Hi all,
I purchased a clearance model 2-in-1 (Lenovo Yoga 2, if that matters) several months ago due to needing something relatively inexpensive and portable to take on the road for work. I don't recall the reason it was on clearance other than it just being a discontinued model; there was no mention of it being a refurb (I *think*).
That being said, this thing has been plagued by performance issues since day 1. It was virtually unusable out of the box, so I removed a lot of the bloatware, some programs that I was entirely unfamiliar with but definitely weren't critical to the machine or OS, and ran MBAM. It was decent for a while after, but never great. Now, it has gotten to the point where it is barely usable again a lot of the time. So, basically, this thing has been used mostly as a paperweight since November. The main issues are connectivity and speed, but I'm not running anything that requires heavy power. It may be that the wireless adapter is faulty, but I thought I'd have someone more knowledgeable than me look this thing over because of the odd programs, redirects, and the fact that MBAM has worked as a temporary solution in the past.
The FRST logs are pasted below, and thanks in advance for your help!
************************************************************************************************
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 25-06-2017 01
Ran by erin (administrator) on DESKTOP-6S12IL0 (28-06-2017 12:55:58)
Running from C:\Users\erin\Desktop
Loaded Profiles: erin (Available Profiles: erin)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Normal
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Intel Corporation) C:\Windows\SysWOW64\esif_uf.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Conexant Systems Inc.) C:\Windows\System32\CxAudMsg64.exe
(Conexant Systems, Inc.) C:\Windows\SysWOW64\SASrv.exe
(Lenovo) C:\ProgramData\LenovoTransition\Server\x64\ymc.exe
(AVAST Software s.r.o.) C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe
(Intel Corporation) C:\Windows\Temp\DPTF\esif_assist_64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersServer.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Conexant Systems, Inc.) C:\Program Files\CONEXANT\cAudioFilterAgent\CAudioFilterAgent64.exe
() C:\Program Files\Lenovo\LenovoUtility\utility.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.33.5\GoogleCrashHandler64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\SnippingTool.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
==================== Registry (Whitelisted) ====================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [919768 2014-11-20] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830616 2014-04-10] (Conexant Systems, Inc.)
HKLM\...\Run: [LenovoUtility] => C:\Program Files\Lenovo\LenovoUtility\utility.exe [791848 2016-04-23] ()
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [322472 2015-07-22] (Intel Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3936936 2015-07-09] (Synaptics Incorporated)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvLaunch.exe [213824 2017-04-16] (AVAST Software)
HKU\S-1-5-21-328612464-2169652915-4037219084-1001\...\RunOnce: [Uninstall 17.3.6799.0327\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\erin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327\amd64"
HKU\S-1-5-21-328612464-2169652915-4037219084-1001\...\RunOnce: [Uninstall 17.3.6799.0327] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\erin\AppData\Local\Microsoft\OneDrive\17.3.6799.0327"
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-04-16] (AVAST Software)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2017-04-16] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
Startup: C:\Users\erin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-03-16]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)
GroupPolicy: Restriction <==== ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{1f571c5f-1917-4da7-aa9d-60dc83a7272b}: [DhcpNameServer] 150.208.1.3
Tcpip\..\Interfaces\{59864cc1-03da-48e0-85b9-cb2673d02f59}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=arh&hsimp=yhs-001&type=zxy_e70416baa1271a5808&param1=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&param2=MaRbNqZ4NWJ5
HKU\S-1-5-21-328612464-2169652915-4037219084-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617912&ResetID=131285382747270131&GUID=A1809C8D-EF40-4B57-9384-BEA0FFCEA7F3
HKU\S-1-5-21-328612464-2169652915-4037219084-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://lenovo15.msn.com/?pc=LCTE
SearchScopes: HKLM -> DefaultScope {2FBBC7D8-4DF4-46FA-97D7-96F1DACF30F3} URL =
SearchScopes: HKLM -> {f79e5d1c-5148-469e-9f98-a11d8d7863f4} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKLM-x32 -> DefaultScope {2FBBC7D8-4DF4-46FA-97D7-96F1DACF30F3} URL =
SearchScopes: HKLM-x32 -> {f79e5d1c-5148-469e-9f98-a11d8d7863f4} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
SearchScopes: HKU\S-1-5-21-328612464-2169652915-4037219084-1001 -> DefaultScope {2FBBC7D8-4DF4-46FA-97D7-96F1DACF30F3} URL =
SearchScopes: HKU\S-1-5-21-328612464-2169652915-4037219084-1001 -> {f79e5d1c-5148-469e-9f98-a11d8d7863f4} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSERBM&pc=MSERT1
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2017-06-21] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2017-03-14] (Microsoft Corporation)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2017-01-23] (Microsoft Corporation)
FireFox:
========
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2017-01-09] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-06-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-06-28] (Google Inc.)
