-05-17 07:49 - 001035040 _____ (Microsoft Corporation) C:\WINDOWS\system32\ApplyTrustOffline.exe
    2019-05-20 14:58 - 2019-05-17 07:43 - 000076088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\hvservice.sys
    2019-05-20 14:58 - 2019-05-17 07:42 - 005625160 _____ (Microsoft Corporation) C:\WINDOWS\system32\StartTileData.dll
    2019-05-20 14:58 - 2019-05-17 07:42 - 001027384 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvax64.exe
    2019-05-20 14:58 - 2019-05-17 07:41 - 001220112 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvix64.exe
    2019-05-20 14:58 - 2019-05-17 07:41 - 000568320 _____ (Microsoft Corporation) C:\WINDOWS\system32\tcblaunch.exe
    2019-05-20 14:58 - 2019-05-17 07:41 - 000135184 _____ (Microsoft Corporation) C:\WINDOWS\system32\hvloader.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 009084216 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
    2019-05-20 14:58 - 2019-05-17 07:39 - 007519896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.Protection.PlayReady.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 002768952 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 001459120 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
    2019-05-20 14:58 - 2019-05-17 07:39 - 001260272 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
    2019-05-20 14:58 - 2019-05-17 07:39 - 001140992 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
    2019-05-20 14:58 - 2019-05-17 07:39 - 001098064 _____ (Microsoft Corporation) C:\WINDOWS\system32\msvproc.dll
    2019-05-20 14:58 - 2019-05-17 07:39 - 000983424 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
    2019-05-20 14:58 - 2019-05-17 07:22 - 006568016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.Protection.PlayReady.dll
    2019-05-20 14:58 - 2019-05-17 07:22 - 002256560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
    2019-05-20 14:58 - 2019-05-17 07:21 - 001130784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msvproc.dll
    2019-05-20 14:58 - 2019-05-17 07:07 - 003400192 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
    2019-05-20 14:58 - 2019-05-17 07:06 - 001307648 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSVPXENC.dll
    2019-05-20 14:58 - 2019-05-17 07:06 - 000209408 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXApplicabilityBlob.dll
    2019-05-20 14:58 - 2019-05-17 07:04 - 002175488 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.onecore.dll
    2019-05-20 14:58 - 2019-05-17 07:04 - 001826816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.CloudStore.dll
    2019-05-20 14:58 - 2019-05-17 07:04 - 001708544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSPhotography.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 005307392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d2d1.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 004937728 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 001560576 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.desktop.dll
    2019-05-20 14:58 - 2019-05-17 07:03 - 001361408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSPhotography.dll
    2019-05-20 14:58 - 2019-05-17 07:01 - 000507392 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgeIso.dll
    2019-05-20 14:58 - 2019-05-17 07:00 - 001295360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSVPXENC.dll
    2019-05-20 14:58 - 2019-05-17 07:00 - 000333824 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgeIso.dll
    2019-05-20 14:58 - 2019-05-17 06:59 - 004516352 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
    2019-05-20 14:58 - 2019-05-17 06:57 - 000251904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msIso.dll
    2019-05-20 14:58 - 2019-05-17 05:44 - 000001310 _____ C:\WINDOWS\system32\tcbres.wim
    2019-05-20 12:15 - 2019-05-20 12:15 - 000552478 _____ C:\Users\paul\Downloads\Statement_31Mar2019.pdf
    2019-05-20 10:06 - 2019-05-20 10:06 - 000002160 _____ C:\Users\Public\Desktop\ExpressVPN.lnk
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ___DC C:\Users\paul\AppData\Local\IsolatedStorage
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ___DC C:\Users\paul\AppData\Local\ExpressVPN
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExpressVPN
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ____D C:\ProgramData\ExpressVPN
    2019-05-20 10:06 - 2019-05-20 10:06 - 000000000 ____D C:\Program Files (x86)\ExpressVPN
    2019-05-20 10:05 - 2019-05-20 10:06 - 026179112 _____ (ExpressVPN) C:\Users\paul\Downloads\expressvpn_7.1.0.7514.exe
    2019-05-17 08:13 - 2019-05-17 08:13 - 004062599 _____ C:\Users\paul\Downloads\THT_PatternsOfMotion_KYDerby2019.pdf
    2019-05-14 20:15 - 2019-05-03 13:14 - 000790208 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontdrvhost.exe
    2019-05-14 20:15 - 2019-05-03 13:14 - 000304144 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mssecflt.sys
    2019-05-14 20:15 - 2019-05-03 13:13 - 001376472 _____ (Microsoft Corporation) C:\WINDOWS\system32\ole32.dll
    2019-05-14 20:15 - 2019-05-03 13:13 - 000396088 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
    2019-05-14 20:15 - 2019-05-03 12:55 - 000123392 _____ (Microsoft Corporation) C:\WINDOWS\system32\fontsub.dll
    2019-05-14 20:15 - 2019-05-03 12:54 - 000177664 _____ (Microsoft Corporation) C:\WINDOWS\system32\t2embed.dll
    2019-05-14 20:15 - 2019-05-03 12:52 - 000119808 _____ (Microsoft Corporation) C:\WINDOWS\system32\wercplsupport.dll
    2019-05-14 20:15 - 2019-05-03 12:51 - 003613696 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
    2019-05-14 20:15 - 2019-05-03 12:50 - 004054528 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
    2019-05-14 20:15 - 2019-05-03 12:50 - 001663488 _____ (Microsoft Corporation) C:\WINDOWS\system32\GdiPlus.dll
    2019-05-14 20:15 - 2019-05-03 12:49 - 001288704 _____ (Microsoft Corporation) C:\WINDOWS\system32\werconcpl.dll
    2019-05-14 20:15 - 2019-05-03 12:49 - 000488448 _____ (Microsoft Corporation) C:\WINDOWS\system32\werui.dll
    2019-05-14 20:15 - 2019-05-03 12:49 - 000210944 _____ (Microsoft Corporation) C:\WINDOWS\system32\DWWIN.EXE
    2019-05-14 20:15 - 2019-05-03 12:43 - 001027008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ole32.dll
    2019-05-14 20:15 - 2019-05-03 12:43 - 000662328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontdrvhost.exe
    2019-05-14 20:15 - 2019-05-03 12:30 - 000138752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\t2embed.dll
    2019-05-14 20:15 - 2019-05-03 12:30 - 000098304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fontsub.dll
    2019-05-14 20:15 - 2019-05-03 12:28 - 002882048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
    2019-05-14 20:15 - 2019-05-03 12:28 - 000089600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\olepro32.dll
    2019-05-14 20:15 - 2019-05-03 12:27 - 000176640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DWWIN.EXE
    2019-05-14 20:15 - 2019-05-03 12:26 - 000425472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werui.dll
    2019-05-14 20:15 - 2019-05-03 12:25 - 004055040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
    2019-05-14 20:15 - 2019-05-03 12:25 - 001471488 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GdiPlus.dll
    2019-05-14 20:15 - 2019-05-03 07:43 - 000177128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\intelpep.sys
    2019-05-14 20:15 - 2019-05-03 07:34 - 000159864 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFaultSecure.exe
    2019-05-14 20:15 - 2019-05-03 07:33 - 000709720 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
    2019-05-14 20:15 - 2019-05-03 07:33 - 000063072 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptdll.dll
    2019-05-14 20:15 - 2019-05-03 07:32 - 000793640 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms2.sys
    2019-05-14 20:15 - 2019-05-03 07:32 - 000776784 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
    2019-05-14 20:15 - 2019-05-03 07:32 - 000493880 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
    2019-05-14 20:15 - 2019-05-03 07:32 - 000438984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
    2019-05-14 20:15 - 2019-05-03 07:32 - 000209208 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
    2019-05-14 20:15 - 2019-05-03 07:32 - 000170296 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
    2019-05-14 20:15 - 2019-05-03 07:32 - 000164664 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wfplwfs.sys
    2019-05-14 20:15 - 2019-05-03 07:31 - 007436536 _____ (Microsoft Corporation) C:\WINDOWS\system32\windows.storage.dll
    2019-05-14 20:15 - 2019-05-03 07:31 - 002811192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgkrnl.sys
    2019-05-14 20:15 - 2019-05-03 07:31 - 000545808 _____ (Microsoft Corporation) C:\WINDOWS\system32\hal.dll
    2019-05-14 20:15 - 2019-05-03 07:31 - 000412984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dxgmms1.sys
    2019-05-14 20:15 - 2019-05-03 07:31 - 000115728 _____ (Microsoft Corporation) C:\WINDOWS\system32\kdnet.dll
    2019-05-14 20:15 - 2019-05-03 07:20 - 000434704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
    2019-05-14 20:15 - 2019-05-03 07:20 - 000384976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
    2019-05-14 20:15 - 2019-05-03 07:20 - 000192016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
    2019-05-14 20:15 - 2019-05-03 07:20 - 000146920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFaultSecure.exe
    2019-05-14 20:15 - 2019-05-03 07:19 - 006043712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\windows.storage.dll
    2019-05-14 20:15 - 2019-05-03 07:19 - 000665224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
    2019-05-14 20:15 - 2019-05-03 07:19 - 000056288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cryptdll.dll
    2019-05-14 20:15 - 2019-05-03 07:12 - 025855488 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
    2019-05-14 20:15 - 2019-05-03 07:10 - 022017024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
    2019-05-14 20:15 - 2019-05-03 07:05 - 022716416 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
    2019-05-14 20:15 - 2019-05-03 07:02 - 019401216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
    2019-05-14 20:15 - 2019-05-03 07:02 - 004866048 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
    2019-05-14 20:15 - 2019-05-03 07:01 - 008189440 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
    2019-05-14 20:15 - 2019-05-03 07:00 - 006661632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
    2019-05-14 20:15 - 2019-05-03 07:00 - 000120832 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-kernel-processor-power-events.dll
    2019-05-14 20:15 - 2019-05-03 07:00 - 000099328 _____ (Microsoft Corporation) C:\WINDOWS\system32\utcutil.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 007593472 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 005788672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 003710976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 000514560 _____ (Microsoft Corporation) C:\WINDOWS\system32\nltest.exe
    2019-05-14 20:15 - 2019-05-03 06:59 - 000204288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wersvc.dll
    2019-05-14 20:15 - 2019-05-03 06:59 - 000154112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakradiag.dll
    2019-05-14 20:15 - 2019-05-03 06:58 - 000894464 _____ (Microsoft Corporation) C:\WINDOWS\system32\webplatstorageserver.dll
    2019-05-14 20:15 - 2019-05-03 06:58 - 000726528 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9diag.dll
    2019-05-14 20:15 - 2019-05-03 06:58 - 000462336 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcdedit.exe
    2019-05-14 20:15 - 2019-05-03 06:58 - 000074240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dtdump.exe
    2019-05-14 20:15 - 2019-05-03 06:57 - 001549824 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
    2019-05-14 20:15 - 2019-05-03 06:57 - 000808448 _____ (Microsoft Corporation) C:\WINDOWS\system32\EdgeManager.dll
    2019-05-14 20:15 - 2019-05-03 06:57 - 000608768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\EdgeManager.dll
    2019-05-14 20:15 - 2019-05-03 06:57 - 000561152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9diag.dll
    2019-05-14 20:15 - 2019-05-03 06:56 - 001803776 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
    2019-05-14 20:15 - 2019-05-03 06:56 - 000773632 _____ (Microsoft Corporation) C:\WINDOWS\system32\netlogon.dll
    2019-05-14 20:15 - 2019-05-03 06:56 - 000578560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webplatstorageserver.dll
    2019-05-14 20:15 - 2019-05-03 06:55 - 003090432 _____ (Microsoft Corporation) C:\WINDOWS\system32\diagtrack.dll
    2019-05-14 20:15 - 2019-05-03 06:55 - 002166784 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
    2019-05-14 20:15 - 2019-05-03 06:55 - 000659968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\netlogon.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 001628672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 001097728 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\bthport.sys
    2019-05-14 20:15 - 2019-05-03 06:54 - 000961024 _____ (Microsoft Corporation) C:\WINDOWS\system32\StorSvc.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000845824 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000778752 _____ (Microsoft Corporation) C:\WINDOWS\system32\BFE.DLL
    2019-05-14 20:15 - 2019-05-03 06:54 - 000776192 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000669184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000667136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fveapi.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000543744 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
    2019-05-14 20:15 - 2019-05-03 06:54 - 000535552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
    2019-05-14 20:15 - 2019-05-03 06:53 - 000204800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\intelppm.sys
    2019-05-14 20:15 - 2019-05-03 06:53 - 000186880 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\amdk8.sys
    2019-05-14 20:15 - 2019-05-03 06:53 - 000184320 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\amdppm.sys
    2019-05-14 20:15 - 2019-05-03 06:53 - 000181760 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\processr.sys
    2019-05-14 20:15 - 2019-04-19 11:55 - 001634920 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32full.dll
    2019-05-14 20:15 - 2019-04-19 11:54 - 000720200 _____ (Microsoft Corporation) C:\WINDOWS\system32\kernel32.dll
    2019-05-14 20:15 - 2019-04-19 11:40 - 000064000 _____ (Microsoft Corporation) C:\WINDOWS\system32\iemigplugin.dll
    2019-05-14 20:15 - 2019-04-19 11:39 - 012754944 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
    2019-05-14 20:15 - 2019-04-19 11:38 - 000058368 _____ (Microsoft Corporation) C:\WINDOWS\system32\RDSPnf.exe
    2019-05-14 20:15 - 2019-04-19 11:38 - 000040960 _____ (Microsoft Corporation) C:\WINDOWS\system32\perfproc.dll
    2019-05-14 20:15 - 2019-04-19 11:36 - 000346112 _____ (Microsoft Corporation) C:\WINDOWS\system32\AcGenral.dll
    2019-05-14 20:15 - 2019-04-19 11:34 - 000522240 _____ (Microsoft Corporation) C:\WINDOWS\system32\winspool.drv
    2019-05-14 20:15 - 2019-04-19 10:44 - 001454648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32full.dll
    2019-05-14 20:15 - 2019-04-19 10:37 - 000607960 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kernel32.dll
    2019-05-14 20:15 - 2019-04-19 10:30 - 000036864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\perfproc.dll
    2019-05-14 20:15 - 2019-04-19 10:28 - 011940864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
    2019-05-14 20:15 - 2019-04-19 10:26 - 002405888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AcGenral.dll
    2019-05-14 20:15 - 2019-04-19 10:25 - 000423936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winspool.drv
    2019-05-14 20:15 - 2019-04-19 06:07 - 000985400 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
    2019-05-14 20:15 - 2019-04-19 06:06 - 002571632 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000798520 _____ (Microsoft Corporation) C:\WINDOWS\system32\NetSetupEngine.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000713264 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSVideoDSP.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000436024 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
    2019-05-14 20:15 - 2019-04-19 06:06 - 000274232 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserbroker.dll
    2019-05-14 20:15 - 2019-04-19 06:02 - 000831800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
    2019-05-14 20:15 - 2019-04-19 06:01 - 001982008 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
    2019-05-14 20:15 - 2019-04-19 06:01 - 000581592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSVideoDSP.dll
    2019-05-14 20:15 - 2019-04-19 06:01 - 000576016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetSetupEngine.dll
    2019-05-14 20:15 - 2019-04-19 06:01 - 000380728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
    2019-05-14 20:15 - 2019-04-19 05:43 - 000150016 _____ (Microsoft Corporation) C:\WINDOWS\system32\fcon.dll
    2019-05-14 20:15 - 2019-04-19 05:42 - 004384256 _____ (Microsoft Corporation) C:\WINDOWS\system32\EdgeContent.dll
    2019-05-14 20:15 - 2019-04-19 05:41 - 000140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmmigrator.dll
    2019-05-14 20:15 - 2019-04-19 05:41 - 000095232 _____ (Microsoft Corporation) C:\WINDOWS\system32\EduPrintProv.exe
    2019-05-14 20:15 - 2019-04-19 05:40 - 000342528 _____ (Microsoft Corporation) C:\WINDOWS\system32\browserexport.exe
    2019-05-14 20:15 - 2019-04-19 05:40 - 000243712 _____ (Microsoft Corporation) C:\WINDOWS\system32\JpnServiceDS.dll
    2019-05-14 20:15 - 2019-04-19 05:40 - 000172544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\enrollmentapi.dll
    2019-05-14 20:15 - 2019-04-19 05:40 - 000167936 _____ (Microsoft Corporation) C:\WINDOWS\system32\FilterDS.dll
    2019-05-14 20:15 - 2019-04-19 05:40 - 000081408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\NetDriverInstall.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000567296 _____ (Microsoft Corporation) C:\WINDOWS\system32\daxexec.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000425472 _____ (Microsoft Corporation) C:\WINDOWS\system32\SDDS.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000374784 _____ (Microsoft Corporation) C:\WINDOWS\system32\BingASDS.dll
    2019-05-14 20:15 - 2019-04-19 05:39 - 000361472 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceEnroller.exe
    2019-05-14 20:15 - 2019-04-19 05:39 - 000204288 _____ (Microsoft Corporation) C:\WINDOWS\system32\enrollmentapi.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 002368512 _____ (Microsoft Corporation) C:\WINDOWS\system32\WebRuntimeManager.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000593408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Internal.Management.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000391680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\daxexec.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000304128 _____ (Microsoft Corporation) C:\WINDOWS\system32\domgmt.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000300544 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmenterprisediagnostics.dll
    2019-05-14 20:15 - 2019-04-19 05:38 - 000140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000953856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncCore.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000445952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dmenrollengine.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000397312 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000381952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FirewallAPI.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000366080 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieproxy.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000221184 _____ (Microsoft Corporation) C:\WINDOWS\system32\mdmregistration.dll
    2019-05-14 20:15 - 2019-04-19 05:37 - 000118272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\updatepolicy.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 002909696 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 001300992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AzureSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000827392 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.Management.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000814592 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieproxy.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000546816 _____ (Microsoft Corporation) C:\WINDOWS\system32\FirewallAPI.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000357888 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapibase.dll
    2019-05-14 20:15 - 2019-04-19 05:36 - 000186368 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mdmregistration.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001938944 _____ (Microsoft Corporation) C:\WINDOWS\system32\AzureSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001458688 _____ (Microsoft Corporation) C:\WINDOWS\system32\dosvc.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001175552 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncCore.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 001156608 _____ (Microsoft Corporation) C:\WINDOWS\system32\rpcss.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000784896 _____ (Microsoft Corporation) C:\WINDOWS\system32\ngcsvc.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000607232 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatehandlers.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000535040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\OneDriveSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000523776 _____ (Microsoft Corporation) C:\WINDOWS\system32\dmenrollengine.dll
    2019-05-14 20:15 - 2019-04-19 05:35 - 000312320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\fveapibase.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000935936 _____ (Microsoft Corporation) C:\WINDOWS\system32\rasmans.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000899584 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000885760 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPSSVC.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000778240 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
    2019-05-14 20:15 - 2019-04-19 05:34 - 000653312 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneDriveSettingSyncProvider.dll
    2019-05-14 20:15 - 2019-04-19 04:18 - 000806360 _____ C:\WINDOWS\SysWOW64\locale.nls
    2019-05-14 20:15 - 2019-04-19 04:18 - 000806360 _____ C:\WINDOWS\system32\locale.nls
    2019-05-14 20:15 - 2019-04-09 02:48 - 001311744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msjet40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000376320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mspbde40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000353280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msrd3x40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000341504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msexcl40.dll
    2019-05-14 20:15 - 2019-04-09 02:48 - 000240640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msltus40.dll
    2019-05-08 16:49 - 2019-05-15 07:44 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
    2019-04-27 19:01 - 2019-04-27 19:01 - 000045440 _____ (The OpenVPN Project) C:\WINDOWS\system32\Drivers\tapexpressvpn.sys
    2019-04-25 10:04 - 2019-04-25 10:04 - 000566875 ____C C:\Users\paul\Desktop\Hometiffin 3MM Bleed.pdf

    ==================== One Month Modified files and folders ========

    (If an entry is included in the fixlist, the file/folder will be moved.)

    2019-05-23 14:21 - 2016-12-13 20:43 - 000000000 ____D C:\FRST
    2019-05-23 14:12 - 2016-09-08 12:10 - 000000000 ____D C:\ProgramData\Origin
    2019-05-23 14:10 - 2017-01-09 15:40 - 000000000 ___DC C:\Users\paul\AppData\LocalLow\Mozilla
    2019-05-23 13:35 - 2018-04-12 00:38 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
    2019-05-23 12:25 - 2016-10-07 03:42 - 000000000 ____D C:\ProgramData\NVIDIA
    2019-05-23 11:24 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\AppReadiness
    2019-05-23 08:54 - 2018-05-14 21:22 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
    2019-05-23 08:21 - 2018-02-22 20:43 - 000000000 ___DC C:\Users\paul\AppData\Roaming\WhatsApp
    2019-05-22 21:00 - 2018-04-12 00:30 - 000000000 ____D C:\WINDOWS\CbsTemp
    2019-05-22 20:34 - 2017-10-10 14:04 - 000000021 _____ C:\Users\paul\Downloads\b (1) (2).txt
    2019-05-22 08:35 - 2015-04-24 00:49 - 000002301 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
    2019-05-22 08:35 - 2015-04-24 00:49 - 000002260 _____ C:\Users\Public\Desktop\Google Chrome.lnk
    2019-05-22 08:34 - 2018-04-12 00:38 - 000000000 ___HD C:\Program Files\WindowsApps
    2019-05-21 21:01 - 2017-10-10 14:04 - 000003896 _____ C:\Users\paul\Downloads\today (1) (2).txt
    2019-05-21 08:39 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\LiveKernelReports
    2019-05-21 08:36 - 2018-05-14 23:09 - 000793700 _____ C:\WINDOWS\system32\PerfStringBackup.INI
    2019-05-21 08:36 - 2018-04-12 00:36 - 000000000 ____D C:\WINDOWS\INF
    2019-05-21 08:32 - 2018-05-14 23:05 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
    2019-05-21 08:32 - 2018-04-11 22:04 - 000524288 _____ C:\WINDOWS\system32\config\BBI
    2019-05-21 08:32 - 2016-12-14 23:38 - 000251832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\zu-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\yo-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\xh-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\wo-SN
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\uz-Latn-UZ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\tn-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ti-ET
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\tg-Cyrl-TJ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\sr-Cyrl-RS
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\sr-Cyrl-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\sd-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\rw-RW
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\quc-Latn-GT
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\pa-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\nso-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ku-Arab-IQ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ig-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ha-Latn-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\chr-CHER-US
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\ca-ES-valencia
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\bs-Latn-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\SysWOW64\az-Latn-AZ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\zu-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\yo-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\xh-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\wo-SN
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\uz-Latn-UZ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\tn-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ti-ET
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\tg-Cyrl-TJ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-RS
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\sr-Cyrl-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\sd-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\rw-RW
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\quc-Latn-GT
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\pa-Arab-PK
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\nso-ZA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ku-Arab-IQ
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ig-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ha-Latn-NG
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\chr-CHER-US
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\ca-ES-valencia
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\bs-Latn-BA
    2019-05-21 08:31 - 2018-04-12 10:19 - 000000000 ____D C:\WINDOWS\system32\az-Latn-AZ
    2019-05-21 08:31 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\TextInput
    2019-05-21 08:31 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\bcastdvr
    2019-05-20 10:06 - 2016-09-08 12:10 - 000000000 ____D C:\ProgramData\Package Cache
    2019-05-17 16:39 - 2018-01-13 08:08 - 000000000 ____D C:\Program Files\rempl
    2019-05-17 07:24 - 2013-08-22 16:44 - 000407740 __RSH C:\bootmgr
    2019-05-16 23:00 - 2018-05-14 21:24 - 000000000 ____D C:\Users\paul
    2019-05-16 16:49 - 2017-07-05 08:54 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
    2019-05-16 15:01 - 2018-05-14 23:05 - 000003352 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1912528622-4210353072-3792142533-1001
    2019-05-16 15:01 - 2018-05-14 21:24 - 000002364 ____C C:\Users\paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
    2019-05-16 15:01 - 2016-02-08 19:46 - 000000000 ___RD C:\Users\paul\OneDrive
    2019-05-15 19:44 - 2019-04-07 18:51 - 000000000 ____D C:\WINDOWS\Minidump
    2019-05-15 07:49 - 2018-05-14 23:05 - 000003418 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
    2019-05-15 07:49 - 2018-05-14 23:05 - 000003294 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
    2019-05-15 07:48 - 2018-05-14 23:05 - 000004572 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
    2019-05-15 07:48 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
    2019-05-15 07:48 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\system32\Macromed
    2019-05-15 07:45 - 2018-05-14 21:22 - 000233856 _____ C:\WINDOWS\system32\FNTCACHE.DAT
    2019-05-15 07:44 - 2016-04-27 14:16 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
    2019-05-14 21:40 - 2018-04-12 00:38 - 000000000 ___SD C:\WINDOWS\system32\DiagSvcs
    2019-05-14 21:40 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\ShellExperiences
    2019-05-14 21:40 - 2018-04-12 00:38 - 000000000 ____D C:\WINDOWS\PolicyDefinitions
    2019-05-14 20:15 - 2015-04-26 18:07 - 000000000 ____D C:\WINDOWS\system32\MRT
    2019-05-14 20:13 - 2015-04-26 18:07 - 132445408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2019-05-09 13:02 - 2017-10-18 07:20 - 000002155 ____C C:\Users\paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\f.lux.lnk
    2019-05-09 08:51 - 2016-04-27 14:16 - 000001232 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
    2019-05-07 17:22 - 2016-12-19 11:05 - 000000000 ___DC C:\Users\paul\AppData\Local\CrashDumps
    2019-05-04 00:53 - 2018-04-12 00:41 - 000835688 _____ (Adobe) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
    2019-05-04 00:53 - 2018-04-12 00:41 - 000179816 _____ (Adobe) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
    2019-05-01 14:49 - 2018-02-17 08:18 - 000000000 ___DC C:\Users\paul\AppData\Local\Packages
    2019-04-23 17:42 - 2018-02-19 23:11 - 000000000 ____D C:\WINDOWS\system32\Drivers\wd

    ==================== Files in the root of some directories =======

    2015-06-11 09:54 - 2015-06-11 09:54 - 000000093 ____C () C:\Users\paul\AppData\Roaming\ARCompanion.log

    Some files in TEMP:
    ====================
    2019-05-20 10:06 - 2019-05-20 10:06 - 000264320 ____C (ExpressVPN) C:\Users\paul\AppData\Local\Temp\ExpressVpn.Client.Setup.Helper.exe

    ==================== Bamital & volsnap ======================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\wininit.exe => File is digitally signed
    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
    C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2018-05-14 21:22

    ==================== End of FRST.txt ============================

    # -------------------------------
    # Malwarebytes AdwCleaner 7.3.0.0
    # -------------------------------
    # Build: 04-04-2019
    # Database: 2019-04-29.1 (Cloud)
    # Support: https://www.malwarebytes.com/support
    #
    # -------------------------------
    # Mode: Clean
    # -------------------------------
    # Start: 05-24-2019
    # Duration: 00:00:00
    # OS: Windows 10 Pro
    # Cleaned: 3
    # Failed: 0


    ***** [ Services ] *****

    No malicious services cleaned.

    ***** [ Folders ] *****

    Deleted C:\Program Files (x86)\Yahoo!\yset

    ***** [ Files ] *****

    No malicious files cleaned.

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    No malicious tasks cleaned.

    ***** [ Registry ] *****

    Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\chatango.com
    Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\chatango.com

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries cleaned.

    ***** [ Chromium URLs ] *****

    No malicious Chromium URLs cleaned.

    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries cleaned.

    ***** [ Firefox URLs ] *****

    No malicious Firefox URLs cleaned.


    *************************

    [+] Delete Tracing Keys
    [+] Reset Winsock

    *************************

    AdwCleaner[S00].txt - [1705 octets] - [24/05/2019 08:42:28]

    ########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########

    RogueKiller Anti-Malware V13.2.1.0 (x64) [May 22 2019] (Free) by Adlice Software
    mail : https://adlice.com/contact/
    Website : https://adlice.com/download/roguekiller/
    Operating System : Windows 10 (10.0.17134) 64 bits
    Started in : Normal mode
    User : Amin [Administrator]
    Started from : C:\Users\paul\Downloads\RogueKiller_portable64.exe
    Signatures : 20190523_102638, Driver : Loaded
    Mode : Standard Scan, Delete -- Date : 2019/05/24 09:02:34 (Duration : 00:08:47)

    ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Delete ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤
    [PUP.HackTool (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{0BD6780F-CA42-4800-B9B4-C60BEE4E1262} -- [%ProgramFiles%\KMSpico\Service_KMS.exe] -> Deleted
    [PUP.HackTool (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{AAD27CE5-3BAF-437F-B300-05443B2DCEE6} -- [%ProgramFiles%\KMSpico\Service_KMS.exe] -> Deleted
    [PUP.HackTool (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{732B1A2E-983F-4423-83DF-F412CA7F742C} -- [%ProgramFiles%\KMSpico\AutoPico.exe] -> Deleted
    [PUP.HackTool (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{A176E4BB-2F21-48B8-8B1E-BCB78C766539} -- [%ProgramFiles%\KMSpico\AutoPico.exe] -> Deleted
    [PUP.HackTool (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{6D21C8FE-1D7E-4B3D-8A20-54B9ECA8924D} -- [%ProgramFiles%\KMSpico\KMSELDI.exe] -> Deleted
    [PUP.HackTool (Potentially Malicious)] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{E48987FB-13EA-4C6E-A32E-FE834F7ED99C} -- [%ProgramFiles%\KMSpico\KMSELDI.exe] -> Deleted
    [PUP.HackTool (Potentially Malicious)] KMSpico -- %ProgramFiles%\KMSpico -> Deleted

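    The FRST file listings above are what a helper reads by hand, line after line. As an added example that is not part of this thread and not code from FRST or its author, here is a small Python parser for the "One Month Created/Modified" line format that flags the two things a triager looks for first: a PE file sitting in a user-writable location (Temp, Downloads, Desktop, Roaming, Public) and a PE file whose version resource carries no company name (FRST prints "()" for that; the field is absent entirely for folders and plain data files). The sample lines are copied from the log above plus one constructed line (updater.exe, which does not exist on this machine and is only there to exercise the second rule); the extension and location lists are my own assumptions, not FRST's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of an FRST "One Month Created/Modified" file line (assumption from the log, not FRST's own spec):
#   <modified stamp> - <created stamp> - <size> <attrs> [(<company>)] <path>
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"      # "()" -> "", absent -> None
    r"(?P<path>[A-Za-z]:\\.*)$"
)

# Constructed sample: six lines copied from the FRST log above, one header line, and one
# constructed line (updater.exe) that does not exist on the machine in this thread.
SAMPLE = r"""
2019-05-14 20:15 - 2019-04-19 11:54 - 000720200 _____ (Microsoft Corporation) C:\WINDOWS\system32\kernel32.dll
2019-05-14 20:15 - 2019-04-19 04:18 - 000806360 _____ C:\WINDOWS\system32\locale.nls
2019-05-08 16:49 - 2019-05-15 07:44 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2019-05-20 10:06 - 2019-05-20 10:06 - 000264320 ____C (ExpressVPN) C:\Users\paul\AppData\Local\Temp\ExpressVpn.Client.Setup.Helper.exe
2015-06-11 09:54 - 2015-06-11 09:54 - 000000093 ____C () C:\Users\paul\AppData\Roaming\ARCompanion.log
2019-05-14 20:13 - 2015-04-26 18:07 - 132445408 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2019-05-22 03:14 - 2019-05-22 03:14 - 000051200 _____ () C:\Users\paul\AppData\Local\Temp\updater.exe
==================== One Month Modified files and folders ========
"""


@dataclass
class Entry:
    modified: str
    created: str
    size: int
    attrs: str
    company: Optional[str]   # None = field absent, "" = "()" in the log
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def extension(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file line; return None for headers, comments and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["modified"], m["created"], int(m["size"]),
                 m["attrs"], m["company"], m["path"].strip())


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


# Assumed lists: PE-type extensions and location markers an ordinary user can write to.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".cpl", ".scr", ".com", ".ocx", ".drv"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\",
                 "\\desktop\\", "\\appdata\\roaming\\", "\\users\\public\\")


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for PE files that deserve a closer look."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if e.is_dir or e.extension not in EXECUTABLE_EXTS:
            continue
        low = e.path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            findings.append((e.path, "executable in user-writable location"))
        if not e.company:   # None or "" both mean no company name was reported
            findings.append((e.path, "executable without company/version info"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE)):
        print(f"{reason}: {path}")
```

    Run against the sample, it reports the ExpressVPN helper in Temp (present company name, so only the location rule fires) and the constructed updater.exe twice. A hit is a prompt to look, not a verdict: the ExpressVPN line in the real log is an installer helper the user ran that week, which is exactly why the helper's fixlist only removes it from Temp rather than treating it as malware.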
  4. #4
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,777

    Default

    Were you able to run the script I created?

    Start Farbar Recovery Scan Tool with Administrator privileges
    (Right click on the FRST icon and select Run as administrator)

    Highlight the text below and select Copy,
    beginning with Start:: and finishing with End::
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Highlight the entire content of the quote box below and select Copy.


    Start::
    CloseProcesses:
    CreateRestorePoint:
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    CHR DefaultSearchURL: Profile 3 -> hxxps://uk.search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
    CHR DefaultSearchKeyword: Profile 3 -> Yahoo
    CHR DefaultSuggestURL: Profile 3 -> hxxps://uk.search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
    2019-05-20 10:06 - 2019-05-20 10:06 - 000264320 ____C (ExpressVPN) C:\Users\paul\AppData\Local\Temp\ExpressVpn.Client.Setup.Helper.exe
    Task: {457D7BE4-AEE1-4178-80EE-7E492469AC77} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    ShortcutWithArgument: C:\Users\paul\Desktop\J - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 4"
    ShortcutWithArgument: C:\Users\paul\Desktop\simon - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 3"
    ShortcutWithArgument: C:\Users\paul\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 2"
    C:\Windows\Temp\*.*
    End::
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Start FRST (FRST64) with Administrator privileges
    Press the Fix button. FRST will process the lines copied above from the clipboard.
    When finished, a log file Fixlog.txt will pop up and be saved in the same location the tool was run from.

    Please copy and paste its contents in your next reply.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What you posted was a scan run using Farbar Recovery Scan Tool (FRST).
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  5. #5
    Junior Member
    Join Date
    Nov 2014
    Posts
    19

    Default

    Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
    Ran by Amin (24-05-2019 14:27:11) Run:3
    Running from C:\Users\paul\Desktop
    Loaded Profiles: Amin (Available Profiles: Amin)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CloseProcesses:
    CreateRestorePoint:
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
    CHR DefaultSearchURL: Profile 3 -> hxxps://uk.search.yahoo.com/search?p={searchTerms}&fr=yset_chr_syc_oracle&type=default
    CHR DefaultSearchKeyword: Profile 3 -> Yahoo
    CHR DefaultSuggestURL: Profile 3 -> hxxps://uk.search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
    2019-05-20 10:06 - 2019-05-20 10:06 - 000264320 ____C (ExpressVPN) C:\Users\paul\AppData\Local\Temp\ExpressVpn.Client.Setup.Helper.exe
    Task: {457D7BE4-AEE1-4178-80EE-7E492469AC77} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
    ShortcutWithArgument: C:\Users\paul\Desktop\J - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 4"
    ShortcutWithArgument: C:\Users\paul\Desktop\simon - Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 3"
    ShortcutWithArgument: C:\Users\paul\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) -> --profile-directory="Profile 2"
    C:\Windows\Temp\*.*

    *****************

    Processes closed successfully.
    Restore point was successfully created.
    HKLM\SOFTWARE\Policies\Google => not found
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => not found
    "Chrome DefaultSearchURL" => removed successfully
    "Chrome DefaultSearchKeyword" => removed successfully
    "Chrome DefaultSuggestURL" => removed successfully
    "C:\Users\paul\AppData\Local\Temp\ExpressVpn.Client.Setup.Helper.exe" => not found
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{457D7BE4-AEE1-4178-80EE-7E492469AC77} => could not remove. Access Denied.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => could not remove. Access Denied.
    C:\Users\paul\Desktop\J - Chrome.lnk => Shortcut argument removed successfully
    C:\Users\paul\Desktop\simon - Chrome.lnk => Shortcut argument removed successfully
    C:\Users\paul\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9501e18d7c2ab92e\Google Chrome.lnk => Shortcut argument removed successfully

    =========== "C:\Windows\Temp\*.*" ==========

    C:\Windows\Temp\BitDefender Threat Scanner.dmp => moved successfully
    C:\Windows\Temp\MpCmdRun.log => moved successfully

    ========= End -> "C:\Windows\Temp\*.*" ========


    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 24-05-2019 14:29:02)


    Result of scheduled keys to remove after reboot:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{457D7BE4-AEE1-4178-80EE-7E492469AC77} => could not remove. Access Denied.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => could not remove. Access Denied.

    ==== End of Fixlog 14:29:02 ====

  6. #6
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,777

    Default

    Let's check for remnants.

    Open Malwarebytes Anti-Malware
    Click the Settings tab, at the top choose Protection and tick Scan for rootkits.
    Click the Dashboard tab, choose Scan, Threat Scan is checked and click Start Scan.
    If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
    Upon completion of the scan (or after the reboot), click the Reports tab.
    Double-click the Scan Log.
    At the bottom click Export and choose Text file.

    Save the file to your desktop and include its content in your next reply.

    You can access the logs by going to the "Reports" tab, clicking on the latest "Scan" entry (the one with detections), then clicking on the "Export" button in the bottom-left corner and selecting "Copy to clipboard". After that, all you have to do is paste it here.


    ~~

    Follow the instructions below to run a scan using the Emsisoft Emergency Kit.
    • Download the Emsisoft Emergency Kit and execute it. From there, click on the Install button to extract the program in the EEK folder;
    • Once the extraction is complete, the EEK folder will open. Right-click on start emergency kit scanner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
    • EEK will suggest that you run an online update before using the program. Click on Yes to launch it.
    • After the update, click on Malware Scan under 2. Scan and accept to let EEK detect PUPs (click on Yes).
    • Once the scan is complete, make sure that every item in the list is checked, and click on the Quarantine selected button;
    • If it asks you for a reboot to delete some items, click on Ok to reboot automatically;
    • After the restart, open EEK again (in the C:\EEK folder);
    • This time, click on Logs;
    • From there, go under the Quarantine Log tab, and click on the Export button;
    • Save the log on your desktop, then open it, and copy/paste its content in your next reply;

    Please post these 2 logs when finished.

    Also, tell me how the computer is now.

  7. #7
    Junior Member
    Join Date
    Nov 2014
    Posts
    19

    Default

    Hi, nothing detected on the scans. PC running quicker now.

    I use Chrome Extensions Ad Block, Privacy Badger, Ghostery and Gmail notifier. Are these add ons ok?

  8. #8
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,777

    Default

    Quote Originally Posted by jackwil:
    Hi, nothing detected on the scans. PC running quicker now.

    I use Chrome Extensions Ad Block, Privacy Badger, Ghostery and Gmail notifier. Are these add ons ok?
    It's all good news.

    I think the addons/extensions you have are good, even though I've never used Ghostery and GMail notifier.
    I've tried to lead people into installing NoScript.
    NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    Google Chrome
    https://chrome.google.com/webstore/d...jecmcbfeoakpjm

    I think people get annoyed with the tool, but I find that if I leave the addons window open, I can enable/disable it as needed.

    ~~~~~~~~~~~~~~~~~~~~~~

    Let me know if you're ready to remove tools and quarantine folders.

  9. #9
    Junior Member
    Join Date
    Nov 2014
    Posts
    19

    Default

    Read

  10. #10
    Security Expert Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,777

    Default

    • Please download DelFix or from Here and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
    • Click the Run button.
    • This will remove the specialized tools we used to disinfect your system.
      Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

    ***************
