"Requested resource is in use" error when trying to run exes

#1 dyinginside (Member, 12 posts)

Just bought a new PC, made a mistake download. Lenovo h30 running win10. I cannot run any exes, coms, or anything without the error message "requested resource is in use". Cannot run rkill, in exe or com format. Cannot install Mbam or Mbar as they are exes. Cannot restart in safe mode - when I do shift+restart, it just restarts, no option to choose safe mode. Restarting in pseudo-safe mode using msconfig, it looks like safe mode, but again no exes or coms run. Cannot restore to an earlier point, all attempts to use the system reset options have failed, I also cannot boot from a win10 disc to repair/redo my install, nor can I run it while in windows. Any thoughts on how to restore my functionality/remove this rootkit? I don't even mind a fresh install, if it were possible.
EDIT: I was able to finally run FRST, related text files attached below

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-04-2017 01
Ran by Nik (administrator) on DESKTOP-448G5DT (24-04-2017 11:52:12)
Running from C:\Users\Nik\Downloads
Loaded Profiles: Nik (Available Profiles: Nik)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Realtek Semiconductor Corp.) C:\Program Files (x86)\Realtek\Realtek Bluetooth Filter ONLY\BTDevMgr.exe
() C:\Users\Nik\AppData\Local\ntuserlitelist\dataup\dataup.exe
() C:\ProgramData\service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
() C:\Windows\jmesoft\Service.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
() C:\Windows\System32\tprdpw32.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD12\PDVD12Serv.exe
(Lenovo) C:\Windows\jmesoft\hotkey.exe
() C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
() C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
(SweetLabs, Inc) C:\Users\Nik\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
(Microsoft Corporation) C:\Windows\System32\browser_broker.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\PluginHost\Lenovo.Modern.ImController.PluginHost.Device.exe
() C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe
() C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
() C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [UMonit] => C:\WINDOWS\SysWOW64\UMonit64.exe [53832 2015-07-15] ()
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16695816 2016-08-21] (Realtek Semiconductor)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [6626696 2016-07-12] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-07-16] (Microsoft Corporation)
HKLM\...\Run: [gplyra] => C:\Users\Nik\AppData\Roaming\gplyra\gplyra.exe <===== ATTENTION
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe [103720 2009-12-04] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-06] (CyberLink Corp.)
HKLM-x32\...\Run: [jmekey] => C:\Windows\jmesoft\hotkey.exe [118784 2013-07-24] (Lenovo)
HKLM-x32\...\Run: [jmesoft] => C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-08-16] ()
HKLM-x32\...\Run: [cpx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [UQ2RQ5A25XP9TE7] => "C:\Program Files\26BXPZPONX\FVHCXYVPN.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [UGPOITRZT4Q59IZ] => "C:\Program Files\CZ0HBTETUE\CZ0HBTETU.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [373444] => "C:\Users\Nik\AppData\Roaming\19993260\599073.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [XH7C9F9Q269T9EV] => "C:\Program Files (x86)\SpeeDownloader\520T4.exe" <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [YLUV2ZRN89GGET2] => "C:\Program Files\E7XWUR77TK\E7XWUR77T.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [emling] => rundll32.exe "C:\Users\Nik\AppData\Local\emling.dll",emling <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [907870] => "C:\Users\Nik\AppData\Roaming\89068969\784915.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [KE21LGF3B7S523T] => "C:\Program Files\8BHVV11SSU\8BHVV11SS.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [msiql] => C:\Users\Nik\AppData\Local\Temp\00032183\msiql.exe /RUNNING <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [YeaDesktop] => C:\Program Files (x86)\YeaDesktop\YeaDesktop.exe /autostart
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [Pritc] => C:\Users\Nik\AppData\Local\Temp\is-4NDF6.tmp\Setup.exe <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [V9RK5V3J38IR71O] => "C:\Program Files\2RPMVCQNW5\2RPMVCQNW.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [GDEAOP9S8AHUE0O] => "C:\Program Files\QPV8NRUO69\QPV8NRUO6.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [280502] => "C:\Users\Nik\AppData\Roaming\27377748\74164.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [VJWFLILUM3F5VHJ] => "C:\Program Files\O3WD7LGUGJ\O3WD7LGUG.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\MountPoints2: {ab6ef73b-9d61-11e6-af05-806e6f6e6963} - "E:\setup.exe" 
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\¿ìѹ\X64\KZipShell.dll -> No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
ProxyServer: [S-1-5-21-2724206413-2812493579-1046086373-1001] => 127.0.0.1:8003
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{d9c3edaf-f503-4944-842f-9faa10d71943}: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
Internet Explorer:
==================
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo15.msn.com/?pc=LCTE
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
SearchScopes: HKU\S-1-5-21-2724206413-2812493579-1046086373-1001 -> {A1F7D86E-5048-45A1-B7FD-0F3E9456F148} URL = 
SearchScopes: HKU\S-1-5-21-2724206413-2812493579-1046086373-1001 -> {FF39F5D5-81C5-43A2-9604-11414BC21B5A} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=H4Ozamobl20488BU,e8d0b2c1-e3f7-4cb5-b2b6-cf2c5d795994,
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-10-26] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
 
FireFox:
========
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-10-26] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-05-10] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jlcgehabolcakkjhgmgpkagpolbjlhfa] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [138752 2016-07-12] () [File not signed]
R2 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth Filter ONLY\BTDevMgr.exe [125144 2016-02-15] (Realtek Semiconductor Corp.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2912496 2016-03-06] (Microsoft Corporation)
R2 Dataup; C:\Users\Nik\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 GoogleChromeUpService; C:\ProgramData\service.exe [1620992 2017-04-24] () [File not signed] <==== ATTENTION
R2 ImControllerService; C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [58688 2017-03-03] (Lenovo Group Limited)
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-08-16] () [File not signed]
S3 LSC.Services.SystemService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSC.Services.SystemService.exe [273232 2016-04-20] (Lenovo)
S3 ShareItSvc; C:\Program Files (x86)\SHAREit\SHAREit\Shareit.Service.exe [31176 2016-01-14] (SHAREit Technologies Co.Ltd)
S4 srcsrv; C:\WINDOWS\src_srv\winsrcsrv.exe [16384 2017-04-04] () [File not signed]
R2 tbaseprovisioning; C:\WINDOWS\SysWOW64\tbaseprovisioning.exe [51208 2017-01-09] (Advanced Micro Devices, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S2 windowsmanagementservice; C:\Users\Nik\AppData\Local\iaukbk\ct.exe [947200 2017-03-29] (Google Inc.) [File not signed] <==== ATTENTION
S2 KuaizipUpdateChecker; C:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll [X]
S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [X] <==== ATTENTION
S4 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe /service [X] <==== ATTENTION
S2 UCBrowserSvc; "C:\Program Files (x86)\UCBrowser\Application\UCService.exe" [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 amdkmcsp; C:\WINDOWS\system32\DRIVERS\amdkmcsp.sys [100744 2017-01-09] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [78072 2016-07-25] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\WINDOWS\System32\DRIVERS\amdpsp.sys [255368 2017-01-09] (Advanced Micro Devices, Inc. )
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [110096 2016-04-26] (Advanced Micro Devices)
R0 drmkpro64; C:\WINDOWS\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION
R3 GeneStor; C:\WINDOWS\system32\DRIVERS\GeneStor.sys [115704 2015-07-15] (GenesysLogic)
R2 KuaiZipDrive; C:\WINDOWS\system32\drivers\KuaiZipDrive.sys [92832 2017-04-24] (WinMount International Inc)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R1 NetUtils2016; C:\WINDOWS\system32\drivers\NetUtils2016.sys [907160 2017-04-24] () <==== ATTENTION
S3 NETwNe64; C:\WINDOWS\System32\drivers\NETwew01.sys [3343872 2015-10-30] (Intel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [895256 2015-06-22] (Realtek                                            )
R3 RtkBtFilter; C:\WINDOWS\system32\DRIVERS\RtkBtfilter.sys [726832 2016-04-18] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\WINDOWS\system32\DRIVERS\rtwlane.sys [5491456 2016-05-25] (Realtek Semiconductor Corporation                           )
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 SMUpdd; \??\C:\Program Files\Common Files\Noobzo\GNUpdate\smw.sys [X]
S1 ucdrv; \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [X] <==== ATTENTION
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-24 12:35 - 2017-04-24 12:45 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2017-04-24 11:52 - 2017-04-24 11:56 - 00015179 _____ C:\Users\Nik\Downloads\FRST.txt
2017-04-24 11:51 - 2017-04-24 11:52 - 00000000 ____D C:\FRST
2017-04-24 11:49 - 2017-04-24 11:51 - 02426368 _____ (Farbar) C:\Users\Nik\Downloads\FRST64.exe
2017-04-24 11:40 - 2017-04-24 11:40 - 00624640 _____ C:\WINDOWS\system32\NetUtils2016.dll
2017-04-24 08:26 - 2017-04-24 08:26 - 00000000 ___HD C:\$Windows.~WS
2017-04-24 08:06 - 2017-04-24 08:06 - 00000000 ____D C:\ProgramData\dbg
2017-04-24 07:40 - 2017-04-24 11:39 - 00000000 ____D C:\WINDOWS\pss
2017-04-24 07:31 - 2017-04-24 07:31 - 00000000 ___HD C:\$SysReset
2017-04-24 07:24 - 2017-04-24 07:27 - 00376528 _____ (Microsoft Corporation) C:\Users\Nik\Downloads\c.exe
2017-04-24 07:22 - 2017-04-24 07:22 - 00000000 ____D C:\ProgramData\AMD
2017-04-24 06:40 - 2017-04-24 06:43 - 60107896 _____ (Malwarebytes ) C:\Users\Nik\Downloads\mb3-setup-consumer-3.0.6.1469-10103.exe
2017-04-24 06:31 - 2017-04-24 06:31 - 00000000 ____D C:\Users\Nik\Desktop\rkill
2017-04-24 06:21 - 2017-04-24 06:23 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Nik\Downloads\rkill.com
2017-04-24 06:13 - 2017-04-24 11:46 - 00006053 _____ C:\WINDOWS\system32\InstallUtil.InstallLog
2017-04-24 05:57 - 2017-04-24 06:33 - 00006008 _____ C:\Users\Nik\Desktop\Rkill.txt
2017-04-24 05:57 - 2017-04-24 05:57 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Nik\Downloads\eXplorer.exe
2017-04-24 05:55 - 2017-04-24 05:56 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Nik\Downloads\iexplore.exe.exe
2017-04-24 05:51 - 2017-04-24 05:56 - 16790752 _____ C:\Users\Nik\Downloads\gu5setup.exe
2017-04-24 05:11 - 2017-04-24 05:11 - 00003240 _____ C:\WINDOWS\System32\Tasks\{C6E12F23-A1F9-4AA5-885D-D4F50C71ACD8}
2017-04-24 05:03 - 2017-04-24 05:03 - 00000000 ____D C:\WINDOWS\tbaseregistry
2017-04-24 05:03 - 2015-10-30 03:18 - 00418816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\IEShims.dll
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Videos
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Pictures
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Music
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Documents and Settings
2017-04-24 04:38 - 2017-04-24 04:52 - 02365296 _____ (Microsoft Corporation) C:\WINDOWS\system32\WudfUpdate_01011.dll
2017-04-24 04:37 - 2017-04-24 04:45 - 00000000 ____D C:\WINDOWS\Minidump
2017-04-24 04:37 - 2017-04-24 04:37 - 776255504 _____ C:\WINDOWS\MEMORY.DMP
2017-04-24 04:37 - 2017-04-24 04:37 - 00000258 __RSH C:\Users\Nik\ntuser.pol
2017-04-24 04:35 - 2017-04-24 04:35 - 00000000 ____D C:\ProgramData\PrefsSecure
2017-04-24 04:34 - 2017-04-24 04:43 - 00000000 ____D C:\Users\Nik\AppData\Local\llssoft
2017-04-24 04:34 - 2017-04-24 04:34 - 00002730 _____ C:\WINDOWS\System32\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A
2017-04-24 04:34 - 2017-04-24 04:34 - 00000330 _____ C:\WINDOWS\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A.job
2017-04-24 04:34 - 2017-04-24 04:34 - 00000000 ____D C:\Users\Nik\AppData\Local\CEF
2017-04-24 04:33 - 2017-04-24 11:15 - 00000000 ____D C:\Users\Nik\AppData\Local\ntuserlitelist
2017-04-24 04:33 - 2017-04-24 06:05 - 00000320 _____ C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job
2017-04-24 04:33 - 2017-04-24 05:04 - 00002648 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore
2017-04-24 04:33 - 2017-04-24 04:37 - 00000484 _____ C:\WINDOWS\Tasks\UCBrowserUpdater.job
2017-04-24 04:33 - 2017-04-24 04:33 - 00003498 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
2017-04-24 04:32 - 2017-04-24 04:35 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
2017-04-24 04:32 - 2017-04-24 04:32 - 00000258 __RSH C:\ProgramData\ntuser.pol
2017-04-24 04:31 - 2017-04-24 04:31 - 00003780 _____ C:\WINDOWS\System32\Tasks\SoftUpgrade
2017-04-24 04:28 - 2017-04-24 04:28 - 00092832 _____ (WinMount International Inc) C:\WINDOWS\system32\Drivers\KuaiZipDrive.sys
2017-04-24 04:28 - 2017-04-24 04:28 - 00000000 ____D C:\Users\Public\Documents\Tools
2017-04-24 04:28 - 2017-04-24 04:28 - 00000000 ____D C:\Users\Nik\AppData\Local\iaukbk
2017-04-24 04:27 - 2017-04-24 11:36 - 00003652 _____ C:\WINDOWS\System32\Tasks\CreateExplorerShellUnelevatedTask
2017-04-24 04:27 - 2017-04-24 04:28 - 00000000 ____D C:\WINDOWS\system32\SSL
2017-04-24 04:27 - 2017-04-24 04:28 - 00000000 ____D C:\Users\Nik\AppData\Local\viojzx
2017-04-24 04:27 - 2017-04-24 04:27 - 00003050 _____ C:\WINDOWS\System32\Tasks\Pritc
2017-04-24 04:27 - 2017-04-24 04:27 - 00000000 ____D C:\Users\Public\Documents\Guid
2017-04-24 04:26 - 2017-04-24 04:27 - 00000000 ____D C:\ProgramData\26e6adfb-4851-0
2017-04-24 04:26 - 2017-04-24 04:26 - 01620992 _____ C:\ProgramData\service.exe
2017-04-24 04:26 - 2017-04-24 04:26 - 00907160 _____ C:\WINDOWS\system32\Drivers\NetUtils2016.sys
2017-04-24 04:26 - 2017-04-24 04:26 - 00000000 ____D C:\WINDOWS\system32\sstmp
2017-04-24 04:26 - 2017-04-24 04:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YeaDesktop
2017-04-24 04:26 - 2017-04-24 04:26 - 00000000 ____D C:\ProgramData\26e6adfb-3df3-1
2017-04-24 04:25 - 2017-04-24 04:25 - 00004414 _____ C:\WINDOWS\System32\Tasks\SMW_UpdateTask_Time_323032313631383839352d415b343437414545785a5a6c
2017-04-24 04:25 - 2017-04-24 04:25 - 00000000 ____D C:\ProgramData\SearchModule
2017-04-24 04:24 - 2017-04-24 04:24 - 00178176 _____ C:\ProgramData\smp2.exe
2017-04-24 04:24 - 2017-04-24 04:24 - 00004256 _____ C:\WINDOWS\System32\Tasks\SMW_P
2017-04-24 04:24 - 2017-04-24 04:24 - 00000000 ____H C:\WINDOWS\system32\BIT7B0.tmp
2017-04-24 04:22 - 2017-04-24 11:05 - 00000000 ____D C:\WINDOWS\src_srv
2017-04-24 04:22 - 2017-04-24 04:22 - 00000000 ____D C:\Users\Nik\AppData\Local\CrashRpt
2017-04-24 04:21 - 2017-04-24 04:21 - 00000000 ____D C:\Users\Nik\AppData\Roaming\CyberLink
2017-04-24 03:47 - 2017-04-24 03:41 - 00532136 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-04-24 01:41 - 2017-04-24 01:41 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2017-04-24 01:38 - 2017-04-24 04:40 - 00000000 ____D C:\Users\Nik\AppData\Local\ConnectedDevicesPlatform
2017-04-24 01:38 - 2017-04-24 01:38 - 00000020 ___SH C:\Users\Nik\ntuser.ini
2017-04-23 20:12 - 2017-04-24 08:27 - 00000000 ___DC C:\WINDOWS\Panther
2017-04-23 20:08 - 2017-04-23 20:08 - 00000000 ____D C:\Windows.old
2017-04-23 20:06 - 2017-04-23 20:06 - 00008192 _____ C:\WINDOWS\system32\config\userdiff
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files\Reference Assemblies
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files\MSBuild
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files (x86)\Reference Assemblies
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files (x86)\MSBuild
2017-04-23 20:01 - 2016-05-25 18:31 - 01166520 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 18:31 - 00124624 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 18:31 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\system32\TsWpfWrp.exe
2017-04-23 20:01 - 2016-05-25 15:03 - 00778936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 15:03 - 00103120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 15:03 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TsWpfWrp.exe
2017-04-23 16:39 - 2017-04-23 16:39 - 00000000 ____D C:\ProgramData\USOShared
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\My Documents
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2017-04-23 16:37 - 2017-04-24 11:45 - 00001908 _____ C:\WINDOWS\diagwrn.xml
2017-04-23 16:37 - 2017-04-24 11:45 - 00001908 _____ C:\WINDOWS\diagerr.xml
2017-04-23 16:35 - 2017-04-24 11:40 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-23 16:35 - 2017-04-23 16:35 - 00022744 _____ C:\WINDOWS\system32\emptyregdb.dat
2017-04-23 16:35 - 2017-04-23 16:35 - 00002772 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-04-23 16:35 - 2017-04-23 16:35 - 00002408 _____ C:\WINDOWS\System32\Tasks\App Explorer
2017-04-23 16:35 - 2017-04-23 16:35 - 00002212 _____ C:\WINDOWS\System32\Tasks\PDVDServ12 Task
2017-04-23 16:35 - 2017-04-23 16:35 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2017-04-23 16:35 - 2017-04-23 16:35 - 00000000 ____D C:\WINDOWS\System32\Tasks\Lenovo
2017-04-23 16:30 - 2017-04-23 16:30 - 00001576 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-04-23 16:30 - 2017-04-23 16:30 - 00000000 ____D C:\Users\Default\AppData\Local\Host App Service
2017-04-23 16:30 - 2017-04-23 16:30 - 00000000 ____D C:\Users\Default User\AppData\Local\Host App Service
2017-04-23 16:23 - 2017-04-23 16:31 - 00000000 ____D C:\WINDOWS\system32\config\bbimigrate
2017-04-23 16:21 - 2017-04-24 04:45 - 00000000 ____D C:\Users\Nik
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\My Documents
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\Documents\My Videos
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\Documents\My Pictures
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\Documents\My Music
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____H C:\ProgramData\DP45977C.lfl
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\WINDOWS\system32\DAX2
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Settings
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\Program Files\ATI Technologies
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\Program Files (x86)\AMD
2017-04-23 16:16 - 2017-04-24 11:39 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-04-23 16:16 - 2017-04-23 16:24 - 00000000 ____D C:\ProgramData\Package Cache
2017-04-23 16:16 - 2017-04-23 16:23 - 00000000 ____D C:\Program Files\AMD
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\WINDOWS\SysWOW64\RTCOM
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\Program Files\Realtek
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\AMD
2017-04-23 16:16 - 2016-07-16 07:41 - 02716672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2017-04-23 16:15 - 2017-04-23 16:15 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_Kernel_amdpsp_01011.Wdf
2017-04-23 16:15 - 2017-04-23 16:15 - 00000000 ____D C:\WINDOWS\SysWOW64\sda
2017-04-23 16:13 - 2017-04-24 09:22 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-04-23 16:13 - 2017-04-24 04:37 - 00337776 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-04-23 16:13 - 2017-04-23 16:13 - 00000000 ____D C:\WINDOWS\ServiceProfiles
2017-04-23 15:09 - 2017-04-23 15:09 - 00000000 ____D C:\Users\Nik\AppData\Local\Comms
2017-04-23 14:59 - 2017-04-23 14:59 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Google
2017-04-23 14:53 - 2017-04-24 10:53 - 00000000 ____D C:\Program Files (x86)\Google
2017-04-23 14:53 - 2017-04-24 10:51 - 00000000 ____D C:\Users\Nik\AppData\Local\Google
2017-04-23 14:51 - 2017-04-23 14:51 - 00003254 _____ C:\Users\Nik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo App Explorer.lnk
2017-04-23 14:47 - 2017-04-24 09:33 - 00000000 ____D C:\$WINDOWS.~BT
2017-04-23 14:36 - 2017-04-24 01:43 - 00002368 _____ C:\Users\Nik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-04-23 14:36 - 2017-04-24 01:43 - 00000000 ___RD C:\Users\Nik\OneDrive
2017-04-23 14:36 - 2017-04-23 14:47 - 00000036 _____ C:\WINDOWS\progress.ini
2017-04-23 14:36 - 2017-04-23 14:36 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Skype
2017-04-23 14:29 - 2017-04-23 14:53 - 01129376 _____ (Google Inc.) C:\Users\Nik\Downloads\ChromeSetup.exe
2017-04-23 14:28 - 2017-04-23 14:44 - 00000000 ____D C:\Users\Nik\AppData\Local\MicrosoftEdge
2017-04-23 14:27 - 2017-04-23 14:27 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Macromedia
2017-04-23 14:21 - 2017-04-24 11:44 - 00000000 ____D C:\Windows10Upgrade
2017-04-23 14:21 - 2017-04-23 14:36 - 00000000 ___HD C:\$GetCurrent
2017-04-23 14:21 - 2017-04-23 14:21 - 00000818 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10 Upgrade Assistant.lnk
2017-04-23 14:21 - 2017-04-23 14:21 - 00000806 _____ C:\Users\Nik\Desktop\Windows 10 Upgrade Assistant.lnk
2017-04-23 14:21 - 2017-04-23 14:21 - 00000000 ____D C:\Users\Nik\AppData\Local\Power2Go
2017-04-23 14:21 - 2017-04-23 14:21 - 00000000 ____D C:\Users\Nik\AppData\Local\AMD
2017-04-23 14:19 - 2017-04-23 14:19 - 00000000 ____D C:\Users\Public\Lenovo App Explorer
2017-04-23 14:18 - 2017-04-23 14:18 - 00000000 ____D C:\Users\Nik\AppData\Local\Publishers
2017-04-23 14:18 - 2017-04-23 14:18 - 00000000 ____D C:\Users\Nik\AppData\Local\ActiveSync
2017-04-23 14:16 - 2017-04-24 02:23 - 00000000 ____D C:\Users\Nik\AppData\Local\Packages
2017-04-23 14:16 - 2017-04-23 14:16 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Adobe
2017-04-23 14:16 - 2017-04-23 14:16 - 00000000 ____D C:\Users\Nik\AppData\Local\VirtualStore
2017-04-23 14:16 - 2017-04-23 14:16 - 00000000 ____D C:\Users\Nik\AppData\Local\Lenovo
2017-04-23 14:15 - 2017-04-24 11:41 - 00000000 ____D C:\Users\Nik\AppData\Local\Host App Service
2017-04-23 14:15 - 2017-04-23 14:15 - 00000000 ____D C:\Users\Nik\AppData\Local\TileDataLayer
2017-04-23 14:11 - 2017-04-23 14:11 - 00000000 ___SD C:\WINDOWS\UpdateAssistantV2
2017-03-29 19:04 - 2017-03-29 19:04 - 00833024 ____N C:\WINDOWS\system32\tprdpw32.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-24 11:44 - 2015-11-03 15:28 - 01042104 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-04-24 11:39 - 2016-07-16 02:04 - 00262144 _____ C:\WINDOWS\system32\config\BBI
2017-04-24 10:37 - 2016-07-16 07:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-04-24 06:13 - 2016-10-26 15:49 - 00000000 ____D C:\ProgramData\Lenovo
2017-04-24 04:53 - 2016-07-16 07:45 - 00000000 ____D C:\WINDOWS\INF
2017-04-24 04:31 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\GroupPolicy
2017-04-24 04:21 - 2016-10-26 16:09 - 00000000 ____D C:\Users\Public\CyberLink
2017-04-24 02:49 - 2016-07-16 07:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-24 02:24 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-04-24 01:39 - 2015-11-03 15:24 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-04-23 20:12 - 2016-07-16 07:49 - 00000000 ____D C:\WINDOWS\Setup
2017-04-23 20:12 - 2016-07-16 07:47 - 00028672 _____ C:\WINDOWS\system32\config\BCD-Template
2017-04-23 16:42 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\rescache
2017-04-23 16:39 - 2016-07-16 07:47 - 00000000 ____D C:\ProgramData\USOPrivate
2017-04-23 16:38 - 2016-07-16 02:04 - 00032768 _____ C:\WINDOWS\system32\config\ELAM
2017-04-23 16:37 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\Registration
2017-04-23 16:36 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\WinBioDatabase
2017-04-23 16:36 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\Tasks_Migrated
2017-04-23 16:34 - 2016-07-16 07:47 - 00000000 __RHD C:\Users\Public\Libraries
2017-04-23 16:31 - 2016-10-28 19:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Radeon Settings
2017-04-23 16:31 - 2016-10-26 16:07 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-04-23 16:31 - 2016-10-26 15:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2017-04-23 16:31 - 2016-10-26 15:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-04-23 16:31 - 2016-07-16 07:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-04-23 16:30 - 2015-10-30 02:28 - 00000000 ____D C:\Users\Default.migrated
2017-04-23 16:24 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\spool
2017-04-23 16:24 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\oobe
2017-04-23 16:23 - 2016-10-26 16:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SHAREit
2017-04-23 16:23 - 2016-07-16 07:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-04-23 16:20 - 2016-07-16 02:04 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2017-04-23 16:17 - 2016-07-16 07:47 - 00000000 ___RD C:\WINDOWS\PrintDialog
2017-04-23 16:17 - 2016-07-16 07:47 - 00000000 ___RD C:\WINDOWS\MiracastView
2017-04-23 16:17 - 2016-07-16 07:47 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2017-04-23 14:38 - 2016-10-26 15:49 - 00000000 ____D C:\ProgramData\McAfee
2017-04-23 14:26 - 2016-10-26 15:49 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-04-23 14:22 - 2016-10-26 15:52 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
 
==================== Files in the root of some directories =======
 
2017-04-23 16:17 - 2017-04-23 16:17 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2017-04-24 04:26 - 2017-04-24 04:26 - 1620992 _____ () C:\ProgramData\service.exe
2017-04-24 04:24 - 2017-04-24 04:24 - 0178176 _____ () C:\ProgramData\smp2.exe
 
Files to move or delete:
====================
C:\ProgramData\service.exe
C:\ProgramData\smp2.exe
 
 
Some files in TEMP:
====================
2017-04-24 06:16 - 2017-04-24 06:16 - 0340904 _____ (360.cn) C:\Users\Nik\AppData\Local\Temp\Inst13__3112295__3f7372633d6c6d266c733d6e37616163383063353938__68616f2e3336302e636e__0c9f.exe
2017-04-24 07:27 - 2017-04-24 08:26 - 18309328 _____ (Microsoft Corporation) C:\Users\Nik\AppData\Local\Temp\MediaCreationTool.exe
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-04-23 16:13
 
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-04-2017 01
Ran by Nik (24-04-2017 12:03:54)
Running from C:\Users\Nik\Downloads
Windows 10 Home Version 1607 (X64) (2017-04-23 20:38:51)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2724206413-2812493579-1046086373-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2724206413-2812493579-1046086373-503 - Limited - Disabled)
Guest (S-1-5-21-2724206413-2812493579-1046086373-501 - Limited - Disabled)
Nik (S-1-5-21-2724206413-2812493579-1046086373-1001 - Administrator - Enabled) => C:\Users\Nik
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Reader X (10.1.7) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
AMD Install Manager (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.6 - Advanced Micro Devices, Inc.)
AMD Settings (HKLM\...\WUCCCApp) (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.)
Catalyst Control Center Next Localization BR (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
Driver and Application Installation (HKLM-x32\...\{6EC299C6-074C-4529-8D5F-2798584BB27B}) (Version: 2.12.0219 - Lenovo)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.5.0.6.1001 - Genesys Logic)
Lenovo App Explorer (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Host App Service) (Version: 0.272.1.559 - SweetLabs for Lenovo)
Lenovo Blacksilk USB Keyboard Driver (HKLM-x32\...\{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.6.13.0724 - Lenovo)
Lenovo Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.8231 - CyberLink Corp.)
Lenovo Power2Go (x32 Version: 6.0.8231 - CyberLink Corp.) Hidden
Lenovo PowerDVD12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.5320.55 - CyberLink Corp.)
Lenovo PowerDVD12 (x32 Version: 12.0.5320.55 - CyberLink Corp.) Hidden
Lenovo QuickOptimizer (HKLM\...\{8D2C871B-1B9F-45AC-9C43-2BB18089CDFA}) (Version: 1.0.022.00 - Lenovo)
Lenovo Solution Center (HKLM\...\{AB46AC6D-3E9A-4484-8061-64FF10301B41}) (Version: 3.3.002.00 - Lenovo)
Lenovo System Interface Foundation (HKLM\...\{C2E5CA37-C862-4A69-AC6D-24F450A20C16}) (Version: 1.0.071.04 - Lenovo)
Manual (HKLM-x32\...\{693F92E5-37D1-46B7-A0D6-19A74A2FD0EC}) (Version: 1.00.0701 - Lenovo)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.6001.1070 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6001.1070 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.6001.1070 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6001.1070 - Microsoft Corporation) Hidden
OlxX (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\OlxX) (Version:  - )
REALTEK Bluetooth Filter Driver (HKLM-x32\...\{9D3D8C60-A5EF-4123-B2B9-172095903AD}) (Version: 1.3.887.041216 - REALTEK Semiconductor Corp.)
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 10.1.505.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7910 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{9DAABC60-A5EF-41FF-B2B9-17329590CD5}) (Version: 1.00.0286 - REALTEK Semiconductor Corp.)
Search module (HKLM-x32\...\Search module) (Version:  - Goobzo) <==== ATTENTION
SHAREit (HKLM-x32\...\SHAREit_is1) (Version: 3.2.0.526 - Lenovo)
Vertech (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Vertech) (Version: 1.0.0.0 - Vertech)
Vulkan Run Time Libraries 1.0.17.0 (HKLM\...\VulkanRT1.0.17.0) (Version: 1.0.17.0 - LunarG, Inc.)
Windows 10 Upgrade Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.17376 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {00C27919-E473-483E-939D-062322ABF68B} - System32\Tasks\Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask => reg.exe add hklm\SOFTWARE\Lenovo\SystemUpdatePlugin\scheduler  /v start /t reg_dword /d 1 /f /reg:32
Task: {035EAE1E-C13B-4B25-953C-AFE1F5EF4FFF} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\00c01899-6170-4bd5-853a-31f65c3f1c62 => powershell.exe -nologo -noninteractive "& {New-Item -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\00c01899-6170-4bd5-853a-31f65c3f1c62 -type directory -force;$conter=Get-Date;$conter=$conter.ToUniversalTime();Set-ItemProperty -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\0 (the data entry has 73 more characters).
Task: {26D47CC1-49DD-4832-8BFC-3595131E42C3} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files (x86)\UCBrowser\Application\update_task.exe  <==== ATTENTION
Task: {3050FE2D-FB81-4E46-9FCC-1CEBA611970F} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2016-04-20] (Lenovo)
Task: {34FE83CD-9280-4BE0-B47F-F3F0B1507BA8} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe  <==== ATTENTION
Task: {3D6A5165-95AC-41B4-8B32-7EB078AC34C4} - System32\Tasks\Lenovo\SHPrompt => C:\Program Files (x86)\SHAREit\SHAREit\ShareitPrompt.exe 
Task: {51DAEACF-7130-4A67-BB84-0A508BBE85C3} - System32\Tasks\Pritc => C:\Users\Nik\AppData\Local\Temp\is-4NDF6.tmp\Setup.exe  <==== ATTENTION
Task: {525FFE62-21B2-4C05-A9B8-E59511555B76} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-03-06] (Microsoft Corporation)
Task: {6672C382-A87A-4D19-AC81-C9F152E1EB62} - System32\Tasks\Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance => Sc.exe START ImControllerService
Task: {69D7FEAC-ACFB-489B-9C59-4F480A7F57D9} - System32\Tasks\App Explorer => C:\Users\Nik\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2016-11-07] (SweetLabs, Inc)
Task: {79641DEB-7A49-469D-9033-C7168DD4FE37} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\b5f42443-a14f-49d2-aceb-01fb4486012b => powershell.exe -nologo -noninteractive "& {New-Item -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\b5f42443-a14f-49d2-aceb-01fb4486012b -type directory -force;$conter=Get-Date;$conter=$conter.ToUniversalTime();Set-ItemProperty -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\b (the data entry has 73 more characters).
Task: {8890577C-B7C8-4952-950D-79FA37E6B881} - System32\Tasks\Lenovo\SHUpdate => C:\Program Files (x86)\SHAREit\SHAREit\ShareitUpdater.exe 
Task: {A2AB329B-9B90-4BE0-BE3F-A56443770EDA} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\WINDOWS\Explorer.EXE /NOUACCHECK
Task: {A66A57A7-34D0-4612-8115-3131FEF48881} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2017-04-24] () <==== ATTENTION
Task: {A6732453-23DF-4A36-A1AA-E0F1E6D63A38} - System32\Tasks\{C6E12F23-A1F9-4AA5-885D-D4F50C71ACD8} => pcalua.exe -a C:\Users\Nik\AppData\Local\uninstallro.exe
Task: {ADC13543-2B0B-4EA2-9F78-33476B30C8CD} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-03-06] (Microsoft Corporation)
Task: {C010731F-E2B4-474A-9855-55E7ED41019C} - System32\Tasks\SMW_UpdateTask_Time_323032313631383839352d415b343437414545785a5a6c => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {DA679D01-E201-47AA-B77B-46039C72FBCD} - System32\Tasks\PDVDServ12 Task => C:\Program Files (x86)\Lenovo\PowerDVD12\PDVD12Serv.exe [2015-05-20] (CyberLink Corp.)
Task: {EFDB7F3F-2432-4746-B7D9-EF5E84CFBBE3} - System32\Tasks\Lenovo\LSC\Lenovo Solution Center Notifications => C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe [2016-04-20] (Lenovo)
Task: {F171CEC6-A7EB-4EAC-AE6D-2729A4096CB5} - System32\Tasks\Lenovo\LSC\LSCHardwareScan => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2016-04-20] (Lenovo)
Task: {F9982D69-2FA3-4830-8110-04A53171CE91} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe  <==== ATTENTION
Task: {FBFBCFF6-7F3D-4033-90A3-2E9945749807} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSC.Services.UpdateStatusService.exe [2016-04-20] ()
Task: {FC86D5BA-0796-4C2D-B153-F7578D5E96D1} - System32\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A => Rundll32.exe "C:\Program Files (x86)\YoutubeAdBlockU\Jn4pRuG.dll",#1
Task: {FEBFD077-4C30-457A-A569-49981E118C90} - System32\Tasks\SoftUpgrade => C:\Program Files (x86)\SoftUpgrade\softup.exe  <==== ATTENTION
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A.job => 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-04-24 11:40 - 2017-04-24 11:40 - 00624640 _____ () C:\Windows\System32\NetUtils2016.dll
2016-07-16 07:42 - 2016-07-16 07:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-07-16 07:42 - 2016-07-16 07:42 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-10-26 15:52 - 2016-03-06 14:34 - 00171712 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll
2017-01-05 17:36 - 2017-01-05 17:36 - 00077824 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\dataup\dataup.exe
2017-04-24 04:26 - 2017-04-24 04:26 - 01620992 _____ () C:\ProgramData\service.exe
2016-10-28 19:11 - 2011-08-16 23:46 - 00032768 _____ () C:\Windows\jmesoft\Service.exe
2016-07-16 07:42 - 2016-07-16 07:42 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-10-26 15:54 - 2016-10-26 15:54 - 08911040 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2017-03-29 19:04 - 2017-03-29 19:04 - 00833024 ____N () C:\windows\system32\tprdpw32.exe
2016-07-16 07:42 - 2016-07-16 07:42 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-07-16 07:43 - 2016-07-16 07:43 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 09761280 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 01400320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 01033728 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 02438144 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2015-06-25 17:34 - 2015-06-25 17:34 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick.2\qtquick2plugin.dll
2015-06-25 17:37 - 2015-06-25 17:37 - 00739840 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Controls\qtquickcontrolsplugin.dll
2015-06-25 17:35 - 2015-06-25 17:35 - 00014336 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Window.2\windowplugin.dll
2015-06-25 17:38 - 2015-06-25 17:38 - 00071168 _____ () C:\Program Files\AMD\CNext\CNext\QtQuick\Layouts\qquicklayoutsplugin.dll
2015-06-25 16:53 - 2015-06-25 16:53 - 00011776 _____ () C:\Program Files\AMD\CNext\CNext\libEGL.dll
2015-06-25 16:51 - 2015-06-25 16:51 - 02013696 _____ () C:\Program Files\AMD\CNext\CNext\libGLESv2.dll
2017-01-13 20:09 - 2017-01-13 20:09 - 00896512 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe
2017-01-20 20:18 - 2017-01-20 20:18 - 01087488 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\vmxclient.exe
2016-07-12 21:32 - 2016-07-12 21:32 - 00138752 _____ () C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe
2016-07-16 07:43 - 2016-07-16 07:43 - 00375648 _____ () C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe
2016-09-21 23:32 - 2016-09-21 23:32 - 00224768 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\dataup\help_dll.dll
2017-01-14 19:40 - 2017-01-14 19:40 - 53460992 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\libcef.dll
2016-05-31 11:43 - 2016-05-31 11:43 - 01976832 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\libglesv2.dll
2016-05-31 11:44 - 2016-05-31 11:44 - 00075264 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\libegl.dll
2016-07-16 07:42 - 2016-07-16 07:42 - 02681200 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-06-15 17:15 - 2016-06-15 17:15 - 17599640 _____ () C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\pepflashplayer.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [25444]
AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [1498914]
AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1223458]
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-30 03:24 - 2017-04-24 04:23 - 00001123 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
127.0.0.1 distribution.hmdiadmingate.xyz
127.0.0.1 hmdicrewtracksystem.xyz
127.0.0.1 linkmate.space
127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 doctorlink.space
127.0.0.1 beautifllink.xyz
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Lenovo\LenovoWallPaper.jpg
DNS Servers: 75.75.76.76 - 75.75.75.75
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: Dataup => 
MSCONFIG\Services: SMUpd => 2
MSCONFIG\Services: srcsrv => 2
HKLM\...\StartupApproved\Run: => "UMonit"
HKLM\...\StartupApproved\Run32: => "CLMLServer"
HKLM\...\StartupApproved\Run32: => "UpdateP2GoShortCut"
HKLM\...\StartupApproved\Run32: => "AnonymizerGadget"
HKLM\...\StartupApproved\Run32: => "MyMemory"
HKLM\...\StartupApproved\Run32: => "jmesoft"
HKLM\...\StartupApproved\Run32: => "SpeeDownloader"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "emling"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "InterStat"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "280502"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "907870"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "373444"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "VJWFLILUM3F5VHJ"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "GDEAOP9S8AHUE0O"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "V9RK5V3J38IR71O"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "KE21LGF3B7S523T"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "YLUV2ZRN89GGET2"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "XH7C9F9Q269T9EV"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "UGPOITRZT4Q59IZ"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "UQ2RQ5A25XP9TE7"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "msiql"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "Pritc"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "TESTUK"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "YeaDesktop"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{C5F53E46-6638-498A-A13F-426BEA4DBC41}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{909849B2-E8F5-4BDE-881B-6E65C82617E4}] => (Allow) C:\Program Files (x86)\SHAREit\SHAREit\SHAREit.exe
FirewallRules: [{0968CAA4-B887-4E13-9C39-EFA792F1AB26}] => (Allow) C:\Program Files (x86)\SHAREit\SHAREit\SHAREit.exe
FirewallRules: [{7AE72771-138C-4DB9-B00C-A64B9D3B2E27}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{E0107E09-0A48-48BD-BA8A-F7813DA66D19}] => (Allow) C:\WINDOWS\system32\rundll32.exe
FirewallRules: [{2E189D71-7679-496C-ABE8-ED197566DD6B}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{4B70AFCF-F6E5-4144-971A-B901939CE9AE}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe
FirewallRules: [{AB180DB8-07B7-47B1-BAEA-3C4B7D3A400A}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{3AA39057-6B9D-46B1-B472-EFAC69F41594}] => (Allow) C:\WINDOWS\system32\rundll32.exe
FirewallRules: [{24B7ADEC-41B7-46EF-B451-A062C5023768}] => (Allow) C:\Program Files (x86)\Maoha\MaohaAP\MaohaWifiSvr.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/24/2017 11:56:01 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: taskhostw.exe, version: 10.0.14393.0, time stamp: 0x57899a8f
Faulting module name: ntdll.dll, version: 10.0.14393.0, time stamp: 0x578997b2
Exception code: 0xc0000374
Fault offset: 0x00000000000f73e3
Faulting process id: 0x1c34
Faulting application start time: 0x01d2bd133c0c0bb8
Faulting application path: C:\WINDOWS\system32\taskhostw.exe
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 4a6ddf4d-ae9d-4479-afb6-b8c442e9399b
Faulting package full name: 
Faulting package-relative application ID:
 
Error: (04/24/2017 11:54:19 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program MicrosoftEdge.exe version 11.0.14393.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
 
Process ID: d7c
 
Start Time: 01d2bd114fb51b55
 
Termination Time: 4294967295
 
Application Path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
 
Report Id: 41e07447-2906-11e7-af21-784561ff7ac0
 
Faulting package full name: Microsoft.MicrosoftEdge_38.14393.0.0_neutral__8wekyb3d8bbwe
 
Faulting package-relative application ID: MicrosoftEdge
 
Error: (04/24/2017 11:41:00 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EFD
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (04/24/2017 11:41:00 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80072EFD
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (04/24/2017 11:37:10 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (04/24/2017 11:36:09 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (04/24/2017 11:26:15 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x80004005
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (04/24/2017 11:25:05 AM) (Source: ATIeRecord) (EventID: 16387) (User: )
Description: ATI EEU Service event error
 
Error: (04/24/2017 10:55:21 AM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (04/24/2017 10:44:52 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x803F7001
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
 
System errors:
=============
Error: (04/24/2017 11:42:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error: 
The service did not respond to the start or control request in a timely fashion.
 
Error: (04/24/2017 11:42:37 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Management Service service to connect.
 
Error: (04/24/2017 11:41:59 AM) (Source: DCOM) (EventID: 10001) (User: DESKTOP-448G5DT)
Description: Unable to start a DCOM Server: {B9B05098-3E30-483F-87F7-027CA78DA287} as Unavailable/Unavailable. The error:
"170"
Happened while starting this command:
C:\WINDOWS\system32\ApplicationFrameHost.exe -Embedding
 
Error: (04/24/2017 11:40:52 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/24/2017 11:40:47 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/24/2017 11:40:47 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/24/2017 11:40:45 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/24/2017 11:40:28 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The KuaizipUpdateChecker service terminated with the following error: 
The specified module could not be found.
 
Error: (04/24/2017 11:40:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The UCBrowserSvc service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (04/24/2017 11:40:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The pgt_svc service failed to start due to the following error: 
The system cannot find the file specified.
 
 
==================== Memory info =========================== 
 
Processor: AMD E1-7010 APU with AMD Radeon R2 Graphics 
Percentage of memory in use: 82%
Total physical RAM: 3503.44 MB
Available physical RAM: 605.06 MB
Total Virtual: 4847.44 MB
Available Virtual: 1288.81 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:433.92 GB) (Free:389.5 GB) NTFS
Drive e: (w_10_pro_x64) (CDROM) (Total:3.15 GB) (Free:0 GB) UDF
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 7AA7ED9D)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

Attached Files


Edited by RKinner, 24 April 2017 - 02:06 PM.

  • 0


#2
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
This is an ugly one and he's invited his friends.

I'm not sure how it could have an effect on booting from the Win 10 disk. Did you go into the BIOS and change the boot order so it would look at the CD/DVD first?

That would certainly be the easiest fix.

Let's see how much of it we can remove with a fixlist.

Download the attached fixlist.txt to the same location as FRST

Run FRST and press Fix
A fix log will be generated, please post that (it will reboot.)

We are probably going to have to go into the registry and take ownership and change the permissions in order to kill it.

After it reboots, see if you can download:

Zemana from the second Download Now button on https://www.bleeping...nwanted-program

and then right click on it and Run As Admin. See if it will run.

Run FRST again as before. Make sure Addition.txt is checked and hit Scan. Post both logs.

Get Process Explorer

Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures

Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save. Note the file name. Open the file on your desktop and copy and paste the text to a reply.

  • 0
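As an added illustration (not from RKinner, FRST or this thread), here is a small Python triage of FRST-style log lines that mechanises what the helper does by eye: flag entries FRST marks ATTENTION, autoruns and services launched from folders a standard user can write to, unsigned or missing drivers and services, and a browser proxy pointed at the local machine. The sample lines are constructed in FRST's format, modelled on the log posted later in this thread; the rule names and the `Finding` type are this example's own.

```python
"""Triage FRST-style log lines (added example; not part of FRST or of the thread)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines in the FRST.txt format (Run keys, proxy settings,
# services, drivers). Modelled on the log posted in this thread, not a real file.
SAMPLE_LOG = r"""
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16695816 2016-08-21] (Realtek Semiconductor)
HKLM-x32\...\Run: [cpx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S2 windowsmanagementservice; "C:\Users\Nik\AppData\Local\iaukbk\ct.exe" /svc [X] <==== ATTENTION
R0 drmkpro64; C:\WINDOWS\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION
R1 NetUtils2016; C:\WINDOWS\system32\drivers\NetUtils2016.sys [907160 2017-04-24] () <==== ATTENTION
R3 GeneStor; C:\WINDOWS\system32\DRIVERS\GeneStor.sys [115704 2015-07-15] (GenesysLogic)
"""

# FRST line shapes: "HKLM\...\Run: [name] => path" and "R2 Name; path [size date] (Publisher)"
RUN_LINE = re.compile(r'^HK[^ ]*\\Run\w*: ', re.IGNORECASE)
SVC_LINE = re.compile(r'^[RS]\d ')
# First Windows path ending in an executable extension (quotes around the path are optional)
WIN_PATH = re.compile(r'([A-Za-z]:\\[^"\[<]*?\.(?:exe|sys|dll|com))', re.IGNORECASE)
# Folders a standard user can write to; a service or autorun living there deserves a look
USER_WRITABLE = re.compile(r'\\(?:AppData\\(?:Local|Roaming)|ProgramData|Temp|Users\\Public)\\',
                           re.IGNORECASE)
# "(Publisher)" that follows the "[size date]" block; FRST prints "()" when it found none
PUBLISHER = re.compile(r'\]\s*\(([^)]*)\)')
# A proxy that sends all browser traffic through a program on the same machine
LOOPBACK_PROXY = re.compile(r'=>\s*(?:127\.0\.0\.1|localhost):\d+')


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage_line(line: str) -> list[str]:
    """Return the rule names that fire for one FRST line (empty list = nothing to report)."""
    reasons: list[str] = []
    is_autorun = bool(RUN_LINE.match(line))
    is_service = bool(SVC_LINE.match(line))     # covers both service and driver sections
    if 'ATTENTION' in line:                     # FRST's own marker
        reasons.append('frst-attention')
    if line.startswith('ProxyServer:') and LOOPBACK_PROXY.search(line):
        reasons.append('loopback-proxy')
    if is_autorun or is_service:
        path = WIN_PATH.search(line)
        if path and USER_WRITABLE.search(path.group(1)):
            reasons.append('user-writable-path')
        if is_service:
            pub = PUBLISHER.search(line)
            if '[File not signed]' in line or (pub is not None and not pub.group(1).strip()):
                reasons.append('unsigned')      # legitimate unsigned drivers exist; review, don't delete
        if '[X]' in line:                       # FRST: the referenced file is missing
            reasons.append('file-missing')
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Run every non-blank line through the rules and keep those that fired."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count how often each rule fired across all findings."""
    return Counter(reason for f in findings for reason in f.reasons)


if __name__ == '__main__':
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(', '.join(f.reasons).ljust(48), f.line[:90])
    print(dict(summarize(hits)))
```

Note that the svcvmx Run entry carries no ATTENTION marker yet is still flagged for its AppData path, which is why the helper reads paths and not only markers.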

#3
dyinginside
    Member
  • Topic Starter
  • Member
  • 12 posts
At work right now so I cannot yet post the logs, but I just wanted to update and say I had already changed the boot order in BIOS and it still did not boot from the disc. I ran the fix file in FRST but I still could not run exes after the reboot (which includes Zemana). I'll be adding the log files in about 3-4 hours once I get off work
  • 0

#4
dyinginside
    Member
  • Topic Starter
  • Member
  • 12 posts

Here are the FRST and fixlogs
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 23-04-2017 01
Ran by Nik (administrator) on DESKTOP-448G5DT (25-04-2017 06:38:53)
Running from C:\Users\Nik\Downloads
Loaded Profiles: Nik (Available Profiles: Nik)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Advanced Micro Devices, Inc.) C:\Windows\SysWOW64\tbaseprovisioning.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Realtek Semiconductor Corp.) C:\Program Files (x86)\Realtek\Realtek Bluetooth Filter ONLY\BTDevMgr.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
() C:\Windows\jmesoft\Service.exe
(Lenovo Group Limited) C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
() C:\Windows\System32\tprdpw32.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Lenovo) C:\Windows\jmesoft\hotkey.exe
(CyberLink Corp.) C:\Program Files (x86)\Lenovo\PowerDVD12\PDVD12Serv.exe
(SweetLabs, Inc) C:\Users\Nik\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe
(Lenovo) C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe
(Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
(Microsoft Corporation) C:\Windows\System32\DeviceCensus.exe
(Microsoft Corporation) C:\Users\Nik\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Windows\System32\CompatTelRunner.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [UMonit] => C:\WINDOWS\SysWOW64\UMonit64.exe [53832 2015-07-15] ()
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [16695816 2016-08-21] (Realtek Semiconductor)
HKLM\...\Run: [StartCN] => C:\Program Files\AMD\CNext\CNext\RadeonSettings.exe [6626696 2016-07-12] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-07-16] (Microsoft Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-10] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [CLMLServer] => C:\Program Files (x86)\Lenovo\Power2Go\CLMLSvc.exe [103720 2009-12-04] (CyberLink)
HKLM-x32\...\Run: [UpdateP2GoShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-06] (CyberLink Corp.)
HKLM-x32\...\Run: [jmekey] => C:\Windows\jmesoft\hotkey.exe [118784 2013-07-24] (Lenovo)
HKLM-x32\...\Run: [cpx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
Tcpip\..\Interfaces\{d9c3edaf-f503-4944-842f-9faa10d71943}: [DhcpNameServer] 75.75.76.76 75.75.75.75
 
Internet Explorer:
==================
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo15.msn.com/?pc=LCTE
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = hxxp://www.lenovo.com
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-10-26] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-10-26] (Microsoft Corporation)
 
FireFox:
========
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-10-26] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2013-05-10] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jlcgehabolcakkjhgmgpkagpolbjlhfa] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [138752 2016-07-12] () [File not signed]
R2 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth Filter ONLY\BTDevMgr.exe [125144 2016-02-15] (Realtek Semiconductor Corp.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2912496 2016-03-06] (Microsoft Corporation)
R2 ImControllerService; C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [58688 2017-03-03] (Lenovo Group Limited)
R2 JME Keyboard; C:\Windows\jmesoft\Service.exe [32768 2011-08-16] () [File not signed]
S3 LSC.Services.SystemService; C:\Program Files\Lenovo\Lenovo Solution Center\App\LSC.Services.SystemService.exe [273232 2016-04-20] (Lenovo)
S3 ShareItSvc; C:\Program Files (x86)\SHAREit\SHAREit\Shareit.Service.exe [31176 2016-01-14] (SHAREit Technologies Co.Ltd)
R2 tbaseprovisioning; C:\WINDOWS\SysWOW64\tbaseprovisioning.exe [51208 2017-01-09] (Advanced Micro Devices, Inc.)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
S2 Dataup; C:\Users\Nik\AppData\Local\NTUSER~1\dataup\dataup.exe [X] <==== ATTENTION
S2 windowsmanagementservice; "C:\Users\Nik\AppData\Local\iaukbk\ct.exe" /svc [X] <==== ATTENTION
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 amdkmcsp; C:\WINDOWS\system32\DRIVERS\amdkmcsp.sys [100744 2017-01-09] (Advanced Micro Devices, Inc. )
R0 amdkmpfd; C:\WINDOWS\System32\drivers\amdkmpfd.sys [78072 2016-07-25] (Advanced Micro Devices, Inc.)
R0 amdpsp; C:\WINDOWS\System32\DRIVERS\amdpsp.sys [255368 2017-01-09] (Advanced Micro Devices, Inc. )
R3 AtiHDAudioService; C:\WINDOWS\system32\drivers\AtihdWT6.sys [110096 2016-04-26] (Advanced Micro Devices)
R0 drmkpro64; C:\WINDOWS\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION
R3 GeneStor; C:\WINDOWS\system32\DRIVERS\GeneStor.sys [115704 2015-07-15] (GenesysLogic)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R1 NetUtils2016; C:\WINDOWS\system32\drivers\NetUtils2016.sys [907160 2017-04-24] () <==== ATTENTION
S3 NETwNe64; C:\WINDOWS\System32\drivers\NETwew01.sys [3343872 2015-10-30] (Intel Corporation)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [895256 2015-06-22] (Realtek                                            )
R3 RtkBtFilter; C:\WINDOWS\system32\DRIVERS\RtkBtfilter.sys [726832 2016-04-18] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\WINDOWS\system32\DRIVERS\rtwlane.sys [5491456 2016-05-25] (Realtek Semiconductor Corporation                           )
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-25 06:30 - 2017-04-25 06:30 - 00386700 _____ C:\WINDOWS\Minidump\042517-19671-01.dmp
2017-04-24 19:26 - 2017-04-24 19:26 - 00000008 __RSH C:\Users\Nik\ntuser.pol
2017-04-24 19:26 - 2017-04-24 19:26 - 00000000 ____D C:\WINDOWS\system32\sstmp
2017-04-24 19:17 - 2017-04-24 19:17 - 00000008 __RSH C:\ProgramData\ntuser.pol
2017-04-24 19:11 - 2017-04-24 19:11 - 00000000 ____D C:\Users\Nik\AppData\Local\llssoft
2017-04-24 19:08 - 2017-04-24 19:26 - 00029588 _____ C:\Users\Nik\Downloads\Fixlog.txt
2017-04-24 19:08 - 2017-04-24 19:05 - 02710688 _____ (Sysinternals - www.sysinternals.com) C:\Users\Nik\Downloads\procexp.exe
2017-04-24 19:07 - 2017-04-24 09:10 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Nik\Downloads\mbar-1.09.3.1001.exe
2017-04-24 12:35 - 2017-04-24 12:45 - 00000000 ____D C:\WINDOWS\Microsoft Antimalware
2017-04-24 12:03 - 2017-04-24 12:07 - 00033626 _____ C:\Users\Nik\Downloads\Addition.txt
2017-04-24 11:52 - 2017-04-25 06:40 - 00010236 _____ C:\Users\Nik\Downloads\FRST.txt
2017-04-24 11:51 - 2017-04-25 06:38 - 00000000 ____D C:\FRST
2017-04-24 11:49 - 2017-04-24 11:51 - 02426368 _____ (Farbar) C:\Users\Nik\Downloads\FRST64.exe
2017-04-24 11:40 - 2017-04-25 06:37 - 00624640 _____ C:\WINDOWS\system32\NetUtils2016.dll
2017-04-24 08:26 - 2017-04-24 08:26 - 00000000 ___HD C:\$Windows.~WS
2017-04-24 08:06 - 2017-04-24 08:06 - 00000000 ____D C:\ProgramData\dbg
2017-04-24 07:40 - 2017-04-24 11:39 - 00000000 ____D C:\WINDOWS\pss
2017-04-24 07:31 - 2017-04-24 07:31 - 00000000 ___HD C:\$SysReset
2017-04-24 07:24 - 2017-04-24 07:27 - 00376528 _____ (Microsoft Corporation) C:\Users\Nik\Downloads\c.exe
2017-04-24 07:22 - 2017-04-24 07:22 - 00000000 ____D C:\ProgramData\AMD
2017-04-24 06:40 - 2017-04-24 06:43 - 60107896 _____ (Malwarebytes ) C:\Users\Nik\Downloads\mb3-setup-consumer-3.0.6.1469-10103.exe
2017-04-24 06:31 - 2017-04-24 06:31 - 00000000 ____D C:\Users\Nik\Desktop\rkill
2017-04-24 06:21 - 2017-04-24 06:23 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Nik\Downloads\rkill.com
2017-04-24 06:13 - 2017-04-24 19:33 - 00007815 _____ C:\WINDOWS\system32\InstallUtil.InstallLog
2017-04-24 05:57 - 2017-04-24 19:05 - 05766464 _____ (Zemana Ltd. ) C:\Users\Nik\Downloads\eXplorer.exe
2017-04-24 05:57 - 2017-04-24 06:33 - 00006008 _____ C:\Users\Nik\Desktop\Rkill.txt
2017-04-24 05:55 - 2017-04-24 05:56 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Nik\Downloads\iexplore.exe.exe
2017-04-24 05:51 - 2017-04-24 05:56 - 16790752 _____ C:\Users\Nik\Downloads\gu5setup.exe
2017-04-24 05:03 - 2017-04-24 05:03 - 00000000 ____D C:\WINDOWS\tbaseregistry
2017-04-24 05:03 - 2015-10-30 03:18 - 00418816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\IEShims.dll
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Public\Documents\My Videos
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Public\Documents\My Pictures
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Public\Documents\My Music
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Videos
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Pictures
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Users\Default.migrated\Documents\My Music
2017-04-24 05:02 - 2017-04-24 05:02 - 00000000 _SHDL C:\Documents and Settings
2017-04-24 04:38 - 2017-04-24 04:52 - 02365296 _____ (Microsoft Corporation) C:\WINDOWS\system32\WudfUpdate_01011.dll
2017-04-24 04:37 - 2017-04-25 06:30 - 512511960 _____ C:\WINDOWS\MEMORY.DMP
2017-04-24 04:37 - 2017-04-25 06:30 - 00000000 ____D C:\WINDOWS\Minidump
2017-04-24 04:26 - 2017-04-24 19:11 - 00907160 _____ C:\WINDOWS\system32\Drivers\NetUtils2016.sys
2017-04-24 04:22 - 2017-04-24 04:22 - 00000000 ____D C:\Users\Nik\AppData\Local\CrashRpt
2017-04-24 04:21 - 2017-04-24 04:21 - 00000000 ____D C:\Users\Nik\AppData\Roaming\CyberLink
2017-04-24 03:47 - 2017-04-24 03:41 - 00532136 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2017-04-24 01:41 - 2017-04-24 01:41 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2017-04-24 01:38 - 2017-04-24 04:40 - 00000000 ____D C:\Users\Nik\AppData\Local\ConnectedDevicesPlatform
2017-04-24 01:38 - 2017-04-24 01:38 - 00000020 ___SH C:\Users\Nik\ntuser.ini
2017-04-23 20:12 - 2017-04-24 08:27 - 00000000 ___DC C:\WINDOWS\Panther
2017-04-23 20:08 - 2017-04-23 20:08 - 00000000 ____D C:\Windows.old
2017-04-23 20:06 - 2017-04-23 20:06 - 00008192 _____ C:\WINDOWS\system32\config\userdiff
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files\Reference Assemblies
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files\MSBuild
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files (x86)\Reference Assemblies
2017-04-23 20:02 - 2017-04-23 20:02 - 00000000 ____D C:\Program Files (x86)\MSBuild
2017-04-23 20:01 - 2016-05-25 18:31 - 01166520 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 18:31 - 00124624 _____ (Microsoft Corporation) C:\WINDOWS\system32\PresentationCFFRasterizerNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 18:31 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\system32\TsWpfWrp.exe
2017-04-23 20:01 - 2016-05-25 15:03 - 00778936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 15:03 - 00103120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2017-04-23 20:01 - 2016-05-25 15:03 - 00035480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\TsWpfWrp.exe
2017-04-23 16:39 - 2017-04-23 16:39 - 00000000 ____D C:\ProgramData\USOShared
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\My Documents
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\Documents\My Videos
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\Documents\My Pictures
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default\Documents\My Music
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default User\Documents\My Videos
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default User\Documents\My Pictures
2017-04-23 16:38 - 2017-04-23 16:38 - 00000000 _SHDL C:\Users\Default User\Documents\My Music
2017-04-23 16:37 - 2017-04-24 11:45 - 00001908 _____ C:\WINDOWS\diagwrn.xml
2017-04-23 16:37 - 2017-04-24 11:45 - 00001908 _____ C:\WINDOWS\diagerr.xml
2017-04-23 16:35 - 2017-04-25 06:30 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-04-23 16:35 - 2017-04-24 19:11 - 00000000 ____D C:\WINDOWS\System32\Tasks\Lenovo
2017-04-23 16:35 - 2017-04-23 16:35 - 00022744 _____ C:\WINDOWS\system32\emptyregdb.dat
2017-04-23 16:35 - 2017-04-23 16:35 - 00002772 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-04-23 16:35 - 2017-04-23 16:35 - 00002408 _____ C:\WINDOWS\System32\Tasks\App Explorer
2017-04-23 16:35 - 2017-04-23 16:35 - 00002212 _____ C:\WINDOWS\System32\Tasks\PDVDServ12 Task
2017-04-23 16:35 - 2017-04-23 16:35 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2017-04-23 16:30 - 2017-04-23 16:30 - 00001576 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2017-04-23 16:30 - 2017-04-23 16:30 - 00000000 ____D C:\Users\Default\AppData\Local\Host App Service
2017-04-23 16:30 - 2017-04-23 16:30 - 00000000 ____D C:\Users\Default User\AppData\Local\Host App Service
2017-04-23 16:23 - 2017-04-23 16:31 - 00000000 ____D C:\WINDOWS\system32\config\bbimigrate
2017-04-23 16:21 - 2017-04-25 06:37 - 00000000 ____D C:\Users\Nik
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\My Documents
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\Documents\My Videos
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\Documents\My Pictures
2017-04-23 16:21 - 2017-04-23 16:21 - 00000000 _SHDL C:\Users\Nik\Documents\My Music
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____H C:\ProgramData\DP45977C.lfl
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\WINDOWS\system32\DAX2
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Settings
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\Program Files\ATI Technologies
2017-04-23 16:17 - 2017-04-23 16:17 - 00000000 ____D C:\Program Files (x86)\AMD
2017-04-23 16:16 - 2017-04-24 19:16 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2017-04-23 16:16 - 2017-04-23 16:24 - 00000000 ____D C:\ProgramData\Package Cache
2017-04-23 16:16 - 2017-04-23 16:23 - 00000000 ____D C:\Program Files\AMD
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\WINDOWS\SysWOW64\RTCOM
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\Program Files\Realtek
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\Program Files\Common Files\ATI Technologies
2017-04-23 16:16 - 2017-04-23 16:16 - 00000000 ____D C:\AMD
2017-04-23 16:16 - 2016-07-16 07:41 - 02716672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\PrintConfig.dll
2017-04-23 16:15 - 2017-04-23 16:15 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_Kernel_amdpsp_01011.Wdf
2017-04-23 16:15 - 2017-04-23 16:15 - 00000000 ____D C:\WINDOWS\SysWOW64\sda
2017-04-23 16:13 - 2017-04-25 06:30 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-04-23 16:13 - 2017-04-24 04:37 - 00337776 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-04-23 16:13 - 2017-04-23 16:13 - 00000000 ____D C:\WINDOWS\ServiceProfiles
2017-04-23 15:09 - 2017-04-23 15:09 - 00000000 ____D C:\Users\Nik\AppData\Local\Comms
2017-04-23 14:59 - 2017-04-23 14:59 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Google
2017-04-23 14:53 - 2017-04-24 10:53 - 00000000 ____D C:\Program Files (x86)\Google
2017-04-23 14:53 - 2017-04-24 10:51 - 00000000 ____D C:\Users\Nik\AppData\Local\Google
2017-04-23 14:51 - 2017-04-23 14:51 - 00003254 _____ C:\Users\Nik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lenovo App Explorer.lnk
2017-04-23 14:47 - 2017-04-24 09:33 - 00000000 ____D C:\$WINDOWS.~BT
2017-04-23 14:36 - 2017-04-24 01:43 - 00002368 _____ C:\Users\Nik\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-04-23 14:36 - 2017-04-24 01:43 - 00000000 ___RD C:\Users\Nik\OneDrive
2017-04-23 14:36 - 2017-04-23 14:47 - 00000036 _____ C:\WINDOWS\progress.ini
2017-04-23 14:36 - 2017-04-23 14:36 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Skype
2017-04-23 14:29 - 2017-04-23 14:53 - 01129376 _____ (Google Inc.) C:\Users\Nik\Downloads\ChromeSetup.exe
2017-04-23 14:28 - 2017-04-23 14:44 - 00000000 ____D C:\Users\Nik\AppData\Local\MicrosoftEdge
2017-04-23 14:27 - 2017-04-23 14:27 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Macromedia
2017-04-23 14:21 - 2017-04-24 11:44 - 00000000 ____D C:\Windows10Upgrade
2017-04-23 14:21 - 2017-04-23 14:36 - 00000000 ___HD C:\$GetCurrent
2017-04-23 14:21 - 2017-04-23 14:21 - 00000818 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows 10 Upgrade Assistant.lnk
2017-04-23 14:21 - 2017-04-23 14:21 - 00000806 _____ C:\Users\Nik\Desktop\Windows 10 Upgrade Assistant.lnk
2017-04-23 14:21 - 2017-04-23 14:21 - 00000000 ____D C:\Users\Nik\AppData\Local\Power2Go
2017-04-23 14:21 - 2017-04-23 14:21 - 00000000 ____D C:\Users\Nik\AppData\Local\AMD
2017-04-23 14:19 - 2017-04-23 14:19 - 00000000 ____D C:\Users\Public\Lenovo App Explorer
2017-04-23 14:18 - 2017-04-23 14:18 - 00000000 ____D C:\Users\Nik\AppData\Local\Publishers
2017-04-23 14:18 - 2017-04-23 14:18 - 00000000 ____D C:\Users\Nik\AppData\Local\ActiveSync
2017-04-23 14:16 - 2017-04-24 02:23 - 00000000 ____D C:\Users\Nik\AppData\Local\Packages
2017-04-23 14:16 - 2017-04-23 14:16 - 00000000 ____D C:\Users\Nik\AppData\Roaming\Adobe
2017-04-23 14:16 - 2017-04-23 14:16 - 00000000 ____D C:\Users\Nik\AppData\Local\VirtualStore
2017-04-23 14:16 - 2017-04-23 14:16 - 00000000 ____D C:\Users\Nik\AppData\Local\Lenovo
2017-04-23 14:15 - 2017-04-25 06:39 - 00000000 ____D C:\Users\Nik\AppData\Local\Host App Service
2017-04-23 14:15 - 2017-04-23 14:15 - 00000000 ____D C:\Users\Nik\AppData\Local\TileDataLayer
2017-04-23 14:11 - 2017-04-23 14:11 - 00000000 ___SD C:\WINDOWS\UpdateAssistantV2
2017-03-29 19:04 - 2017-03-29 19:04 - 00833024 ____N C:\WINDOWS\system32\tprdpw32.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-04-25 06:34 - 2015-11-03 15:28 - 01096178 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-04-25 06:32 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-04-25 06:31 - 2016-07-16 07:45 - 00000000 ____D C:\WINDOWS\INF
2017-04-24 19:16 - 2016-07-16 02:04 - 00262144 _____ C:\WINDOWS\system32\config\BBI
2017-04-24 19:08 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\GroupPolicy
2017-04-24 10:37 - 2016-07-16 07:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-04-24 06:13 - 2016-10-26 15:49 - 00000000 ____D C:\ProgramData\Lenovo
2017-04-24 04:21 - 2016-10-26 16:09 - 00000000 ____D C:\Users\Public\CyberLink
2017-04-24 02:49 - 2016-07-16 07:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-04-24 01:39 - 2015-11-03 15:24 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-04-23 20:12 - 2016-07-16 07:49 - 00000000 ____D C:\WINDOWS\Setup
2017-04-23 20:12 - 2016-07-16 07:47 - 00028672 _____ C:\WINDOWS\system32\config\BCD-Template
2017-04-23 16:42 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\rescache
2017-04-23 16:39 - 2016-07-16 07:47 - 00000000 ____D C:\ProgramData\USOPrivate
2017-04-23 16:38 - 2016-07-16 02:04 - 00032768 _____ C:\WINDOWS\system32\config\ELAM
2017-04-23 16:37 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\Registration
2017-04-23 16:36 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\WinBioDatabase
2017-04-23 16:36 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\Tasks_Migrated
2017-04-23 16:34 - 2016-07-16 07:47 - 00000000 __RHD C:\Users\Public\Libraries
2017-04-23 16:31 - 2016-10-28 19:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AMD Radeon Settings
2017-04-23 16:31 - 2016-10-26 16:07 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lenovo
2017-04-23 16:31 - 2016-10-26 15:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2017-04-23 16:31 - 2016-10-26 15:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-04-23 16:31 - 2016-07-16 07:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-04-23 16:30 - 2015-10-30 02:28 - 00000000 ____D C:\Users\Default.migrated
2017-04-23 16:24 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\spool
2017-04-23 16:24 - 2016-07-16 07:47 - 00000000 ____D C:\WINDOWS\system32\oobe
2017-04-23 16:23 - 2016-10-26 16:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SHAREit
2017-04-23 16:23 - 2016-07-16 07:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-04-23 16:20 - 2016-07-16 02:04 - 00000000 ____D C:\WINDOWS\system32\Sysprep
2017-04-23 16:17 - 2016-07-16 07:47 - 00000000 ___RD C:\WINDOWS\PrintDialog
2017-04-23 16:17 - 2016-07-16 07:47 - 00000000 ___RD C:\WINDOWS\MiracastView
2017-04-23 16:17 - 2016-07-16 07:47 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2017-04-23 14:38 - 2016-10-26 15:49 - 00000000 ____D C:\ProgramData\McAfee
2017-04-23 14:26 - 2016-10-26 15:49 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-04-23 14:22 - 2016-10-26 15:52 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
 
==================== Files in the root of some directories =======
 
2017-04-23 16:17 - 2017-04-23 16:17 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2017-04-23 16:13
 
==================== End of FRST.txt ============================
 
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-04-2017 01
Ran by Nik (25-04-2017 06:42:58)
Running from C:\Users\Nik\Downloads
Windows 10 Home Version 1607 (X64) (2017-04-23 20:38:51)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2724206413-2812493579-1046086373-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2724206413-2812493579-1046086373-503 - Limited - Disabled)
Guest (S-1-5-21-2724206413-2812493579-1046086373-501 - Limited - Disabled)
Nik (S-1-5-21-2724206413-2812493579-1046086373-1001 - Administrator - Enabled) => C:\Users\Nik
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Reader X (10.1.7) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
AMD Install Manager (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.6 - Advanced Micro Devices, Inc.)
AMD Settings (HKLM\...\WUCCCApp) (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.)
Catalyst Control Center Next Localization BR (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2016.0712.2133.36943 - Advanced Micro Devices, Inc.) Hidden
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
Driver and Application Installation (HKLM-x32\...\{6EC299C6-074C-4529-8D5F-2798584BB27B}) (Version: 2.12.0219 - Lenovo)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.5.0.6.1001 - Genesys Logic)
Lenovo App Explorer (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Host App Service) (Version: 0.272.1.559 - SweetLabs for Lenovo)
Lenovo Blacksilk USB Keyboard Driver (HKLM-x32\...\{B266E062-D6C5-485B-B426-51B152B041A6}) (Version: V1.6.13.0724 - Lenovo)
Lenovo Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.8231 - CyberLink Corp.)
Lenovo Power2Go (x32 Version: 6.0.8231 - CyberLink Corp.) Hidden
Lenovo PowerDVD12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.5320.55 - CyberLink Corp.)
Lenovo PowerDVD12 (x32 Version: 12.0.5320.55 - CyberLink Corp.) Hidden
Lenovo QuickOptimizer (HKLM\...\{8D2C871B-1B9F-45AC-9C43-2BB18089CDFA}) (Version: 1.0.022.00 - Lenovo)
Lenovo Solution Center (HKLM\...\{AB46AC6D-3E9A-4484-8061-64FF10301B41}) (Version: 3.3.002.00 - Lenovo)
Lenovo System Interface Foundation (HKLM\...\{C2E5CA37-C862-4A69-AC6D-24F450A20C16}) (Version: 1.0.071.04 - Lenovo)
Manual (HKLM-x32\...\{693F92E5-37D1-46B7-A0D6-19A74A2FD0EC}) (Version: 1.00.0701 - Lenovo)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.6001.1070 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\OneDriveSetup.exe) (Version: 17.3.6799.0327 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6001.1070 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.6001.1070 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6001.1070 - Microsoft Corporation) Hidden
OlxX (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\OlxX) (Version:  - )
REALTEK Bluetooth Filter Driver (HKLM-x32\...\{9D3D8C60-A5EF-4123-B2B9-172095903AD}) (Version: 1.3.887.041216 - REALTEK Semiconductor Corp.)
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 10.1.505.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7910 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{9DAABC60-A5EF-41FF-B2B9-17329590CD5}) (Version: 1.00.0286 - REALTEK Semiconductor Corp.)
Search module (HKLM-x32\...\Search module) (Version:  - Goobzo) <==== ATTENTION
SHAREit (HKLM-x32\...\SHAREit_is1) (Version: 3.2.0.526 - Lenovo)
Vertech (HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Vertech) (Version: 1.0.0.0 - Vertech)
Vulkan Run Time Libraries 1.0.17.0 (HKLM\...\VulkanRT1.0.17.0) (Version: 1.0.17.0 - LunarG, Inc.)
Windows 10 Upgrade Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.17376 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {00C27919-E473-483E-939D-062322ABF68B} - System32\Tasks\Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask => reg.exe add hklm\SOFTWARE\Lenovo\SystemUpdatePlugin\scheduler  /v start /t reg_dword /d 1 /f /reg:32
Task: {035EAE1E-C13B-4B25-953C-AFE1F5EF4FFF} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\00c01899-6170-4bd5-853a-31f65c3f1c62 => powershell.exe -nologo -noninteractive "& {New-Item -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\00c01899-6170-4bd5-853a-31f65c3f1c62 -type directory -force;$conter=Get-Date;$conter=$conter.ToUniversalTime();Set-ItemProperty -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\0 (the data entry has 73 more characters).
Task: {3050FE2D-FB81-4E46-9FCC-1CEBA611970F} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2016-04-20] (Lenovo)
Task: {3D6A5165-95AC-41B4-8B32-7EB078AC34C4} - System32\Tasks\Lenovo\SHPrompt => C:\Program Files (x86)\SHAREit\SHAREit\ShareitPrompt.exe 
Task: {525FFE62-21B2-4C05-A9B8-E59511555B76} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-03-06] (Microsoft Corporation)
Task: {6672C382-A87A-4D19-AC81-C9F152E1EB62} - System32\Tasks\Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance => Sc.exe START ImControllerService
Task: {69D7FEAC-ACFB-489B-9C59-4F480A7F57D9} - System32\Tasks\App Explorer => C:\Users\Nik\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2016-11-07] (SweetLabs, Inc)
Task: {79641DEB-7A49-469D-9033-C7168DD4FE37} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\b5f42443-a14f-49d2-aceb-01fb4486012b => powershell.exe -nologo -noninteractive "& {New-Item -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\b5f42443-a14f-49d2-aceb-01fb4486012b -type directory -force;$conter=Get-Date;$conter=$conter.ToUniversalTime();Set-ItemProperty -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\b (the data entry has 73 more characters).
Task: {8890577C-B7C8-4952-950D-79FA37E6B881} - System32\Tasks\Lenovo\SHUpdate => C:\Program Files (x86)\SHAREit\SHAREit\ShareitUpdater.exe 
Task: {ADC13543-2B0B-4EA2-9F78-33476B30C8CD} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-03-06] (Microsoft Corporation)
Task: {DA679D01-E201-47AA-B77B-46039C72FBCD} - System32\Tasks\PDVDServ12 Task => C:\Program Files (x86)\Lenovo\PowerDVD12\PDVD12Serv.exe [2015-05-20] (CyberLink Corp.)
Task: {EFDB7F3F-2432-4746-B7D9-EF5E84CFBBE3} - System32\Tasks\Lenovo\LSC\Lenovo Solution Center Notifications => C:\Program Files\Lenovo\Lenovo Solution Center\LSCNotify.exe [2016-04-20] (Lenovo)
Task: {F171CEC6-A7EB-4EAC-AE6D-2729A4096CB5} - System32\Tasks\Lenovo\LSC\LSCHardwareScan => C:\Program Files\Lenovo\Lenovo Solution Center\LSC.exe [2016-04-20] (Lenovo)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2017-04-24 11:40 - 2017-04-25 06:37 - 00624640 _____ () C:\Windows\System32\NetUtils2016.dll
2016-07-16 07:42 - 2016-07-16 07:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-07-16 07:42 - 2016-07-16 07:42 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-10-26 15:52 - 2016-03-06 14:34 - 00171712 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll
2016-10-28 19:11 - 2011-08-16 23:46 - 00032768 _____ () C:\Windows\jmesoft\Service.exe
2016-07-12 21:32 - 2016-07-12 21:32 - 00138752 _____ () C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe
2016-07-16 07:42 - 2016-07-16 07:42 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-10-26 15:54 - 2016-10-26 15:54 - 08911040 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2017-03-29 19:04 - 2017-03-29 19:04 - 00833024 ____N () C:\windows\system32\tprdpw32.exe
2016-07-16 07:42 - 2016-07-16 07:42 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2016-07-16 07:43 - 2016-07-16 07:43 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 09761280 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 01400320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 01033728 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 02438144 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-07-16 07:43 - 2016-07-16 10:27 - 00114176 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Dss.BackgroundTask.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-10-30 03:24 - 2017-04-24 04:23 - 00001123 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
127.0.0.1 cpm.paneladmin.pro
127.0.0.1 publisher.hmdiadmingate.xyz
127.0.0.1 distribution.hmdiadmingate.xyz
127.0.0.1 hmdicrewtracksystem.xyz
127.0.0.1 linkmate.space
127.0.0.1 space1.adminpressure.space
127.0.0.1 trackpressure.website
127.0.0.1 doctorlink.space
127.0.0.1 beautifllink.xyz
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Lenovo\LenovoWallPaper.jpg
DNS Servers: 75.75.76.76 - 75.75.75.75
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
MSCONFIG\Services: Dataup => 
MSCONFIG\Services: SMUpd => 2
MSCONFIG\Services: srcsrv => 2
HKLM\...\StartupApproved\Run: => "UMonit"
HKLM\...\StartupApproved\Run32: => "CLMLServer"
HKLM\...\StartupApproved\Run32: => "UpdateP2GoShortCut"
HKLM\...\StartupApproved\Run32: => "AnonymizerGadget"
HKLM\...\StartupApproved\Run32: => "MyMemory"
HKLM\...\StartupApproved\Run32: => "jmesoft"
HKLM\...\StartupApproved\Run32: => "SpeeDownloader"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "emling"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "InterStat"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "280502"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "907870"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "373444"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "VJWFLILUM3F5VHJ"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "GDEAOP9S8AHUE0O"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "V9RK5V3J38IR71O"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "KE21LGF3B7S523T"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "YLUV2ZRN89GGET2"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "XH7C9F9Q269T9EV"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "UGPOITRZT4Q59IZ"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "UQ2RQ5A25XP9TE7"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "msiql"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "Pritc"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "TESTUK"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\StartupApproved\Run: => "YeaDesktop"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{C5F53E46-6638-498A-A13F-426BEA4DBC41}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{909849B2-E8F5-4BDE-881B-6E65C82617E4}] => (Allow) C:\Program Files (x86)\SHAREit\SHAREit\SHAREit.exe
FirewallRules: [{0968CAA4-B887-4E13-9C39-EFA792F1AB26}] => (Allow) C:\Program Files (x86)\SHAREit\SHAREit\SHAREit.exe
FirewallRules: [{7AE72771-138C-4DB9-B00C-A64B9D3B2E27}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
 
==================== Restore Points =========================
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/25/2017 06:37:20 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x803F7001
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (04/25/2017 06:32:55 AM) (Source: Windows Search Service) (EventID: 3104) (User: )
Description: Enumerating user sessions to generate filter pools failed.
 
Details:
(HRESULT : 0x80040210) (0x80040210)
 
Error: (04/25/2017 06:31:27 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (04/24/2017 07:27:13 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x803F7001
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (04/24/2017 07:17:41 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0x8007139F
Command-line arguments:
RuleId=31e71c49-8da7-4a2f-ad92-45d98a1c79ba;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2b1f36bb-c1cd-4306-bf5c-a0367c2d97d8;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (04/24/2017 07:16:22 PM) (Source: ATIeRecord) (EventID: 16387) (User: )
Description: ATI EEU Service event error
 
 
System errors:
=============
Error: (04/25/2017 06:37:05 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/25/2017 06:37:05 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/25/2017 06:37:04 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
 and APPID 
{F72671A9-012C-4725-9D2F-2A4D32D65169}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/25/2017 06:32:53 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (04/25/2017 06:30:52 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000001a (0x000000000000003f, 0x000000000005d9fb, 0x0000000067d7a379, 0x000000008054db64). A dump was saved in: C:\WINDOWS\MEMORY.DMP. Report Id: c98f2aa2-ae2e-4835-aecf-c4bf041d57ae.
 
Error: (04/25/2017 06:30:45 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Dataup service failed to start due to the following error: 
The system cannot find the file specified.
 
Error: (04/25/2017 06:30:17 AM) (Source: Microsoft-Windows-Kernel-Boot) (EventID: 16) (User: NT AUTHORITY)
Description: 32212254731140976
 
Error: (04/25/2017 06:30:39 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 7:57:09 PM on 4/24/2017 was unexpected.
 
Error: (04/24/2017 07:57:59 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID 
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
Error: (04/24/2017 07:26:52 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID 
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID 
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
 
 
==================== Memory info =========================== 
 
Processor: AMD E1-7010 APU with AMD Radeon R2 Graphics 
Percentage of memory in use: 46%
Total physical RAM: 3503.44 MB
Available physical RAM: 1873.91 MB
Total Virtual: 4847.44 MB
Available Virtual: 3151.36 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:433.92 GB) (Free:389.86 GB) NTFS
Drive e: (w_10_pro_x64) (CDROM) (Total:3.15 GB) (Free:0 GB) UDF
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 7AA7ED9D)
 
Partition: GPT.
 
==================== End of Addition.txt ============================
 
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 23-04-2017 01
Ran by Nik (24-04-2017 19:08:33) Run:1
Running from C:\Users\Nik\Downloads
Loaded Profiles: Nik (Available Profiles: Nik)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKLM\...\Run: [gplyra] => C:\Users\Nik\AppData\Roaming\gplyra\gplyra.exe <===== ATTENTION
HKLM-x32\...\Run: [jmesoft] => C:\Windows\jmesoft\ServiceLoader.exe [28672 2011-08-16] ()
HKLM-x32\...\Run: [cpx] => "C:\Users\Nik\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <===== ATTENTION
HKLM-x32\...\Run: [svcvmx] => C:\Users\Nik\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe [896512 2017-01-13] ()
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [UQ2RQ5A25XP9TE7] => "C:\Program Files\26BXPZPONX\FVHCXYVPN.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [UGPOITRZT4Q59IZ] => "C:\Program Files\CZ0HBTETUE\CZ0HBTETU.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [373444] => "C:\Users\Nik\AppData\Roaming\19993260\599073.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [XH7C9F9Q269T9EV] => "C:\Program Files (x86)\SpeeDownloader\520T4.exe" <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [YLUV2ZRN89GGET2] => "C:\Program Files\E7XWUR77TK\E7XWUR77T.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [emling] => rundll32.exe "C:\Users\Nik\AppData\Local\emling.dll",emling <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [907870] => "C:\Users\Nik\AppData\Roaming\89068969\784915.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [KE21LGF3B7S523T] => "C:\Program Files\8BHVV11SSU\8BHVV11SS.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [msiql] => C:\Users\Nik\AppData\Local\Temp\00032183\msiql.exe /RUNNING <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [YeaDesktop] => C:\Program Files (x86)\YeaDesktop\YeaDesktop.exe /autostart
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [Pritc] => C:\Users\Nik\AppData\Local\Temp\is-4NDF6.tmp\Setup.exe <===== ATTENTION
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [V9RK5V3J38IR71O] => "C:\Program Files\2RPMVCQNW5\2RPMVCQNW.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [GDEAOP9S8AHUE0O] => "C:\Program Files\QPV8NRUO69\QPV8NRUO6.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [280502] => "C:\Users\Nik\AppData\Roaming\27377748\74164.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\Run: [VJWFLILUM3F5VHJ] => "C:\Program Files\O3WD7LGUGJ\O3WD7LGUG.exe"
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\...\MountPoints2: {ab6ef73b-9d61-11e6-af05-806e6f6e6963} - "E:\setup.exe" 
ShellIconOverlayIdentifiers: [KzShlobj] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => C:\Program Files\快压\X64\KZipShell.dll -> No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
ProxyServer: [S-1-5-21-2724206413-2812493579-1046086373-1001] => 127.0.0.1:8003
SearchScopes: HKU\S-1-5-21-2724206413-2812493579-1046086373-1001 -> {A1F7D86E-5048-45A1-B7FD-0F3E9456F148} URL = 
SearchScopes: HKU\S-1-5-21-2724206413-2812493579-1046086373-1001 -> {FF39F5D5-81C5-43A2-9604-11414BC21B5A} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=H4Ozamobl20488BU,e8d0b2c1-e3f7-4cb5-b2b6-cf2c5d795994,
R2 Dataup; C:\Users\Nik\AppData\Local\ntuserlitelist\dataup\dataup.exe [77824 2017-01-05] () [File not signed] <==== ATTENTION
R2 GoogleChromeUpService; C:\ProgramData\service.exe [1620992 2017-04-24] () [File not signed] <==== ATTENTION
S4 srcsrv; C:\WINDOWS\src_srv\winsrcsrv.exe [16384 2017-04-04] () [File not signed]
S2 windowsmanagementservice; C:\Users\Nik\AppData\Local\iaukbk\ct.exe [947200 2017-03-29] (Google Inc.) [File not signed] <==== ATTENTION
S2 KuaizipUpdateChecker; C:\Program Files\快压\X86\kuaizipUpdateChecker.dll [X]
S2 pgt_svc; C:\Program Files (x86)\ProxyGate\MainService.exe [X] <==== ATTENTION
S4 SMUpd; C:\Program Files\Common Files\Noobzo\GNUpdate\smu.exe /service [X] <==== ATTENTION
S2 UCBrowserSvc; "C:\Program Files (x86)\UCBrowser\Application\UCService.exe" [X]
R0 drmkpro64; C:\WINDOWS\System32\drivers\ndistpr64.sys [78112 2013-09-28] () [File not signed] <==== ATTENTION
R2 KuaiZipDrive; C:\WINDOWS\system32\drivers\KuaiZipDrive.sys [92832 2017-04-24] (WinMount International Inc)
R1 NetUtils2016; C:\WINDOWS\system32\drivers\NetUtils2016.sys [907160 2017-04-24] () <==== ATTENTION
S3 SMUpdd; \??\C:\Program Files\Common Files\Noobzo\GNUpdate\smw.sys [X]
S1 ucdrv; \??\C:\Program Files (x86)\UCBrowser\Security:ucdrv-x64.sys [X] <==== ATTENTION
2017-04-24 04:35 - 2017-04-24 04:35 - 00000000 ____D C:\ProgramData\PrefsSecure
2017-04-24 04:34 - 2017-04-24 04:43 - 00000000 ____D C:\Users\Nik\AppData\Local\llssoft
2017-04-24 04:34 - 2017-04-24 04:34 - 00002730 _____ C:\WINDOWS\System32\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A
2017-04-24 04:34 - 2017-04-24 04:34 - 00000330 _____ C:\WINDOWS\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A.job
2017-04-24 04:34 - 2017-04-24 04:34 - 00000000 ____D C:\Users\Nik\AppData\Local\CEF
2017-04-24 04:33 - 2017-04-24 11:15 - 00000000 ____D C:\Users\Nik\AppData\Local\ntuserlitelist
2017-04-24 04:33 - 2017-04-24 06:05 - 00000320 _____ C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job
2017-04-24 04:33 - 2017-04-24 05:04 - 00002648 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore
2017-04-24 04:33 - 2017-04-24 04:37 - 00000484 _____ C:\WINDOWS\Tasks\UCBrowserUpdater.job
2017-04-24 04:33 - 2017-04-24 04:33 - 00003498 _____ C:\WINDOWS\System32\Tasks\UCBrowserUpdater
2017-04-24 04:32 - 2017-04-24 04:35 - 00003476 _____ C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater
2017-04-24 04:31 - 2017-04-24 04:31 - 00003780 _____ C:\WINDOWS\System32\Tasks\SoftUpgrade
2017-04-24 04:28 - 2017-04-24 04:28 - 00092832 _____ (WinMount International Inc) C:\WINDOWS\system32\Drivers\KuaiZipDrive.sys
2017-04-24 04:28 - 2017-04-24 04:28 - 00000000 ____D C:\Users\Public\Documents\Tools
2017-04-24 04:28 - 2017-04-24 04:28 - 00000000 ____D C:\Users\Nik\AppData\Local\iaukbk
2017-04-24 04:27 - 2017-04-24 11:36 - 00003652 _____ C:\WINDOWS\System32\Tasks\CreateExplorerShellUnelevatedTask
2017-04-24 04:27 - 2017-04-24 04:28 - 00000000 ____D C:\WINDOWS\system32\SSL
2017-04-24 04:27 - 2017-04-24 04:28 - 00000000 ____D C:\Users\Nik\AppData\Local\viojzx
2017-04-24 04:27 - 2017-04-24 04:27 - 00003050 _____ C:\WINDOWS\System32\Tasks\Pritc
2017-04-24 04:27 - 2017-04-24 04:27 - 00000000 ____D C:\Users\Public\Documents\Guid
2017-04-24 04:26 - 2017-04-24 04:27 - 00000000 ____D C:\ProgramData\26e6adfb-4851-0
2017-04-24 04:26 - 2017-04-24 04:26 - 01620992 _____ C:\ProgramData\service.exe
2017-04-24 04:26 - 2017-04-24 04:26 - 00907160 _____ C:\WINDOWS\system32\Drivers\NetUtils2016.sys
2017-04-24 04:26 - 2017-04-24 04:26 - 00000000 ____D C:\WINDOWS\system32\sstmp
2017-04-24 04:26 - 2017-04-24 04:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YeaDesktop
2017-04-24 04:26 - 2017-04-24 04:26 - 00000000 ____D C:\ProgramData\26e6adfb-3df3-1
2017-04-24 04:25 - 2017-04-24 04:25 - 00004414 _____ C:\WINDOWS\System32\Tasks\SMW_UpdateTask_Time_323032313631383839352d415b343437414545785a5a6c
2017-04-24 04:25 - 2017-04-24 04:25 - 00000000 ____D C:\ProgramData\SearchModule
2017-04-24 04:24 - 2017-04-24 04:24 - 00178176 _____ C:\ProgramData\smp2.exe
2017-04-24 04:24 - 2017-04-24 04:24 - 00004256 _____ C:\WINDOWS\System32\Tasks\SMW_P
2017-04-24 04:24 - 2017-04-24 04:24 - 00000000 ____H C:\WINDOWS\system32\BIT7B0.tmp
2017-04-24 04:22 - 2017-04-24 11:05 - 00000000 ____D C:\WINDOWS\src_srv
2017-04-24 04:32 - 2017-04-24 04:32 - 00000258 __RSH C:\ProgramData\ntuser.pol
2017-04-24 04:37 - 2017-04-24 04:37 - 00000258 __RSH C:\Users\Nik\ntuser.pol
2017-03-29 19:04 - 2017-03-29 19:04 - 00833024 ____N C:\WINDOWS\system32\tprdpw32.exe
2017-04-24 04:26 - 2017-04-24 04:26 - 1620992 _____ () C:\ProgramData\service.exe
2017-04-24 04:24 - 2017-04-24 04:24 - 0178176 _____ () C:\ProgramData\smp2.exe
C:\ProgramData\service.exe
C:\ProgramData\smp2.exe
Task: {26D47CC1-49DD-4832-8BFC-3595131E42C3} - System32\Tasks\UCBrowserUpdaterCore => C:\Program Files (x86)\UCBrowser\Application\update_task.exe  <==== ATTENTION
Task: {34FE83CD-9280-4BE0-B47F-F3F0B1507BA8} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe  <==== ATTENTION
Task: {51DAEACF-7130-4A67-BB84-0A508BBE85C3} - System32\Tasks\Pritc => C:\Users\Nik\AppData\Local\Temp\is-4NDF6.tmp\Setup.exe  <==== ATTENTION
Task: {A2AB329B-9B90-4BE0-BE3F-A56443770EDA} - System32\Tasks\CreateExplorerShellUnelevatedTask => C:\WINDOWS\Explorer.EXE /NOUACCHECK
Task: {A66A57A7-34D0-4612-8115-3131FEF48881} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe [2017-04-24] () <==== ATTENTION
Task: {A6732453-23DF-4A36-A1AA-E0F1E6D63A38} - System32\Tasks\{C6E12F23-A1F9-4AA5-885D-D4F50C71ACD8} => pcalua.exe -a C:\Users\Nik\AppData\Local\uninstallro.exe
Task: {C010731F-E2B4-474A-9855-55E7ED41019C} - System32\Tasks\SMW_UpdateTask_Time_323032313631383839352d415b343437414545785a5a6c => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {F9982D69-2FA3-4830-8110-04A53171CE91} - System32\Tasks\UCBrowserSecureUpdater => C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe  <==== ATTENTION
Task: {FBFBCFF6-7F3D-4033-90A3-2E9945749807} - System32\Tasks\Lenovo\Lenovo Solution Center Launcher => C:\Program Files\lenovo\lenovo solution center\App\LSC.Services.UpdateStatusService.exe [2016-04-20] ()
Task: {FC86D5BA-0796-4C2D-B153-F7578D5E96D1} - System32\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A => Rundll32.exe "C:\Program Files (x86)\YoutubeAdBlockU\Jn4pRuG.dll",#1
Task: {FEBFD077-4C30-457A-A569-49981E118C90} - System32\Tasks\SoftUpgrade => C:\Program Files (x86)\SoftUpgrade\softup.exe  <==== ATTENTION
Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A.job => 
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION
AlternateDataStreams: C:\WINDOWS\system32\drivers:ucdrv-x64.sys [25444]
AlternateDataStreams: C:\WINDOWS\system32\drivers:x64 [1498914]
AlternateDataStreams: C:\WINDOWS\system32\drivers:x86 [1223458]
FirewallRules: [{E0107E09-0A48-48BD-BA8A-F7813DA66D19}] => (Allow) C:\WINDOWS\system32\rundll32.exe
FirewallRules: [{2E189D71-7679-496C-ABE8-ED197566DD6B}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{4B70AFCF-F6E5-4144-971A-B901939CE9AE}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\Downloader\download\MiniThunderPlatform.exe
FirewallRules: [{AB180DB8-07B7-47B1-BAEA-3C4B7D3A400A}] => (Allow) C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe
FirewallRules: [{3AA39057-6B9D-46B1-B472-EFAC69F41594}] => (Allow) C:\WINDOWS\system32\rundll32.exe
FirewallRules: [{24B7ADEC-41B7-46EF-B451-A062C5023768}] => (Allow) C:\Program Files (x86)\Maoha\MaohaAP\MaohaWifiSvr.exe
C:\Program Files (x86)\UCBrowser
DeleteKey: HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup 
EmptyTemp:
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
 
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\gplyra => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\jmesoft => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\cpx => value could not remove.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\svcvmx => value could not remove.
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\UQ2RQ5A25XP9TE7 => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\UGPOITRZT4Q59IZ => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\373444 => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\XH7C9F9Q269T9EV => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YLUV2ZRN89GGET2 => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\emling => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\907870 => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\KE21LGF3B7S523T => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\msiql => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\YeaDesktop => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\Pritc => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\V9RK5V3J38IR71O => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\GDEAOP9S8AHUE0O => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\280502 => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Run\\VJWFLILUM3F5VHJ => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ab6ef73b-9d61-11e6-af05-806e6f6e6963} => key removed successfully
HKCR\CLSID\{ab6ef73b-9d61-11e6-af05-806e6f6e6963} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj => key removed successfully
HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} => key not found. 
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A1F7D86E-5048-45A1-B7FD-0F3E9456F148} => key removed successfully
HKCR\CLSID\{A1F7D86E-5048-45A1-B7FD-0F3E9456F148} => key not found. 
HKU\S-1-5-21-2724206413-2812493579-1046086373-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FF39F5D5-81C5-43A2-9604-11414BC21B5A} => key removed successfully
HKCR\CLSID\{FF39F5D5-81C5-43A2-9604-11414BC21B5A} => key not found. 
Dataup => Unable to stop service.
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
GoogleChromeUpService => Unable to stop service.
HKLM\System\CurrentControlSet\Services\GoogleChromeUpService => key removed successfully
GoogleChromeUpService => service removed successfully
HKLM\System\CurrentControlSet\Services\srcsrv => key removed successfully
srcsrv => service removed successfully
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker => key removed successfully
KuaizipUpdateChecker => service removed successfully
HKLM\System\CurrentControlSet\Services\pgt_svc => key removed successfully
pgt_svc => service removed successfully
HKLM\System\CurrentControlSet\Services\SMUpd => key removed successfully
SMUpd => service removed successfully
HKLM\System\CurrentControlSet\Services\UCBrowserSvc => key removed successfully
UCBrowserSvc => service removed successfully
drmkpro64 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
KuaiZipDrive => Unable to stop service.
HKLM\System\CurrentControlSet\Services\KuaiZipDrive => key removed successfully
KuaiZipDrive => service removed successfully
NetUtils2016 => Unable to stop service.
HKLM\System\CurrentControlSet\Services\NetUtils2016 => key removed successfully
NetUtils2016 => service removed successfully
HKLM\System\CurrentControlSet\Services\SMUpdd => key removed successfully
SMUpdd => service removed successfully
HKLM\System\CurrentControlSet\Services\ucdrv => key removed successfully
ucdrv => service removed successfully
C:\ProgramData\PrefsSecure => moved successfully
 
"C:\Users\Nik\AppData\Local\llssoft" folder move:
 
"C:\Users\Nik\AppData\Local\llssoft" => folder moved successfully
 
C:\WINDOWS\System32\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A => moved successfully
C:\WINDOWS\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A.job => moved successfully
C:\Users\Nik\AppData\Local\CEF => moved successfully
 
"C:\Users\Nik\AppData\Local\ntuserlitelist" folder move:
 
Could not move "C:\Users\Nik\AppData\Local\ntuserlitelist" => Scheduled to move on reboot.
 
C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job => moved successfully
C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore => moved successfully
C:\WINDOWS\Tasks\UCBrowserUpdater.job => moved successfully
C:\WINDOWS\System32\Tasks\UCBrowserUpdater => moved successfully
C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater => moved successfully
C:\WINDOWS\System32\Tasks\SoftUpgrade => moved successfully
C:\WINDOWS\system32\Drivers\KuaiZipDrive.sys => moved successfully
C:\Users\Public\Documents\Tools => moved successfully
C:\Users\Nik\AppData\Local\iaukbk => moved successfully
C:\WINDOWS\System32\Tasks\CreateExplorerShellUnelevatedTask => moved successfully
C:\WINDOWS\system32\SSL => moved successfully
C:\Users\Nik\AppData\Local\viojzx => moved successfully
C:\WINDOWS\System32\Tasks\Pritc => moved successfully
C:\Users\Public\Documents\Guid => moved successfully
C:\ProgramData\26e6adfb-4851-0 => moved successfully
C:\ProgramData\service.exe => moved successfully
C:\WINDOWS\system32\Drivers\NetUtils2016.sys => moved successfully
C:\WINDOWS\system32\sstmp => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\YeaDesktop => moved successfully
C:\ProgramData\26e6adfb-3df3-1 => moved successfully
C:\WINDOWS\System32\Tasks\SMW_UpdateTask_Time_323032313631383839352d415b343437414545785a5a6c => moved successfully
C:\ProgramData\SearchModule => moved successfully
C:\ProgramData\smp2.exe => moved successfully
C:\WINDOWS\System32\Tasks\SMW_P => moved successfully
C:\WINDOWS\system32\BIT7B0.tmp => moved successfully
C:\WINDOWS\src_srv => moved successfully
C:\ProgramData\ntuser.pol => moved successfully
C:\Users\Nik\ntuser.pol => moved successfully
Could not move "C:\WINDOWS\system32\tprdpw32.exe" => Scheduled to move on reboot.
"C:\ProgramData\service.exe" => not found.
"C:\ProgramData\smp2.exe" => not found.
"C:\ProgramData\service.exe" => not found.
"C:\ProgramData\smp2.exe" => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{26D47CC1-49DD-4832-8BFC-3595131E42C3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{26D47CC1-49DD-4832-8BFC-3595131E42C3} => key removed successfully
C:\WINDOWS\System32\Tasks\UCBrowserUpdaterCore => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdaterCore => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{34FE83CD-9280-4BE0-B47F-F3F0B1507BA8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{34FE83CD-9280-4BE0-B47F-F3F0B1507BA8} => key removed successfully
C:\WINDOWS\System32\Tasks\UCBrowserUpdater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{51DAEACF-7130-4A67-BB84-0A508BBE85C3} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{51DAEACF-7130-4A67-BB84-0A508BBE85C3} => key removed successfully
C:\WINDOWS\System32\Tasks\Pritc => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Pritc => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A2AB329B-9B90-4BE0-BE3F-A56443770EDA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2AB329B-9B90-4BE0-BE3F-A56443770EDA} => key removed successfully
C:\WINDOWS\System32\Tasks\CreateExplorerShellUnelevatedTask => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CreateExplorerShellUnelevatedTask => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A66A57A7-34D0-4612-8115-3131FEF48881} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A66A57A7-34D0-4612-8115-3131FEF48881} => key removed successfully
C:\WINDOWS\System32\Tasks\SMW_P => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_P => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A6732453-23DF-4A36-A1AA-E0F1E6D63A38} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6732453-23DF-4A36-A1AA-E0F1E6D63A38} => key removed successfully
C:\WINDOWS\System32\Tasks\{C6E12F23-A1F9-4AA5-885D-D4F50C71ACD8} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C6E12F23-A1F9-4AA5-885D-D4F50C71ACD8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C010731F-E2B4-474A-9855-55E7ED41019C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C010731F-E2B4-474A-9855-55E7ED41019C} => key removed successfully
C:\WINDOWS\System32\Tasks\SMW_UpdateTask_Time_323032313631383839352d415b343437414545785a5a6c => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_UpdateTask_Time_323032313631383839352d415b343437414545785a5a6c => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F9982D69-2FA3-4830-8110-04A53171CE91} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F9982D69-2FA3-4830-8110-04A53171CE91} => key removed successfully
C:\WINDOWS\System32\Tasks\UCBrowserSecureUpdater => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserSecureUpdater => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FBFBCFF6-7F3D-4033-90A3-2E9945749807} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FBFBCFF6-7F3D-4033-90A3-2E9945749807} => key removed successfully
C:\WINDOWS\System32\Tasks\Lenovo\Lenovo Solution Center Launcher => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Lenovo\Lenovo Solution Center Launcher => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FC86D5BA-0796-4C2D-B153-F7578D5E96D1} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FC86D5BA-0796-4C2D-B153-F7578D5E96D1} => key removed successfully
C:\WINDOWS\System32\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Update Service for E3605470-291B-44EB-8648-745EE356599A => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FEBFD077-4C30-457A-A569-49981E118C90} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FEBFD077-4C30-457A-A569-49981E118C90} => key removed successfully
C:\WINDOWS\System32\Tasks\SoftUpgrade => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SoftUpgrade => key removed successfully
C:\WINDOWS\Tasks\UCBrowserUpdater.job => not found.
C:\WINDOWS\Tasks\UCBrowserUpdaterCore.job => not found.
C:\WINDOWS\Tasks\Update Service for E3605470-291B-44EB-8648-745EE356599A.job => not found.
WMI_ActiveScriptEventConsumer_ASEC: <===== ATTENTION => removed successfully
C:\WINDOWS\system32\drivers => ":ucdrv-x64.sys" ADS removed successfully.
C:\WINDOWS\system32\drivers => ":x64" ADS removed successfully.
C:\WINDOWS\system32\drivers => ":x86" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E0107E09-0A48-48BD-BA8A-F7813DA66D19} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2E189D71-7679-496C-ABE8-ED197566DD6B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4B70AFCF-F6E5-4144-971A-B901939CE9AE} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{AB180DB8-07B7-47B1-BAEA-3C4B7D3A400A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3AA39057-6B9D-46B1-B472-EFAC69F41594} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{24B7ADEC-41B7-46EF-B451-A062C5023768} => value removed successfully
"C:\Program Files (x86)\UCBrowser" => not found.
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup => key could not remove, key could be protected
 
========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========
 
Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
Failed to clear log Microsoft-Windows-USBVideo/Analytic. The instance name passed was not recognized as valid by a WMI data provider.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 581912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6956708 B
Java, Flash, Steam htmlcache => 1491 B
Windows/system/drivers => 2960388 B
Edge => 153578954 B
Chrome => 0 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 7456 B
NetworkService => 28334 B
Nik => 88434384 B
 
RecycleBin => 0 B
EmptyTemp: => 240.9 MB temporary data Removed.
 
================================
 
Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 24-04-2017 19:26:59)
 
C:\Users\Nik\AppData\Local\ntuserlitelist => Is moved successfully
"C:\WINDOWS\system32\tprdpw32.exe" => Could not move
 
Result of scheduled keys to remove after reboot:
 
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup => key could not remove, key could be protected
 
==== End of Fixlog 19:26:59 ====

#5
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP

Can I see a Process Explorer log?

#6
dyinginside
    Member
  • Topic Starter
  • Member
  • 12 posts

Unfortunately Process Explorer will not run (as it is an exe; not sure why it allows FRST to run).

#7
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP

Make sure you can see hidden files:

http://www.howtogeek...-windows-vista/

Then see if you can rename procexp.exe to explorer.exe or explorer.com. Does either work?

#8
dyinginside
    Member
  • Topic Starter
  • Member
  • 12 posts

Process CPU Private Bytes Working Set PID Description Company Name Verified Signer
MsMpEng.exe 42.94 115,768 K 78,616 K 2256 Antimalware Service Executable Microsoft Corporation (Verified) Microsoft Corporation
svchost.exe 27.73 34,948 K 51,912 K 1424 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 9.27 68,288 K 56,804 K 444 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
procexp64.exe 6.76 19,340 K 49,788 K 5932 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
SearchIndexer.exe 4.91 14,412 K 10,120 K 4092 Microsoft Windows Search Indexer Microsoft Corporation (Verified) Microsoft Windows
System 3.36 124 K 128 K 4
ShellExperienceHost.exe 1.37 38,344 K 76,048 K 4136 Windows Shell Experience Host Microsoft Corporation (Verified) Microsoft Windows
Interrupts 1.16 0 K 0 K n/a Hardware Interrupts and DPCs
dwm.exe 1.03 33,480 K 32,444 K 988
csrss.exe 0.48 3,424 K 7,624 K 624
System Idle Process 0.39 0 K 4 K 0
WMIADAP.exe 0.21 1,756 K 7,300 K 268
explorer.exe 0.13 31,044 K 72,796 K 3712 Windows Explorer Microsoft Corporation (Verified) Microsoft Windows
wermgr.exe 0.10 2,736 K 9,140 K 6280
svchost.exe 0.09 17,392 K 18,436 K 1044 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 0.05 10,500 K 23,504 K 920 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
WmiPrvSE.exe < 0.01 3,232 K 9,388 K 4984
iexplore.exe < 0.01 141,832 K 179,632 K 3272 Internet Explorer Microsoft Corporation (Verified) Microsoft Corporation
svchost.exe < 0.01 7,840 K 16,120 K 1292 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
csrss.exe < 0.01 1,288 K 3,644 K 500
WUDFHost.exe 1,380 K 4,936 K 608
WmiPrvSE.exe 2,072 K 8,320 K 5944
wlanext.exe 1,740 K 5,508 K 1900
winlogon.exe 3,524 K 11,416 K 692
wininit.exe 1,232 K 4,424 K 612
tprdpw32.exe 1,940 K 8,120 K 2096
tbaseprovisioning.exe 14,724 K 11,584 K 1204 tbaseprovisioning Advanced Micro Devices, Inc. (Verified) Microsoft Windows Hardware Compatibility Publisher
taskhostw.exe 8,728 K 18,712 K 3548 Host Process for Windows Tasks Microsoft Corporation (Verified) Microsoft Windows
svchost.exe 6,124 K 20,272 K 2124 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 4,720 K 9,556 K 880 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 2,464 K 8,996 K 1652 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 9,840 K 20,780 K 820 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 7,012 K 24,688 K 3416 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 11,904 K 21,128 K 896 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 9,736 K 21,908 K 2248 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 4,720 K 10,272 K 1800 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 4,688 K 13,252 K 5044 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 3,416 K 9,128 K 1712 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 1,808 K 6,724 K 6320 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
svchost.exe 1,856 K 7,048 K 3364 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
spoolsv.exe 5,520 K 13,996 K 1892 Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows
smss.exe 452 K 788 K 316
sihost.exe 5,008 K 18,624 K 3408 Shell Infrastructure Host Microsoft Corporation (Verified) Microsoft Windows
services.exe 4,028 K 7,168 K 728
Service.exe 704 K 2,984 K 2108 (No signature was present in the subject)
SearchUI.exe Suspended 44,412 K 52,724 K 4448 Search and Cortana application Microsoft Corporation (Verified) Microsoft Windows
RuntimeBroker.exe 16,124 K 30,256 K 3616 Runtime Broker Microsoft Corporation (Verified) Microsoft Windows
RAVCpl64.exe 5,260 K 9,880 K 5196 Realtek HD Audio Manager Realtek Semiconductor (Verified) Realtek Semiconductor Corp.
RadeonSettings.exe 111,848 K 10,156 K 5276 Radeon Settings: Host Application Advanced Micro Devices, Inc. (Verified) Advanced Micro Devices
procexp.exe 2,728 K 10,020 K 5892 Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
PDVD12Serv.exe 1,400 K 368 K 5624 PowerDVD Service CyberLink Corp. (Verified) CyberLink Corp.
OneDrive.exe 6,520 K 23,460 K 5308 Microsoft OneDrive Microsoft Corporation (Verified) Microsoft Corporation
OfficeClickToRun.exe 13,348 K 17,296 K 1672 Microsoft Office Click-to-Run Microsoft Corporation (Verified) Microsoft Corporation
NisSrv.exe 14,804 K 9,428 K 3216 Microsoft Network Realtime Inspection Service Microsoft Corporation (Verified) Microsoft Corporation
MSASCuiL.exe 3,048 K 10,136 K 5300 Windows Defender notification icon Microsoft Corporation (Verified) Microsoft Windows
Memory Compression 232 K 70,012 K 2332
LSCNotify.exe 1,432 K 452 K 5828 Lenovo Solution Center Notifications Lenovo (Verified) LENOVO
lsass.exe 5,856 K 12,748 K 736 Local Security Authority Process Microsoft Corporation (Verified) Microsoft Windows Publisher
Lenovo.Modern.ImController.PluginHost.Device.exe 30,848 K 52,128 K 6968
Lenovo.Modern.ImController.PluginHost.Device.exe 33,668 K 50,576 K 6856
Lenovo.Modern.ImController.exe 24,092 K 30,860 K 2072 Lenovo.Modern.ImController Lenovo Group Limited (Verified) Lenovo
InstallAgentUserBroker.exe 2,196 K 9,268 K 6560 InstallAgentUserBroker Microsoft Corporation (Verified) Microsoft Windows
InstallAgent.exe 1,844 K 10,184 K 6516 InstallAgent Microsoft Corporation (Verified) Microsoft Windows
hotkey.exe 1,460 K 7,804 K 5788 Lenovo Black Silk USB Keyboard Lenovo (No signature was present in the subject) Lenovo
HostAppServiceUpdater.exe 4,760 K 2,408 K 4536 Host App Service Updater SweetLabs, Inc (Verified) SweetLabs Inc.
fontdrvhost.exe 1,396 K 7,788 K 5548
dllhost.exe 1,980 K 9,732 K 5204 COM Surrogate Microsoft Corporation (Verified) Microsoft Windows
conhost.exe 1,140 K 4,412 K 1916
BTDevMgr.exe 1,840 K 6,472 K 484 Realtek Bluetooth BTDevManager Service Application Realtek Semiconductor Corp. (Verified) Realtek Semiconductor Corp
backgroundTaskHost.exe Suspended 22,312 K 31,520 K 6752 Background Task Host Microsoft Corporation (Verified) Microsoft Windows
atiesrxx.exe 1,292 K 4,736 K 1196 AMD External Events Service Module AMD (Verified) Microsoft Windows Hardware Compatibility Publisher
atieclxx.exe 2,180 K 7,984 K 2868
armsvc.exe 1,448 K 5,508 K 2036 Adobe Acrobat Update Service Adobe Systems Incorporated (Verified) Adobe Systems
AdaptiveSleepService.exe 1,416 K 6,708 K 2168

  • 0

#9
dyinginside

dyinginside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
It was able to run after I restarted again today, I'm about to post the logs (posting from mobile right now since it's nearly impossible to use a browser). I have it set to see hidden and system files but I'm using 10 and not Vista.
  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

In Process Explorer: Can you right click on tprdpw32.exe and Suspend? Do the same for service.exe (not services.exe).

Then see if you can download and run by right click and run as admin:

Malwarebytes Anti-Rootkit

https://malwarebytes...0u7msx810wz75jl

Again, if it won't run, change its name as for Process Explorer.


  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.
  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

  • 0
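The Process Explorer listing posted above and the request in this post to suspend service.exe and tprdpw32.exe both come down to one triage question: which running images carry no valid Authenticode signature? The script below is an added example, not code from this thread or from Sysinternals. It parses a Process Explorer listing in the flattened column layout the forum produced (name, optional Suspended state, private bytes, working set, PID, then description, company and signer) and separates images that Process Explorer reported as unsigned from those for which it reported no signer at all. The sample rows are copied from the listing for illustration; the column order is an assumption about how the tab-separated output was flattened.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: rows copied from the Process Explorer listing in the
# thread, with tabs already flattened to single spaces by the forum.
SAMPLE_LISTING = """\
svchost.exe 11,904 K 21,128 K 896 Host Process for Windows Services Microsoft Corporation (Verified) Microsoft Windows Publisher
smss.exe 452 K 788 K 316
Service.exe 704 K 2,984 K 2108 (No signature was present in the subject)
SearchUI.exe Suspended 44,412 K 52,724 K 4448 Search and Cortana application Microsoft Corporation (Verified) Microsoft Windows
Memory Compression 232 K 70,012 K 2332
hotkey.exe 1,460 K 7,804 K 5788 Lenovo Black Silk USB Keyboard Lenovo (No signature was present in the subject) Lenovo
"""

# Assumed column order: name (may contain spaces), optional "Suspended",
# private bytes, working set, PID, then free text (description/company/signer).
ROW_RE = re.compile(
    r"^(?P<name>.+?)(?: (?P<state>Suspended))? "
    r"(?P<private>[\d,]+) K (?P<ws>[\d,]+) K (?P<pid>\d+)"
    r"(?: (?P<rest>.*))?$"
)

UNSIGNED_MARKER = "(No signature was present in the subject)"


@dataclass
class ProcessRow:
    name: str
    pid: int
    private_kb: int
    working_set_kb: int
    suspended: bool
    signature: str  # "verified", "unsigned" or "unknown"


def parse_listing(text: str) -> List[ProcessRow]:
    """Turn a pasted Process Explorer listing into structured rows."""
    rows: List[ProcessRow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # not a process row (header, blank, etc.)
        rest = m.group("rest") or ""
        if "(Verified)" in rest:
            sig = "verified"
        elif UNSIGNED_MARKER in rest:
            sig = "unsigned"
        else:
            # No signer column at all: Process Explorer usually shows this when
            # it could not open the process (protected system processes).
            sig = "unknown"
        rows.append(ProcessRow(
            name=m.group("name"),
            pid=int(m.group("pid")),
            private_kb=int(m.group("private").replace(",", "")),
            working_set_kb=int(m.group("ws").replace(",", "")),
            suspended=m.group("state") == "Suspended",
            signature=sig,
        ))
    return rows


def unsigned_names(rows: List[ProcessRow]) -> List[str]:
    """Images Process Explorer explicitly reported as carrying no signature."""
    return [r.name for r in rows if r.signature == "unsigned"]


def unverified_names(rows: List[ProcessRow]) -> List[str]:
    """Images with no signer information at all; check these by hand."""
    return [r.name for r in rows if r.signature == "unknown"]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for r in parsed:
        flag = " [SUSPENDED]" if r.suspended else ""
        print(f"{r.pid:>6}  {r.signature:<9} {r.name}{flag}")
    print("unsigned:  ", unsigned_names(parsed))
    print("unverified:", unverified_names(parsed))
```

Unsigned images are the first thing to look at, but an unsigned result is not proof of malware on its own (the listing above shows a Lenovo keyboard utility in that state too); it is a prioritisation aid for the manual checks that follow in this thread.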



#11
dyinginside

dyinginside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Yes, I can suspend them both but I still get "the requested resource is in use"
  • 0

#12
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

You did try changing the name?

OK. Leave them suspended, then open Windows Explorer and navigate to

C:\WINDOWS\System32\drivers\ndistpr64.sys

See if you are able to rename the file to ndistpr64.bad

If you can't rename it, try Properties then Security.

See if you can take ownership of the file and then deny access to all users:

http://www.windowsce...ders-windows-10

Repeat for

C:\Users\Nik\AppData\Local\NTUSER~1\dataup\dataup.exe

C:\Users\Nik\AppData\Local\iaukbk\ct.exe

C:\WINDOWS\system32\tprdpw32.exe

Reboot and see if the MBAR will work now.


  • 0

#13
dyinginside

dyinginside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I tried renaming MBAR etc. with no luck, still the same error message. I also tried renaming ndistpr64.sys to .bad, but it wouldn't allow it; going into the advanced security settings, it says I do not have permission to edit or view this object's permission settings. Same with tprdpw32, and I seem to not have NTUSER~ or iaukbk folders in that directory.
  • 0

#14
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

You should be able to take ownership of the files.  Any luck with regedit?


  • 0

#15
dyinginside

dyinginside

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Yes, I know I /should/ be able to, but I can't. It says the owner cannot be displayed, and I cannot change the owner of the files. Like I said, in the advanced security section it says I don't have permission to view or edit the permissions. I've even tried activating the administrator account through the command prompt and taking ownership of the whole folder with full control given to the administrator, and those files were the only ones unaffected.
  • 0