Chrome:
=======
CHR HomePage: Default -> hxxps://homepage-web.com/?s=lenovo&m=home
CHR StartupUrls: Default -> "hxxps://homepage-web.com/?s=lenovo&m=start"
CHR DefaultSearchURL: Default -> hxxps://secure.homepage-web.com/?partner=lenovo&src=omnibox&q={searchTerms}
CHR DefaultSearchKeyword: Default -> homepage-web.com
CHR DefaultSuggestURL: Default -> hxxps://secure-suggest.homepage-web.com/suggest?format=json&locale={language}&q={searchTerms}
CHR Profile: C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default [2017-06-28]
CHR Extension: (Google Slides) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-11-28]
CHR Extension: (Duolingo on the Web) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiahmijlpehemcpleichkcokhegllfjl [2017-01-08]
CHR Extension: (Google Docs) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-11-28]
CHR Extension: (Google Drive) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-11-28]
CHR Extension: (YouTube) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-11-28]
CHR Extension: (Google Sheets) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-11-28]
CHR Extension: (Google Docs Offline) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-01-09]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2017-06-28]
CHR Extension: (Chrome Web Store Payments) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-14]
CHR Extension: (Gmail) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-11-28]
CHR Extension: (Chrome Media Router) - C:\Users\erin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-28]
CHR HKLM\...\Chrome\Extension: [bpmmandcadflhnnaiclipadomfmdbjbp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-328612464-2169652915-4037219084-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bpmmandcadflhnnaiclipadomfmdbjbp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bpmmandcadflhnnaiclipadomfmdbjbp] - hxxps://clients2.google.com/service/update2/crx
==================== Services (Whitelisted) ====================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 aswbIDSAgent; C:\Program Files\AVAST Software\Avast\x64\aswidsagenta.exe [7398336 2017-04-16] (AVAST Software s.r.o.)
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [323152 2015-06-29] (Windows ® Win 7 DDK provider)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [261712 2017-04-16] (AVAST Software)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3042544 2017-03-14] (Microsoft Corporation)
R2 esifsvc; C:\WINDOWS\SysWoW64\esif_uf.exe [1385640 2015-05-26] (Intel Corporation)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [18856 2015-07-22] (Intel Corporation)
R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [373744 2017-01-10] (Intel Corporation)
S2 ImControllerService; C:\Program Files\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe [61768 2017-02-15] (Lenovo Group Limited)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 ymc; C:\ProgramData\LenovoTransition\Server\x64\ymc.exe [41912 2015-10-13] (Lenovo)
===================== Drivers (Whitelisted) ======================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R1 aswbidsdriver; C:\WINDOWS\system32\drivers\aswbidsdrivera.sys [311808 2017-06-21] (AVAST Software s.r.o.)
R0 aswbidsh; C:\WINDOWS\system32\drivers\aswbidsha.sys [190256 2017-06-21] (AVAST Software s.r.o.)
R0 aswblog; C:\WINDOWS\system32\drivers\aswbloga.sys [334576 2017-06-21] (AVAST Software s.r.o.)
R0 aswbuniv; C:\WINDOWS\system32\drivers\aswbuniva.sys [49016 2017-06-21] (AVAST Software s.r.o.)
