#1
03-11-17, 13:10
J0HN (Familiar face; Join Date: Apr 2013; Posts: 52)
Chrome: Yahoo redirection malware.

I had Chrome opening with www.google.co.uk and every new tab opened with that. Suddenly that changed to a similar looking page but without the Google logo, and also with Opera type speed dial thumbs. Searching using the search field or the address bar uses yahoo.

I have changed back to opening with Google but still each new tab has this 'fake' page with the yahoo redirection. There is no way to change that in settings now. I have 'managed search engines' and deleted Yahoo (on the occasion that it was there), to no avail.

I have uninstalled Chrome various times, using Windows, Ccleaner and IObit uninstaller. I have manually deleted Google files and folders.

I have tried the following:
Avast
Avast Boottime scan
Malwarebytes anti malware
ADWcleaner
Ccleaner
Trend Micro Homecall
Rkill
Hitman Pro

I'm currently trying an old favourite of mine, Spybot Search and Destroy, but it seems to have a problem updating definitions.

Can anyone offer any advice? I'm not averse to reinstalling Windows, or upgrading from 8.1 to 10, but that's overkill, and also I have about 200GB of audiobooks I really need to save first, which means buying an external HDD.

I'm using Opera but would really like to go back to Chrome.
#2
03-11-17, 13:14
J0HN (Familiar face; Join Date: Apr 2013; Posts: 52)
Re: Chrome: Yahoo redirection malware.

In settings and Manage Search Engines (I think) there is an option to choose a search engine for the address bar. This has the word 'WEB' in it and is greyed out.

Also, I've tried the Chrome Clean up tool, which didn't work.

I'm in no doubt that there is an evil virus somewhere.
#3
03-11-17, 13:54
Hello_There (Global Moderator; Join Date: Aug 2003; Posts: 9,323)
Re: Chrome: Yahoo redirection malware.
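A greyed-out search-engine or new-tab setting in Chrome means the value is being supplied by enterprise policy rather than by the user; on Windows those policies live under the Policies\Google\Chrome registry keys, and the FRST log posted later in this thread flags exactly that ("GroupPolicy: Restriction - Chrome" and "CHR HKLM\SOFTWARE\Policies\Google: Restriction"), alongside an Internet Explorer start page pointing at yardood.com. The PowerShell below is an added example for this thread, not code from the poster, the forum helpers or FRST: it is a read-only audit that lists the Chrome policy values, the IE start/search pages and the Group Policy .pol files (including the C:\ProgramData\ntuser.pol entry the log lists) so a helper can see what is re-applying the hijack. It assumes the standard registry locations and uses policy names from Chrome's published policy list; nothing is modified.

```powershell
# Added example, not from the thread: read-only audit of the places FRST reports as
# "GroupPolicy: Restriction - Chrome" / "Policies\Google" and as the IE "Start Page".
# Run in an elevated PowerShell on the affected machine. Nothing is changed.

$chromePolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

# Policy names (from Chrome's policy list) that lock the default search engine,
# homepage, start-up pages, new tab page, or force-install extensions.
$lockingPolicies = @(
    'DefaultSearchProviderEnabled', 'DefaultSearchProviderName',
    'DefaultSearchProviderSearchURL', 'DefaultSearchProviderKeyword',
    'HomepageLocation', 'HomepageIsNewTabPage', 'NewTabPageLocation',
    'RestoreOnStartup', 'RestoreOnStartupURLs', 'ExtensionInstallForcelist'
)

function Get-ChromePolicyEntries {
    foreach ($path in $chromePolicyKeys) {
        if (-not (Test-Path -Path $path)) { continue }
        # The key itself plus its subkeys: list-type policies (RestoreOnStartupURLs,
        # ExtensionInstallForcelist) are stored as numbered values under a subkey.
        $keys = @(Get-Item -Path $path) + @(Get-ChildItem -Path $path -Recurse)
        foreach ($key in $keys) {
            $leaf = Split-Path -Path $key.Name -Leaf
            foreach ($valueName in $key.GetValueNames()) {
                # Flag the entry when the value name or its parent key is a locking policy.
                $flagged = ($lockingPolicies -contains $valueName) -or
                           ($lockingPolicies -contains $leaf)
                [pscustomobject]@{
                    Key     = $key.Name
                    Name    = $valueName
                    Value   = $key.GetValue($valueName)
                    Locking = $flagged
                }
            }
        }
    }
}

function Get-IEStartPages {
    # Same three hives/views FRST lists for "Internet Explorer\Main,Start Page".
    $ieKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main',
        'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
    )
    foreach ($path in $ieKeys) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in 'Start Page', 'Default_Page_URL', 'Search Page') {
            $value = $props.$name
            if ($value) {
                [pscustomobject]@{ Key = $path; Name = $name; Value = $value }
            }
        }
    }
}

function Get-PolicyFiles {
    # Registry.pol is replayed into the registry on every Group Policy refresh, so a
    # restriction removed from the registry alone comes back after the next refresh.
    $candidates = @(
        "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol",
        "$env:SystemRoot\System32\GroupPolicy\User\Registry.pol",
        "$env:ProgramData\ntuser.pol"    # path as listed (attributes RSH) in the FRST log
    )
    foreach ($file in $candidates) {
        if (Test-Path -LiteralPath $file) {
            Get-Item -LiteralPath $file -Force |
                Select-Object FullName, Length, CreationTime, LastWriteTime, Attributes
        }
    }
}

Write-Host '== Chrome policy entries (Locking = controls search/homepage/new tab) =='
Get-ChromePolicyEntries | Format-Table -AutoSize
Write-Host '== Internet Explorer start / search pages =='
Get-IEStartPages | Format-Table -AutoSize
Write-Host '== Group Policy .pol files present =='
Get-PolicyFiles | Format-Table -AutoSize
```

Cross-check the registry output against chrome://policy, which shows every policy Chrome is currently honouring and where it came from; a search provider or new-tab URL listed there that nobody configured is the setting behind the greyed-out "WEB" entry. Keep the output for the helper rather than deleting keys by hand, since the .pol files and any scheduled task or service that writes them would restore the values.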

Hi J0HN, can you please follow the instructions here so that Kevin can help you out. Thanks.
#4
03-11-17, 22:26
J0HN (Familiar face; Join Date: Apr 2013; Posts: 52)
Re: Chrome: Yahoo redirection malware.

OK here goes:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-11-2017
Ran by John (administrator) on JOHNS (02-11-2017 16:01:44)
Running from C:\Users\John\AppData\Local\Temp\scoped_dir2140_15887
Loaded Profiles: John (Available Profiles: John)
Platform: Windows 8.1 Pro (Update) (X64) Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
(IObit) C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
(Opera Software) C:\Program Files (x86)\Opera\48.0.2685.52\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\48.0.2685.52\opera_crashreporter.exe
(Opera Software) C:\Program Files (x86)\Opera\48.0.2685.52\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\48.0.2685.52\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\48.0.2685.52\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\48.0.2685.52\opera.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [1796056 2014-08-19] (NVIDIA Corporation)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163800 2016-11-02] (IvoSoft)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [253344 2017-10-11] (AVAST Software)
HKLM-x32\...\Run: [ProductUpdater] => C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIHME.EXE [283232 2017-02-20] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [10021040 2017-10-18] (Piriform Ltd)
Startup: C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-08-01]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{85925E73-D1D4-467F-8264-89DFB16D3ED4}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp:www.yardood.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp:www.yardood.com
HKU\S-1-5-21-3092938066-71598384-3575754765-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp:www.yardood.com
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2017-10-29] (Microsoft Corporation)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2017-10-29] (Microsoft Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2016-07-30] (IvoSoft)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2017-10-19] (Microsoft Corporation)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2017-10-11] (AVAST Software)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2017-10-29] (Microsoft Corporation)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-29] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-29] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-29] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2017-10-29] (Microsoft Corporation)

FireFox:
========
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2017-04-07] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.5.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2017-04-07] (VideoLAN)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2017-10-19] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2017-10-19] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-11-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-11-02] (Google Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.co.uk/
CHR Profile: C:\Users\John\AppData\Local\Google\Chrome\User Data\Default [2017-11-02]
CHR Extension: (Slides) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-11-02]
CHR Extension: (Docs) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-11-02]
CHR Extension: (Google Drive) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-11-02]
CHR Extension: (YouTube) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-11-02]
CHR Extension: (Sheets) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-11-02]
CHR Extension: (Google Docs Offline) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-11-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-11-02]
CHR Extension: (Gmail) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-11-02]
CHR Extension: (Chrome Media Router) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-11-02]

Opera:
=======
OPR Session Restore: -> is enabled.

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2017-09-07] (Apple Inc.)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7446024 2017-10-11] (AVAST Software s.r.o.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [281416 2017-10-11] (AVAST Software)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [7923880 2017-10-23] (Microsoft Corporation)
S3 FreemakeVideoCapture; C:\Program Files (x86)\Freemake\CaptureLib\CaptureLibService.exe [9216 2017-05-24] (Ellora Assets Corp.) [File not signed]
R2 IObitUnSvr; C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe [360736 2016-11-05] (IObit)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6058960 2017-08-07] (Malwarebytes)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [361824 2017-04-12] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [119872 2017-04-12] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 aswbidsdriver; C:\Windows\system32\drivers\aswbidsdrivera.sys [321032 2017-10-11] (AVAST Software s.r.o.)
R0 aswbidsh; C:\Windows\system32\drivers\aswbidsha.sys [198976 2017-10-11] (AVAST Software s.r.o.)
R0 aswblog; C:\Windows\system32\drivers\aswbloga.sys [343288 2017-10-11] (AVAST Software s.r.o.)
R0 aswbuniv; C:\Windows\system32\drivers\aswbuniva.sys [57736 2017-10-11] (AVAST Software s.r.o.)
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [47008 2017-10-11] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [41832 2017-09-06] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [147776 2017-10-11] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [110376 2017-10-11] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\drivers\aswRvrt.sys [84416 2017-10-11] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1029872 2017-10-26] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [587168 2017-10-11] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [201352 2017-10-11] (AVAST Software)
R0 aswVmm; C:\Windows\system32\drivers\aswVmm.sys [363440 2017-10-11] (AVAST Software)
R0 FSProFilter2; C:\Windows\System32\Drivers\FSPFltd2.sys [57648 2016-12-06] (FSPro Labs)
R0 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [252232 2017-10-30] (Malwarebytes)
R3 MTsensor; C:\Windows\system32\DRIVERS\ASACPI.sys [17280 2013-05-17] ()
R2 npf; C:\Windows\System32\drivers\npf.sys [35344 2011-02-11] (CACE Technologies, Inc.)
S3 tapSF0901; C:\Windows\system32\DRIVERS\tapSF0901.sys [39104 2017-01-02] (Spotflux, Inc.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [46600 2017-04-12] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [274776 2017-04-12] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [117592 2017-04-12] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-02 16:01 - 2017-11-02 16:01 - 002403328 _____ (Farbar) C:\Users\John\Desktop\FRST64.exe
2017-11-02 16:01 - 2017-11-02 16:01 - 000000000 ____D C:\ProgramData\SWCUTemp
2017-11-02 16:01 - 2017-11-02 16:01 - 000000000 ____D C:\FRST
2017-11-02 11:22 - 2017-11-02 11:23 - 003934840 _____ (Google) C:\Users\John\Downloads\chrome_cleanup_tool (1).exe
2017-11-02 02:25 - 2017-11-02 02:25 - 000002287 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-11-02 02:25 - 2017-11-02 02:25 - 000002275 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-11-02 02:24 - 2017-11-02 11:23 - 000003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2017-11-02 02:24 - 2017-11-02 11:23 - 000003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2017-11-02 02:24 - 2017-11-02 11:23 - 000000000 ____D C:\Users\John\AppData\Local\Google
2017-11-02 02:24 - 2017-11-02 02:24 - 000000000 ____D C:\Program Files (x86)\Google
2017-11-02 02:23 - 2017-11-02 02:23 - 001130328 _____ (Google Inc.) C:\Users\John\Desktop\ChromeSetup.exe
2017-11-02 01:45 - 2017-11-02 15:38 - 000000000 ____D C:\AdwCleaner
2017-11-02 01:44 - 2017-11-02 01:44 - 008261584 _____ (Malwarebytes) C:\Users\John\Downloads\adwcleaner_7.0.4.0.exe
2017-10-30 21:52 - 2017-10-30 21:53 - 000000000 ____D C:\Program Files (x86)\GUM74ED.tmp
2017-10-30 21:50 - 2017-10-30 21:50 - 003934840 _____ (Google) C:\Users\John\Downloads\chrome_cleanup_tool.exe
2017-10-30 17:07 - 2017-10-30 17:07 - 000252232 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2017-10-30 17:07 - 2017-10-30 17:07 - 000192952 ____N (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2017-10-30 17:07 - 2017-10-30 17:07 - 000001883 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-10-30 17:07 - 2017-10-30 17:07 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-10-30 17:07 - 2017-10-30 17:07 - 000000000 ____D C:\Program Files\Malwarebytes
2017-10-30 17:07 - 2017-10-04 13:15 - 000077440 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-10-30 17:04 - 2017-10-30 17:05 - 071535032 _____ (Malwarebytes ) C:\Users\John\Downloads\mb3-setup-consumer-3.2.2.2029-1.0.212-1.0.2951.exe
2017-10-30 16:10 - 2017-10-30 16:38 - 000000000 ____D C:\Users\John\Desktop\TOMMYS TEXTS
2017-10-30 16:08 - 2017-10-30 16:08 - 000000000 ____D C:\Users\John\Desktop\New folder (3)
2017-10-30 13:59 - 2017-10-30 13:59 - 000001726 __RSH C:\ProgramData\ntuser.pol
2017-10-30 13:29 - 2017-10-30 13:29 - 000000000 ____D C:\Users\John\AppData\Roaming\{2A82324E-1E3C-4E88-A68A-8BA11B0417FE}
2017-10-30 13:28 - 2017-10-30 14:03 - 000000000 ____D C:\Users\John\AppData\Local\Wide Angle Software
2017-10-30 13:28 - 2017-10-30 13:28 - 000000000 ____D C:\Users\John\AppData\Local\Wide_Angle_Software
2017-10-30 13:26 - 2017-10-30 13:26 - 000000000 ____D C:\ProgramData\Caphyon
2017-10-30 13:25 - 2017-10-30 13:25 - 000000000 ____D C:\Users\John\AppData\Roaming\Wide Angle Software
2017-10-30 05:55 - 2017-10-30 13:29 - 000000000 ____D C:\Users\John\AppData\Roaming\Apple Computer
2017-10-30 05:53 - 2017-10-30 05:54 - 000000000 ____D C:\Program Files\Common Files\Apple
2017-10-30 05:51 - 2017-10-30 05:54 - 000000000 ____D C:\ProgramData\Apple
2017-10-30 05:45 - 2017-10-30 05:45 - 010309028 _____ C:\Users\John\Downloads\CopyTransDriversInstallerv2.044.zip
2017-10-30 05:41 - 2017-10-30 05:54 - 000000000 ____D C:\Users\John\AppData\Roaming\WindSolutions
2017-10-30 05:41 - 2017-10-30 05:46 - 000000000 ____D C:\ProgramData\WindSolutions
2017-10-30 05:41 - 2017-10-30 05:41 - 000001378 _____ C:\Users\John\Desktop\CopyTrans Control Center.lnk
2017-10-30 05:41 - 2017-10-30 05:41 - 000000000 ____D C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CopyTrans Control Center
2017-10-30 05:40 - 2017-10-30 05:41 - 008046792 _____ (WindSolutions) C:\Users\John\Downloads\Install_CopyTransControlCenter.exe
2017-10-30 05:03 - 2017-11-01 20:16 - 000000144 _____ C:\Users\John\Desktop\yorkshire.txt
2017-10-29 22:26 - 2017-10-29 22:26 - 010427120 _____ (Piriform Ltd) C:\Users\John\Downloads\ccsetup536.exe
2017-10-29 22:26 - 2017-10-29 22:26 - 000003872 _____ C:\Windows\System32\Tasks\CCleaner Update
2017-10-27 19:39 - 2017-10-27 19:39 - 000000775 _____ C:\Users\John\Desktop\sats bets.txt
2017-10-24 19:46 - 2017-10-24 19:46 - 000015349 _____ C:\Users\John\Downloads\Fees Payment Record - For Board - July 17.odt
2017-10-22 19:21 - 2017-10-22 19:23 - 000000000 ____D C:\Users\John\Downloads\Gong - Camembert Electrique
2017-10-22 19:17 - 2017-10-22 19:19 - 000000000 ____D C:\Users\John\Downloads\Genesis - And Then There Were Three-1978 [MP3 @ 320] (oan)
2017-10-22 12:25 - 2017-10-22 12:26 - 000000000 ____D C:\Users\John\Downloads\slumdog millionare
2017-10-22 12:24 - 2017-10-22 12:25 - 000000000 ____D C:\Users\John\Downloads\The Satan Bug
2017-10-22 12:23 - 2017-10-23 20:58 - 000000000 ____D C:\Users\John\Downloads\1 Borderlands
2017-10-21 01:05 - 2017-10-21 01:11 - 000000000 ____D C:\Users\John\Downloads\G. J. Meyer - The Tudors - mp3
2017-10-21 00:57 - 2017-10-21 01:07 - 000000000 ____D C:\Users\John\Downloads\ANDY McNAB ~ [Nick Stone 19] - Line Of Fire
2017-10-21 00:57 - 2017-10-21 01:04 - 000000000 ____D C:\Users\John\Downloads\BERNARD CORNWELL - Fools And Mortals
2017-10-21 00:55 - 2017-10-21 00:57 - 000000000 ____D C:\Users\John\Downloads\The Preacher
2017-10-21 00:55 - 2017-10-21 00:57 - 000000000 ____D C:\Users\John\Downloads\John Denver - Take Me Home, An Autobiography [Audiobook]
2017-10-21 00:51 - 2017-10-21 00:55 - 000000000 ____D C:\Users\John\Downloads\Stephen King - Joyland (2013) - mp3
2017-10-21 00:51 - 2017-10-21 00:52 - 000000000 ____D C:\Users\John\Downloads\Stephen King - The Colorado Kid (2005)
2017-10-19 19:03 - 2017-10-19 19:03 - 000738624 _____ C:\Users\John\Desktop\ticketdirect1052845969.pdf
2017-10-19 18:57 - 2017-10-19 18:57 - 000738624 _____ C:\Users\John\Downloads\ticketdirect1052845969.pdf
2017-10-16 18:54 - 2017-10-16 18:55 - 000000000 ____D C:\Users\John\Desktop\107APPLE
2017-10-15 01:17 - 2017-10-15 01:18 - 000000000 ____D C:\Users\John\Downloads\Night Without End
2017-10-14 19:58 - 2017-10-14 19:58 - 000000308 _____ C:\Users\John\Desktop\CORBRIDGR NEW BIT.txt
2017-10-13 20:01 - 2017-10-13 20:03 - 000000000 ____D C:\Users\John\Downloads\Where Eagles Dare
2017-10-13 19:59 - 2017-10-13 20:05 - 000000000 ____D C:\Users\John\Downloads\Edwin Thomas - The Chains Of Albion
2017-10-13 19:58 - 2017-10-13 19:59 - 000000000 ____D C:\Users\John\Downloads\Haunted - James Patterson (MP3)
2017-10-13 19:50 - 2017-10-13 19:57 - 000000000 ____D C:\Users\John\Downloads\Claudius - Douglas Jackson
2017-10-13 15:16 - 2017-10-13 15:17 - 000000000 ____D C:\Users\John\Downloads\Santorini
2017-10-12 20:44 - 2017-10-23 02:59 - 000000000 ____D C:\Users\John\Downloads\Conn Iggulden - Wolf Of The Plains
2017-10-12 19:43 - 2017-10-12 19:46 - 000000000 ____D C:\Users\John\Downloads\ROBERT HARRIS - Munich
2017-10-12 19:35 - 2017-10-23 03:00 - 000000000 ____D C:\Users\John\Downloads\EDWIN THOMAS ~ [Martin Jerrold 01] - The Blighted Cliffs
2017-10-12 00:30 - 2017-10-23 02:59 - 000000000 ____D C:\Users\John\Downloads\Conn Iggulden - The Field Of Swords
2017-10-12 00:13 - 2017-10-12 00:13 - 126925120 ____C (Microsoft Corporation) C:\Windows\system32\MRT-KB890830.exe
2017-10-11 23:06 - 2017-10-23 02:59 - 000000000 ____D C:\Users\John\Downloads\Conn Iggulden - Conqueror 05
2017-10-11 22:04 - 2017-10-11 22:21 - 000000000 ____D C:\Users\John\Downloads\Conn Iggulden
2017-10-11 21:44 - 2017-10-11 21:56 - 000000000 ____D C:\Users\John\Downloads\Bones of the Hills
2017-10-11 21:32 - 2017-10-23 21:00 - 000000000 ____D C:\Users\John\Downloads\+Genghius Birth of an Empire
2017-10-11 21:24 - 2017-10-11 21:30 - 000000000 ____D C:\Users\John\Downloads\Lords of the Bow
2017-10-11 21:08 - 2017-10-11 21:16 - 000000000 ____D C:\Users\John\Downloads\CONN IGGULDEN ~ [Wars of the Roses 04] - Ravenspur
2017-10-11 20:58 - 2017-10-23 02:59 - 000000000 ____D C:\Users\John\Downloads\DAVID CHURCHILL ~ [Leopards of Normandy 01] - Devil
2017-10-11 20:53 - 2017-10-11 21:15 - 000000000 ____D C:\Users\John\Downloads\CONN IGGULDEN ~ [Conqueror 05] - Conqueror
2017-10-11 20:48 - 2017-10-11 20:56 - 000000000 ____D C:\Users\John\Downloads\CONN IGGULDEN ~ [War Of The Roses 01] - Stormbird
2017-10-11 20:44 - 2017-10-11 20:52 - 000000000 ____D C:\Users\John\Downloads\CONN IGGULDEN ~ [War Of The Roses 02] - Trinity
2017-10-11 20:38 - 2017-10-11 20:46 - 000000000 ____D C:\Users\John\Downloads\CONN IGGULDEN ~ [Emperor 01] - The Gates Of Rome - Mine
2017-10-11 20:37 - 2017-10-11 21:03 - 000000000 ____D C:\Users\John\Downloads\CONN IGGULDEN ~ [Emperor 02] - The Death Of Kings - Mine
2017-10-11 20:37 - 2017-10-11 20:43 - 000000000 ____D C:\Users\John\Downloads\CONN IGGULDEN ~ [Emperor 04] - The Gods Of War - Mine
2017-10-11 19:35 - 2017-10-11 19:35 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qBittorrent
2017-10-11 19:35 - 2017-10-11 19:35 - 000000000 ____D C:\Program Files (x86)\qBittorrent
2017-10-11 19:34 - 2017-10-11 19:34 - 016524964 _____ (The qBittorrent project) C:\Users\John\Downloads\qbittorrent_3.3.16_setup.exe
2017-10-11 17:20 - 2017-09-14 19:30 - 007439704 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2017-10-11 17:20 - 2017-09-14 19:30 - 001737600 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2017-10-11 17:20 - 2017-09-14 19:29 - 001502000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2017-10-11 17:20 - 2017-09-14 01:18 - 001384216 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2017-10-11 17:20 - 2017-09-14 01:14 - 001124384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msctf.dll
2017-10-11 17:20 - 2017-09-13 13:32 - 000445952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\nwifi.sys
2017-10-11 17:20 - 2017-09-13 13:31 - 000445952 _____ (Microsoft Corporation) C:\Windows\system32\wlansec.dll
2017-10-11 17:20 - 2017-09-13 13:27 - 000384000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wlansec.dll
2017-10-11 17:20 - 2017-09-09 18:53 - 022361864 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2017-10-11 17:20 - 2017-09-09 17:55 - 019790760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2017-10-11 17:20 - 2017-09-09 17:38 - 000154112 _____ (Microsoft Corporation) C:\Windows\system32\TabSvc.dll
2017-10-11 17:20 - 2017-09-09 16:10 - 003631616 _____ (Microsoft Corporation) C:\Windows\system32\tquery.dll
2017-10-11 17:20 - 2017-09-09 15:49 - 002749952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tquery.dll
2017-10-11 17:20 - 2017-09-09 15:47 - 014466560 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2017-10-11 17:20 - 2017-09-09 15:21 - 012879360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2017-10-11 17:20 - 2017-09-09 13:13 - 000640512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mswstr10.dll
2017-10-11 17:20 - 2017-09-09 13:13 - 000345088 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msexcl40.dll
2017-10-11 17:20 - 2017-09-09 13:13 - 000008704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msjint40.dll
2017-10-11 17:20 - 2017-09-09 03:50 - 002013016 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ntfs.sys
2017-10-11 17:20 - 2017-09-09 03:50 - 001364552 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2017-10-11 17:20 - 2017-09-08 18:21 - 004168192 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2017-10-11 17:20 - 2017-09-08 18:15 - 000148480 _____ (Microsoft Corporation) C:\Windows\system32\t2embed.dll
2017-10-11 17:20 - 2017-09-08 17:39 - 000113152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\t2embed.dll
2017-10-11 17:20 - 2017-09-08 16:57 - 001084928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2017-10-11 17:20 - 2017-09-07 21:33 - 000686592 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv2.sys
2017-10-11 17:20 - 2017-09-07 21:33 - 000415744 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2017-10-11 17:20 - 2017-09-07 21:32 - 000285184 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2017-10-11 17:20 - 2017-09-07 21:32 - 000243200 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2017-10-11 17:20 - 2017-09-07 21:17 - 000576512 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2017-10-11 17:20 - 2017-09-07 21:17 - 000088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2017-10-11 17:20 - 2017-09-07 21:15 - 002902528 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2017-10-11 17:20 - 2017-09-07 21:08 - 025729536 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2017-10-11 17:20 - 2017-09-07 21:00 - 000817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2017-10-11 17:20 - 2017-09-07 20:40 - 005982208 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2017-10-11 17:20 - 2017-09-07 20:32 - 000092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2017-10-11 17:20 - 2017-09-07 20:31 - 000145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll
2017-10-11 17:20 - 2017-09-07 20:29 - 000315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2017-10-11 17:20 - 2017-09-07 20:21 - 001033216 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2017-10-11 17:20 - 2017-09-07 20:13 - 000262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2017-10-11 17:20 - 2017-09-07 20:11 - 000380416 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2017-10-11 17:20 - 2017-09-07 20:10 - 000807936 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2017-10-11 17:20 - 2017-09-07 20:10 - 000726528 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2017-10-11 17:20 - 2017-09-07 20:08 - 002134528 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2017-10-11 17:20 - 2017-09-07 20:08 - 000656896 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2017-10-11 17:20 - 2017-09-07 19:54 - 000329216 _____ (Microsoft Corporation) C:\Windows\system32\srvsvc.dll
2017-10-11 17:20 - 2017-09-07 19:44 - 015262720 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2017-10-11 17:20 - 2017-09-07 19:40 - 003240960 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2017-10-11 17:20 - 2017-09-07 19:27 - 001548288 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2017-10-11 17:20 - 2017-09-07 19:17 - 000800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2017-10-11 17:20 - 2017-09-07 19:10 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2017-10-11 17:20 - 2017-09-07 19:09 - 000064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2017-10-11 17:20 - 2017-09-07 19:04 - 020267008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2017-10-11 17:20 - 2017-09-07 19:03 - 002292736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2017-10-11 17:20 - 2017-09-07 18:58 - 000663040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2017-10-11 17:20 - 2017-09-07 18:39 - 000076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2017-10-11 17:20 - 2017-09-07 18:38 - 000128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2017-10-11 17:20 - 2017-09-07 18:37 - 000279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2017-10-11 17:20 - 2017-09-07 18:33 - 000880640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2017-10-11 17:20 - 2017-09-07 18:29 - 004547072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2017-10-11 17:20 - 2017-09-07 18:29 - 000230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2017-10-11 17:20 - 2017-09-07 18:27 - 000331776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2017-10-11 17:20 - 2017-09-07 18:26 - 000694784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2017-10-11 17:20 - 2017-09-07 18:25 - 002058752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2017-10-11 17:20 - 2017-09-07 18:24 - 000499200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2017-10-11 17:20 - 2017-09-07 18:17 - 013677568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2017-10-11 17:20 - 2017-09-07 18:01 - 002767872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2017-10-11 17:20 - 2017-09-07 17:57 - 001316864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2017-10-11 17:20 - 2017-09-07 17:57 - 000710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2017-10-11 17:20 - 2017-08-13 19:48 - 000202592 _____ (Microsoft Corporation) C:\Windows\system32\basecsp.dll
2017-10-11 17:20 - 2017-08-13 17:52 - 000174944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\basecsp.dll
2017-10-11 17:20 - 2017-08-13 17:10 - 000277504 _____ (Microsoft Corporation) C:\Windows\system32\scksp.dll
2017-10-11 17:20 - 2017-08-13 16:33 - 000252416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scksp.dll
2017-10-11 17:20 - 2017-08-11 21:19 - 000482304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrptadm.dll
2017-10-11 17:20 - 2017-08-11 21:14 - 000566784 _____ (Microsoft Corporation) C:\Windows\system32\scrptadm.dll
2017-10-11 17:20 - 2017-08-11 02:54 - 000445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2017-10-11 17:20 - 2017-08-11 02:22 - 000324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2017-10-11 17:20 - 2017-08-11 02:20 - 001436672 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2017-10-11 17:20 - 2017-08-11 02:16 - 000275968 _____ (Microsoft Corporation) C:\Windows\system32\authz.dll
2017-10-11 17:20 - 2017-08-11 01:57 - 000180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authz.dll
2017-10-11 17:20 - 2017-08-06 21:50 - 001080320 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2017-10-11 17:20 - 2017-08-06 21:20 - 000542720 _____ (Microsoft Corporation) C:\Windows\system32\rasmans.dll
2017-10-11 17:20 - 2017-08-06 21:13 - 000713216 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2017-10-11 17:20 - 2017-08-06 07:08 - 000561664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2017-10-11 17:20 - 2017-08-02 02:19 - 000358912 _____ (Microsoft Corporation) C:\Windows\system32\Wldap32.dll
2017-10-11 17:20 - 2017-08-01 08:25 - 000324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\Wldap32.dll
2017-10-11 16:57 - 2017-10-11 16:57 - 000401488 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2017-10-11 02:09 - 2017-10-11 02:09 - 000000000 ____D C:\Users\John\Downloads\7 Let the Dead Speak
2017-10-11 02:01 - 2017-10-11 02:09 - 000000000 ____D C:\Users\John\Downloads\6 After the Fire
2017-10-11 01:59 - 2017-10-11 01:59 - 000000000 ____D C:\Users\John\Downloads\5 The Kill
2017-10-11 01:56 - 2017-10-11 01:56 - 000000000 ____D C:\Users\John\Downloads\4 The Srtanger You Know
2017-10-11 01:45 - 2017-10-11 01:54 - 000000000 ____D C:\Users\John\Downloads\2 The Reckoning
2017-10-11 01:45 - 2017-10-11 01:45 - 000000000 ____D C:\Users\John\Downloads\3 The Last Girl
2017-10-11 01:44 - 2017-10-11 01:53 - 000000000 ____D C:\Users\John\Downloads\1 The Burning
2017-10-10 17:25 - 2017-10-10 17:34 - 000000000 ____D C:\Users\John\Downloads\ANDY McDERMOTT ~ [Wilde and Chase 13] - King Solomon's Curse
2017-10-10 17:14 - 2017-10-10 17:17 - 000000000 ____D C:\Users\John\Downloads\Diane Ackerman -The Zookeeper's Wife - mp3
2017-10-10 17:10 - 2017-10-10 17:23 - 000000000 ____D C:\Users\John\Downloads\1 Shadow of the Serpent
2017-10-10 17:09 - 2017-10-10 17:14 - 000000000 ____D C:\Users\John\Downloads\2 Fall from Grace
2017-10-10 16:57 - 2017-10-10 17:05 - 000000000 ____D C:\Users\John\Downloads\3 Trick of thje Light
2017-10-10 16:57 - 2017-10-10 17:04 - 000000000 ____D C:\Users\John\Downloads\4 Nor Will He Sleep
2017-10-10 16:56 - 2017-10-10 17:02 - 000000000 ____D C:\Users\John\Downloads\ANDY McDERMOTT ~ [Wilde and Chase 06] - The Sacred Vault
2017-10-10 14:40 - 2017-10-10 14:40 - 000000000 ____D C:\Users\John\Desktop\SHAUNS STUFF
2017-10-09 10:21 - 2017-10-09 10:31 - 000000000 ____D C:\Users\John\Downloads\Warren Zanes - Petty; The Biography [Audiobook]
2017-10-09 10:20 - 2017-10-09 10:24 - 000000000 ____D C:\Users\John\Downloads\River of Death
2017-10-09 10:20 - 2017-10-09 10:24 - 000000000 ____D C:\Users\John\Downloads\Michael Crichton - The Great Train Robbery
2017-10-07 10:40 - 2017-10-07 10:40 - 009809688 _____ (Piriform Ltd) C:\Users\John\Downloads\ccsetup535.exe
2017-10-05 21:21 - 2017-10-05 21:22 - 000000000 ____D C:\Users\John\Downloads\Matt Lucas - Little Me My Life from A-Z (Unabridged)
2017-10-04 18:24 - 2017-10-04 18:24 - 000000051 _____ C:\Users\John\Downloads\lionheart.m3u
2017-10-04 18:01 - 2017-10-04 18:06 - 000000000 ____D C:\Users\John\Downloads\Anne Rivers Siddons-Burnt Mountain
2017-10-03 21:18 - 2017-10-03 21:28 - 000000000 ____D C:\Users\John\Downloads\SIMON SCARROW ~ [Eagles 04] - The Eagle and the Wolves
2017-10-03 21:18 - 2017-10-03 21:26 - 000000000 ____D C:\Users\John\Downloads\DAN BROWN ~ [Langdon 05] - Origin
2017-10-03 21:18 - 2017-10-03 21:25 - 000000000 ____D C:\Users\John\Downloads\Ralph Cotton-Bad Day at Willow creek
2017-10-03 19:34 - 2017-10-03 19:34 - 000000000 ____D C:\Users\John\Desktop\CONN IGGULDEN - Dunstan
2017-10-03 00:38 - 2017-10-03 00:51 - 000000000 ____D C:\Users\John\Downloads\Jeff Shaara - The Smoke at Dawn A Novel of the Civil War (Unabridged)
2017-10-03 00:14 - 2017-10-03 00:43 - 000000000 ____D C:\Users\John\Downloads\Jeff Shaara - The Fateful Lightning A Novel of the Civil War (Unabridged)
2017-10-03 00:14 - 2017-10-03 00:23 - 000000000 ____D C:\Users\John\Downloads\Stephen King - The Shining
2017-10-03 00:13 - 2017-10-03 00:24 - 000000000 ____D C:\Users\John\Downloads\Gyles Brandreth - Oscar Wilde and the Dead Man's Smile (Read by Bill Wallis) (2010 BBC Audiobooks Ltd UK)

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-02 15:38 - 2016-11-02 02:29 - 000000000 ____D C:\Users\John\AppData\Local\ClassicShell
2017-11-02 11:36 - 2016-11-01 20:05 - 000003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3092938066-71598384-3575754765-1001
2017-11-02 11:28 - 2016-11-01 20:04 - 000000000 ___DO C:\Users\John\OneDrive
2017-11-02 11:25 - 2016-11-01 20:12 - 000000000 ____D C:\ProgramData\NVIDIA
2017-11-02 11:25 - 2013-08-22 14:45 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-11-02 10:50 - 2016-11-01 21:10 - 000003910 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{96E6826C-8D89-4F92-8B80-90DA4208F6FB}
2017-11-02 04:23 - 2016-11-13 14:39 - 000684544 ___SH C:\Users\John\Desktop\Thumbs.db
2017-11-02 02:45 - 2016-11-05 05:00 - 000000288 _____ C:\Windows\Tasks\Uninstaller_SkipUac_John.job
2017-11-02 01:51 - 2013-08-22 13:25 - 000262144 ___SH C:\Windows\system32\config\BBI
2017-11-02 01:50 - 2016-11-05 05:00 - 000000000 ____D C:\Users\John\AppData\LocalLow\IObit
2017-11-01 16:07 - 2014-11-22 01:00 - 001114978 _____ C:\Windows\system32\PerfStringBackup.INI
2017-11-01 16:07 - 2013-08-22 13:36 - 000000000 ____D C:\Windows\Inf
2017-10-31 00:02 - 2016-11-05 05:00 - 000000000 ____D C:\ProgramData\ProductData
2017-10-30 14:03 - 2017-02-27 20:28 - 000000000 ____D C:\Users\John\AppData\Local\Adobe
2017-10-30 13:59 - 2013-08-22 15:36 - 000000000 ___HD C:\Windows\system32\GroupPolicy
2017-10-30 13:59 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2017-10-29 22:26 - 2016-11-04 21:48 - 000000000 ____D C:\Program Files\CCleaner
2017-10-29 11:05 - 2013-08-22 15:36 - 000000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-10-29 11:03 - 2016-11-03 21:45 - 000000000 ____D C:\Program Files (x86)\Microsoft Office
2017-10-28 23:51 - 2016-11-01 19:59 - 000000000 ____D C:\Users\John\AppData\Local\Packages
2017-10-26 18:48 - 2017-06-30 19:18 - 000001063 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera browser.lnk
2017-10-26 18:48 - 2017-02-09 00:25 - 000003840 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1486599902
2017-10-26 18:48 - 2017-02-09 00:25 - 000000000 ____D C:\Program Files (x86)\Opera
2017-10-26 16:58 - 2016-11-01 22:23 - 001029872 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2017-10-24 20:11 - 2016-12-30 17:51 - 000000000 ____D C:\Users\John\Desktop\dons docs
2017-10-24 19:56 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\system32\FxsTmp
2017-10-23 21:20 - 2017-07-18 18:01 - 000000000 ____D C:\Users\John\AppData\Roaming\qBittorrent
2017-10-23 02:59 - 2017-09-25 15:57 - 000000000 ____D C:\Users\John\Downloads\BBC Audio - Fawlty Towers - The Complete Collection (2015 BBC Worldwide Ltd)
2017-10-22 19:25 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\AppReadiness
2017-10-22 11:11 - 2017-02-09 00:27 - 000004418 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2017-10-22 11:11 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2017-10-22 11:11 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\system32\Macromed
2017-10-18 17:44 - 2013-08-22 15:20 - 000000000 ____D C:\Windows\CbsTemp
2017-10-14 18:03 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\rescache
2017-10-12 23:10 - 2013-08-22 14:44 - 000474840 _____ C:\Windows\system32\FNTCACHE.DAT
2017-10-12 22:25 - 2017-04-15 16:08 - 000835576 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-10-12 22:25 - 2017-04-15 16:08 - 000177656 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-10-12 21:21 - 2013-08-22 15:36 - 000000000 ___RD C:\Windows\ToastData
2017-10-12 21:21 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\SysWOW64\en-GB
2017-10-12 21:21 - 2013-08-22 15:36 - 000000000 ____D C:\Windows\system32\en-GB
2017-10-12 00:16 - 2016-11-04 21:51 - 000000000 ____D C:\Windows\system32\MRT
2017-10-12 00:13 - 2016-11-04 21:51 - 126925120 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2017-10-11 16:58 - 2017-03-09 17:06 - 000003914 _____ C:\Windows\System32\Tasks\Avast Emergency Update
2017-10-11 16:57 - 2016-11-01 22:23 - 000587168 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2017-10-11 16:57 - 2016-11-01 22:23 - 000363440 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2017-10-11 16:57 - 2016-11-01 22:23 - 000201352 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2017-10-11 16:57 - 2016-11-01 22:23 - 000147776 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2017-10-11 16:57 - 2016-11-01 22:23 - 000110376 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2017-10-11 16:57 - 2016-11-01 22:23 - 000084416 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2017-10-11 16:57 - 2016-11-01 22:23 - 000047008 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2017-10-11 16:57 - 2016-11-01 22:21 - 000000000 ____D C:\ProgramData\AVAST Software
2017-10-11 16:56 - 2017-03-09 17:06 - 000343288 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbloga.sys
2017-10-11 16:56 - 2017-03-09 17:06 - 000198976 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsha.sys
2017-10-11 16:56 - 2017-03-09 17:06 - 000057736 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbuniva.sys
2017-10-11 16:55 - 2017-03-09 17:06 - 000321032 _____ (AVAST Software s.r.o.) C:\Windows\system32\Drivers\aswbidsdrivera.sys
2017-10-09 15:42 - 2016-11-07 01:09 - 000000000 ____D C:\Users\John\AppData\Roaming\vlc
2017-10-03 19:20 - 2017-09-30 17:15 - 000000000 ____D C:\Users\John\Downloads\Taubman, William - Gorbachev; His Life and Times
2017-10-03 19:20 - 2017-09-23 15:52 - 000000000 ____D C:\Users\John\Downloads\Charles Dickens - A Tales of Two Cities (Read by Tom Baker) (1992 Durkin Hayes Audio Ltd USA)

==================== Files in the root of some directories =======

2017-04-29 08:51 - 2017-04-29 08:51 - 000184174 _____ () C:\Users\John\AppData\Local\ars.cache
2017-04-29 08:52 - 2017-04-29 08:52 - 000519888 _____ () C:\Users\John\AppData\Local\census.cache
2017-04-29 08:19 - 2017-04-29 08:19 - 000000036 _____ () C:\Users\John\AppData\Local\housecall.guid.cache
2017-04-24 09:50 - 2017-04-26 02:32 - 000000429 _____ () C:\Users\John\AppData\Local\kdeglobals
2017-04-24 09:49 - 2017-04-27 00:43 - 000004114 _____ () C:\Users\John\AppData\Local\kdenliverc
2017-04-29 08:44 - 2017-04-29 08:44 - 000000010 _____ () C:\Users\John\AppData\Local\sponge.last.runtime.cache
2017-04-24 09:49 - 2017-04-24 09:49 - 000000533 _____ () C:\Users\John\AppData\Local\user-places.xbel
2017-04-24 09:49 - 2017-04-24 09:49 - 000000000 _____ () C:\Users\John\AppData\Local\user-places.xbel.tbcache

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-10-26 15:31

==================== End of FRST.txt ============================
  #5  
Old 03-11-17, 22:27
J0HN
Familiar face
 
Join Date: Apr 2013
Posts: 52
Re: Chrome: Yahoo redirection malware.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-11-2017
Ran by John (02-11-2017 16:02:47)
Running from C:\Users\John\AppData\Local\Temp\scoped_dir2140_15887
Windows 8.1 Pro (Update) (X64) (2016-11-01 19:59:28)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3092938066-71598384-3575754765-500 - Administrator - Disabled)
Guest (S-1-5-21-3092938066-71598384-3575754765-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3092938066-71598384-3575754765-1003 - Limited - Enabled)
John (S-1-5-21-3092938066-71598384-3575754765-1001 - Administrator - Enabled) => C:\Users\John

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

1.5 (HKLM-x32\...\{45CEBDDE-AD94-4C5A-999D-0D35CE61405B}_is1) (Version: - Dirk Paehl)
Adobe Flash Player 27 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 27.0.0.170 - Adobe Systems Incorporated)
Adobe Photoshop CS6 (HKLM-x32\...\Adobe Photoshop CS6) (Version: 13.0.0.0 - © The Computer Guy Tony)
Apple Application Support (32-bit) (HKLM-x32\...\{3D1290E6-1F77-46D5-A715-A56679C8D4E3}) (Version: 6.0.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{D0E45DEC-F4B9-4370-A9DF-66837789C2EF}) (Version: 6.0.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{E3C4B99B-BE71-4C27-8E3C-4FAE3C46E1D5}) (Version: 11.0.0.30 - Apple Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.7.2314 - AVAST Software)
Bandizip (HKLM\...\Bandizip) (Version: 6.05 - Bandisoft.com)
Blender (HKLM\...\{437221A8-91D1-42A0-9E04-0AD64B502374}) (Version: 2.78.1 - Blender Foundation)
CCleaner (HKLM\...\CCleaner) (Version: 5.36 - Piriform)
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.7.6389 - CDBurnerXP)
Classic Shell (HKLM\...\{383BB30A-B4A7-4666-9A83-22CFA8640097}) (Version: 4.3.0 - IvoSoft)
Clever Dog version 1.4.0.4 (HKLM-x32\...\{84EE6015-F9C8-4962-A83B-5D065E65BE6C}_is1) (Version: 1.4.0.4 - Shenzhen Cylan Technology Co.,Ltd)
CopyTrans Control Center Uninstall Only (HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\CopyTrans Suite) (Version: 4.017 - WindSolutions)
DVD Flick 1.3.0.7 (HKLM-x32\...\DVD Flick_is1) (Version: 1.3.0.7 - Dennis Meuwissen)
EPSON Stylus Photo 1500 Series Printer Uninstall (HKLM\...\EPSON Stylus Photo 1500 Series) (Version: - SEIKO EPSON Corporation)
FairStars CD Ripper 1.90 (HKLM-x32\...\FairStars CD Ripper_is1) (Version: - FairStars Soft)
Flvto YouTube Downloader (HKLM-x32\...\Flvto YouTube Downloader) (Version: 1.0.9 - Hotger)
Freemake Video Downloader (HKLM-x32\...\Freemake Video Downloader_is1) (Version: 3.8.0 - Ellora Assets Corporation)
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.3.17.5274 - GOM & Company)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 62.0.3202.75 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden
IObit Uninstaller (HKLM-x32\...\IObitUninstall) (Version: 6.1.0.418 - IObit)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version: - )
Malwarebytes version 3.2.2.2029 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.2.2.2029 - Malwarebytes)
Microsoft Office Professional Plus 2016 - en-us (HKLM\...\ProPlusRetail - en-us) (Version: 16.0.8528.2147 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\OneDriveSetup.exe) (Version: 17.3.6390.0509 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
My Lockbox 3.8.1 (HKLM\...\My Lockbox_is1) (Version: 3.8.1 - )
NVIDIA 3D Vision Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 340.52 - NVIDIA Corporation)
NVIDIA Graphics Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 340.52 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA Update 10.4.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 10.4.0 - NVIDIA Corporation)
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.8528.2147 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component 64-bit Registration (HKLM\...\{90160000-00DD-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2147 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.8528.2147 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.8326.2107 - Microsoft Corporation) Hidden
Opera Stable 48.0.2685.52 (HKLM-x32\...\Opera 48.0.2685.52) (Version: 48.0.2685.52 - Opera Software)
qBittorrent 3.3.16 (HKLM-x32\...\qBittorrent) (Version: 3.3.16 - The qBittorrent project)
SafeZone Stable 4.58.2552.909 (HKLM-x32\...\SafeZone 4.58.2552.909) (Version: 4.58.2552.909 - Avast Software) Hidden
VDownloader 4.3.2229 (HKLM\...\{A7E19604-93AF-4611-8C9F-CE509C2B286E}_is1) (Version: - Vitzo Limited)
VidCutter (HKLM\...\{CCDC440A-CC57-4BED-8CDE-1DA285976A64}_is1) (Version: 3.0.1 - Pete Alexandrou)
VLC media player (HKLM\...\VLC media player) (Version: 2.2.5.1 - VideoLAN)
WhatsApp (HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\WhatsApp) (Version: 0.2.4240 - WhatsApp)
Winamp (HKLM-x32\...\Winamp) (Version: 5.666 - Nullsoft, Inc)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3092938066-71598384-3575754765-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64\FileCoAuthLib64.dll ()
CustomCLSID: HKU\S-1-5-21-3092938066-71598384-3575754765-1001_Classes\CLSID\{5B69A6B4-393B-459C-8EBB-214237A9E7AC}\InprocServer32 -> C:\Program Files\Bandizip\bdzshl64.dll (Bandisoft.com)
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-10-11] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-10-11] (AVAST Software)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
ContextMenuHandlers1: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)
ContextMenuHandlers1: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-10-11] (AVAST Software)
ContextMenuHandlers1: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2016-11-05] (IObit)
ContextMenuHandlers2: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)
ContextMenuHandlers3: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-10-11] (AVAST Software)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-30] (Malwarebytes)
ContextMenuHandlers4: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)
ContextMenuHandlers4: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2016-11-05] (IObit)
ContextMenuHandlers5: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2014-07-02] (NVIDIA Corporation)
ContextMenuHandlers6: [avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-10-11] (AVAST Software)
ContextMenuHandlers6: [IObitUnstaler] -> {B19ED566-D419-470b-B111-3C89040BC027} => C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMenuRight.dll [2016-11-05] (IObit)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2017-08-30] (Malwarebytes)
ContextMenuHandlers6: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2016-07-30] (IvoSoft)
ContextMenuHandlers1_S-1-5-21-3092938066-71598384-3575754765-1001: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)
ContextMenuHandlers2_S-1-5-21-3092938066-71598384-3575754765-1001: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)
ContextMenuHandlers4_S-1-5-21-3092938066-71598384-3575754765-1001: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)
ContextMenuHandlers5_S-1-5-21-3092938066-71598384-3575754765-1001: [AABdzCtx] -> {5B69A6B4-393B-459C-8EBB-214237A9E7AC} => C:\Program Files\Bandizip\bdzshl64.dll [2017-04-24] (Bandisoft.com)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {1A3E9898-BE53-42AD-A3AE-FA17EA350555} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-23] (Microsoft Corporation)
Task: {1C12FD84-C802-4986-B8F6-657B29CF753C} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2017-10-18] (Piriform Ltd)
Task: {1D39B770-56DA-4831-BFBF-C600F436A5D5} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_27_0_0_170_pepper.exe [2017-10-22] (Adobe Systems Incorporated)
Task: {2730A8EA-9115-432D-958D-6F93EE216A6C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-02] (Google Inc.)
Task: {3D89A078-371A-4391-9F03-AFB554D6D78C} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2017-10-23] (Microsoft Corporation)
Task: {4185F578-9A8B-4F00-A815-3746960622D9} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-10-29] (Microsoft Corporation)
Task: {42404126-CE02-444B-84D2-550CFA65334C} - System32\Tasks\Opera scheduled Autoupdate 1486599902 => C:\Program Files (x86)\Opera\launcher.exe [2017-10-24] (Opera Software)
Task: {465C5430-F20F-486E-A4BB-046A59745885} - System32\Tasks\Uninstaller_SkipUac_John => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe [2016-11-05] (IObit)
Task: {4F2FFA1C-52DB-4351-9984-0AAF54BD5E9B} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerRegistration => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-23] ()
Task: {55105AF3-901C-4586-AAD6-9E4648F165F7} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe
Task: {57479281-F776-41A5-B709-0745B566180A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-11-02] (Google Inc.)
Task: {5AFFD86C-51A8-4D7F-8E8A-5BB32F9CAEBC} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-10-11] (AVAST Software)
Task: {625133C6-3E92-49C8-B142-9D8CCF38FC27} - System32\Tasks\REGUtilities Task => C:\Program Files (x86)\REGUtilities\REGUtilities.exe <==== ATTENTION
Task: {7F3ADAE4-FAD8-4E10-8459-22B3F2E7BF69} - System32\Tasks\Microsoft\Office\OfficeBackgroundTaskHandlerLogon => C:\Program Files (x86)\Microsoft Office\root\Office16\officebackgroundtaskhandler.exe [2017-09-23] ()
Task: {D0AC41D0-DB14-4CAA-A94D-2DB6E294401F} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack2016 => C:\Program Files (x86)\Microsoft Office\root\Office16\msoia.exe [2017-10-29] (Microsoft Corporation)
Task: {F4C65116-97EC-4398-A43C-6C08D2E8A26D} - System32\Tasks\SafeZone scheduled Autoupdate 1478039183 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2017-08-04] (Avast Software)
Task: {FF6B7467-F08C-402C-A2AF-4E33AA59FA97} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2017-10-18] (Piriform Ltd)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\REGUtilities Task.job => C:\Program Files (x86)\REGUtilities\REGUtilities.exe-t C:\Program Files (x86)\REGUtilities\REGUtilities.exe <==== ATTENTION
Task: C:\Windows\Tasks\Uninstaller_SkipUac_John.job => C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2016-11-01 20:11 - 2014-07-02 18:55 - 000116568 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-11-05 04:43 - 2016-11-05 04:43 - 000959168 _____ () C:\Users\John\AppData\Local\Microsoft\OneDrive\17.3.6390.0509_2\amd64\ClientTelemetry.dll
2016-11-05 04:29 - 2017-10-19 17:15 - 008929464 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2017-09-01 02:49 - 2017-09-01 02:49 - 000092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2017-09-01 02:49 - 2017-09-01 02:49 - 001356088 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2017-10-30 17:07 - 2017-10-04 13:15 - 002289096 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\SelfProtectionSdk.dll
2017-10-26 18:47 - 2017-10-24 05:33 - 091487832 _____ () C:\Program Files (x86)\Opera\48.0.2685.52\opera_browser.dll
2017-10-26 18:47 - 2017-10-24 05:33 - 004197464 _____ () C:\Program Files (x86)\Opera\48.0.2685.52\libglesv2.dll
2017-10-26 18:47 - 2017-10-24 05:33 - 000101464 _____ () C:\Program Files (x86)\Opera\48.0.2685.52\libegl.dll
2016-11-05 05:00 - 2016-06-21 19:30 - 000442144 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madExcept_.bpl
2016-11-05 05:00 - 2016-06-21 19:29 - 000210720 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madBasic_.bpl
2016-11-05 05:00 - 2016-06-21 19:29 - 000059680 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\madDisAsm_.bpl
2017-10-11 16:56 - 2017-10-11 16:56 - 000167096 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2017-10-11 16:56 - 2017-10-11 16:56 - 000059040 _____ () C:\Program Files\AVAST Software\Avast\module_lifetime.dll
2017-07-04 21:16 - 2017-07-04 21:16 - 067109376 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-10-11 16:56 - 2017-10-11 16:56 - 000217088 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-10-11 16:56 - 2017-10-11 16:56 - 000244584 _____ () C:\Program Files\AVAST Software\Avast\tasks_core.dll
2017-10-11 16:56 - 2017-10-11 16:56 - 000234280 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-10-25 16:58 - 2017-10-25 16:58 - 000703336 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-11-05 05:00 - 2015-12-28 13:50 - 000899872 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\webres.dll
2016-11-05 05:00 - 2016-11-05 04:59 - 000631072 _____ () C:\Program Files (x86)\IObit\IObit Uninstaller\ProductStatistics.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows\avastSS.scr:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ActionQueue.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\adhsvc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\adtschema.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\apisetschema.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\asycfilt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\auditpolmsg.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\basesrv.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\bcrypt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\BdeHdCfg.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\BdeHdCfgLib.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\bdesvc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\certenc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\CertEnroll.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\certprop.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\cryptxml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\d3d10level9.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\dab.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\DafPrintProvider.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\diagtrack.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\E_GCINST.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\E_ID4BHME.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\E_ILMHME.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\FirewallAPI.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\fveapi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\fvecpl.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\GlobCollationHost.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\gpresult.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\hbaapi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\httpprxm.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\httpprxp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\icm32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\input.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\IPHLPAPI.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\iphlpsvc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\iscsidsc.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\iscsiexe.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\iscsiwmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\LocationApi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\mfmjpegdec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfmp4srcsnk.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfsvr.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\microsoft-windows-system-events.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\mispace.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MPSSVC.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\mscms.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msdtcprx.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msiexec.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\msobjs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msv1_0.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MSVidCtl.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\netlogon.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\pcasvc.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\pdh.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\pmcsnap.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\quartz.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\rdpcore.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\rdpcorets.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\rdpudd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\RestoreOptIn.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\samlib.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\samsrv.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ScDeviceEnum.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\shsetup.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\sppobjs.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\sppsvc.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\sppwinob.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\storagewmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\tzsync.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ucrtbase.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\UIAnimation.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\user32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\UserAccountBroker.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\vmrdvcore.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WebClnt.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\webio.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\wfapigp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Windows.Devices.Geolocation.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Windows.Globalization.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Windows.UI.Xaml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\WindowsCodecs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\winhttp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\wininit.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WinSCard.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\winspool.drv:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wintrust.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wow64.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\xolehlp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\actxprxy.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\adtschema.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\asycfilt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\auditpolmsg.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\bcrypt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\certenc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\CertEnroll.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\cryptxml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\d3d10level9.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\DafPrintProvider.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\FirewallAPI.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\GlobCollationHost.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\gpresult.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\hbaapi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\icm32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\input.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\IPHLPAPI.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\iscsidsc.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\iscsiwmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\LocationApi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\mfmjpegdec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfmp4srcsnk.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfsvr.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mispace.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MrmCoreR.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mscms.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msdtcprx.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msftedit.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msiexec.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\msobjs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msv1_0.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MSVidCtl.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\netlogon.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\olepro32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\pdh.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\PrintConfig.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\quartz.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\rdpcore.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\RestoreOptIn.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\samlib.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\shsetup.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\storagewmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\ucrtbase.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\UIAnimation.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\user32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\UserAccountBroker.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\WebClnt.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\webio.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\wfapigp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\Windows.Devices.Geolocation.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\Windows.Globalization.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\Windows.UI.Xaml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\WindowsCodecs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\winhttp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\WinSCard.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\winspool.drv:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\wintrust.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\xolehlp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\BasicRender.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\bowser.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\Classpnp.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\cmimcext.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\cng.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\csc.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\dfsc.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\dumpfve.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\FSPFltd2.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\fvevol.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\hidclass.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\hidparse.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\hidusb.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\mup.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\ndis.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\ndiswan.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\rdbss.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\refs.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\scfilter.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\spaceport.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\storvsp.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\tapSF0901.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\vhdmp.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\volmgr.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\WdBoot.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\WdFilter.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\WdNisDrv.sys:$CmdTcID [64]
AlternateDataStreams: C:\Users\John\Desktop\Clive_Cussler_-_Dirk_Pit.azw3:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Desktop\Clive_Cussler_-_Dirk_Pitt_-_04_of_23_-_Raise_the_T.mobi:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Desktop\Plantar+Fasciitis+-+Recovery+&+Prevention+Oct+2016+Edition.pdf:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Desktop\Spark_Nicholas_-_The_Lucky_One.mobi:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Desktop\The well being resource book for new managers.doc:$CmdZnID [26]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 13:25 - 2013-08-22 13:25 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3092938066-71598384-3575754765-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\John\Desktop\16463354_1842759099315249_7713661877425259732_o.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run32: => "ProductUpdater"
HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"
HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk"
HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-3092938066-71598384-3575754765-1001\...\StartupApproved\Run: => "EPLTarget\P0000000000000000"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{7882FA27-A95B-44E3-BE5C-0AA824268D55}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{91F8103C-CA56-4632-8502-9552BC587ADB}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{3DCF0CAD-719E-4242-937F-BA3BC868F86F}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe
FirewallRules: [{F734C2FC-7829-4E96-BDB5-2F1551FD8E46}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe
FirewallRules: [{1E68D4CC-B374-463C-89BC-4640F1BA8C4F}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [{DA10AF5A-2314-4B3B-8694-35CA49681B60}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [TCP Query User{F5261574-0828-4054-9292-69226CB4B6DA}C:\program files (x86)\clever dog\cleverdog.exe] => (Allow) C:\program files (x86)\clever dog\cleverdog.exe
FirewallRules: [UDP Query User{93E8838C-66D0-48C2-BFB8-07E553681B14}C:\program files (x86)\clever dog\cleverdog.exe] => (Allow) C:\program files (x86)\clever dog\cleverdog.exe
FirewallRules: [{0A87A981-C68C-4F72-95D6-39EC249B8641}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\3.55.2393.609\SZBrowser.exe
FirewallRules: [{EDC9D045-35D1-4685-94BE-B3F82D5B9621}] => (Allow) C:\Program Files\AVAST Software\SZBrowser\4.58.2552.909\SZBrowser.exe
FirewallRules: [{7BEC8306-926B-41E3-8F3B-233D12AC20F8}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{734048ED-9AAF-421E-B8A9-40E7E256734F}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
FirewallRules: [{DD31C631-FF8B-4E2E-B8C0-B908C86C9C91}] => (Allow) C:\Program Files (x86)\qBittorrent\qbittorrent.exe
FirewallRules: [{F90616C4-56B6-4DA8-9C3B-08D72EE8B682}] => (Allow) C:\Program Files (x86)\Opera\48.0.2685.50\opera.exe
FirewallRules: [{7E93C97E-9A37-48E8-AF2D-1F1BEBB14600}] => (Allow) C:\Program Files (x86)\Opera\48.0.2685.52\opera.exe
FirewallRules: [{DE074567-609E-4FB5-870E-6E3BD4435BF9}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{D94CC935-B9B4-4569-9106-2AC8C81EFF93}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

18-10-2017 17:41:11 Windows Update
26-10-2017 15:34:30 Scheduled Checkpoint
30-10-2017 05:50:23 Installed Apple Application Support (32-bit)
30-10-2017 05:52:35 Installed Apple Application Support (64-bit)
30-10-2017 05:53:50 Installed Apple Mobile Device Support
30-10-2017 13:26:18 Installed TouchCopy 16

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (11/02/2017 05:13:14 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: da4

Start Time: 01d353988d941978

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: 85597c5f-bf8c-11e7-82ca-485b39ae6824

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (11/02/2017 04:08:14 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: ac4

Start Time: 01d3538ffeab8598

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: 6f91fa9d-bf83-11e7-82ca-485b39ae6824

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (11/02/2017 03:42:16 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program LiveComm.exe version 17.5.9600.20911 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 15e0

Start Time: 01d3538bd926c636

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\LiveComm.exe

Report Id: ce8789eb-bf7f-11e7-82ca-485b39ae6824

Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe

Faulting package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1

Error: (11/02/2017 02:41:30 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/02/2017 02:29:12 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/02/2017 01:36:51 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (11/01/2017 01:59:15 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (10/31/2017 03:01:04 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.

Error: (10/31/2017 02:57:23 AM) (Source: Desktop Window Manager) (EventID: 9020) (User: )
Description: The Desktop Window Manager has encountered a fatal error (0x8898008d)

Error: (10/30/2017 07:33:43 PM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program Files (x86)\Microsoft Office\root\Office16\UccApi.DLL" on line 1.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.


System errors:
=============
Error: (11/02/2017 01:50:11 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Microsoft Office Click-to-Run Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (11/02/2017 01:50:10 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The IObit Uninstaller Service service terminated unexpectedly. It has done this 1 time(s).

Error: (11/02/2017 01:50:10 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Stereoscopic 3D Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (11/02/2017 01:50:10 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Apple Mobile Device Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (11/02/2017 01:50:10 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (11/01/2017 04:02:50 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The aswbIDSAgent service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (11/01/2017 04:02:50 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the aswbIDSAgent service to connect.

Error: (11/01/2017 03:59:11 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Superfetch service terminated with the following error:
The service has not been started.

Error: (11/01/2017 03:58:56 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ClickToRunSvc service.

Error: (11/01/2017 03:58:56 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MBAMService service.


CodeIntegrity:
===================================
Date: 2017-04-17 02:25:52.124
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-17 02:07:17.419
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-16 23:50:57.261
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-16 22:42:50.941
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-16 22:33:02.486
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-16 21:09:13.369
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-16 20:06:09.569
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-16 13:55:21.834
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-16 03:10:02.005
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.

Date: 2017-04-15 23:23:37.794
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\guard64.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Pentium(R) Dual-Core CPU E6500 @ 2.93GHz
Percentage of memory in use: 37%
Total physical RAM: 4095.18 MB
Available physical RAM: 2575.36 MB
Total Virtual: 4863.18 MB
Available Virtual: 2941.89 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.75 GB) (Free:30.27 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: A8B9A8B9)
Partition 1: (Active) - (Size=465.8 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
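The Addition.txt above is long and mostly benign noise, which is exactly where a redirect's footprint hides: a DNS server that is not the router, an Allow rule for an executable under a user profile, a startup item FRST lists as disabled, or a single alternate data stream that does not follow the pattern of the dozens around it. The Python script below is an added example for this thread, not part of FRST and not code from anyone's post. It splits an Addition.txt into its section blocks and applies those checks. The regular expressions follow the line shapes visible in the log above; the thresholds, the trusted directory roots and the embedded sample log are this example's own assumptions (the sample's GUIDs, paths and file names are constructed). It makes no claim about which program writes the $CmdTcID and $CmdZnID streams: a stream name that appears with a small, uniform size on many files is summarised as a product-wide tag, and everything else is listed for a human to open.

```python
"""Triage an FRST Addition.txt log (an added example, not FRST's own code). Line shapes
follow the log pasted in the thread; thresholds, trusted roots and the sample are assumptions."""
import ipaddress
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+?):(?P<stream>[^:\\]+) \[(?P<size>\d+)\]$")
FW_RE = re.compile(r"^FirewallRules: \[(?P<rule>.+)\] => \((?P<action>\w+)\) (?P<path>.+)$")
STARTUP_RE = re.compile(r'StartupApproved\\(?P<where>\w+): => "(?P<item>.+)"$')
UAC_RE = re.compile(r"\((?P<key>\w+): (?P<val>\w+)\)")

BULK_TAG_MIN_FILES = 3    # a stream name on at least this many files, each at most
BULK_TAG_MAX_BYTES = 256  # this many bytes, is summarised as a product-wide tag
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample in Addition.txt line format; GUIDs, paths and names are made up.
SAMPLE_LOG = r"""
==================== Alternate Data Streams (Whitelisted) =========
AlternateDataStreams: C:\Windows\system32\bcrypt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\user32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wintrust.dll:$CmdTcID [130]
AlternateDataStreams: C:\Users\John\Desktop\Some Book.mobi:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Downloads\setup.exe:Zone.Identifier [26]
AlternateDataStreams: C:\Users\John\AppData\Roaming\Updater\cache.dat:payload.bin [40960]
==================== Other Areas ============================
DNS Servers: 192.168.0.1 - 8.8.8.8
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
==================== MSCONFIG/TASK MANAGER disabled items ==
HKLM\...\StartupApproved\Run32: => "ProductUpdater"
==================== FirewallRules (Whitelisted) ===============
FirewallRules: [{00000000-0000-0000-0000-000000000001}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [TCP Query User{00000000-0000-0000-0000-000000000002}C:\Users\John\AppData\Roaming\svc\svc.exe] => (Allow) C:\Users\John\AppData\Roaming\svc\svc.exe
FirewallRules: [{00000000-0000-0000-0000-000000000003}] => (Block) C:\Users\John\Downloads\tool.exe
"""


def split_sections(text):
    """Map each '==== name ====' header to the non-empty lines beneath it."""
    sections, current = defaultdict(list), None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION_RE.match(line)
        if m and m.group("name").strip("="):  # a bare run of '=' is a divider, not a header
            current = m.group("name").split(" (")[0].rstrip(":")
        elif current:
            sections[current].append(line)
    return sections


def triage_ads(lines):
    """Skip Zone.Identifier (Mark-of-the-Web), summarise bulk tags, list everything else."""
    by_stream = defaultdict(list)
    for m in filter(None, map(ADS_RE.match, lines)):
        by_stream[m.group("stream")].append((m.group("path"), int(m.group("size"))))
    bulk, flagged = {}, []
    for stream, hits in by_stream.items():
        if stream == "Zone.Identifier":
            continue
        if len(hits) >= BULK_TAG_MIN_FILES and all(s <= BULK_TAG_MAX_BYTES for _, s in hits):
            bulk[stream] = len(hits)
        else:
            flagged += [f"{p}:{stream} ({s} bytes)" for p, s in hits]
    return bulk, flagged


def triage_other_areas(lines):
    """DNS servers off the LAN (a classic redirect vector) and weakened UAC (IPv4 only here)."""
    findings = []
    for line in lines:
        if line.startswith("DNS Servers:"):
            for ip in map(ipaddress.ip_address, re.findall(r"\d+(?:\.\d+){3}", line)):
                if not ip.is_private:
                    findings.append(f"DNS server {ip} is not on the local network; confirm you set it")
        elif "Policies\\System" in line:
            uac = dict(UAC_RE.findall(line))
            if uac.get("EnableLUA") != "1" or uac.get("ConsentPromptBehaviorAdmin") == "0":
                findings.append(f"UAC weakened: {uac}")
    return findings


def triage_firewall(lines):
    """Allow rules whose executable is outside the program and Windows directories."""
    hits = {m.group("path") for m in filter(None, map(FW_RE.match, lines))
            if m.group("action") == "Allow" and not m.group("path").lower().startswith(TRUSTED_ROOTS)}
    return sorted(hits)


def triage(text):
    s = split_sections(text)
    bulk, ads = triage_ads(s.get("Alternate Data Streams", []))
    startup = filter(None, map(STARTUP_RE.search, s.get("MSCONFIG/TASK MANAGER disabled items", [])))
    return {"ads_bulk_tags": bulk, "ads_flagged": ads,
            "other_areas": triage_other_areas(s.get("Other Areas", [])),
            "disabled_startup": [f"{m.group('where')}: {m.group('item')}" for m in startup],
            "firewall_allow_outside_trusted_roots": triage_firewall(s.get("FirewallRules", []))}


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG).items(), sep="\n")  # pass a real Addition.txt's text instead
```

To run it over a real log, read Addition.txt with encoding="utf-8-sig" (so a byte-order mark does not break the first header) and pass the text to triage(). The output is a worklist, not a verdict: a public resolver you chose yourself, or a legitimately installed program that lives under AppData, will be listed just the same, and deciding what is actually hostile stays with the analyst.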
  #6  
Old 04-11-17, 10:33
kevinf80
Global Moderator
Join Date: Feb 2008
Location: Sunderland.UK.
Posts: 2,944
Re: Chrome: Yahoo redirection malware.

Hiya John,

Thanks for those logs. Do you recall when this program was downloaded/installed on your system... Freemake Video Downloader

Have a read here: https://www.bleepingcomputer.com/vir...system-service regarding the following software...

HKLM-x32\...\Run: [ProductUpdater] => C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe

FRST has been saved to a Temp folder, C:\Users\John\AppData\Local\Temp\scoped_dir2140_15887. It is beneficial to run FRST from your Desktop, can you move FRST there. Also the fixlist.txt file I will attach to this reply needs to be saved to the same place.....

Continue with the following:

Uninstall "Freemake Video Downloader", re-boot when complete.....

Next,

Run the following fix to remove remnants of FVD and its more than likely piggybacked companion that came with it:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

Next,

Please open Malwarebytes Anti-Malware.
  • On the Settings tab > Protection, scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives
  • Scroll further to Potential Threat Protection make sure the following are set as follows:

    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
  • Click on Scan, make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:

    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

Next,

Although I see no references in the logs to show issues in the Google Chrome browser, that does not mean it is not already exploited; I recommend a full "Clean" install to be certain...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and export your Bookmarks from Chrome, saving them to your Desktop or similar. Note the instructions can also be used to import the bookmarks.....

Continue for a clean install:

Download the Chrome installer and save it to install later: https://www.google.com/intl/en_uk/ch...top/index.html https://www.google.com/intl/en_usa/c...top/index.html

Remove all synced data from Chrome; go here: https://support.google.com/chrome/an...86691?hl=en-GB and follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, and ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\AppData\Local and from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder AppData)

For XP that will be My Computer > C:\Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for Windows: http://www.howtogeek.com/howto/windo...windows-vista/

Install Google Chrome:

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/d...ibdccddilifddb

Install DrWeb Anti-virus Link Checker: https://chrome.google.com/webstore/d...ijcmbonb?hl=en

Does that help...

Thanks,

Kevin
Attached Files
File Type: txt fixlist.txt (13.7 KB, 1 views)
Reply With Quote
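A read-only way to check the same persistence points the fixlist in this thread targets (the Run and StartupApproved values, the Chrome policy key under HKLM\SOFTWARE\Policies\Google and the local Group Policy store, scheduled tasks and legacy .job files, named NTFS streams on system files, and the hosts file), as an added PowerShell example written for this page; it is not part of the thread and is not code from FRST or Malwarebytes. It assumes Windows 8 or later with PowerShell 3.0+ run from an elevated prompt; the function names and the folder list are my own choices, not anything the tools here use.

```powershell
# Added example (not from the thread, FRST or Malwarebytes): a read-only audit of the
# autostart, policy, task, stream and hosts locations the fixlist above touches.
# Run from an elevated PowerShell prompt on Windows 8 or later. It removes nothing.

# Native and 32-bit (WOW6432Node) Run keys, the StartupApproved values that record whether
# each autostart is enabled, and the current user's Run key.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RegistryValues {
    # Emit every value under each key (and, with -Recurse, its subkeys) as Key/Name/Value rows.
    param([string[]]$Keys, [switch]$Recurse)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $items = @(Get-Item $key)
        if ($Recurse) { $items += @(Get-ChildItem $key -Recurse) }
        foreach ($item in $items) {
            foreach ($name in $item.GetValueNames()) {
                $value = $item.GetValue($name)
                # StartupApproved values are binary; show them as hex so they fit on one line.
                if ($value -is [byte[]]) { $value = ($value | ForEach-Object { $_.ToString('x2') }) -join '' }
                [pscustomobject]@{ Key = $item.Name; Name = $name; Value = $value }
            }
        }
    }
}

function Get-ChromePolicy {
    # FRST flagged HKLM\SOFTWARE\Policies\Google as a "Restriction". On a home PC that is not
    # domain-joined this key normally does not exist, so any value listed deserves a look.
    Get-RegistryValues -Keys 'HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google' -Recurse
}

function Get-LocalGroupPolicyFiles {
    # The fix also moved the local GPO store; Registry.pol is where machine policy values live.
    $gpo = Join-Path $env:SystemRoot 'System32\GroupPolicy'
    Get-ChildItem -Path $gpo -Recurse -Force -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-NonMicrosoftTasks {
    # Scheduled tasks outside the \Microsoft\ tree with the program each action executes,
    # plus legacy .job files in C:\Windows\Tasks (the REGUtilities task in this thread used both).
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $action.Execute; Arguments = $action.Arguments }
            }
        }
    }
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Task = $_.FullName; Execute = '(legacy .job file)'; Arguments = '' } }
}

function Get-AlternateDataStreams {
    # Every named NTFS stream other than the default :$DATA on the files directly in each folder.
    # Zone.Identifier is the normal "downloaded from the Internet" mark; anything else is worth noting.
    param([string[]]$Folders)
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object { [pscustomobject]@{ File = $_.FileName; Stream = $_.Stream; Bytes = $_.Length } }
        }
    }
}

function Get-HostsEntries {
    # Non-comment lines of the hosts file; after a restore it should contain little or nothing.
    Get-Content (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts') |
        Where-Object { $_.Trim() -ne '' -and -not $_.TrimStart().StartsWith('#') }
}

Write-Host '== Autostart entries =='
Get-RegistryValues -Keys $AutostartKeys | Format-Table -AutoSize -Wrap | Out-Host
Write-Host '== Chrome policy values =='
Get-ChromePolicy | Format-Table -AutoSize -Wrap | Out-Host
Write-Host '== Local Group Policy files =='
Get-LocalGroupPolicyFiles | Format-Table -AutoSize | Out-Host
Write-Host '== Non-Microsoft scheduled tasks =='
Get-NonMicrosoftTasks | Format-Table -AutoSize -Wrap | Out-Host
Write-Host '== Alternate data streams =='
Get-AlternateDataStreams -Folders "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\System32\drivers", "$env:USERPROFILE\Desktop" | Format-Table -AutoSize | Out-Host
Write-Host '== hosts file entries =='
Get-HostsEntries
```

Running it once before and once after a fix gives a before/after comparison of exactly the locations FRST reports on. The stream enumeration over System32 and SysWOW64 touches thousands of files and takes a minute or two; a Zone.Identifier stream on a downloaded file is expected, while a stream name you do not recognise on a system DLL is the kind of finding worth raising in a thread like this rather than deleting by hand.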
  #7  
Old 05-11-17, 05:05
J0HN
Re: Chrome: Yahoo redirection malware.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/5/17
Scan Time: 1:24 AM
Log File: 1308f800-c1c8-11e7-8b31-485b39ae6824.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3176
License: Free

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: JOHNS\John

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 327757
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 11 min, 5 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)
Reply With Quote
  #8  
Old 05-11-17, 05:08
J0HN
Re: Chrome: Yahoo redirection malware.

Fix result of Farbar Recovery Scan Tool (x64) Version: 02-11-2017
Ran by John (05-11-2017 01:12:23) Run:1
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available Profiles: John)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [ProductUpdater] => C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater\ProductUpdater.exe
C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater
C:\Program Files (x86)\Common Files\Freemake Shared
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {625133C6-3E92-49C8-B142-9D8CCF38FC27} - System32\Tasks\REGUtilities Task => C:\Program Files (x86)\REGUtilities\REGUtilities.exe <==== ATTENTION
Task: C:\Windows\Tasks\REGUtilities Task.job => C:\Program Files (x86)\REGUtilities\REGUtilities.exe-t C:\Program Files (x86)\REGUtilities\REGUtilities.exe <==== ATTENTION
C:\Program Files (x86)\REGUtilities
AlternateDataStreams: C:\Windows\avastSS.scr:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ActionQueue.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\adhsvc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\adtschema.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\apisetschema.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\asycfilt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\auditpolmsg.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\basesrv.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\bcrypt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\BdeHdCfg.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\BdeHdCfgLib.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\bdesvc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\certenc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\CertEnroll.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\certprop.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\cryptxml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\d3d10level9.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\dab.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\DafPrintProvider.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\diagtrack.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\E_GCINST.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\E_ID4BHME.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\E_ILMHME.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\FirewallAPI.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\fveapi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\fvecpl.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\GlobCollationHost.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\gpresult.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\hbaapi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\httpprxm.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\httpprxp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\icm32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\input.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\IPHLPAPI.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\iphlpsvc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\iscsidsc.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\iscsiexe.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\iscsiwmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\LocationApi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\mfmjpegdec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfmp4srcsnk.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\mfsvr.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\microsoft-windows-system-events.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\mispace.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MPSSVC.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\mscms.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msdtcprx.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msiexec.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\msobjs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\msv1_0.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\MSVidCtl.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\netlogon.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\pcasvc.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\pdh.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\pmcsnap.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\quartz.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\rdpcore.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\rdpcorets.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\rdpudd.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\RestoreOptIn.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\samlib.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\samsrv.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ScDeviceEnum.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\shsetup.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\sppobjs.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\sppsvc.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\sppwinob.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\storagewmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\tzsync.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\ucrtbase.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\UIAnimation.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\user32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\UserAccountBroker.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\vmrdvcore.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WebClnt.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\webio.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\wfapigp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Windows.Devices.Geolocation.dl l:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Windows.Globalization.dll:$Cmd TcID [64]
AlternateDataStreams: C:\Windows\system32\Windows.UI.Xaml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\WindowsCodecs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\winhttp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\wininit.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\WinSCard.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\winspool.drv:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wintrust.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\wow64.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\xolehlp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\actxprxy.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\adtschema.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\asycfilt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\auditpolmsg.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\bcrypt.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\certenc.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\CertEnroll.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\cryptxml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\d3d10level9.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\DafPrintProvider.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\FirewallAPI.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\GlobCollationHost.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\gpresult.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\hbaapi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\icm32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\input.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\IPHLPAPI.DLL:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\iscsidsc.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\iscsiwmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\LocationApi.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\mfmjpegdec.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfmp4srcsnk.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mfsvr.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mispace.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MrmCoreR.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\mscms.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msdtcprx.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msftedit.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msiexec.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\msobjs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\msv1_0.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\MSVidCtl.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\netlogon.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\olepro32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\pdh.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\PrintConfig.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\quartz.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\rdpcore.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\RestoreOptIn.exe:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\samlib.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\shsetup.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\storagewmi.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\ucrtbase.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\UIAnimation.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\user32.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\UserAccountBroker.exe:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\WebClnt.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\webio.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\wfapigp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\Windows.Devices.Geolocation.dl l:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\Windows.Globalization.dll:$Cmd TcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\Windows.UI.Xaml.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\WindowsCodecs.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\winhttp.dll:$CmdTcID [130]
AlternateDataStreams: C:\Windows\SysWOW64\WinSCard.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\winspool.drv:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\wintrust.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\SysWOW64\xolehlp.dll:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\BasicRender.sys:$CmdTc ID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\bowser.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\Classpnp.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\cmimcext.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\cng.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\csc.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\dfsc.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\dumpfve.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\FSPFltd2.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\fvevol.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\hidclass.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\hidparse.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\hidusb.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\mup.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\ndis.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\ndiswan.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\rdbss.sys:$CmdTcID [130]
AlternateDataStreams: C:\Windows\system32\Drivers\refs.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\scfilter.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\spaceport.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\storvsp.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\tapSF0901.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\vhdmp.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\volmgr.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\WdBoot.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\WdFilter.sys:$CmdTcID [64]
AlternateDataStreams: C:\Windows\system32\Drivers\WdNisDrv.sys:$CmdTcID [64]
AlternateDataStreams: C:\Users\John\Desktop\Clive_Cussler_-_Dirk_Pit.azw3:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Desktop\Clive_Cussler_-_Dirk_Pitt_-_04_of_23_-_Raise_the_T.mobi:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Desktop\Plantar+Fasciitis+-+Recovery+&+Prevention+Oct+2016+Edition.pdf:$CmdZn ID [26]
AlternateDataStreams: C:\Users\John\Desktop\Spark_Nicholas_-_The_Lucky_One.mobi:$CmdZnID [26]
AlternateDataStreams: C:\Users\John\Desktop\The well being resource book for new managers.doc:$CmdZnID [26]
HKLM\...\StartupApproved\Run32: => "ProductUpdater"

Hosts:
CMD: ipconfig /flushDNS
EmptyTemp:
end


*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ProductUpdater => value not found.
"C:\Program Files (x86)\Common Files\Freemake Shared\ProductUpdater" => not found.
"C:\Program Files (x86)\Common Files\Freemake Shared" => not found.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{625133C6-3E92-49C8-B142-9D8CCF38FC27} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{625133C6-3E92-49C8-B142-9D8CCF38FC27} => key removed successfully
C:\Windows\System32\Tasks\REGUtilities Task => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\REGUtilities Task => key removed successfully
C:\Windows\Tasks\REGUtilities Task.job => moved successfully
"C:\Program Files (x86)\REGUtilities" => not found.
C:\Windows\avastSS.scr => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\ActionQueue.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\adhsvc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\adtschema.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\apisetschema.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\asycfilt.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\auditpolmsg.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\basesrv.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\bcrypt.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\BdeHdCfg.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\BdeHdCfgLib.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\bdesvc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\certenc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\CertEnroll.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\certprop.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\cryptxml.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\d3d10level9.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\dab.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\DafPrintProvider.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\diagtrack.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\E_GCINST.DLL => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\E_ID4BHME.DLL => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\E_ILMHME.DLL => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\FirewallAPI.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\fveapi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\fvecpl.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\GlobCollationHost.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\gpresult.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\hbaapi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\httpprxm.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\httpprxp.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\icm32.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\input.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\IPHLPAPI.DLL => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\iphlpsvc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\iscsidsc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\iscsiexe.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\iscsiwmi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\LocationApi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\mfmjpegdec.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\mfmp4srcsnk.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\mfsvr.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\microsoft-windows-system-events.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\mispace.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\MPSSVC.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\mscms.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\msdtcprx.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\msi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\msiexec.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\msobjs.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\msv1_0.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\MSVidCtl.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\netlogon.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\pcasvc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\pdh.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\pmcsnap.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\quartz.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\rdpcore.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\rdpcorets.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\rdpudd.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\RestoreOptIn.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\samlib.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\samsrv.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\ScDeviceEnum.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\shsetup.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\sppobjs.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\sppsvc.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\sppwinob.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\storagewmi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\tzsync.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\ucrtbase.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\UIAnimation.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\user32.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\UserAccountBroker.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\vmrdvcore.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\WebClnt.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\webio.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\wfapigp.dll => ":$CmdTcID" ADS removed successfully.
"C:\Windows\system32\Windows.Devices.Geolocation.d l l" => ":$CmdTcID" ADS not found.
C:\Windows\system32\Windows.Globalization.dll => ":$Cmd TcID" ADS could not remove.
C:\Windows\system32\Windows.UI.Xaml.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\WindowsCodecs.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\winhttp.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\wininit.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\WinSCard.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\winspool.drv => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\wintrust.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\wow64.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\xolehlp.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\actxprxy.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\adtschema.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\asycfilt.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\auditpolmsg.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\bcrypt.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\certenc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\CertEnroll.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\cryptxml.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\d3d10level9.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\DafPrintProvider.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\FirewallAPI.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\GlobCollationHost.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\gpresult.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\hbaapi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\icm32.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\input.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\IPHLPAPI.DLL => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\iscsidsc.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\iscsiwmi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\LocationApi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\mfmjpegdec.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\mfmp4srcsnk.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\mfsvr.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\mispace.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\MrmCoreR.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\mscms.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\msdtcprx.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\msftedit.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\msi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\msiexec.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\msobjs.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\msv1_0.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\MSVidCtl.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\netlogon.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\olepro32.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\pdh.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\PrintConfig.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\quartz.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\rdpcore.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\RestoreOptIn.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\samlib.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\shsetup.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\storagewmi.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\ucrtbase.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\UIAnimation.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\user32.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\UserAccountBroker.exe => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\WebClnt.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\webio.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\wfapigp.dll => ":$CmdTcID" ADS removed successfully.
"C:\Windows\SysWOW64\Windows.Devices.Geolocation.d l l" => ":$CmdTcID" ADS not found.
C:\Windows\SysWOW64\Windows.Globalization.dll => ":$Cmd TcID" ADS could not remove.
C:\Windows\SysWOW64\Windows.UI.Xaml.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\WindowsCodecs.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\winhttp.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\WinSCard.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\winspool.drv => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\wintrust.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\SysWOW64\xolehlp.dll => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\BasicRender.sys => ":$CmdTc ID" ADS could not remove.
C:\Windows\system32\Drivers\bowser.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\Classpnp.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\cmimcext.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\cng.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\csc.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\dfsc.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\dumpfve.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\FSPFltd2.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\fvevol.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\hidclass.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\hidparse.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\hidusb.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\mup.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\ndis.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\ndiswan.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\rdbss.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\refs.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\scfilter.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\spaceport.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\storvsp.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\tapSF0901.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\vhdmp.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\volmgr.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\WdBoot.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\WdFilter.sys => ":$CmdTcID" ADS removed successfully.
C:\Windows\system32\Drivers\WdNisDrv.sys => ":$CmdTcID" ADS removed successfully.
C:\Users\John\Desktop\Clive_Cussler_-_Dirk_Pit.azw3 => ":$CmdZnID" ADS removed successfully.
C:\Users\John\Desktop\Clive_Cussler_-_Dirk_Pitt_-_04_of_23_-_Raise_the_T.mobi => ":$CmdZnID" ADS removed successfully.
C:\Users\John\Desktop\Plantar+Fasciitis+-+Recovery+&+Prevention+Oct+2016+Edition.pdf => ":$CmdZn ID" ADS could not remove.
C:\Users\John\Desktop\Spark_Nicholas_-_The_Lucky_One.mobi => ":$CmdZnID" ADS removed successfully.
C:\Users\John\Desktop\The well being resource book for new managers.doc => ":$CmdZnID" ADS removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32\\ProductUpdater => value removed successfully
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ProductUpdater => value not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

========= ipconfig /flushDNS =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 16777216 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 7546555 B
Java, Flash, Steam htmlcache => 552 B
Windows/system/drivers => 979832 B
Edge => 0 B
Chrome => 1656848 B
Firefox => 0 B
Opera => 373227355 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 643897 B
systemprofile32 => 0 B
LocalService => 8262 B
NetworkService => 0 B
John => 90479595 B

RecycleBin => 1238519 B
EmptyTemp: => 469.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 01:13:04 ====
  #9  
Old 05-11-17, 05:18
J0HN J0HN is offline
Familiar face
 
Join Date: Apr 2013
Posts: 52
Default Re: Chrome: Yahoo redirection malware.

I have worked my way through your instructions, done everything except install Chrome. Just about to do that, wish me luck.
  #10  
Old 05-11-17, 08:11
J0HN J0HN is offline
Familiar face
 
Join Date: Apr 2013
Posts: 52
Default Re: Chrome: Yahoo redirection malware.

Looking good so far
© Dennis Publishing Limited Licensed by Felden