S3 aswHwid; C:\WINDOWS\system32\drivers\aswHwid.sys [38296 2017-06-21] (AVAST Software)
R2 aswMonFlt; C:\WINDOWS\system32\drivers\aswMonFlt.sys [128648 2017-06-21] (AVAST Software)
R1 aswRdr; C:\WINDOWS\system32\drivers\aswRdr2.sys [101152 2017-06-21] (AVAST Software)
R0 aswRvrt; C:\WINDOWS\system32\drivers\aswRvrt.sys [75704 2017-06-21] (AVAST Software)
R1 aswSnx; C:\WINDOWS\system32\drivers\aswSnx.sys [1007160 2017-06-21] (AVAST Software)
R1 aswSP; C:\WINDOWS\system32\drivers\aswSP.sys [569192 2017-06-21] (AVAST Software)
R2 aswStm; C:\WINDOWS\system32\drivers\aswStm.sys [158880 2017-06-21] (AVAST Software)
R0 aswVmm; C:\WINDOWS\system32\drivers\aswVmm.sys [339696 2017-06-21] (AVAST Software)
R3 dptf_cpu; C:\WINDOWS\System32\drivers\dptf_cpu.sys [43000 2015-05-26] (Intel Corporation)
R3 dptf_pch; C:\WINDOWS\System32\drivers\dptf_pch.sys [41976 2015-05-26] (Intel Corporation)
R3 esif_lf; C:\WINDOWS\system32\DRIVERS\esif_lf.sys [251384 2015-05-26] (Intel Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77440 2017-04-16] ()
R0 IntelHSWPcc; C:\WINDOWS\System32\drivers\IntelPcc.sys [88256 2015-06-09] (Intel Corporation)
U1 lpsport; no ImagePath
R2 MBAMChameleon; C:\WINDOWS\system32\drivers\MBAMChameleon.sys [176584 2017-01-26] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251832 2017-06-21] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 NETwNe64; C:\WINDOWS\System32\drivers\NETwew01.sys [3354384 2015-07-10] (Intel Corporation)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [33960 2015-07-09] (Synaptics Incorporated)
R3 SPUVCbv; C:\WINDOWS\System32\Drivers\SPUVCbv_x64.sys [744928 2015-06-22] (Sunplus)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
S3 wsvd; C:\WINDOWS\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-06-28 12:55 - 2017-06-28 12:57 - 00017599 _____ C:\Users\erin\Desktop\FRST.txt
2017-06-28 12:55 - 2017-06-28 12:55 - 00000000 ____D C:\FRST
2017-06-28 12:54 - 2017-06-28 12:54 - 02441216 _____ (Farbar) C:\Users\erin\Desktop\FRST64.exe
2017-06-28 12:02 - 2017-06-28 12:02 - 00002351 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-06-28 12:02 - 2017-06-28 12:02 - 00002339 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-06-28 12:00 - 2017-06-28 12:00 - 00003416 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2017-06-28 12:00 - 2017-06-28 12:00 - 00003292 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2017-06-28 11:58 - 2017-06-28 11:58 - 01130328 _____ (Google Inc.) C:\Users\erin\Downloads\ChromeSetup.exe
2017-06-28 11:55 - 2017-06-28 11:55 - 00000000 ___HD C:\OneDriveTemp
2017-06-21 17:10 - 2017-06-21 17:10 - 00000000 ____D C:\Users\erin\AppData\Local\ElevatedDiagnostics
2017-06-21 17:00 - 2017-06-21 17:00 - 00061304 _____ () C:\WINDOWS\system32\Drivers\lpsport.sys.149808240054603
2017-06-21 16:59 - 2017-06-21 16:59 - 00400456 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2017-06-21 16:56 - 2017-06-21 16:56 - 00003632 _____ C:\WINDOWS\System32\Tasks\{4B7C4E24-0382-47FB-917A-A03D00739710}
2017-06-21 16:56 - 2017-06-21 16:56 - 00000000 ____D C:\ProgramData\SWCUTemp
2017-06-21 16:47 - 2017-06-21 16:47 - 00000036 _____ C:\Users\erin\OneDrive\Documents\MBAM scan 6.21.17.txt
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2017-06-28 12:55 - 2016-07-16 06:47 - 00000000 ___HD C:\Program Files\WindowsApps
2017-06-28 12:55 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-06-28 12:45 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-06-28 12:01 - 2016-11-28 19:26 - 00000000 ____D C:\Program Files (x86)\Google
2017-06-28 11:56 - 2016-07-16 06:47 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2017-06-28 11:56 - 2016-04-23 01:00 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2017-06-28 11:55 - 2016-11-14 11:14 - 00000000 ___RD C:\Users\erin\OneDrive
2017-06-28 11:54 - 2016-11-14 11:14 - 00002367 _____ C:\Users\erin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-06-28 11:52 - 2017-02-03 10:41 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-06-21 17:10 - 2016-07-16 06:47 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2017-06-21 17:08 - 2017-01-09 12:20 - 00000000 ____D C:\Program Files\Microsoft Office 15
2017-06-21 16:59 - 2017-02-08 22:58 - 00003994 _____ C:\WINDOWS\System32\Tasks\Avast Emergency Update
2017-06-21 16:59 - 2016-11-28 19:24 - 00569192 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2017-06-21 16:59 - 2016-11-28 19:24 - 00339696 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2017-06-21 16:59 - 2016-11-28 19:24 - 00158880 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswstm.sys
2017-06-21 16:59 - 2016-11-28 19:24 - 00158368 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswstm.sys.149808239953102
2017-06-21 16:59 - 2016-11-28 19:24 - 00128648 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2017-06-21 16:59 - 2016-11-28 19:24 - 00101152 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2017-06-21 16:59 - 2016-11-28 19:24 - 00075704 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2017-06-21 16:59 - 2016-11-28 19:24 - 00038296 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2017-06-21 16:58 - 2016-11-28 19:24 - 01007160 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2017-06-21 16:57 - 2017-02-08 22:58 - 00334576 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbloga.sys
2017-06-21 16:57 - 2017-02-08 22:58 - 00311808 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsdrivera.sys
2017-06-21 16:57 - 2017-02-08 22:58 - 00190256 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbidsha.sys
2017-06-21 16:57 - 2017-02-08 22:58 - 00049016 _____ (AVAST Software s.r.o.) C:\WINDOWS\system32\Drivers\aswbuniva.sys
2017-06-21 16:57 - 2017-01-23 08:09 - 00000000 ____D C:\Users\erin\AppData\Roaming\Zoom
2017-06-21 16:56 - 2016-11-28 19:23 - 00000000 ____D C:\Users\erin\AppData\Local\{FE6EC832-DAC6-A48A-B75E-816293367DFA}
2017-06-21 16:56 - 2015-07-16 10:54 - 01225098 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-06-21 16:54 - 2016-11-14 11:11 - 00000000 ____D C:\Users\erin\AppData\Local\Packages
2017-06-21 16:49 - 2017-02-03 10:43 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-06-21 16:49 - 2017-01-26 18:47 - 00251832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-06-21 16:49 - 2016-11-14 11:10 - 00000000 __SHD C:\Users\erin\IntelGraphicsProfiles
2017-06-21 16:48 - 2017-02-03 10:59 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-06-21 16:48 - 2016-07-16 01:04 - 00524288 _____ C:\WINDOWS\system32\config\BBI
2017-06-09 18:08 - 2016-11-14 11:16 - 00000120 ____R C:\Users\erin\OneDrive\Documents\Finances- Personal.url
==================== Files in the root of some directories =======
2016-12-08 22:24 - 2017-01-23 08:16 - 0000241 _____ () C:\Users\erin\AppData\Roaming\WB.CFG
2017-02-03 10:43 - 2017-02-03 10:43 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
Some files in TEMP:
====================
2017-06-21 16:57 - 2017-01-23 11:11 - 0034992 _____ (Zoom Video Communications, Inc.) C:\Users\erin\AppData\Local\Temp\CptInstall.exe
2017-06-21 16:57 - 2017-01-23 11:06 - 0146608 _____ (Zoom Video Communications, Inc.) C:\Users\erin\AppData\Local\Temp\CptShare.dll
2017-06-21 16:57 - 2017-01-23 11:09 - 0090288 _____ () C:\Users\erin\AppData\Local\Temp\zCrashReport.dll
2017-06-21 15:44 - 2017-06-21 16:47 - 0219197 _____ () C:\Users\erin\AppData\Local\Temp\{0FA160D5-FDF2-47E6-A889-072B95BA5BCF}-58.0.3029.110_chrome_installer.exe
==================== Bamital & volsnap ======================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2017-04-16 23:08
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 25-06-2017 01
Ran by erin (28-06-2017 12:58:06)
Running from C:\Users\erin\Desktop
Windows 10 Home Version 1607 (X64) (2017-02-03 16:06:50)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-328612464-2169652915-4037219084-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-328612464-2169652915-4037219084-503 - Limited - Disabled)
erin (S-1-5-21-328612464-2169652915-4037219084-1001 - Administrator - Enabled) => C:\Users\erin
Guest (S-1-5-21-328612464-2169652915-4037219084-501 - Limited - Disabled)
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Avast Antivirus (Enabled - Up to date) {8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Avast Antivirus (Enabled - Up to date) {35C973AA-9ABB-D3CA-B100-B0DC0E5F2402}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Avast Free Antivirus (HKLM-x32\...\Avast Antivirus) (Version: 17.4.2294 - AVAST Software)
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.66.4.0 - Conexant)
Dolby Digital Plus Home Theater (HKLM\...\{7E3D8FA1-6092-469A-955B-68FC4A2C67CA}) (Version: 7.6.5.1 - Dolby Laboratories Inc)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 59.0.3071.115 - Google Inc.)
Google Update Helper (x32 Version: 1.3.33.5 - Google Inc.) Hidden
Intel Collaborative Processor Performance Control (HKLM-x32\...\0E7DAF70-FB54-4B91-B192-7E771C25AEEB) (Version: 1.0.0.1018 - Intel Corporation)
Intel® Chipset Device Software (x32 Version: 10.1.1.7 - Intel® Corporation) Hidden
Intel® Dynamic Platform and Thermal Framework (HKLM-x32\...\{654EE65D-FAA4-4EA6-8C07-DC94E6A304D4}) (Version: 8.1.10600.147 - Intel Corporation)
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 11.0.0.1153 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 20.19.15.4531 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 14.5.2.1088 - Intel Corporation)
Lenovo EasyCamera (HKLM-x32\...\Sunplus SPUVCb) (Version: 3.5.5.5 - SunplusIT)
Lenovo Experience Improvement (HKLM\...\LenovoExperienceImprovement) (Version: 2.0.9.0 - Lenovo)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.1.0.4706 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 8.1.0.4706 - CyberLink Corp.) Hidden
Lenovo Photo Master (HKLM-x32\...\{BC94C56A-3649-420C-8756-2ADEBE399D33}) (Version: 2.5.5720.01 - CyberLink Corp.)
Lenovo QuickOptimizer (HKLM\...\{8D2C871B-1B9F-45AC-9C43-2BB18089CDFA}) (Version: 1.0.019.00 - Lenovo)
Lenovo System Interface Foundation (HKLM\...\{C2E5CA37-C862-4A69-AC6D-24F450A20C16}) (Version: 1.0.070.02 - Lenovo)
LenovoUtility (HKLM-x32\...\InstallShield_{6ADA7E88-8D16-4D0D-BC90-2B93AC5E56DA}) (Version: 3.0.0.3 - Lenovo)
LenovoUtility (x32 Version: 3.0.0.3 - Lenovo) Hidden
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
Metric Collection SDK 35 (x32 Version: 1.2.0010.00 - Lenovo Group Limited) Hidden
Microsoft Office 365 Business - en-us (HKLM\...\O365BusinessRetail - en-us) (Version: 15.0.4937.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-328612464-2169652915-4037219084-1001\...\OneDriveSetup.exe) (Version: 17.3.6917.0607 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4937.1000 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4937.1000 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4937.1000 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 10.0.1.1 - Qualcomm Atheros)
Qualcomm Atheros Client Installation Program (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Qualcomm Atheros)
REACHit (HKLM-x32\...\{4532E4C5-C84D-4040-A044-ECFCC5C6995B}) (Version: 2.1.0.11 - Lenovo)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 10.0.10125.31214 - Realtek Semiconductor Corp.)
Search Provided by Yahoo (HKLM-x32\...\{82A16A61-D221-BBE1-63A1-CB61B32118E1}) (Version: - ) <==== ATTENTION
SHAREit (HKLM-x32\...\SHAREit_is1) (Version: 2.5.5.1 - Lenovo)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.16.0 - Synaptics Incorporated)
User Manuals (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 4.0.0.1 - Lenovo)
User Manuals (x32 Version: 4.0.0.1 - Lenovo) Hidden
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-328612464-2169652915-4037219084-1001_Classes\CLSID\{cece6816-6107-4dc7-bdbc-20cd5ae1ffed}\localserver32 -> C:\ProgramData\Lenovo\ImController\Plugins\LenovoAppPromotionPlugin\x64\DesktopToastsHelper.exe (Lenovo Group Limited)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {0FDE7662-61D1-492C-A07B-2F71023EAF5B} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2017-05-16] (Microsoft Corporation)
Task: {12FAB6B7-62CD-448E-AA41-6AB784C6342C} - System32\Tasks\Lenovo\ImController\TimeBasedEvents\12377992-2d47-4085-a282-a1bb4de17ba3 => powershell.exe -nologo -noninteractive "& {New-Item -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\12377992-2d47-4085-a282-a1bb4de17ba3 -type directory -force;$conter=Get-Date;$conter=$conter.ToUniversalTime();Set-ItemProperty -Path Registry::HKCU\Software\Lenovo\ImController\ScheduledTasks\12377 (the data entry has 69 more characters).
Task: {264CB75A-ECF6-4E40-B044-BDFFC6B9EF4B} - System32\Tasks\Lenovo\REACHit Agent Startup => C:\Program Files (x86)\Lenovo\REACHit\webAgent.exe [2015-06-12] (Lenovo)
Task: {3ED01480-5779-4210-9170-E4564ADC5AD2} - System32\Tasks\{4B7C4E24-0382-47FB-917A-A03D00739710} => pcalua.exe -a C:\Users\erin\AppData\Local\{FE6EC832-DAC6-A48A-B75E-816293367DFA}\uninst.exe -d C:\Windows\ImmersiveControlPanel -c -FN="C:\Program Files (x86)\Common Files\0f1f386b081f4e95221d2a69c2c1fd10\updtask.exe"-P=/Uninstall /s /noun /DelSelfDir
Task: {3F83EDEC-C2FE-4F5D-8675-76450D0402F3} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2017-04-16] (AVAST Software)
Task: {441CDCA9-CCC1-4236-8257-B1BDC9520CFE} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-04-11] (Microsoft Corporation)
Task: {44F1E8EB-36C3-4C08-AD1A-4D0AF02296DC} - System32\Tasks\Lenovo\SHPrompt => C:\Program Files (x86)\Lenovo\SHAREit\ShareitPrompt.exe [2015-09-25] ()
Task: {55D361A3-8E0C-48AB-AC60-EAD8F81DC223} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-06-28] (Google Inc.)
Task: {59FBC0A1-123A-470B-A33F-C7F9B5646DE7} - System32\Tasks\Bing Search Engine sirer => Wscript.exe "C:\ProgramData\{9AFA5F99-10B8-D55F-967E-4B1D0C3CC0D3}\nimo.txt" "687474703a2f2f77617662736c792e636f6d" "433a5c50726f6772616d446174615c7b39414641354639392d313042382d443535462d393637452d3442314430433343433044337d5c746f6e65666f" "433a5c50726f6772616d446174615c7b39414641354639392d313042382d443535462d39 (the data entry has 82 more characters). <==== ATTENTION
Task: {5B6E8A26-2B31-4A54-9181-7A4F3FF0F3BE} - System32\Tasks\Lenovo\Experience Improvement => C:\Program Files\Lenovo\ExperienceImprovement\LenovoExperienceImprovement.exe [2016-11-14] (Lenovo)
Task: {67CF9576-9CC0-4D57-B445-9121539ECC58} - System32\Tasks\CyberLink\Photo Master Gadget startup => C:\Program Files (x86)\Lenovo\Lenovo Photo Master\PhotoMasterWorker.exe [2016-09-22] (CyberLink Corp.)
Task: {85697ED9-C059-4555-8B60-3CC35F7521EC} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-06-28] (Google Inc.)
Task: {8D16A2B2-D631-4ABA-9138-C5535C904146} - System32\Tasks\Lenovo\Lenovo Customer Feedback Program 64 35 => C:\Program Files (x86)\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe [2015-07-06] (Lenovo)
Task: {9BB786FA-9A0C-40DE-88AD-6DC0C2AF9F8F} - System32\Tasks\Avast Emergency Update => C:\Program Files\AVAST Software\Avast\AvEmUpdate.exe [2017-06-21] (AVAST Software)
Task: {B1061D32-1BEB-443B-8D59-011BA87D6D83} - System32\Tasks\Lenovo\ImController\Plugins\LenovoSystemUpdatePlugin_WeeklyTask => reg.exe add hklm\SOFTWARE\Lenovo\SystemUpdatePlugin\scheduler /v start /t reg_dword /d 1 /f /reg:32
Task: {BB05B78D-A083-4C76-BB17-A339DBA21EB4} - System32\Tasks\Lenovo\ImController\Lenovo iM Controller Scheduled Maintenance => Sc.exe START ImControllerService
Task: {CB353300-1EDF-4A88-9745-129D020E498B} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2017-04-11] (Microsoft Corporation)
Task: {E5F741A5-55C5-4A89-9911-75C0BA067E1F} - System32\Tasks\Lenovo\SHUpdate => C:\Program Files (x86)\Lenovo\SHAREit\ShareitUpdater.exe [2015-09-25] ()
Task: {FA05D876-AF8E-489E-8AFF-137AC955B726} - System32\Tasks\Lenovo\REACHit Agent Update => C:\Program Files (x86)\Lenovo\REACHit\webAgent.exe [2015-06-12] (Lenovo)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\WINDOWS\Tasks\Bing Search Engine sirer.job => Wscript.exe C:\ProgramData\{9AFA5F99-10B8-D55F-967E-4B1D0C3CC0D3}\nimo.txt <==== ATTENTION
==================== Shortcuts & WMI ========================
(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============
2016-07-16 06:42 - 2016-07-16 06:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2017-02-03 12:29 - 2017-02-03 12:29 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2017-01-26 18:47 - 2017-04-16 22:56 - 02271520 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2016-04-23 01:01 - 2015-08-18 22:00 - 00058296 _____ () C:\ProgramData\LenovoTransition\Server\x64\dptf.dll
2017-01-23 08:52 - 2017-01-31 07:34 - 08909512 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2017-02-03 12:29 - 2017-02-03 12:29 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-02-03 12:29 - 2017-02-03 12:29 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-01-10 10:47 - 2017-01-10 10:47 - 00401896 _____ () C:\WINDOWS\system32\igfxTray.exe
2017-02-03 12:30 - 2017-02-03 12:30 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-02-03 12:30 - 2017-02-03 12:30 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-02-03 12:30 - 2017-02-03 12:30 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-02-03 12:30 - 2017-02-03 12:30 - 01033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll
2017-02-03 12:30 - 2017-02-03 12:30 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-02-03 12:30 - 2017-02-03 12:30 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2017-03-28 14:48 - 2017-03-28 14:49 - 00077312 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkypeHost.exe
2017-03-28 14:48 - 2017-03-28 14:49 - 00182784 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll
2017-03-28 14:48 - 2017-03-28 14:49 - 41048064 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\SkyWrap.dll
2017-03-28 14:48 - 2017-03-28 14:49 - 02236896 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.12.112.0_x64__kzf8qxf38zg5c\roottools.dll
2016-04-23 01:01 - 2016-04-23 01:01 - 00791848 _____ () C:\Program Files\Lenovo\LenovoUtility\utility.exe
2016-04-23 01:01 - 2016-04-23 01:01 - 00097048 _____ () C:\Program Files\Lenovo\LenovoUtility\kbdhook.dll
2017-01-09 12:20 - 2017-01-17 04:25 - 00117440 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
2016-04-23 01:01 - 2015-09-17 00:45 - 00043960 _____ () C:\ProgramData\LenovoTransition\Server\x64\EnableAutoRotation.dll
2017-06-28 12:02 - 2017-06-22 22:21 - 03807064 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libglesv2.dll
2017-06-28 12:02 - 2017-06-22 22:21 - 00100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\59.0.3071.115\libegl.dll
2017-04-16 22:40 - 2017-04-16 22:40 - 00170216 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-11-28 19:23 - 2016-11-28 19:23 - 48936448 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2017-04-16 22:41 - 2017-04-16 22:41 - 00176480 _____ () C:\Program Files\AVAST Software\Avast\event_routing_rpc.dll
2017-04-16 22:40 - 2017-04-16 22:40 - 00293936 _____ () C:\Program Files\AVAST Software\Avast\gaming_mode_ui.dll
2017-04-16 22:41 - 2017-04-16 22:41 - 00653520 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2017-06-21 15:53 - 2017-06-21 15:53 - 00325824 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream32.dll
2017-06-21 17:06 - 2017-06-21 17:06 - 00325824 _____ () C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\AppVIsvStream32.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
IE trusted site: HKU\S-1-5-21-328612464-2169652915-4037219084-1001\...\sharepoint.com -> hxxps://actmasteryla.sharepoint.com
==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2015-07-10 06:04 - 2017-01-26 17:50 - 00000824 _____ C:\WINDOWS\system32\Drivers\etc\hosts
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-328612464-2169652915-4037219084-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\Web\Wallpaper\Lenovo\LenovoWallPaper.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [{32526C76-818C-46A8-8E06-21E4939B3ABA}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exe
FirewallRules: [{2A84B1A6-526C-45B8-A4DB-53C6F2BAC85A}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{74202991-B32E-4829-BF8C-1BF8B57DA676}] => (Allow) C:\Program Files (x86)\Lenovo\SHAREit\SHAREit.exe
FirewallRules: [{DBEF10F4-76FE-46A9-8CF5-D987A8BDE570}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Restore Points =========================
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (06/28/2017 11:52:25 AM) (Source: DPTF) (EventID: 256) (User: )
Description: Intel® Dynamic Platform and Thermal Framework : ESIF(8.1.10600.147) TYPE: ERROR
DPTF Build Version: 8.1.10600.147
DPTF Build Date: May 26 2015 13:35:22
Source File: ..\..\..\Sources\Manager\EsifApplicationInterface.cpp @ line 737
Executing Function: DptfEvent
Message: Received unexpected event
Framework Event: DptfResume [3]
Error: (06/21/2017 08:26:18 PM) (Source: DPTF) (EventID: 256) (User: )
Description: Intel® Dynamic Platform and Thermal Framework : ESIF(8.1.10600.147) TYPE: ERROR
DPTF Build Version: 8.1.10600.147
DPTF Build Date: May 26 2015 13:35:22
Source File: ..\..\..\Sources\Manager\EsifApplicationInterface.cpp @ line 737
Executing Function: DptfEvent
Message: Received unexpected event
Framework Event: DptfResume [3]
Error: (06/21/2017 05:08:12 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: DESKTOP-6S12IL0)
Description: Application or service 'Microsoft Office Document Cache Sync Client Interface' could not be shut down.
Error: (06/21/2017 04:45:56 PM) (Source: DPTF) (EventID: 256) (User: )
Description: Intel® Dynamic Platform and Thermal Framework : ESIF(8.1.10600.147) TYPE: ERROR
DPTF Build Version: 8.1.10600.147
DPTF Build Date: May 26 2015 13:35:22
Source File: ..\..\..\Sources\Manager\EsifApplicationInterface.cpp @ line 737
Executing Function: DptfEvent
Message: Received unexpected event
Framework Event: DptfResume [3]
Error: (06/21/2017 03:56:51 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Avast Antivirus status to SECURITY_PRODUCT_STATE_ON (error %3).
Error: (06/21/2017 03:56:51 PM) (Source: SecurityCenter) (EventID: 16) (User: )
Description: Error while updating Avast Antivirus status to SECURITY_PRODUCT_STATE_ON (error %3).
Error: (06/21/2017 03:45:27 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_wuauserv, version: 10.0.14393.0, time stamp: 0x57899b1c
Faulting module name: msvcrt.dll, version: 7.0.14393.0, time stamp: 0x57899b47
Exception code: 0xc0000005
Fault offset: 0x0000000000055d91
Faulting process id: 0x168
Faulting application start time: 0x01d2b72da363e0fa
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\msvcrt.dll
Report Id: c474d62e-1414-4007-86aa-7910e041835f
Faulting package full name:
Faulting package-relative application ID:
Error: (06/21/2017 03:41:55 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-6S12IL0)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
Error: (06/21/2017 03:41:55 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DESKTOP-6S12IL0)
Description: Activation of app Microsoft.Windows.Photos_8wekyb3d8bbwe!App failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.
Error: (06/21/2017 03:41:55 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Microsoft.Photos.exe version 1.0.1611.18000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 1d14
Start Time: 01d2eaceb1c7302a
Termination Time: 4294967295
Application Path: C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
Report Id: 0d071cf9-56c2-11e7-9bd7-c8ff289a93a2
Faulting package full name: Microsoft.Windows.Photos_16.1118.10000.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: App
System errors:
=============
Error: (06/21/2017 05:26:11 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/21/2017 04:49:41 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/21/2017 04:49:41 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/21/2017 04:49:39 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/21/2017 04:48:01 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-6S12IL0)
Description: The server CortanaPlaces.PlaceStore did not register with DCOM within the required timeout.
Error: (06/21/2017 04:48:00 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-6S12IL0)
Description: The server {3BFADDE5-09ED-42AE-8190-2E68B650CFE6} did not register with DCOM within the required timeout.
Error: (06/21/2017 04:47:58 PM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-6S12IL0)
Description: The server {3BFADDE5-09ED-42AE-8190-2E68B650CFE6} did not register with DCOM within the required timeout.
Error: (06/21/2017 04:47:56 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/21/2017 04:01:23 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
Error: (06/21/2017 03:55:42 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{8D8F4F83-3594-4F07-8369-FC3C3CAE4919}
and APPID
{F72671A9-012C-4725-9D2F-2A4D32D65169}
to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
CodeIntegrity:
===================================
Date: 2017-02-03 09:45:48.714
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe because the set of per-page image hashes could not be found on the system.
Date: 2017-02-03 09:45:48.704
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe because the set of per-page image hashes could not be found on the system.
Date: 2017-02-03 09:45:48.692
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe because the set of per-page image hashes could not be found on the system.
Date: 2017-02-03 09:45:48.680
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================
Processor: Intel® Core i3-4012Y CPU @ 1.50GHz
Percentage of memory in use: 69%
Total physical RAM: 3988.27 MB
Available physical RAM: 1222.89 MB
Total Virtual: 5921.45 MB
Available Virtual: 2713.96 MB
==================== Drives ================================
Drive c: (Windows) (Fixed) (Total:421.91 GB) (Free:386.79 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:23.18 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 55323E72)
Partition: GPT.
==================== End of Addition.txt ============================