# 11 (Eleven) instances of winlogon.exe running???



## andrewoman (Feb 5, 2015)

I cannot imagine having 11 instances of winlogon.exe at the same time is a good thing???
And yes, I have googled "multiple winlogon running" and such, with poor results in answers.

This is a Lenovo Y510P Laptop, Windows 8.1. 8G RAM. 

Thank you to whomever can help!!!!!


----------



## BrianDrab (Oct 22, 2014)

Hi. My name is *Brian*, and I would be happy to look into your issue.

*- General Instructions -*


*Please read all instructions and fixes thoroughly. Read the ENTIRE post BEFORE performing any steps so you understand all that needs to be done.*
I would advise *printing any instructions* for easy reference as some of the fixes may require you to boot in Safe mode. Access to these instructions may not be available in Safe Mode.
Any fixes provided by myself are for *this log file only* and should not be used on any other systems.
*Do not run* any other removal software or perform updates other than the ones I provide, as it will complicate the cleaning process.
It's very likely that part of our cleanup will include emptying your recycle bin. If you use your recycle bin as an archive and do not wish this to be emptied, please let me know.
You have 4 days to reply to each post or the topic will be closed. You will be able to request that the topic be re-opened by sending me a PM (Personal Message) or PM a moderator.
Please feel free to ask any questions, *especially* if you are having problems with my instructions.

*- Save ALL Tools to your Desktop-*

All tools that I have you download should be placed on the *desktop* unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser.

Choose *Settings*. At the bottom of the screen click the "*Show advanced settings...*" link. Scroll down to find the Downloads section and click the *Change...* button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser.

Choose *Options*. In the Downloads section, click the *Browse* button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right-corner of the browser.

Select *View downloads*. Select the *Options* link in the lower left of the window. Click Browse and select the Desktop and then choose the *Select Folder* button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

*- Finally Before We Start-*

Removing malware is a complicated multi-step process. Please stay with me until I have declared your system clean. *I strongly recommend you backup your personal files and folders*. Although rare, attempting to remove malware can render your machine unbootable or cause data loss. Having backups of your data is your responsibility. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Let's take a look. Please do the following.

Step#1 - FRST Scan
1. Please download Farbar Recovery Scan Tool and save it to your Desktop.
*Note*: You need to run the 64-bit version, so please ensure you download that one.
2. Right click to run as administrator. When the tool opens click *Yes* to the disclaimer.
3. Please ensure you place a check mark in the Addition.txt check box at the bottom of the form before running (if not already).
4. Press the *Scan* button.
5. It will produce a log called *FRST.txt* in the same directory the tool is run from (which should now be the desktop).
6. Please copy and paste the log back here.
7. Another log (*Addition.txt* - also located in the same directory as FRST64.exe) will be generated. Please also paste that along with the FRST.txt into your reply.


----------



## andrewoman (Feb 5, 2015)

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-02-2015
Ran by JUSTME (administrator) on MYPC on 05-02-2015 20:29:32
Running from C:\Users\JUSTME\Downloads
Loaded Profiles: JUSTME (Available profiles: JUSTME)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Cyberfox)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(McAfee, Inc.) C:\Program Files\mcafee\msc\McAPExe.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\AMCore\mcshield.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Program Files\mcafee\vul\McVulCtr.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(Microsoft Corporation) C:\Windows\System32\LogonUI.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Ruiware LLC) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(McAfee, Inc.) C:\Program Files\Common Files\mcafee\platform\McUICnt.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Farbar) C:\Users\JUSTME\Downloads\FRST64 (1).exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13648600 2013-08-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-30] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [RtsFT] => C:\windows\RTFTrack.exe [6340312 2013-10-17] (Realtek semiconductor)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe -start
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17111056 2014-03-25] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [193008 2014-03-25] (Lenovo(beijing) Limited)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2463552 2014-10-04] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\windows\system32\rundll32.exe C:\windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [mcpltui_exe] => C:\Program Files\McAfee.com\Agent\mcagent.exe [537992 2014-04-25] (McAfee, Inc.)
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-06] (CyberLink Corp.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [Power2GoExpress] => C:\Program Files (x86)\Lenovo\Power2Go\Power2GoExpress.exe [2534976 2013-09-25] (Cyberlink)
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [10387752 2014-12-26] (SecureMix LLC)
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1154112 2014-07-20] (Ruiware LLC)
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [184048 2013-12-26] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll => C:\windows\SysWOW64\nvinit.dll [156256 2013-12-26] (NVIDIA Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://home.lenovo.com/
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2335979010-2088281229-887777252-1002 -> DefaultScope {B5B24B33-D3D0-4733-BE51-DA0E1B29E9F9} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US0D20140726&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-2335979010-2088281229-887777252-1002 -> {7ECD25DF-CA9D-4033-A485-1874BD4748A6} URL = 
SearchScopes: HKU\S-1-5-21-2335979010-2088281229-887777252-1002 -> {B5B24B33-D3D0-4733-BE51-DA0E1B29E9F9} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US0D20140726&p={SearchTerms}
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\mcafee\msc\McSnIePl64.dll (McAfee, Inc.)
Filter-x32: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files (x86)\McAfee\msc\McSnIePl.dll (McAfee, Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.5.1 64.134.255.2 64.134.255.10

FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> c:\PROGRA~1\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\McAfee\MSK
FF Extension: McAfee Anti-Spam Thunderbird Extension - C:\Program Files\McAfee\MSK [2014-03-25]

Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchKeyword: Default -> mcafee
CHR DefaultSearchURL: Default -> https://search.yahoo.com/search?fr=mcafee&type=B211US0D20140726&p={searchTerms}
CHR DefaultSuggestURL: Default -> 
CHR Profile: C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-25]
CHR Extension: (Google Drive) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-25]
CHR Extension: (YouTube) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-25]
CHR Extension: (Google Search) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-25]
CHR Extension: (Google Wallet) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-25]
CHR Extension: (Offline Solitaire) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojldfpglenpceffckkjhajofdbpkfgmn [2014-08-28]
CHR Extension: (Gmail) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-25]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ExpressCache; C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe [107944 2013-01-08] (Condusiv Technologies)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1149760 2014-10-04] (NVIDIA Corporation)
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [6296872 2014-12-26] (SecureMix LLC)
R2 HomeNetSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-08-08] (Intel Corporation)
R2 Intel(R) Wireless Bluetooth(R) 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [155448 2013-09-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
R2 McAPExe; C:\Program Files\McAfee\MSC\McAPExe.exe [178528 2014-04-25] (McAfee, Inc.)
S3 McAWFwk; c:\Program Files\Common Files\mcafee\ActWiz\McAWFwk.exe [334608 2013-07-24] (McAfee, Inc.)
R2 McMPFSvc; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McNaiAnn; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 McODS; C:\Program Files\mcafee\VirusScan\mcods.exe [603424 2014-06-12] (McAfee, Inc.)
S4 McOobeSv2; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mcpltsvc; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 McProxy; C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
R2 mfecore; C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe [1041192 2014-07-24] (McAfee, Inc.)
R2 mfefire; C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe [219752 2014-06-20] (McAfee, Inc.)
R2 mfevtp; C:\windows\system32\mfevtps.exe [189912 2014-06-20] (McAfee, Inc.)
R2 MSK80Service; C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe [328928 2013-07-30] (McAfee, Inc.)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2013-08-23] ()
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-10-04] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19440960 2014-10-04] (NVIDIA Corporation)
S3 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
S2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3667696 2013-08-23] (Intel® Corporation)
S2 0276051415324923mcinstcleanup; C:\Users\JUSTME\AppData\Local\Temp\027605~1.EXE -cleanup -nolog [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [132920 2013-04-23] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1386296 2013-08-19] (Motorola Solutions, Inc.)
R3 cfwids; C:\Windows\System32\drivers\cfwids.sys [72128 2014-06-20] (McAfee, Inc.)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [26024 2013-01-08] (Condusiv Technologies)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [112552 2013-01-08] (Condusiv Technologies)
U5 GeneStor; C:\Windows\System32\Drivers\GeneStor.sys [105704 2013-08-15] (GenesysLogic)
R1 gwdrv; C:\Windows\system32\DRIVERS\gwdrv.sys [33296 2014-12-25] (SecureMix LLC)
S3 HipShieldK; C:\Windows\System32\drivers\HipShieldK.sys [197704 2013-09-23] (McAfee, Inc.)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [118216 2013-09-23] (Intel Corporation)
R4 KProcessHacker2; C:\Program Files\Process Hacker 2\kprocesshacker.sys [39576 2013-11-13] (wj32)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-08-08] (Intel Corporation)
R3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [181704 2014-06-20] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [313544 2014-06-20] (McAfee, Inc.)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [70600 2014-06-20] (McAfee, Inc.)
R3 mfefirek; C:\Windows\System32\drivers\mfefirek.sys [523792 2014-06-20] (McAfee, Inc.)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [786296 2014-06-20] (McAfee, Inc.)
R3 mfencbdc; C:\Windows\system32\DRIVERS\mfencbdc.sys [444720 2014-07-24] (McAfee, Inc.)
S3 mfencrk; C:\Windows\system32\DRIVERS\mfencrk.sys [96592 2014-07-24] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [348552 2014-06-20] (McAfee, Inc.)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-25] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20288 2014-10-04] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38048 2014-09-04] (NVIDIA Corporation)
S3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8876248 2013-10-17] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-09-17] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)
S3 TDKLIB; \??\C:\Users\ADMINI~1\AppData\Local\Temp\TdkLib64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 20:29 - 2015-02-05 20:29 - 00019125 _____ () C:\Users\JUSTME\Downloads\FRST.txt
2015-02-05 20:24 - 2015-02-05 20:25 - 02131968 _____ (Farbar) C:\Users\JUSTME\Downloads\FRST64 (1).exe
2015-02-05 20:02 - 2015-02-05 20:02 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
2015-02-05 19:22 - 2015-02-05 20:29 - 00000000 ____D () C:\FRST
2015-02-05 19:21 - 2015-02-05 19:22 - 02131968 _____ (Farbar) C:\Users\JUSTME\Downloads\FRST64.exe
2015-02-05 17:49 - 2015-02-05 19:33 - 00116946 _____ () C:\windows\WindowsUpdate.log
2015-02-04 18:21 - 2015-02-04 18:21 - 01156136 _____ (Ruiware) C:\Users\JUSTME\Downloads\wpsetup.exe
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\Users\JUSTME\AppData\Roaming\WinPatrol
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\ProgramData\InstallMate
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\Program Files (x86)\Ruiware
2015-01-31 21:04 - 2015-01-31 21:05 - 00000000 ____D () C:\Users\JUSTME\AppData\Roaming\Stellarium
2015-01-31 21:04 - 2015-01-31 21:04 - 00001743 _____ () C:\Users\Public\Desktop\Stellarium.lnk
2015-01-31 21:04 - 2015-01-31 21:04 - 00000000 ____D () C:\Users\JUSTME\AppData\Local\stellarium
2015-01-31 21:04 - 2015-01-31 21:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stellarium
2015-01-31 21:03 - 2015-01-31 21:04 - 00000000 ____D () C:\Program Files\Stellarium
2015-01-31 20:57 - 2015-01-31 21:03 - 136010710 _____ (Stellarium team ) C:\Users\JUSTME\Downloads\stellarium-0.13.2-win64.exe
2015-01-30 02:54 - 2015-01-05 18:08 - 00714720 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-01-30 02:54 - 2015-01-05 18:08 - 00106976 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-28 21:07 - 2015-01-28 21:07 - 00000000 ____D () C:\Users\JUSTME\AppData\Roaming\Process Hacker 2
2015-01-28 20:00 - 2015-01-31 06:40 - 00002118 _____ () C:\Users\JUSTME\Desktop\Process Hacker 2.lnk
2015-01-28 20:00 - 2015-01-28 20:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2
2015-01-28 20:00 - 2015-01-28 20:00 - 00000000 ____D () C:\Program Files\Process Hacker 2
2015-01-28 19:59 - 2015-01-28 20:00 - 01932448 _____ (wj32 ) C:\Users\JUSTME\Downloads\processhacker-2.33-setup.exe
2015-01-25 20:54 - 2015-01-25 21:19 - 00000000 ____D () C:\Users\JUSTME\AppData\Local\paint.net
2015-01-25 20:54 - 2015-01-25 20:54 - 00001211 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2015-01-25 20:54 - 2015-01-25 20:54 - 00001199 _____ () C:\Users\Public\Desktop\paint.net.lnk
2015-01-25 20:54 - 2015-01-25 20:54 - 00000000 ____D () C:\Program Files\paint.net
2015-01-25 20:52 - 2015-01-25 20:53 - 06528454 _____ () C:\Users\JUSTME\Downloads\paint.net.4.0.5.install.zip
2015-01-25 20:23 - 2015-01-25 20:23 - 00009127 _____ () C:\Users\JUSTME\Downloads\gimp-2.8.14-setup-1.exe.torrent
2015-01-18 16:25 - 2015-01-18 16:25 - 00055414 _____ () C:\Users\JUSTME\Downloads\religion.jpeg
2015-01-15 19:54 - 2015-01-15 19:56 - 149262968 _____ ( ) C:\Users\JUSTME\Downloads\PowerDVD_v6806_RiTA(Lenovo_NB)_Patch_DVD140730-01.exe
2015-01-13 17:19 - 2014-12-19 00:26 - 00140800 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2015-01-13 17:19 - 2014-12-11 20:04 - 00087040 _____ (Microsoft Corporation) C:\windows\system32\TSWbPrxy.exe
2015-01-13 17:19 - 2014-12-11 18:51 - 00075776 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ahcache.sys
2015-01-13 17:19 - 2014-12-08 19:50 - 00225280 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-01-13 17:19 - 2014-12-05 21:17 - 00360448 _____ (Microsoft Corporation) C:\windows\system32\ncsi.dll
2015-01-13 17:19 - 2014-12-05 19:41 - 00391680 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2015-01-13 17:19 - 2014-10-28 19:24 - 00086016 _____ (Microsoft Corporation) C:\windows\system32\nlaapi.dll
2015-01-13 17:19 - 2014-10-28 19:01 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00535640 _____ (Microsoft Corporation) C:\windows\system32\wer.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00531616 _____ (Microsoft Corporation) C:\windows\system32\ci.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00448792 _____ (Microsoft Corporation) C:\windows\SysWOW64\wer.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00413248 _____ (Microsoft Corporation) C:\windows\system32\Faultrep.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00372408 _____ (Microsoft Corporation) C:\windows\SysWOW64\Faultrep.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00108944 _____ (Microsoft Corporation) C:\windows\system32\EncDump.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00038264 _____ (Microsoft Corporation) C:\windows\system32\WerFaultSecure.exe
2015-01-13 17:13 - 2014-12-08 13:42 - 00033584 _____ (Microsoft Corporation) C:\windows\SysWOW64\WerFaultSecure.exe
2015-01-13 17:13 - 2014-12-05 19:35 - 00229888 _____ (Microsoft Corporation) C:\windows\system32\AudioEndpointBuilder.dll
2015-01-13 17:13 - 2014-10-28 22:00 - 00465320 _____ (Microsoft Corporation) C:\windows\system32\WerFault.exe
2015-01-13 17:13 - 2014-10-28 22:00 - 00139984 _____ (Microsoft Corporation) C:\windows\system32\wermgr.exe
2015-01-13 17:13 - 2014-10-28 21:52 - 00500016 _____ (Microsoft Corporation) C:\windows\system32\AudioSes.dll
2015-01-13 17:13 - 2014-10-28 21:52 - 00482872 _____ (Microsoft Corporation) C:\windows\system32\AudioEng.dll
2015-01-13 17:13 - 2014-10-28 21:52 - 00394120 _____ (Microsoft Corporation) C:\windows\system32\AUDIOKSE.dll
2015-01-13 17:13 - 2014-10-28 21:52 - 00272248 _____ (Microsoft Corporation) C:\windows\system32\audiodg.exe
2015-01-13 17:13 - 2014-10-28 21:12 - 00413136 _____ (Microsoft Corporation) C:\windows\SysWOW64\WerFault.exe
2015-01-13 17:13 - 2014-10-28 21:12 - 00136296 _____ (Microsoft Corporation) C:\windows\SysWOW64\wermgr.exe
2015-01-13 17:13 - 2014-10-28 21:07 - 00424544 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioEng.dll
2015-01-13 17:13 - 2014-10-28 21:07 - 00370424 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioSes.dll
2015-01-13 17:13 - 2014-10-28 21:07 - 00344536 _____ (Microsoft Corporation) C:\windows\SysWOW64\AUDIOKSE.dll
2015-01-13 17:13 - 2014-10-28 20:44 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\werdiagcontroller.dll
2015-01-13 17:13 - 2014-10-28 19:59 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\werdiagcontroller.dll
2015-01-13 17:13 - 2014-10-28 19:02 - 00911360 _____ (Microsoft Corporation) C:\windows\system32\audiosrv.dll
2015-01-12 15:57 - 2015-01-12 15:57 - 00054541 _____ () C:\Users\JUSTME\Downloads\FRANCE MARCH.jpeg

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-05 20:07 - 2014-07-04 18:56 - 00003596 _____ () C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2335979010-2088281229-887777252-1002
2015-02-05 20:01 - 2014-07-25 21:40 - 00000916 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-05 20:00 - 2013-08-22 09:36 - 00000000 ____D () C:\windows\system32\sru
2015-02-05 19:05 - 2013-08-22 09:36 - 00000000 ____D () C:\windows\rescache
2015-02-05 18:02 - 2014-07-25 21:47 - 00002214 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-05 18:01 - 2014-07-25 21:40 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-05 17:54 - 2013-08-22 09:20 - 00000000 ____D () C:\windows\CbsTemp
2015-02-04 16:44 - 2014-03-25 05:38 - 00003058 _____ () C:\windows\System32\Tasks\PDVDServ Task
2015-02-03 17:56 - 2014-07-25 21:40 - 00003888 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-03 17:56 - 2014-07-25 21:40 - 00003652 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-31 21:04 - 2014-03-25 05:18 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-31 00:50 - 2013-10-07 12:27 - 00865408 _____ () C:\windows\system32\PerfStringBackup.INI
2015-01-30 23:08 - 2014-07-05 16:09 - 00000000 ____D () C:\ProgramData\tmp
2015-01-30 06:45 - 2014-07-04 18:51 - 00000000 ____D () C:\Users\JUSTME
2015-01-30 02:59 - 2013-08-22 08:45 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-01-30 02:57 - 2013-08-22 07:25 - 00262144 ___SH () C:\windows\system32\config\BBI
2015-01-30 02:54 - 2013-08-22 07:25 - 00262144 ___SH () C:\windows\system32\config\ELAM
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ____D () C:\Program Files\Windows Defender
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2015-01-29 17:38 - 2014-09-22 20:21 - 00001334 _____ () C:\Users\JUSTME\AppData\Local\7396d5af-93b3-4d36-bfec-04bbd1449761.dat
2015-01-16 16:30 - 2014-07-25 22:05 - 00002774 _____ () C:\windows\System32\Tasks\CCleanerSkipUAC
2015-01-15 19:59 - 2014-03-25 05:09 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-01-15 19:56 - 2014-03-25 05:37 - 00029480 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3a.dll
2015-01-15 19:56 - 2014-03-25 05:29 - 00000000 ____D () C:\ProgramData\Temp
2015-01-15 19:56 - 2014-03-25 05:29 - 00000000 ____D () C:\ProgramData\install_clap

==================== Files in the root of some directories =======

2014-09-22 20:21 - 2015-01-29 17:38 - 0001334 _____ () C:\Users\JUSTME\AppData\Local\7396d5af-93b3-4d36-bfec-04bbd1449761.dat
2014-03-25 05:13 - 2014-03-25 05:13 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-03 17:54

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-02-2015
Ran by JUSTME at 2015-02-05 20:30:10
Running from C:\Users\JUSTME\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: McAfee Anti-Virus and Anti-Spyware (Disabled - Up to date) {ADA629C7-7F48-5689-624A-3B76997E0892}
AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Disabled - Up to date) {16C7C823-5972-5907-58FA-0004E2F9422F}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: McAfee Firewall (Disabled) {959DA8E2-3527-57D1-4915-924367AD4FE9}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
Cyberfox Web Browser (HKLM\...\{5EFB52C0-4EC9-46B4-80EB-8432C6599641}_is1) (Version: 33.0.3.0 - 8pecxstudios)
CyberLink PhotoDirector 3 (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.1.4107 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.)
CyberLink PowerDirector 10 (Version: 10.0.0.2810 - CyberLink Corp.) Hidden
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 8.0.2.14 - Lenovo)
Energy Management (x32 Version: 8.0.2.14 - Lenovo) Hidden
ExpressCache (HKLM\...\{C123584F-9C84-45E8-AE5F-522328BB79A0}) (Version: 1.0.100.0 - Condusiv Technologies)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.3.0.8 - Genesys Logic)
GlassWire 1.0 (remove only) (HKLM-x32\...\GlassWire 1.0) (Version: 1.0.35 - SecureMix LLC)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Host App Service (HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Pokki) (Version: 0.269.4.103 - Pokki)
Intel(R) Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{0EC7F9CC-4741-45AE-9F55-6E9343F726F5}) (Version: 1.1.0.36960 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.0.20.1447 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3277 - Intel Corporation)
Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology(patch version 3.0.1337.1) (HKLM\...\{302600C1-6BDF-4FD1-1307-148929CC1385}) (Version: 3.1.1307.0362 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{72814a2c-2e03-4a50-b30a-43e7884b3934}) (Version: 16.5.1 - Intel Corporation)
Lenovo EasyCamera (HKLM-x32\...\{E0A7ED39-8CD6-4351-93C3-69CCA00D12B4}) (Version: 6.2.9200.10249 - Realtek Semiconductor Corp.)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.0.0.2105 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 8.0.0.2105 - CyberLink Corp.) Hidden
Lenovo Photos (HKLM-x32\...\Lenovo Photos) (Version: 4.8.7 - CEWE Stiftung u Co. KGaA)
Lenovo PowerDVD10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.6806.52 - CyberLink Corp.)
Lenovo PowerDVD10 (x32 Version: 10.0.6806.52 - CyberLink Corp.) Hidden
Lenovo Reach (HKLM-x32\...\{0B5E0E89-4BCA-4035-BBA1-D1439724B6E2}) (Version: 1.1.0.166 - Stoneware, Inc.)
McAfee LiveSafe - Internet Security (HKLM-x32\...\MSC) (Version: 12.8.988 - McAfee, Inc.)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Monopoly (HKLM-x32\...\Monopoly) (Version: - PopCap Games)
NVIDIA GeForce Experience 2.1.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1.3 - NVIDIA Corporation)
NVIDIA Graphics Driver 327.62 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 327.62 - NVIDIA Corporation)
Onekey Theater (HKLM-x32\...\{91CC5BAE-A098-40D3-A43B-C0DC7CE263FE}) (Version: 3.0.1.2 - Lenovo)
paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.10525 - CyberLink Corp.)
Process Hacker 2.33 (r5590) (HKLM\...\Process_Hacker2_is1) (Version: 2.33.0.5590 - wj32)
Qualcomm Atheros Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.21 - Qualcomm Atheros Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7030 - Realtek Semiconductor Corp.)
Scrabble (HKLM-x32\...\Scrabble) (Version: - PopCap Games)
SHIELD Streaming (Version: 3.1.1000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 16.13.56 - NVIDIA Corporation) Hidden
Speccy (HKLM\...\Speccy) (Version: 1.26 - Piriform)
SRWare Iron version SRWare Iron 35.0.1900.0 (HKLM-x32\...\{C59CF2CE-B302-4833-AA35-E0E07D8EBC52}_is1) (Version: SRWare Iron 35.0.1900.0 - SRWare)
StageLight version 1.0.0.3508 (HKLM\...\StageLight) (Version: version 1.0.0.3508 - Open Labs, LLC.)
Start Menu (HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Pokki_Start_Menu) (Version: 0.269.4.103 - Pokki)
Stellarium 0.13.2 (HKLM\...\Stellarium_is1) (Version: 0.13.2 - Stellarium team)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.10.12 - Synaptics Incorporated)
UserGuide (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.15 - Lenovo)
UserGuide (x32 Version: 1.0.0.15 - Lenovo) Hidden
Windows Driver Package - Lenovo (ACPIVPC) System (02/17/2013 9.52.0.776) (HKLM\...\35DD26BE48DAF4A9F35F969F3CB1E3E1435E661E) (Version: 02/17/2013 9.52.0.776 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid (07/25/2013 10.30.0.288) (HKLM\...\6BCA401E9CBEED970D75F55FA5320F60D11984E9) (Version: 07/25/2013 10.30.0.288 - Lenovo)
WinPatrol (HKLM\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 32.0.2014.5 - Ruiware)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

15-01-2015 19:41:54 Windows Update
23-01-2015 20:16:32 Scheduled Checkpoint
25-01-2015 20:54:25 paint.net 4.0.5
31-01-2015 21:04:07 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 07:25 - 2013-08-22 07:25 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0C44D1AE-2A15-449B-953D-F7289B9A83E9} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-12-12] (Piriform Ltd)
Task: {3CB5B3FB-3483-4988-8B6F-ABD8E868FFB5} - System32\Tasks\PDVDServ Task => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.EXE [2013-03-08] (CyberLink Corp.)
Task: {50F5F610-B488-4315-AC9C-68D7621D0573} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2013-03-07] (Intel Corporation)
Task: {A03689F0-358F-4517-B5F7-39A01B230D98} - System32\Tasks\UMonitor Task => C:\windows\SysWOW64\UMonit64.exe [2013-10-25] ()
Task: {A0B0E075-24D8-4426-9390-E3C510E3AD7C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-25] (Google Inc.)
Task: {C3582DFC-C1B3-4D85-86F1-3A2CD1757F70} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-25] (Google Inc.)
Task: {C502F863-2071-4ADC-82AB-A586FC10AA36} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2013-03-07] (Intel Corporation)
Task: {D7814988-EDFA-4AEC-ADF2-14B05C34D5A3} - System32\Tasks\OFFICE2013ACT => C:\ProgramData\Office2013\OFFICEICON.vbs [2013-06-03] ()
Task: {DA6B28C9-D53F-4CB8-993F-018BDE3672F8} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-09-17] (Synaptics Incorporated)
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2013-12-26 19:42 - 2013-12-26 19:42 - 00013088 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2014-03-25 05:10 - 2013-08-08 14:25 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll
2015-02-03 18:02 - 2015-01-26 21:44 - 01117512 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.94\libglesv2.dll
2015-02-03 18:02 - 2015-01-26 21:44 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.94\libegl.dll
2015-02-03 18:02 - 2015-01-26 21:44 - 09171272 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.94\pdf.dll
2015-02-04 22:24 - 2015-02-03 12:22 - 14964912 _____ () C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\PepperFlash\16.0.0.305\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefire => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfefirek.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Registry Areas =====================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\JUSTME\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "BTMTrayAgent"
HKLM\...\StartupApproved\Run: => "IAStorIcon"
HKLM\...\StartupApproved\Run: => "EnergyUtility"
HKLM\...\StartupApproved\Run: => "Energy Management"
HKLM\...\StartupApproved\Run: => "Nvtmru"
HKLM\...\StartupApproved\Run: => "OnekeyStudio"
HKLM\...\StartupApproved\Run: => "RtsFT"
HKLM\...\StartupApproved\Run: => "ShadowPlay"
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run32: => "UpdateP2GShortCut"
HKLM\...\StartupApproved\Run32: => "IAStorIcon"
HKLM\...\StartupApproved\Run32: => "Nvtmru"
HKLM\...\StartupApproved\Run32: => "NvBackend"
HKLM\...\StartupApproved\Run32: => "RtsFT"
HKLM\...\StartupApproved\Run32: => "BTMTrayAgent"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Pokki"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Power2GoExpress"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Skype"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "GlassWire"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "CCleaner Monitoring"

==================== Accounts: =============================

Administrator (S-1-5-21-2335979010-2088281229-887777252-500 - Administrator - Disabled)
Guest (S-1-5-21-2335979010-2088281229-887777252-501 - Limited - Disabled)
JUSTME (S-1-5-21-2335979010-2088281229-887777252-1002 - Administrator - Enabled) => C:\Users\JUSTME

==================== Faulty Device Manager Devices =============

Name: Microphone (Realtek High Definition Audio)
Description: Audio Endpoint
Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}
Manufacturer: Microsoft
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Lenovo EasyCamera
Description: Lenovo EasyCamera
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Lite-On
Service: rtsuvc
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/05/2015 03:01:23 AM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/03/2015 08:51:45 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (02/03/2015 08:07:05 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (02/03/2015 05:56:01 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Activation of app Microsoft.BingHealthAndFitness_8wekyb3d8bbwe!AppexHealthAndFitness failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Activation of app Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Activation of app Microsoft.BingFoodAndDrink_8wekyb3d8bbwe!AppexFoodAndDrink failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Activation of app Microsoft.BingSports_8wekyb3d8bbwe!AppexSports failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Activation of app Microsoft.BingWeather_8wekyb3d8bbwe!App failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Activation of app Microsoft.BingNews_8wekyb3d8bbwe!AppexNews failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

System errors:
=============
Error: (02/05/2015 06:59:06 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (02/05/2015 06:58:36 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (02/05/2015 00:32:00 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) PROSet/Wireless Zero Configuration Service service terminated unexpectedly. It has done this 1 time(s).

Error: (02/04/2015 08:17:38 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (02/04/2015 08:17:08 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (02/04/2015 05:03:44 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (02/04/2015 05:03:14 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (02/03/2015 05:55:29 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (02/03/2015 05:54:59 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (02/01/2015 07:43:17 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Microsoft Office Sessions:
=========================
Error: (02/05/2015 03:01:23 AM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/03/2015 08:51:45 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (02/03/2015 08:07:05 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (02/03/2015 05:56:01 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Microsoft.BingHealthAndFitness_8wekyb3d8bbwe!AppexHealthAndFitness-2144927142

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Microsoft.BingFinance_8wekyb3d8bbwe!AppexFinance-2144927142

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Microsoft.BingFoodAndDrink_8wekyb3d8bbwe!AppexFoodAndDrink-2144927142

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Microsoft.BingSports_8wekyb3d8bbwe!AppexSports-2144927142

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Microsoft.BingWeather_8wekyb3d8bbwe!App-2144927142

Error: (02/03/2015 04:08:32 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Microsoft.BingNews_8wekyb3d8bbwe!AppexNews-2144927142

CodeIntegrity Errors:
===================================
Date: 2014-12-01 18:32:16.185
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:32:15.120
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:32:14.053
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:32:12.970
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:32.199
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:31.136
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:30.067
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:28.985
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:28:51.601
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:28:50.539
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz
Percentage of memory in use: 45%
Total physical RAM: 8104.27 MB
Available physical RAM: 4412.37 MB
Total Pagefile: 9384.27 MB
Available Pagefile: 4894.26 MB
Total Virtual: 131072 MB
Available Virtual: 131071.85 MB

==================== Drives ================================

Drive c: (Windows8_OS) (Fixed) (Total:891.65 GB) (Free:847.85 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:24.9 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 22.4 GB) (Disk ID: DB494C5F)

Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: EF3EBA0C)

Partition: GPT Partition Type.

==================== End Of Log ============================


----------



## andrewoman (Feb 5, 2015)

In retrospect, I should have posted my other issue together with this one. I won't waste your time explaining why I posted the issues separately.
I posted the issue - below - after this one. 

WEBCAM Enabled Remotely Suspected???
I have been suspecting spyware on my laptop - Lenovo Y510P. Windows 8.1. 8G RAM.

I especially suspect something now!!! Every time I log onto my computer and open Device Manager the only 2 programs that are ALWAYS open in there are the Webcam (Lenovo Easycam) and the Audio Outputs and Inputs. I have both the webcam and the Microphone disabled.

I will close those two programs in Device Manager and they will reopen and I am NOT doing it, and those are the only 2 that keep reopening.

Before anyone brings up whether the webcam light is on or not, that does not matter. I have already googled that and the webcam light can be disabled by malware. However, I have not found any good answers online regarding the issue.

Thank you to whomever can help!!!!!


----------



## BrianDrab (Oct 22, 2014)

Thank you for the information. A couple of questions.

1. I see that you have McAfee LiveSafe - Internet Security installed but it's currently *disabled*. It appears you are using Windows Defender as your Antivirus. If this is the case, can you uninstall McAfee?

2. When you reboot your machine and then take a look at task manager/Process Hacker 2.33, do you see the multiple LogonUI.exe processes or does it take time for them to start appearing?

Lastly please do the following.

*Run RogueKiller*


Click *here* to go to the *RogueKiller* download page.
Scroll down on the page and click on the *Download* button for the 64-bit version.
Quit all programs and close all browsers.
Double click the *RogueKiller * icon to run the program.
*NOTE:* If this is the first time you have used the program you will need to accept the *User Agreement* and the browser will open with some information related to the program.
Wait until Prescan has finished ...This may take a few minutes, especially if it is the first time you have used the program.
Click on *Scan*
Wait for the end of the scan.
*DO NOT *delete anything at this time.
The report has been created on the desktop.
Please post: All *RKreport.txt* text files located on your desktop.
*NOTE:* If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it to *winlogon.exe (or winlogon.com)* and try again


----------
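A way to make the check asked for above (count the winlogon.exe processes in Task Manager or Process Hacker after a reboot) repeatable and more informative, as an added example that is not part of the original thread and not code from FRST, RogueKiller or Process Hacker. It lists every running winlogon.exe with its session, image path, parent and Authenticode status, and flags the things a practitioner would look at: an image outside %SystemRoot%\System32, a signature that is not a valid Microsoft one, more than one instance in the same session, or a live parent that is not smss.exe. It assumes an elevated PowerShell 3.0 or later prompt (Windows 8.1 ships 4.0); the function name `Get-WinlogonAudit` and the flag strings are names chosen for this example.

```powershell
# Added example for this thread; not from the original posts or from any tool named in it.
# Enumerates every running winlogon.exe and flags deviations from the normal pattern of
# one Microsoft-signed %SystemRoot%\System32\winlogon.exe per interactive session.
# Assumes an elevated prompt: ExecutablePath of SYSTEM processes is hidden from non-admins.

function Get-WinlogonAudit {
    $expectedPath = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    $procs = @(Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'")

    foreach ($p in $procs) {
        $flags = @()

        # 1. Image path: the genuine binary lives only in %SystemRoot%\System32.
        if (-not $p.ExecutablePath) {
            $flags += 'path-unreadable (run elevated)'
        } elseif ($p.ExecutablePath -ne $expectedPath) {
            $flags += 'unexpected-path'
        }

        # 2. Authenticode: the same "File is digitally signed" idea as the FRST check,
        #    but applied to the image each running process was actually started from.
        $sig = $null
        if ($p.ExecutablePath) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            if ($sig.Status -ne 'Valid') {
                $flags += "signature-$($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $flags += 'non-microsoft-signer'
            }
        }

        # 3. One winlogon per session: two instances sharing a SessionId is not normal.
        $inSession = @($procs | Where-Object { $_.SessionId -eq $p.SessionId }).Count
        if ($inSession -gt 1) { $flags += "duplicate-in-session-$($p.SessionId)" }

        # 4. Parent: winlogon is started by a per-session smss.exe that normally exits
        #    right away, so a missing parent is expected; a live parent that is not
        #    smss.exe is worth a look (a recycled PID can produce a false hit).
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        if ($parent -and $parent.Name -ne 'smss.exe') { $flags += "parent-$($parent.Name)" }

        [pscustomobject]@{
            PID       = $p.ProcessId
            SessionId = $p.SessionId
            Path      = $p.ExecutablePath
            Parent    = if ($parent) { "$($parent.Name) ($($p.ParentProcessId))" }
                        else         { "<exited> ($($p.ParentProcessId))" }
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Flags     = ($flags -join '; ')
        }
    }
}

Get-WinlogonAudit | Sort-Object SessionId, PID | Format-Table -AutoSize
```

Read the output by session rather than by raw count: several users logged on with fast user switching, or Remote Desktop sessions, legitimately give one row per SessionId. Rows that share a SessionId, or carry any value in the Flags column, are the ones to investigate further (for example with the process's full command line and loaded modules in Process Hacker). Running it right after a reboot and again later shows whether the extra instances are present from boot or appear over time, which is exactly the distinction asked about above.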



## andrewoman (Feb 5, 2015)

I uninstalled McAfee. No more winlogons in Process Hacker, even after the laptop has been on for a while.

I will run RogueKiller tonight and post results tomorrow. Thank you.


----------



## andrewoman (Feb 5, 2015)

OK, there are now 6 instances of winlogon in Process Hacker.

Rogue Killer results:

RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : JUSTME [Administrator]
Mode : Scan -- Date : 02/10/2015 18:18:01

¤¤¤ Processes : 5 ¤¤¤
[Suspicious.Path] HostAppService.exe(7524) -- C:\Users\JUSTME\AppData\Local\Pokki\Engine\HostAppService.exe[7] -> Killed [TermProc]
[Suspicious.Path] HostAppServiceUpdater.exe(4764) -- C:\Users\JUSTME\AppData\Local\Pokki\Engine\HostAppServiceUpdater.exe[7] -> Killed [TermProc]
[Suspicious.Path] HostAppService.exe(6968) -- C:\Users\JUSTME\AppData\Local\Pokki\Engine\HostAppService.exe[7] -> Killed [TermThr]
[Suspicious.Path] HostAppService.exe(6084) -- C:\Users\JUSTME\AppData\Local\Pokki\Engine\HostAppService.exe[7] -> Killed [TermThr]
[Suspicious.Path] StartMenuIndexer.exe(3364) -- C:\Users\JUSTME\AppData\Local\Pokki\Engine\StartMenuIndexer.exe[7] -> Killed [TermProc]

¤¤¤ Registry : 14 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844} -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | RtsFT : RTFTrack.exe -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Windows\CurrentVersion\Run | Pokki : "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Windows\CurrentVersion\Run | Pokki : "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDKLIB (\??\C:\Users\ADMINI~1\AppData\Local\Temp\TdkLib64.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\TDKLIB (\??\C:\Users\ADMINI~1\AppData\Local\Temp\TdkLib64.sys) -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 24.217.0.5 24.217.201.67 192.168.33.1 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 24.217.0.5 24.217.201.67 192.168.33.1 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{763BBC0F-D129-4C4B-8C73-36008E2B8A98} | DhcpNameServer : 24.217.0.5 24.217.201.67 192.168.33.1 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{763BBC0F-D129-4C4B-8C73-36008E2B8A98} | DhcpNameServer : 24.217.0.5 24.217.201.67 192.168.33.1 [UNITED STATES (US)][UNITED STATES (US)] -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \\OFFICE2013ACT -- C:\ProgramData\Office2013\OFFICEICON.vbs -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: LITEONIT LSS-24L6G +++++
--- User ---
[MBR] 23970ceab2ee1281b051bc2a6a347cac
[BSP] 926144d330a8ed59bbe600f8fcd94658 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097152 MB
User = LL1 ... OK
User = LL2 ... OK


----------



## BrianDrab (Oct 22, 2014)

Do you use the Pokki Start menu?


----------



## andrewoman (Feb 5, 2015)

I wasn't exactly sure what that is. Had seen it a while ago and assumed it was fine; it looked to be a Lenovo program. What exactly does it do?


----------



## BrianDrab (Oct 22, 2014)

It basically makes your Start menu more like Windows 7.


----------



## andrewoman (Feb 5, 2015)

That is what I read. I do prefer the W7 look, so I just left it alone.


----------



## andrewoman (Feb 5, 2015)

If I disable it will my desktop look like W7 or not?


----------



## BrianDrab (Oct 22, 2014)

Many people agree with you. The Start Screen in Windows 8 was so drastically different that Microsoft is bringing back the start menu in Windows 10. For the purposes of troubleshooting would you mind uninstalling the program and using an alternative one?

http://www.classicshell.net/


----------



## andrewoman (Feb 5, 2015)

What is up with those PUM.Dns keys? And any idea about my webcam and mic always being on in Device Manager? Very odd.


----------



## BrianDrab (Oct 22, 2014)

> If I disable it will my desktop look like W7 or not?


If you uninstall it, it will not look like W7, but I've provided an alternative that I'd like to try.


----------



## andrewoman (Feb 5, 2015)

What is it called?


----------



## BrianDrab (Oct 22, 2014)

> What is up with those PUM.Dns keys? And any idea about my webcam and mic always being on in Device Manager? Very odd.


The DNS keys are OK. Those are provided by your internet service provider. Let's take one issue at a time. I've not looked into the webcam and mic issues yet.


----------



## BrianDrab (Oct 22, 2014)

http://www.classicshell.net/


----------



## andrewoman (Feb 5, 2015)

Have you used it? I would imagine I could download Pokki again from Lenovo if need be?
The main thing for me is searching for files. It has gotten harder and harder to do since XP. Makes no sense.
I installed a program called Everything on my last laptop that was much better than anything so far for finding files.
I hope Classicshell is short for Classic Shell, not Classics Hell...lol


----------



## BrianDrab (Oct 22, 2014)

Yes, it's the one I currently use. I'm only suggesting this as a temporary install. If you like it, keep it. Once we resolve your issues, if you want to go back to Pokki you can install it from the following link.

https://www.pokki.com/windows-8-start-menu


----------



## BrianDrab (Oct 22, 2014)

> I installed a program called Everything on my last laptop that was much better than anything so far for finding files.


By the way I used this program in the past too and loved it. Good choice.


----------



## andrewoman (Feb 5, 2015)

Ok, I'll do it. Just read very favorable reviews on sourceforge.net.
Please advise your steps to uninstall, then install the new program.
Thank you.


----------



## BrianDrab (Oct 22, 2014)

I only use the good stuff.

Uninstall the program named *Start Menu*. If you are unfamiliar with going to the control panel and uninstalling programs, step-by-step instructions are here.

Then download and install Classic Shell.


----------



## andrewoman (Feb 5, 2015)

I know how to uninstall and install, but wasn't sure if you needed me to uninstall, then reboot, etc., all those steps or not.


----------



## BrianDrab (Oct 22, 2014)

Got it. Sorry. In this case you only need to reboot if you are prompted to during the uninstall or install. Thanks for asking.


----------



## andrewoman (Feb 5, 2015)

I just uninstalled Pokki and installed Classicshell. It wants to put an IE BHO on. I hate BHOs and toolbars, so I would like to deny that aspect of the program... unless you think it is necessary. However, it wants to put it on IE, which I never use due to safety issues.


----------



## BrianDrab (Oct 22, 2014)

I agree. Don't install anything you don't use/want.


----------



## andrewoman (Feb 5, 2015)

Ok. Think you wanted to troubleshoot now?


----------



## BrianDrab (Oct 22, 2014)

OK, now let's do the following please.

Step#1 - FRST Fix
*NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system*
1. Download attached file and save it to the *Desktop*.
*Note.* It's important that both files, *FRST64* and *fixlist.txt *are in the same location or the fix will not work (in this case...the desktop).
2. Run *FRST64* by *Right-Clicking *on the file and choosing *Run as administrator*.
3. Press the *Fix* button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (*Fixlog.txt*). Please post the contents of it in your reply.

Step#2 - Fresh Set of Logs
1. *Right click *on FRST64.exe and select *Run as administrator*. When the tool opens click *Yes* to disclaimer.
2. Please ensure you place a check mark in the Addition.txt check box at the bottom of the form before running.
3. Press *Scan* button.
4. It will produce a log called *FRST.txt* in the same directory the tool is run from (which should now be the desktop).
5. Please copy and paste log back here.
6. Because you selected the *Addition.txt *check box this log will be created as well. Please copy and paste this log as well.

Items for your next post
1. FRST Fix log
2. FRST and Addition logs


----------



## andrewoman (Feb 5, 2015)

FRST64 and fixlist.txt are both on my Desktop. I press Fix and it says no fixlist.txt found.


----------



## BrianDrab (Oct 22, 2014)

Download a new version of FRST64 from here and overwrite the one that is currently on the desktop. Then try again.


----------



## andrewoman (Feb 5, 2015)

Jeez. I downloaded it, hit Fix, and it restarted my machine.


----------



## BrianDrab (Oct 22, 2014)

Correct. That was mentioned in my instructions. Now you just need to post the contents of the fixlog.txt that should be on the desktop.


----------



## andrewoman (Feb 5, 2015)

Not on the desktop.


----------



## BrianDrab (Oct 22, 2014)

Then go to the following location and post the contents of the most *recent* log.

C:\FRST\Logs


----------



## andrewoman (Feb 5, 2015)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
Ran by JUSTME at 2015-02-10 19:30:12 Run:1
Running from C:\Users\JUSTME\Downloads
Loaded Profiles: JUSTME (Available profiles: JUSTME)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
S3 TDKLIB; \??\C:\Users\ADMINI~1\AppData\Local\Temp\TdkLib64.sys [X]
C:\Users\ADMINI~1\AppData\Local\Temp\TdkLib64.sys
EmptyTemp:

*****************

Restore point was successfully created.
TDKLIB => Service deleted successfully.
"C:\Users\ADMINI~1\AppData\Local\Temp\TdkLib64.sys" => File/Directory not found.
EmptyTemp: => Removed 190.4 MB temporary data.

The system needed a reboot.

==== End of Fixlog 19:30:22 ====
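The TDKLIB entry that FRST removed above is a driver registered from a user's Temp folder, with the file already gone. As an added PowerShell example (not part of FRST or the thread), this checks the live machine for the same pattern: services or drivers whose ImagePath points into a temporary or per-user location, and whether the file behind them still exists. It assumes Windows PowerShell 3.0+; the folder patterns are the author's choice, not an FRST rule set.

```powershell
# Added example (not from the thread): find services and drivers whose ImagePath
# lives under a temporary or per-user folder, the pattern FRST removed (TDKLIB).
# Assumes Windows PowerShell 3.0+; reading HKLM\SYSTEM\...\Services needs no elevation.

function Get-SuspiciousServicePaths {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Regex patterns for folders a legitimate driver or service is not loaded from
    # (constructed for this example; extend to taste).
    $badPatterns = @('\\Temp\\', '\\AppData\\', '\\Downloads\\')

    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $image = $props.ImagePath
        if (-not $image) { return }

        # Normalise the NT-style prefix (\??\C:\...) and \SystemRoot\ forms that
        # appear in ImagePath values, then expand %SystemRoot%-style variables.
        $norm = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $norm = [Environment]::ExpandEnvironmentVariables($norm)

        $hit = $badPatterns | Where-Object { $norm -imatch $_ } | Select-Object -First 1
        if (-not $hit) { return }

        # Pull the binary path out of a value that may be quoted or carry arguments.
        $exists = $null
        if ($norm -match '^"?([^"]+?\.(sys|exe|dll))') {
            $exists = Test-Path -LiteralPath $Matches[1]
        }

        [pscustomobject]@{
            Service    = $key.PSChildName
            Start      = $props.Start      # 3 = demand start, the "S3" in the FRST log
            ImagePath  = $image
            FileExists = $exists           # $false matches FRST's "[X]" (file missing)
            Matched    = $hit
        }
    }
}

Get-SuspiciousServicePaths | Format-Table -AutoSize
```

An entry whose FileExists is False is an orphaned registration like TDKLIB; one whose file still exists deserves a look at the binary's publisher and signature before anything is removed.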


----------



## BrianDrab (Oct 22, 2014)

Perfect. I see the issue that you were having as well. You were running it from *C:\Users\JUSTME\Downloads* and not the Desktop. You may have had a shortcut on the desktop, but the program was actually in your Downloads folder. Common mistake.

Please proceed with Step#2 of my previous instructions so I can get current FRST and Addition logs.

Thanks.


----------



## andrewoman (Feb 5, 2015)

Yeah, wondered about the shortcut being an issue.


----------



## andrewoman (Feb 5, 2015)

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-02-2015
Ran by JUSTME (administrator) on MYPC on 10-02-2015 19:48:58
Running from C:\Users\JUSTME\Downloads
Loaded Profiles: JUSTME (Available profiles: JUSTME)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Cyberfox)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicShellService.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Intel(R) Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(Condusiv Technologies) C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(SecureMix LLC) C:\Program Files (x86)\GlassWire\GWIdlMon.exe
(Intel(R) Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Ruiware LLC) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Motorola Solutions, Inc.) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Nvtmru] => "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13648600 2013-08-29] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_Dolby] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-30] (Realtek Semiconductor)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshellex.dll",TrayApp
HKLM\...\Run: [RtsFT] => C:\windows\RTFTrack.exe [6340312 2013-10-17] (Realtek semiconductor)
HKLM\...\Run: [OnekeyStudio] => C:\Program Files\Lenovo\Onekey Theater\OnekeyStudio.exe -start
HKLM\...\Run: [Energy Management] => C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [17111056 2014-03-25] (Lenovo (Beijing) Limited)
HKLM\...\Run: [EnergyUtility] => C:\Program Files (x86)\Lenovo\Energy Management\Utility.exe [193008 2014-03-25] (Lenovo(beijing) Limited)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2463552 2014-10-04] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\windows\system32\rundll32.exe C:\windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [UpdateP2GShortCut] => C:\Program Files (x86)\Lenovo\Power2Go\MUITransfer\MUIStartMenu.exe [214312 2011-12-06] (CyberLink Corp.)
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [Power2GoExpress] => C:\Program Files (x86)\Lenovo\Power2Go\Power2GoExpress.exe [2534976 2013-09-25] (Cyberlink)
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [GlassWire] => C:\Program Files (x86)\GlassWire\glasswire.exe [10387752 2014-12-26] (SecureMix LLC)
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1154112 2014-07-20] (Ruiware LLC)
AppInit_DLLs: C:\windows\system32\nvinitx.dll => C:\windows\system32\nvinitx.dll [184048 2013-12-26] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\windows\SysWOW64\nvinit.dll => C:\windows\SysWOW64\nvinit.dll [156256 2013-12-26] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://home.lenovo.com/
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = http://home.lenovo.com
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2335979010-2088281229-887777252-1002 -> DefaultScope {B5B24B33-D3D0-4733-BE51-DA0E1B29E9F9} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US0D20140726&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-2335979010-2088281229-887777252-1002 -> {7ECD25DF-CA9D-4033-A485-1874BD4748A6} URL = 
SearchScopes: HKU\S-1-5-21-2335979010-2088281229-887777252-1002 -> {B5B24B33-D3D0-4733-BE51-DA0E1B29E9F9} URL = https://search.yahoo.com/search?fr=mcafee&type=B011US0D20140726&p={SearchTerms}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
BHO: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIE9DLL_64.dll (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
BHO-x32: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIE9DLL_32.dll (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
Tcpip\Parameters: [DhcpNameServer] 24.217.0.5 24.217.201.67 192.168.33.1

FireFox:
========
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)

Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSearchKeyword: Default -> mcafee
CHR DefaultSearchURL: Default -> https://search.yahoo.com/search?fr=mcafee&type=B211US0D20140726&p={searchTerms}
CHR DefaultSuggestURL: Default -> 
CHR Profile: C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-25]
CHR Extension: (Google Drive) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-25]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-25]
CHR Extension: (YouTube) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-25]
CHR Extension: (Google Search) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-25]
CHR Extension: (Google Wallet) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-25]
CHR Extension: (Offline Solitaire) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\ojldfpglenpceffckkjhajofdbpkfgmn [2014-08-28]
CHR Extension: (Gmail) - C:\Users\JUSTME\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-25]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClassicShellService; C:\Program Files\Classic Shell\ClassicShellService.exe [68608 2013-06-29] (IvoSoft) [File not signed]
R2 ExpressCache; C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe [107944 2013-01-08] (Condusiv Technologies)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1149760 2014-10-04] (NVIDIA Corporation)
R2 GlassWire; C:\Program Files (x86)\GlassWire\GWCtlSrv.exe [6296872 2014-12-26] (SecureMix LLC)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [733696 2013-05-11] (Intel(R) Corporation) [File not signed]
S3 Intel(R) Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [822232 2013-05-11] (Intel(R) Corporation)
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [131544 2013-08-08] (Intel Corporation)
R2 Intel(R) Wireless Bluetooth(R) 4.0 Radio Management; C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe [155448 2013-09-23] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [169432 2013-08-08] (Intel Corporation)
S3 MyWiFiDHCPDNS; C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe [284912 2013-08-23] ()
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-10-04] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19440960 2014-10-04] (NVIDIA Corporation)
S3 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [3667696 2013-08-23] (Intel® Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
R3 btmaux; C:\Windows\system32\DRIVERS\btmaux.sys [132920 2013-04-23] (Motorola Solutions, Inc.)
R3 btmhsf; C:\Windows\system32\DRIVERS\btmhsf.sys [1386296 2013-08-19] (Motorola Solutions, Inc.)
R1 excfs; C:\Windows\System32\DRIVERS\excfs.sys [26024 2013-01-08] (Condusiv Technologies)
R0 excsd; C:\Windows\System32\DRIVERS\excsd.sys [112552 2013-01-08] (Condusiv Technologies)
U5 GeneStor; C:\Windows\System32\Drivers\GeneStor.sys [105704 2013-08-15] (GenesysLogic)
R1 gwdrv; C:\Windows\system32\DRIVERS\gwdrv.sys [33296 2014-12-25] (SecureMix LLC)
R3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [118216 2013-09-23] (Intel Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-08-08] (Intel Corporation)
R3 NETwNb64; C:\Windows\system32\DRIVERS\NETwbw02.sys [3589600 2013-09-25] (Intel Corporation)
S3 NETwNe64; C:\Windows\system32\DRIVERS\NETwew02.sys [4649440 2013-06-18] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20288 2014-10-04] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38048 2014-09-04] (NVIDIA Corporation)
S3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [8876248 2013-10-17] (Realtek Semiconductor Corp.)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [34544 2013-09-17] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S3 wsvd; C:\Windows\system32\DRIVERS\wsvd.sys [102376 2012-06-13] ("CyberLink)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-10 19:46 - 2015-02-10 19:46 - 02132992 _____ (Farbar) C:\Users\JUSTME\Downloads\FRST64 (2).exe
2015-02-10 19:31 - 2015-02-10 19:31 - 00346768 _____ () C:\windows\system32\FNTCACHE.DAT
2015-02-10 19:31 - 2015-02-10 19:31 - 00000572 _____ () C:\windows\PFRO.log
2015-02-10 19:30 - 2015-02-10 19:30 - 02132992 _____ (Farbar) C:\Users\JUSTME\Downloads\FRST64 (1).exe
2015-02-10 19:29 - 2015-02-10 19:29 - 00000154 _____ () C:\Users\JUSTME\Downloads\fixlist (1).txt
2015-02-10 19:21 - 2015-02-10 19:23 - 00002471 _____ () C:\Users\JUSTME\Desktop\FRST64 - Shortcut.lnk
2015-02-10 19:17 - 2015-02-10 19:17 - 00000000 ____D () C:\Users\JUSTME\Downloads\FRST-OlderVersion
2015-02-10 19:15 - 2015-02-10 19:15 - 00000154 _____ () C:\Users\JUSTME\Desktop\fixlist.txt
2015-02-10 19:05 - 2015-02-10 19:05 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Classic Shell
2015-02-10 19:05 - 2015-02-10 19:05 - 00000000 ____D () C:\Program Files\Classic Shell
2015-02-10 19:01 - 2015-02-10 19:02 - 08437760 _____ (IvoSoft) C:\Users\JUSTME\Downloads\ClassicShellSetup_3_6_8.exe
2015-02-10 02:34 - 2015-02-10 19:33 - 00144584 _____ () C:\windows\WindowsUpdate.log
2015-02-10 01:42 - 2015-02-10 19:31 - 00007396 _____ () C:\windows\setupact.log
2015-02-10 01:42 - 2015-02-10 01:42 - 00000000 _____ () C:\windows\setuperr.log
2015-02-06 22:27 - 2015-02-10 18:15 - 00037624 _____ () C:\windows\system32\Drivers\TrueSight.sys
2015-02-06 22:27 - 2015-02-06 22:27 - 18570328 _____ () C:\Users\JUSTME\Downloads\RogueKillerX64.exe
2015-02-06 22:27 - 2015-02-06 22:27 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-05 20:31 - 2015-02-05 20:31 - 00030339 _____ () C:\Users\JUSTME\Downloads\FRS SCAN PAGE 1.txt
2015-02-05 20:31 - 2015-02-05 20:31 - 00027172 _____ () C:\Users\JUSTME\Desktop\FRS SCAN.txt
2015-02-05 20:30 - 2015-02-05 20:30 - 00027172 _____ () C:\Users\JUSTME\Downloads\Addition.txt
2015-02-05 20:29 - 2015-02-10 19:49 - 00016298 _____ () C:\Users\JUSTME\Downloads\FRST.txt
2015-02-05 19:22 - 2015-02-10 19:48 - 00000000 ____D () C:\FRST
2015-02-05 19:21 - 2015-02-10 19:17 - 02132992 _____ (Farbar) C:\Users\JUSTME\Downloads\FRST64.exe
2015-02-04 18:21 - 2015-02-04 18:21 - 01156136 _____ (Ruiware) C:\Users\JUSTME\Downloads\wpsetup.exe
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\Users\JUSTME\AppData\Roaming\WinPatrol
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\ProgramData\InstallMate
2015-02-04 18:21 - 2015-02-04 18:21 - 00000000 ____D () C:\Program Files (x86)\Ruiware
2015-01-31 21:04 - 2015-01-31 21:05 - 00000000 ____D () C:\Users\JUSTME\AppData\Roaming\Stellarium
2015-01-31 21:04 - 2015-01-31 21:04 - 00000000 ____D () C:\Users\JUSTME\AppData\Local\stellarium
2015-01-31 20:57 - 2015-01-31 21:03 - 136010710 _____ (Stellarium team ) C:\Users\JUSTME\Downloads\stellarium-0.13.2-win64.exe
2015-01-30 02:54 - 2015-01-05 18:08 - 00714720 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe
2015-01-30 02:54 - 2015-01-05 18:08 - 00106976 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-28 21:07 - 2015-01-28 21:07 - 00000000 ____D () C:\Users\JUSTME\AppData\Roaming\Process Hacker 2
2015-01-28 20:00 - 2015-01-31 06:40 - 00002118 _____ () C:\Users\JUSTME\Desktop\Process Hacker 2.lnk
2015-01-28 20:00 - 2015-01-28 20:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Process Hacker 2
2015-01-28 20:00 - 2015-01-28 20:00 - 00000000 ____D () C:\Program Files\Process Hacker 2
2015-01-28 19:59 - 2015-01-28 20:00 - 01932448 _____ (wj32 ) C:\Users\JUSTME\Downloads\processhacker-2.33-setup.exe
2015-01-25 20:54 - 2015-01-25 21:19 - 00000000 ____D () C:\Users\JUSTME\AppData\Local\paint.net
2015-01-25 20:54 - 2015-01-25 20:54 - 00001211 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\paint.net.lnk
2015-01-25 20:54 - 2015-01-25 20:54 - 00001199 _____ () C:\Users\Public\Desktop\paint.net.lnk
2015-01-25 20:54 - 2015-01-25 20:54 - 00000000 ____D () C:\Program Files\paint.net
2015-01-25 20:52 - 2015-01-25 20:53 - 06528454 _____ () C:\Users\JUSTME\Downloads\paint.net.4.0.5.install.zip
2015-01-25 20:23 - 2015-01-25 20:23 - 00009127 _____ () C:\Users\JUSTME\Downloads\gimp-2.8.14-setup-1.exe.torrent
2015-01-18 16:25 - 2015-01-18 16:25 - 00055414 _____ () C:\Users\JUSTME\Downloads\religion.jpeg
2015-01-15 19:54 - 2015-01-15 19:56 - 149262968 _____ ( ) C:\Users\JUSTME\Downloads\PowerDVD_v6806_RiTA(Lenovo_NB)_Patch_DVD140730-01.exe
2015-01-13 17:19 - 2014-12-19 00:26 - 00140800 _____ (Microsoft Corporation) C:\windows\system32\Drivers\mrxdav.sys
2015-01-13 17:19 - 2014-12-11 20:04 - 00087040 _____ (Microsoft Corporation) C:\windows\system32\TSWbPrxy.exe
2015-01-13 17:19 - 2014-12-11 18:51 - 00075776 _____ (Microsoft Corporation) C:\windows\system32\Drivers\ahcache.sys
2015-01-13 17:19 - 2014-12-08 19:50 - 00225280 _____ (Microsoft Corporation) C:\windows\system32\profsvc.dll
2015-01-13 17:19 - 2014-12-05 21:17 - 00360448 _____ (Microsoft Corporation) C:\windows\system32\ncsi.dll
2015-01-13 17:19 - 2014-12-05 19:41 - 00391680 _____ (Microsoft Corporation) C:\windows\system32\nlasvc.dll
2015-01-13 17:19 - 2014-10-28 19:24 - 00086016 _____ (Microsoft Corporation) C:\windows\system32\nlaapi.dll
2015-01-13 17:19 - 2014-10-28 19:01 - 00065536 _____ (Microsoft Corporation) C:\windows\SysWOW64\nlaapi.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00535640 _____ (Microsoft Corporation) C:\windows\system32\wer.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00531616 _____ (Microsoft Corporation) C:\windows\system32\ci.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00448792 _____ (Microsoft Corporation) C:\windows\SysWOW64\wer.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00413248 _____ (Microsoft Corporation) C:\windows\system32\Faultrep.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00372408 _____ (Microsoft Corporation) C:\windows\SysWOW64\Faultrep.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00108944 _____ (Microsoft Corporation) C:\windows\system32\EncDump.dll
2015-01-13 17:13 - 2014-12-08 13:42 - 00038264 _____ (Microsoft Corporation) C:\windows\system32\WerFaultSecure.exe
2015-01-13 17:13 - 2014-12-08 13:42 - 00033584 _____ (Microsoft Corporation) C:\windows\SysWOW64\WerFaultSecure.exe
2015-01-13 17:13 - 2014-12-05 19:35 - 00229888 _____ (Microsoft Corporation) C:\windows\system32\AudioEndpointBuilder.dll
2015-01-13 17:13 - 2014-10-28 22:00 - 00465320 _____ (Microsoft Corporation) C:\windows\system32\WerFault.exe
2015-01-13 17:13 - 2014-10-28 22:00 - 00139984 _____ (Microsoft Corporation) C:\windows\system32\wermgr.exe
2015-01-13 17:13 - 2014-10-28 21:52 - 00500016 _____ (Microsoft Corporation) C:\windows\system32\AudioSes.dll
2015-01-13 17:13 - 2014-10-28 21:52 - 00482872 _____ (Microsoft Corporation) C:\windows\system32\AudioEng.dll
2015-01-13 17:13 - 2014-10-28 21:52 - 00394120 _____ (Microsoft Corporation) C:\windows\system32\AUDIOKSE.dll
2015-01-13 17:13 - 2014-10-28 21:52 - 00272248 _____ (Microsoft Corporation) C:\windows\system32\audiodg.exe
2015-01-13 17:13 - 2014-10-28 21:12 - 00413136 _____ (Microsoft Corporation) C:\windows\SysWOW64\WerFault.exe
2015-01-13 17:13 - 2014-10-28 21:12 - 00136296 _____ (Microsoft Corporation) C:\windows\SysWOW64\wermgr.exe
2015-01-13 17:13 - 2014-10-28 21:07 - 00424544 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioEng.dll
2015-01-13 17:13 - 2014-10-28 21:07 - 00370424 _____ (Microsoft Corporation) C:\windows\SysWOW64\AudioSes.dll
2015-01-13 17:13 - 2014-10-28 21:07 - 00344536 _____ (Microsoft Corporation) C:\windows\SysWOW64\AUDIOKSE.dll
2015-01-13 17:13 - 2014-10-28 20:44 - 00037888 _____ (Microsoft Corporation) C:\windows\system32\werdiagcontroller.dll
2015-01-13 17:13 - 2014-10-28 19:59 - 00033280 _____ (Microsoft Corporation) C:\windows\SysWOW64\werdiagcontroller.dll
2015-01-13 17:13 - 2014-10-28 19:02 - 00911360 _____ (Microsoft Corporation) C:\windows\system32\audiosrv.dll
2015-01-12 15:57 - 2015-01-12 15:57 - 00054541 _____ () C:\Users\JUSTME\Downloads\FRANCE MARCH.jpeg

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-10 19:36 - 2014-07-04 18:56 - 00003596 _____ () C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2335979010-2088281229-887777252-1002
2015-02-10 19:32 - 2014-07-25 21:40 - 00000912 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-10 19:31 - 2013-08-22 08:45 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2015-02-10 19:30 - 2013-08-22 07:25 - 00262144 ___SH () C:\windows\system32\config\BBI
2015-02-10 19:01 - 2014-07-25 21:40 - 00000916 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-10 19:00 - 2014-07-04 18:51 - 00000000 ____D () C:\Users\JUSTME\AppData\Local\Pokki
2015-02-10 19:00 - 2013-08-22 09:36 - 00000000 ____D () C:\windows\system32\sru
2015-02-10 17:28 - 2014-09-22 20:21 - 00001494 _____ () C:\Users\JUSTME\AppData\Local\7396d5af-93b3-4d36-bfec-04bbd1449761.dat
2015-02-06 18:45 - 2013-10-07 12:27 - 00865408 _____ () C:\windows\system32\PerfStringBackup.INI
2015-02-06 18:39 - 2014-03-25 05:30 - 00000000 ____D () C:\ProgramData\McAfee
2015-02-06 18:36 - 2013-08-22 09:36 - 00000000 ___HD () C:\windows\ELAMBKUP
2015-02-06 18:02 - 2013-08-22 09:20 - 00000000 ____D () C:\windows\CbsTemp
2015-02-05 19:05 - 2013-08-22 09:36 - 00000000 ____D () C:\windows\rescache
2015-02-05 18:02 - 2014-07-25 21:47 - 00002214 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-04 16:44 - 2014-03-25 05:38 - 00003058 _____ () C:\windows\System32\Tasks\PDVDServ Task
2015-02-03 17:56 - 2014-07-25 21:40 - 00003888 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-03 17:56 - 2014-07-25 21:40 - 00003652 _____ () C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-01-31 21:04 - 2014-03-25 05:18 - 00000000 ____D () C:\ProgramData\Package Cache
2015-01-30 23:08 - 2014-07-05 16:09 - 00000000 ____D () C:\ProgramData\tmp
2015-01-30 06:45 - 2014-07-04 18:51 - 00000000 ____D () C:\Users\JUSTME
2015-01-30 02:54 - 2013-08-22 07:25 - 00262144 ___SH () C:\windows\system32\config\ELAM
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ____D () C:\Program Files\Windows Defender
2015-01-30 02:51 - 2013-08-22 09:36 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2015-01-16 16:30 - 2014-07-25 22:05 - 00002774 _____ () C:\windows\System32\Tasks\CCleanerSkipUAC
2015-01-15 19:59 - 2014-03-25 05:09 - 00000000 ___HD () C:\Program Files (x86)\InstallShield Installation Information
2015-01-15 19:56 - 2014-03-25 05:37 - 00029480 _____ (Microsoft Corporation) C:\windows\SysWOW64\msxml3a.dll
2015-01-15 19:56 - 2014-03-25 05:29 - 00000000 ____D () C:\ProgramData\Temp
2015-01-15 19:56 - 2014-03-25 05:29 - 00000000 ____D () C:\ProgramData\install_clap

==================== Files in the root of some directories =======

2014-09-22 20:21 - 2015-02-10 17:28 - 0001494 _____ () C:\Users\JUSTME\AppData\Local\7396d5af-93b3-4d36-bfec-04bbd1449761.dat
2014-03-25 05:13 - 2014-03-25 05:13 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-02-03 17:54

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 08-02-2015
Ran by JUSTME at 2015-02-10 19:49:22
Running from C:\Users\JUSTME\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
Classic Shell (HKLM\...\{FEA1590B-540A-41FC-A95C-664493C82A21}) (Version: 3.6.8 - IvoSoft)
Cyberfox Web Browser (HKLM\...\{5EFB52C0-4EC9-46B4-80EB-8432C6599641}_is1) (Version: 33.0.3.0 - 8pecxstudios)
CyberLink PhotoDirector 3 (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.1.4107 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.0.2810 - CyberLink Corp.)
CyberLink PowerDirector 10 (Version: 10.0.0.2810 - CyberLink Corp.) Hidden
Energy Management (HKLM-x32\...\InstallShield_{D0956C11-0F60-43FE-99AD-524E833471BB}) (Version: 8.0.2.14 - Lenovo)
Energy Management (x32 Version: 8.0.2.14 - Lenovo) Hidden
ExpressCache (HKLM\...\{C123584F-9C84-45E8-AE5F-522328BB79A0}) (Version: 1.0.100.0 - Condusiv Technologies)
Genesys USB Mass Storage Device (HKLM-x32\...\{959B7F35-2819-40C5-A0CD-3C53B5FCC935}) (Version: 4.3.0.8 - Genesys Logic)
GlassWire 1.0 (remove only) (HKLM-x32\...\GlassWire 1.0) (Version: 1.0.35 - SecureMix LLC)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Host App Service (HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Pokki) (Version: 0.269.4.103 - Pokki)
Intel(R) Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{0EC7F9CC-4741-45AE-9F55-6E9343F726F5}) (Version: 1.1.0.36960 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.0.20.1447 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3277 - Intel Corporation)
Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology(patch version 3.0.1337.1) (HKLM\...\{302600C1-6BDF-4FD1-1307-148929CC1385}) (Version: 3.1.1307.0362 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{72814a2c-2e03-4a50-b30a-43e7884b3934}) (Version: 16.5.1 - Intel Corporation)
Lenovo EasyCamera (HKLM-x32\...\{E0A7ED39-8CD6-4351-93C3-69CCA00D12B4}) (Version: 6.2.9200.10249 - Realtek Semiconductor Corp.)
Lenovo OneKey Recovery (HKLM-x32\...\InstallShield_{46F4D124-20E5-4D12-BE52-EC177A7A4B42}) (Version: 8.0.0.2105 - CyberLink Corp.)
Lenovo OneKey Recovery (Version: 8.0.0.2105 - CyberLink Corp.) Hidden
Lenovo Photos (HKLM-x32\...\Lenovo Photos) (Version: 4.8.7 - CEWE Stiftung u Co. KGaA)
Lenovo PowerDVD10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.6806.52 - CyberLink Corp.)
Lenovo PowerDVD10 (x32 Version: 10.0.6806.52 - CyberLink Corp.) Hidden
Lenovo Reach (HKLM-x32\...\{0B5E0E89-4BCA-4035-BBA1-D1439724B6E2}) (Version: 1.1.0.166 - Stoneware, Inc.)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Monopoly (HKLM-x32\...\Monopoly) (Version: - PopCap Games)
NVIDIA GeForce Experience 2.1.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1.3 - NVIDIA Corporation)
NVIDIA Graphics Driver 327.62 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 327.62 - NVIDIA Corporation)
Onekey Theater (HKLM-x32\...\{91CC5BAE-A098-40D3-A43B-C0DC7CE263FE}) (Version: 3.0.1.2 - Lenovo)
paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)
Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 5.6.0.10525 - CyberLink Corp.)
Process Hacker 2.33 (r5590) (HKLM\...\Process_Hacker2_is1) (Version: 2.33.0.5590 - wj32)
Qualcomm Atheros Inc.(R) AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 2.1.0.21 - Qualcomm Atheros Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7030 - Realtek Semiconductor Corp.)
Scrabble (HKLM-x32\...\Scrabble) (Version: - PopCap Games)
SHIELD Streaming (Version: 3.1.1000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 16.13.56 - NVIDIA Corporation) Hidden
Speccy (HKLM\...\Speccy) (Version: 1.26 - Piriform)
SRWare Iron version SRWare Iron 35.0.1900.0 (HKLM-x32\...\{C59CF2CE-B302-4833-AA35-E0E07D8EBC52}_is1) (Version: SRWare Iron 35.0.1900.0 - SRWare)
StageLight version 1.0.0.3508 (HKLM\...\StageLight) (Version: version 1.0.0.3508 - Open Labs, LLC.)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.10.12 - Synaptics Incorporated)
UserGuide (HKLM-x32\...\InstallShield_{F07C2CF8-4C53-4EC3-8162-A6221E36EB88}) (Version: 1.0.0.15 - Lenovo)
UserGuide (x32 Version: 1.0.0.15 - Lenovo) Hidden
Windows Driver Package - Lenovo (ACPIVPC) System (02/17/2013 9.52.0.776) (HKLM\...\35DD26BE48DAF4A9F35F969F3CB1E3E1435E661E) (Version: 02/17/2013 9.52.0.776 - Lenovo)
Windows Driver Package - Lenovo (WUDFRd) LenovoVhid (07/25/2013 10.30.0.288) (HKLM\...\6BCA401E9CBEED970D75F55FA5320F60D11984E9) (Version: 07/25/2013 10.30.0.288 - Lenovo)
WinPatrol (HKLM\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 32.0.2014.5 - Ruiware)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

25-01-2015 20:54:25 paint.net 4.0.5
31-01-2015 21:04:07 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005
08-02-2015 18:21:05 Scheduled Checkpoint
10-02-2015 19:05:38 Installed Classic Shell
10-02-2015 19:30:13 Restore Point Created by FRST

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 07:25 - 2013-08-22 07:25 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0C44D1AE-2A15-449B-953D-F7289B9A83E9} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-12-12] (Piriform Ltd)
Task: {3CB5B3FB-3483-4988-8B6F-ABD8E868FFB5} - System32\Tasks\PDVDServ Task => C:\Program Files (x86)\Lenovo\PowerDVD10\PDVD10Serv.EXE [2013-03-08] (CyberLink Corp.)
Task: {50F5F610-B488-4315-AC9C-68D7621D0573} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2013-03-07] (Intel Corporation)
Task: {A03689F0-358F-4517-B5F7-39A01B230D98} - System32\Tasks\UMonitor Task => C:\windows\SysWOW64\UMonit64.exe [2013-10-25] ()
Task: {A0B0E075-24D8-4426-9390-E3C510E3AD7C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-25] (Google Inc.)
Task: {C3582DFC-C1B3-4D85-86F1-3A2CD1757F70} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-25] (Google Inc.)
Task: {C502F863-2071-4ADC-82AB-A586FC10AA36} - System32\Tasks\ISM-UpdateService-4e00205a-2ab1-4423-8f77-cc25b82cde1d-Logon => C:\Program Files (x86)\Intel\Intel(R) ME FW Recovery Agent\bin\Bootstrap.exe [2013-03-07] (Intel Corporation)
Task: {D7814988-EDFA-4AEC-ADF2-14B05C34D5A3} - System32\Tasks\OFFICE2013ACT => C:\ProgramData\Office2013\OFFICEICON.vbs [2013-06-03] ()
Task: {DA6B28C9-D53F-4CB8-993F-018BDE3672F8} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-09-17] (Synaptics Incorporated)
Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2013-12-26 19:42 - 2013-12-26 19:42 - 00013088 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2015-02-05 18:02 - 2015-02-04 03:02 - 01117512 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\libglesv2.dll
2015-02-05 18:02 - 2015-02-04 03:02 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\libegl.dll
2015-02-05 18:02 - 2015-02-04 03:02 - 09170760 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\pdf.dll
2014-03-25 05:10 - 2013-08-08 14:25 - 01242584 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\ACE.dll
2015-02-05 18:02 - 2015-02-04 03:02 - 14965064 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Other Registry Areas =====================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\JUSTME\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "BTMTrayAgent"
HKLM\...\StartupApproved\Run: => "IAStorIcon"
HKLM\...\StartupApproved\Run: => "EnergyUtility"
HKLM\...\StartupApproved\Run: => "Energy Management"
HKLM\...\StartupApproved\Run: => "Nvtmru"
HKLM\...\StartupApproved\Run: => "OnekeyStudio"
HKLM\...\StartupApproved\Run: => "RtsFT"
HKLM\...\StartupApproved\Run: => "ShadowPlay"
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run32: => "UpdateP2GShortCut"
HKLM\...\StartupApproved\Run32: => "IAStorIcon"
HKLM\...\StartupApproved\Run32: => "Nvtmru"
HKLM\...\StartupApproved\Run32: => "NvBackend"
HKLM\...\StartupApproved\Run32: => "RtsFT"
HKLM\...\StartupApproved\Run32: => "BTMTrayAgent"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Pokki"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Power2GoExpress"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "Skype"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "GlassWire"
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\StartupApproved\Run: => "CCleaner Monitoring"

==================== Accounts: =============================

Administrator (S-1-5-21-2335979010-2088281229-887777252-500 - Administrator - Disabled)
Guest (S-1-5-21-2335979010-2088281229-887777252-501 - Limited - Disabled)
JUSTME (S-1-5-21-2335979010-2088281229-887777252-1002 - Administrator - Enabled) => C:\Users\JUSTME

==================== Faulty Device Manager Devices =============

Name: Microphone (Realtek High Definition Audio)
Description: Audio Endpoint
Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}
Manufacturer: Microsoft
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Lenovo EasyCamera
Description: Lenovo EasyCamera
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Lite-On
Service: rtsuvc
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/10/2015 07:46:26 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/10/2015 02:34:13 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Activation of app Microsoft.BingHealthAndFitness_8wekyb3d8bbwe!AppexHealthAndFitness failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/10/2015 01:46:19 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (02/09/2015 06:01:03 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/08/2015 05:01:06 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/07/2015 05:34:03 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (02/07/2015 05:33:47 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (02/07/2015 05:28:09 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (02/07/2015 05:26:51 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

Error: (02/07/2015 05:23:27 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest1".Error in manifest or policy file "C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest2" on line C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifest.
Component 2: C:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifest.

System errors:
=============
Error: (02/10/2015 05:55:14 PM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Error: (02/10/2015 06:47:58 AM) (Source: DCOM) (EventID: 10010) (User: MYPC)
Description: {4545DEA0-2DFC-4906-A728-6D986BA399A9}

Microsoft Office Sessions:
=========================
Error: (02/10/2015 07:46:26 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/10/2015 02:34:13 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: MYPC)
Description: Microsoft.BingHealthAndFitness_8wekyb3d8bbwe!AppexHealthAndFitness-2144927141

Error: (02/10/2015 01:46:19 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (02/09/2015 06:01:03 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/08/2015 05:01:06 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: C:\Windows\System32\winspool.drvSpooler8

Error: (02/07/2015 05:34:03 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (02/07/2015 05:33:47 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (02/07/2015 05:28:09 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (02/07/2015 05:26:51 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

Error: (02/07/2015 05:23:27 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_a9efdb8b01377ea7.manifestC:\windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17031_none_6242a4b3ecbb55a1.manifestC:\Program Files\CCleaner\CCleaner.exe

CodeIntegrity Errors:
===================================
Date: 2014-12-01 18:32:16.185
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:32:15.120
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:32:14.053
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:32:12.970
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:32.199
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:31.136
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:30.067
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:31:28.985
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:28:51.601
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-12-01 18:28:50.539
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume7\Windows\System32\dsound.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz
Percentage of memory in use: 40%
Total physical RAM: 8104.27 MB
Available physical RAM: 4860.23 MB
Total Pagefile: 9384.27 MB
Available Pagefile: 5865.94 MB
Total Virtual: 131072 MB
Available Virtual: 131071.83 MB

==================== Drives ================================

Drive c: (Windows8_OS) (Fixed) (Total:891.65 GB) (Free:848.86 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (LENOVO) (Fixed) (Total:25 GB) (Free:24.9 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 22.4 GB) (Disk ID: DB494C5F)

Partition: GPT Partition Type.

========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: EF3EBA0C)

Partition: GPT Partition Type.

==================== End Of Log ============================


----------



## BrianDrab (Oct 22, 2014)

My primary responsibility is to ensure you are malware free. So while I'm reviewing the logs you provided please do these 3 final scans. We'll be able to tell if you have a nasty rootkit infection or anything else lurking around. Then when I can declare your machine malware free I can begin to look at your other issues or point you to another forum with experts that can assist (if it gets to that point). Thank you.

Step#1 - Rootkit Scan
1. Download aswMBR to your desktop.
2. Right-click on *aswMBR.exe* and select *Run as administrator* to run it.
3. If you get a question about *Virtualization Technology*, answer *Yes*.
4. If you see this question: "Would you like to download latest Avast! virus definitions?" say "*Yes*".
5. Click the "*Scan*" button to start scan.
6. On completion of the scan click "*Save log*", save it to your *desktop *and post in your next reply.
NOTE. aswMBR will create *MBR.dat* file on your desktop. This is a copy of your MBR. Do NOT delete it.

Step#2 - Malwarebytes Scan


Download Malwarebytes *to your desktop *from here.
*Right-click *on the file that is downloaded to your *desktop *and select *Run as administrator*.
Select the appropriate language and click *OK*.
Click *Next*.
Select "*I accept the agreement*" and click *Next*.
Click Next
Change the install path if desired. Normally you will keep this as is. Click *Next*.
Click *Next *again.
Click *Next *again.
Click *Install*.
*Uncheck *"Enable free trial of Malwarebytes Anti-Malware Premium".
Click *Finish*
If an update is found you will be prompted to download and install. Go ahead.
Click the *Settings* button and then the *Detection and Protection* tab. Then check the box to *Scan for rootkits*, as shown below.
Click the *Scan *button at the top of the form and then click *Scan Now*.
If anything is detected, there will be an *Apply Actions *button. Please click this.
Once the scan completes click the *View detailed log *link.
Then click the *Copy to clipboard *button and paste into your next post.

Step#3 - ESET Online Scanner and Post Results
Before running this scan, please temporarily disable your antivirus software to avoid conflicts. You can re-enable once it's done. Instructions for doing this on many AVs are here.


Please go here and click on

*Note*: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (*esetsmartinstaller_enu.exe*). Go ahead and download and run this file.
Please accept the *ESET Online Scanner EULA *and click *Start*.
If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
Make sure *Enable detection of potentially unwanted applications *is selected.
Click the *Advanced Settings *link.
Make sure *Remove found threats *is NOT checked.
Make sure *Scan archives *IS checked.
Make sure *Scan for potentially unsafe applications *IS checked.
Make sure *Enable Anti-Stealth technology* IS checked.

Click on Start
The *virus signature database* will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall. 
When completed, if anything was detected please click the *List of found threats *link.
Then click the *Copy to Clipboard *link and paste this information into your next reply.
Then you may click the Back button.
Check *Uninstall Application on Close *before clicking finish.

Items for your next post

1. Rootkit Scan log
2. Malwarebytes log
3. Contents of the ESET log file


----------



## andrewoman (Feb 5, 2015)

aswMBR version 1.0.1.2290 Copyright(c) 2014 AVAST Software
Run date: 2015-02-10 20:04:20
-----------------------------
20:04:20.565 OS Version: Windows x64 6.2.9200 
20:04:20.565 Number of processors: 8 586 0x3C03
20:04:20.565 ComputerName: MYPC UserName: 
20:04:20.721 Initialize success
20:04:20.721 VM: initialized successfully
20:04:20.721 VM: Intel CPU BiosDisabled 
20:04:39.218 AVAST engine defs: 15021001
20:04:42.601 Disk 0 \Device\Harddisk0\DR0 -> \Device\00000034
20:04:42.601 Disk 0 Vendor: LITEONIT_LSS-24L6G DSR2206 Size: 22902MB BusType: 11
20:04:42.601 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\00000035
20:04:42.601 Disk 1 Vendor: ST1000LM024_HN-M101MBB 2BA30001 Size: 953869MB BusType: 11
20:04:42.804 Disk 1 MBR read successfully
20:04:42.804 Disk 1 MBR scan
20:04:42.804 Disk 1 unknown MBR code
20:04:42.804 Disk 1 Partition 1 00 EE GPT 2097151 MB offset 1
20:04:42.851 Disk 1 scanning C:\windows\system32\drivers
20:04:54.503 Service scanning
20:05:08.013 Modules scanning
20:05:08.018 Disk 1 trace - called modules:
20:05:08.053 ntoskrnl.exe CLASSPNP.SYS disk.sys storport.sys hal.dll iaStorA.sys 
20:05:08.056 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xffffe000711ee740]
20:05:08.058 3 CLASSPNP.SYS[fffff801a060227b] -> nt!IofCallDriver -> \Device\00000035[0xffffe0006eff4060]
20:05:08.210 AVAST engine scan C:\windows
20:05:10.086 AVAST engine scan C:\windows\system32
20:08:59.289 AVAST engine scan C:\windows\system32\drivers
20:09:16.598 AVAST engine scan C:\Users\JUSTME
20:13:11.814 Disk 1 MBR has been saved successfully to "C:\Users\JUSTME\Desktop\MBR.dat"
20:13:11.820 The log file has been saved successfully to "C:\Users\JUSTME\Desktop\aswMBR.txt"


----------



## andrewoman (Feb 5, 2015)

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/10/2015
Scan Time: 8:17:48 PM
Logfile: 
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.02.11.01
Rootkit Database: v2015.02.03.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: JUSTME

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333601
Time Elapsed: 10 min, 54 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


----------



## andrewoman (Feb 5, 2015)

C:\Users\JUSTME\Downloads\ccsetup416.exe	Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\JUSTME\Downloads\ccsetup501.exe	Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\JUSTME\Downloads\jetclean-setup.exe	a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Users\JUSTME\Downloads\spsetup126.exe	Win32/Bundled.Toolbar.Google.D potentially unsafe application


----------



## BrianDrab (Oct 22, 2014)

Excellent. Now let's clean up the final remnants that were found.


1. Please remove Host App Service from Add/Remove programs. It was a part of Pokki.
2. Do you use the Cyberfox Web Browser?


Thanks.


----------



## andrewoman (Feb 5, 2015)

Removed Host App Service.
I sometimes use Cyberfox. Fastest browser I have ever used.


----------



## BrianDrab (Oct 22, 2014)

Step#1 - FRST Fix
*NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system*
1. Download attached file and save it to the *Desktop*.
*Note.* It's important that both files, *FRST64* and *fixlist.txt *are in the same location or the fix will not work (in this case...the desktop).
2. Run *FRST64* by *Right-Clicking *on the file and choosing *Run as administrator*.
3. Press the *Fix* button just once and wait. No reboot will be necessary on this one.
4. When finished FRST64 will generate a log on the Desktop (*Fixlog.txt*). Please post the contents of it in your reply.


----------



## andrewoman (Feb 5, 2015)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
Ran by JUSTME at 2015-02-10 22:24:37 Run:2
Running from C:\Users\JUSTME\Downloads
Loaded Profiles: JUSTME (Available profiles: JUSTME)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\...\Run: [Pokki] => "%LOCALAPPDATA%\Pokki\Engine\HostAppServiceUpdater.exe" /LOGON
CHR DefaultSearchKeyword: Default -> mcafee
2015-02-06 18:39 - 2014-03-25 05:30 - 00000000 ____D () C:\ProgramData\McAfee
AlternateDataStreams: C:\Windows:nlsPreferences
2015-02-10 19:00 - 2014-07-04 18:51 - 00000000 ____D () C:\Users\JUSTME\AppData\Local\Pokki

*****************

Restore point was successfully created.
HKU\S-1-5-21-2335979010-2088281229-887777252-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Pokki => Value not found.
Chrome DefaultSearchKeyword deleted successfully.
C:\ProgramData\McAfee => Moved successfully.
C:\Windows => ":nlsPreferences" ADS removed successfully.
"C:\Users\JUSTME\AppData\Local\Pokki" => File/Directory not found.

==== End of Fixlog 22:24:50 ====

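The fixlist above targets two kinds of item that are worth being able to check for yourself afterwards: a per-user Run value that starts something from a user-writable location (the Pokki updater under %LOCALAPPDATA%), and an alternate data stream attached to the Windows directory. The following read-only audit is an added example, not part of FRST or of this thread; it assumes an elevated PowerShell 3.0 or later prompt and uses only built-in cmdlets. Flagging a Run entry because its command points into a profile directory is this example's heuristic, not a verdict.

```powershell
# Added example, not from FRST or this thread: read-only audit of the item types the
# fixlist removed (per-user Run values, alternate data streams on %SystemRoot%).
# Assumes an elevated PowerShell 3.0+ prompt; nothing on the system is changed.

# HKEY_USERS is not mapped as a drive by default.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-UserRunEntries {
    # Every loaded user hive (S-1-5-21-... only; skips *_Classes and well-known SIDs).
    Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
            if (Test-Path $key) {
                (Get-ItemProperty $key).PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object {
                        $cmd = [string]$_.Value
                        [pscustomobject]@{
                            Sid          = $sid
                            Name         = $_.Name
                            Command      = $cmd
                            # Heuristic: autostarts living under a profile directory are the ones
                            # bundled software and malware alike tend to use (the removed Pokki
                            # entry sat in %LOCALAPPDATA%). Program Files / System32 are not flagged.
                            UserWritable = $cmd -match '%(LOCAL)?APPDATA%|%USERPROFILE%|%TEMP%|\\Users\\'
                        }
                    }
            }
        }
}

function Get-NamedStreams {
    param([string]$Path = $env:SystemRoot)
    # -Stream * lists alternate data streams; the unnamed :$DATA stream is a file's normal content.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Get-UserRunEntries | Format-Table Sid, Name, UserWritable, Command -AutoSize
Get-NamedStreams   | Format-Table -AutoSize
```

Run after a fix like the one above, the first table should no longer show the Pokki value under the user's SID and the second should list no stream on C:\Windows, which is what the fixlog reports ("Value not found", ":nlsPreferences" ADS removed). Anything that does appear is a lead for the next look, not a finding on its own.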

----------



## BrianDrab (Oct 22, 2014)

OK! Well done, your computer is clean again!

Part of our jobs is to help you clean your computer. But beyond that and just as important is to provide you with some information to keep you safe and secure on the net as well as to share knowledge. Following is that information.

After you review the information and provide the Delfix log we can focus on your remaining issues/concerns (i.e. camera, etc.). You will have to let me know if you see multiple LogonUI processes occurring again, and if they do, in my professional opinion I don't believe it is malware related.

*1. Clean Up!*
We need to remove all the tools that we used so that should you ever be re-infected, you will download updated versions which may have updated detection logic.
1. Download *Delfix *from here.
2. Ensure everything is checked.
3. Click *Run*.
Note: The program will run for a few moments and then notepad will open with a log. *Please paste the log in your next reply*.
Note: Delete any other *.bat, .log, .reg, .txt,* and any other files created during this process, and left on the desktop and empty the *Recycle Bin*.

*2. Keeping Programs Updated*
You need to ensure that any programs installed on your machine are kept current. The bad guys exploit vulnerabilities that are found in older versions of software. A very good piece of software that keeps your programs up-to-date is *Secunia Personal Software Inspector (PSI)*. You can download and install it from here. You can read more information about this free software as well as a video walkthrough from here.

*3. Antimalware- Preventative*
*Note*: Let's keep Malwarebytes installed as it's a fantastic piece of software. Malwarebytes is anti-malware software and not antivirus software, so it won't conflict with the antivirus that you are running. I would recommend that you open up this program, allow it to update and scan your machine at least quarterly...monthly if you can.

*4. Crypto Warning!!!! - Complete Data Loss can occur!*
There are particularly nasty infections out there at the moment that encrypt your data and hold it for ransom. You may read more about this here.
New strains of this are coming out all the time.


*Download* CryptoPrevent *free* for home use here, following the instructions below.
*Save *the file to your *desktop *from the link above and then *open *the program by clicking *Run *when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
Accept all the defaults during the install. The last screen of the install has a checkmark in "*Launch CryptoPrevent*". This is good and will launch the program once you click *Finish*.
You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer *No*.
You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
You will then be prompted to apply all default protections. Answer *Yes*.
You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
That's it. The protection is in place.
Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now) and select the Updates! menu....and select Check for Updates to see if there are any as this infection has serious consequences.

*5. Adobe Flash Player*
There's a very nasty piece of malware going around right now called Cryptowall. It's very destructive and most recently the newest variant is exploiting unpatched versions of Adobe Flash. Let's make sure you get current.

1. Determine if you have the most current version by going to this website. If your version represented by the top box matches the version in the bottom box you are current.

2. If your version is older than the current then click on the *Player Download Center *link (shown in the screen shot above).
3. You will be brought to the install/update page. Ensure you *uncheck *any optional offers (unless you want them of course) and then click on *Install Now.*

4. You may be prompted to run the installer. Go ahead and do this.
5. When it's complete, click *Finish*. You now have the latest version. You can verify by going back to this website if you feel the need.

For more information about computer security and how to protect yourself when on the internet, please read this guide *Best Practices for Safe Computing*

OK, all the best, and stay safe!

Items for your next post
*1. Contents of the delfix log*


----------



## andrewoman (Feb 5, 2015)

# DelFix v10.8 - Logfile created 10/02/2015 at 22:34:24
# Updated 29/07/2014 by Xplode
# Username : JUSTME - MYPC
# Operating System : Windows 8.1 (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\Users\JUSTME\Downloads\FRST-OlderVersion
Deleted : C:\Users\JUSTME\Desktop\aswMBR.txt
Deleted : C:\Users\JUSTME\Desktop\MBR.dat
Deleted : C:\Users\JUSTME\Desktop\WINLOGONS 11.rtf
Deleted : C:\Users\JUSTME\Downloads\Addition.txt
Deleted : C:\Users\JUSTME\Downloads\aswmbr.exe
Deleted : C:\Users\JUSTME\Downloads\Fixlog.txt
Deleted : C:\Users\JUSTME\Downloads\FRST.txt
Deleted : C:\Users\JUSTME\Downloads\FRST64 (1).exe
Deleted : C:\Users\JUSTME\Downloads\FRST64 (2).exe
Deleted : C:\Users\JUSTME\Downloads\FRST64 (3).exe
Deleted : C:\Users\JUSTME\Downloads\FRST64 (4).exe
Deleted : C:\Users\JUSTME\Downloads\FRST64 (5).exe
Deleted : C:\Users\JUSTME\Downloads\FRST64.exe
Deleted : C:\Users\JUSTME\Downloads\HijackThis.exe
Deleted : C:\Users\JUSTME\Downloads\RogueKillerX64.exe
Deleted : HKLM\SYSTEM\CurrentControlSet\Services\aswMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #31 [paint.net 4.0.5 | 01/26/2015 02:54:25]
Deleted : RP #32 [Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 | 02/01/2015 03:04:07]
Deleted : RP #33 [Scheduled Checkpoint | 02/09/2015 00:21:05]
Deleted : RP #34 [Installed Classic Shell | 02/11/2015 01:05:38]
Deleted : RP #36 [Restore Point Created by FRST | 02/11/2015 01:30:13]
Deleted : RP #38 [Restore Point Created by FRST | 02/11/2015 04:24:40]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########


----------



## BrianDrab (Oct 22, 2014)

OK, so we know you will monitor for the multiple LogonUI processes.


Other than that can you provide more details on the camera?


I see that you have it disabled in Device Manager. Are you ever going to use the camera or is your goal to have it completely disabled?


----------



## andrewoman (Feb 5, 2015)

Completely disabled!!!! But I may use it at some point, not sure


----------



## andrewoman (Feb 5, 2015)

I did have Skype for a short time, but uninstalled it. Perhaps some remnant keeps the webcam open, but I have disabled it, so it is strange that it and mic keep popping open in Device Manager


----------



## BrianDrab (Oct 22, 2014)

I would uninstall "Lenovo EasyCamera" from Add/Remove programs.


Can you explain what you mean that it keeps "popping open" in device manager?


----------



## andrewoman (Feb 5, 2015)

I may use it for Skype or VSee??? 

Every time I open Device Manager the tabs are open ONLY for webcam and audio. I will close the tabs, so that no programs are open (using the + key). I open Device Manager another time, once again the tabs for those two programs - webcam and audio - only are open again.


----------



## BrianDrab (Oct 22, 2014)

Ahh, yes that is standard windows device manager behavior. For example if I went to device manager and opened up the *DVD/CD-ROM drives* and disabled my DVD drive, next time I went into Device Manager that category (DVD/CD-ROM drives) would automatically be expanded.

As long as you have it disabled, it can't be used. You're good to go.


----------



## andrewoman (Feb 5, 2015)

I understand, but those 2 programs keep being open even though I disabled them long ago.


----------



## BrianDrab (Oct 22, 2014)

Where do they keep being opened at?


----------



## andrewoman (Feb 5, 2015)

In Device Manager


----------



## andrewoman (Feb 5, 2015)

I disabled webcam and mic long ago and they are the only two programs tabbed open in Device Manager no matter when I open Device Manager


----------



## BrianDrab (Oct 22, 2014)

Correct, as mentioned that is normal behavior. Since they are disabled they will show up when you open device manager. As long as they are disabled you can be sure you are safe.


----------



## andrewoman (Feb 5, 2015)

Okee dokee


----------



## andrewoman (Feb 5, 2015)

Did we check the MBR during these scans???


----------



## BrianDrab (Oct 22, 2014)

OK, if there is nothing else I will go ahead and close this topic.


----------



## BrianDrab (Oct 22, 2014)

Yes, your MBR was clean.


----------



## andrewoman (Feb 5, 2015)

Thank you very much for your help!!!!!!!!!!! 

One last question, though. Which antivirus and firewall do you use? If you do not mind me asking, or which ones do you recommend???


----------



## BrianDrab (Oct 22, 2014)

Honestly I use Windows Defender for my AV. It's very lightweight and does a good job.


I use only the Windows Firewall. It was not very good in Windows XP, but each version since Vista it has been better and better.


----------



## andrewoman (Feb 5, 2015)

Cool. I guess I am doing okay then. Been using Glasswire as firewall and Windows Defender. 
I like Glasswire because it warns you when there are changes on the network.

Anyway, you are an awesome possum. This was a better experience than Malwarebytes and Majorgeeks tech help that I used a few years ago.


----------



## BrianDrab (Oct 22, 2014)

No problem. Glad I could help. Have a good evening.


----------



## andrewoman (Feb 5, 2015)

Thank you, and you as well!


----------



## andrewoman (Feb 5, 2015)

Sorry BrianDrab. I swear this is the last question. I meant to ask and forgot. I use free wifi daily, such as coffee shops, restaurants and such. Is there software you could recommend for safety???


----------



## BrianDrab (Oct 22, 2014)

No problem. Sorry I didn't get back to you last night. I had turned in for the evening.


That is a great question. I can tell you care about security. So many people don't. I always, without exception, immediately connect to a VPN after I connect to a Wifi network (even my home Wifi). I have the benefit of being able to use our secure VPN at work so I've never had to look at third party products. I don't recommend products unless I've used them so I don't know what is out there. But I would highly suggest connecting to a VPN service anytime you are connected to Wifi so that all of your traffic is encrypted.


----------



## andrewoman (Feb 5, 2015)

Hi Brian, the issues still persist - 12 instances of winlogon, 11 instances of LogonUI and 12 instances of dwm.exe


----------



## BrianDrab (Oct 22, 2014)

Wow. OK, please do the following while the issue is happening.

 Step#1 - Process Explorer
1. Download *Process Explorer* from here and save it to your *desktop*.
2. *Right-click* on the file procexp.exe and choose *Run as administrator*. <---Note: This step needs to be done exactly as stated.
3. Answer *Yes* to allow on the User Account Control message.
4. Click *Agree* to accept the Process Explorer License Agreement if prompted.
5. Select the *View* menu and choose *Select Columns*.
6. In addition to what is already checked, check *User Name*, *Image Path*, *Session*, *Command Line*, *Autostart Location*, and *VirusTotal*.
7. Click OK. You will get an information VirusTotal message. Click *OK*.
8. Select the *Options* menu and choose *VirusTotal.com....Check VirusTotal.com*.
9. You will get another message box to agree to the terms of use. The Terms of Use will also open up in a web page. You can close that page that opened up. Just click on *Yes* in the message box.
10. The last column of Process Explorer should be the VirusTotal column. It will say *Hash submitted* and then a few moments later it will show something like 0/57.
11. Once it no longer says Hash submitted, Select the *File* menu and click *Save*. Name the file whatever you want and save it to the *desktop*.
12. Please post the contents of this file into your next post.

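The triage Brian's Process Explorer steps perform by eye (user name, session, image path, command line, and a VirusTotal hash lookup for each running image) can also be scripted so the same checks are applied to every instance consistently. The following is an added example, not one of the tools used in this thread; it assumes an elevated PowerShell 4.0 prompt on Windows 8.1 and uses only built-in cmdlets. It lists every winlogon.exe, LogonUI.exe and dwm.exe with its session and owner, hashes the on-disk images, and flags what would actually matter for a decision: a binary outside System32, an unexpected account, a live parent that is not smss.exe, or two winlogon.exe in the same session.

```powershell
# Added example, not from the thread: triage of repeated winlogon.exe / LogonUI.exe /
# dwm.exe instances. Assumes an elevated PowerShell 4.0 prompt on Windows 8.1.
# Read-only: it inspects processes and hashes files, and changes nothing.

$watch    = 'winlogon.exe', 'LogonUI.exe', 'dwm.exe'
$system32 = Join-Path $env:SystemRoot 'System32'

# One record per process of interest, with the columns Process Explorer was asked to show.
$procs = Get-CimInstance Win32_Process |
    Where-Object { $watch -contains $_.Name } |
    ForEach-Object {
        $owner  = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [pscustomobject]@{
            Name       = $_.Name
            PID        = $_.ProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            Session    = $_.SessionId
            Owner      = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            Path       = $_.ExecutablePath
            Started    = $_.CreationDate
        }
    }

function Get-LogonProcessFindings {
    param([object[]]$Rows)
    $findings = @()
    foreach ($r in $Rows) {
        # 1. The genuine binaries live only in %SystemRoot%\System32.
        if (-not $r.Path -or $r.Path -notlike "$system32\*") {
            $findings += "PID $($r.PID) $($r.Name): image path '$($r.Path)' is not under $system32"
        }
        # 2. winlogon.exe and LogonUI.exe run as SYSTEM; dwm.exe runs as Window Manager\DWM-<n>.
        $expected = if ($r.Name -ieq 'dwm.exe') { 'Window Manager\DWM-*' } else { 'NT AUTHORITY\SYSTEM' }
        if ($r.Owner -notlike $expected) {
            $findings += "PID $($r.PID) $($r.Name): runs as '$($r.Owner)', expected '$expected'"
        }
        # 3. winlogon.exe is started by a per-session smss.exe copy that exits at once, so its
        #    parent is normally gone. A live parent that is not smss.exe is a lead, not a verdict
        #    (PID reuse can produce the same picture).
        if ($r.Name -ieq 'winlogon.exe' -and $r.ParentName -ne '<exited>' -and $r.ParentName -ine 'smss.exe') {
            $findings += "PID $($r.PID) winlogon.exe: live parent is $($r.ParentName), not smss.exe"
        }
    }
    # 4. Sessions are built with exactly one winlogon.exe each; two in one session is not normal.
    $Rows | Where-Object { $_.Name -ieq 'winlogon.exe' } | Group-Object Session |
        Where-Object { $_.Count -gt 1 } | ForEach-Object {
            $findings += "session $($_.Name): $($_.Count) winlogon.exe instances (PIDs $($_.Group.PID -join ', '))"
        }
    return $findings
}

$procs | Sort-Object Session, Name |
    Format-Table Session, Name, PID, ParentName, Owner, Started, Path -AutoSize

# SHA-256 of each distinct on-disk image, to look up by hash the way Process Explorer's
# VirusTotal column does for the running binaries.
$procs | Where-Object { $_.Path } | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Get-FileHash -Algorithm SHA256 -LiteralPath $_ } |
    Format-Table Hash, Path -AutoSize

$findings = Get-LogonProcessFindings -Rows $procs
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'No anomalies: every instance is the System32 binary, runs under the expected account, and each session has one winlogon.exe.' }
```

The design point is that the count by itself is not the signal. Twelve winlogon.exe instances that each sit in a different session, each paired with one LogonUI.exe and one dwm.exe, all loaded from System32 under the expected accounts, pass every check above; that picture says many sessions have been created (the interactive processes in the list posted below this run in session 13), which is a Windows behaviour question rather than a malware one, and matches the helper's assessment earlier in the thread. Two winlogon.exe in one session, or one loaded from anywhere other than System32, is the case that deserves a closer look.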

----------



## andrewoman (Feb 5, 2015)

Process	CPU	Private Bytes	Working Set	PID	Description	Company Name	User Name	Session	Path	Command Line	Autostart Location	VirusTotal
System Idle Process	87.58	0 K	4 K	0 NT AUTHORITY\SYSTEM 
System	0.14	1,956 K	9,084 K	4 NT AUTHORITY\SYSTEM	0 
Interrupts	0.16	0 K	0 K	n/a	Hardware Interrupts and DPCs 0 
smss.exe 344 K	624 K	428	Windows Session Manager	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\smss.exe	\SystemRoot\System32\smss.exe 0/57
csrss.exe 2,816 K	4,064 K	616	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
wininit.exe 1,260 K	3,760 K	724	Windows Start-Up Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\wininit.exe	wininit.exe 0/57
services.exe 4,356 K	7,852 K	820	Services and Controller app	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\services.exe	C:\windows\system32\services.exe 0/57
svchost.exe	< 0.01	8,896 K	15,484 K	900	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\svchost.exe	C:\windows\system32\svchost.exe -k DcomLaunch 0/57
unsecapp.exe 1,780 K	4,548 K	3452	Sink to receive asynchronous callbacks for WMI client application	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\wbem\unsecapp.exe	C:\windows\system32\wbem\unsecapp.exe -Embedding 0/57
WmiPrvSE.exe 7,148 K	13,420 K	3548	WMI Provider Host	Microsoft Corporation	NT AUTHORITY\NETWORK SERVICE	0	C:\Windows\System32\wbem\WmiPrvSE.exe	C:\windows\system32\wbem\wmiprvse.exe 0/57
WmiPrvSE.exe 3,528 K	8,588 K	3876	WMI Provider Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\wbem\WmiPrvSE.exe	C:\windows\system32\wbem\wmiprvse.exe 0/57
igfxsrvc.exe 2,192 K	6,484 K	7576	igfxsrvc Module	Intel Corporation	MYPC\JUSTME	13	C:\Windows\System32\igfxsrvc.exe	"C:\windows\system32\igfxsrvc.exe" -Embedding 0/51
WmiPrvSE.exe 1,612 K	5,448 K	8220	WMI Provider Host	Microsoft Corporation	NT AUTHORITY\NETWORK SERVICE	0	C:\Windows\System32\wbem\WmiPrvSE.exe	C:\windows\system32\wbem\wmiprvse.exe 0/57
WWAHost.exe	Suspended	32,060 K	60,564 K	7284	Microsoft WWA Host	Microsoft Corporation	MYPC\JUSTME	13	C:\Windows\System32\WWAHost.exe	"C:\Windows\System32\WWAHost.exe" -ServerName:Windows.Store 0/57
RuntimeBroker.exe 2,884 K	13,288 K	8640	Runtime Broker	Microsoft Corporation	MYPC\JUSTME	13	C:\Windows\System32\RuntimeBroker.exe	C:\Windows\System32\RuntimeBroker.exe -Embedding 0/57
dllhost.exe 1,540 K	7,968 K	772	COM Surrogate	Microsoft Corporation	MYPC\JUSTME	13	C:\Windows\SysWOW64\dllhost.exe	C:\WINDOWS\SYSWOW64\DLLHOST.EXE /PROCESSID:{3AD05575-8857-4850-9277-11B85BDB8E09} 0/57
svchost.exe	< 0.01	8,068 K	11,340 K	940	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\NETWORK SERVICE	0	C:\Windows\System32\svchost.exe	C:\windows\system32\svchost.exe -k RPCSS 0/57
nvvsvc.exe 2,388 K	6,148 K	1020	NVIDIA Driver Helper Service, Version 327.62	NVIDIA Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\nvvsvc.exe	"C:\windows\system32\nvvsvc.exe"	HKLM\System\CurrentControlSet\Services\nvsvc	0/57
nvxdsync.exe 5,848 K	16,736 K	5868	NVIDIA User Experience Driver Component	NVIDIA Corporation	NT AUTHORITY\SYSTEM	13	C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe	"C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe" 0/57
nvvsvc.exe	< 0.01 4,676 K	12,912 K	5928	NVIDIA Driver Helper Service, Version 327.62	NVIDIA Corporation	NT AUTHORITY\SYSTEM	13	C:\Windows\System32\nvvsvc.exe	C:\windows\system32\nvvsvc.exe -session	HKLM\System\CurrentControlSet\Services\nvsvc	0/57
svchost.exe	0.05	41,108 K	38,952 K	480	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	0	C:\Windows\System32\svchost.exe	C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted 0/57
audiodg.exe	< 0.01	8,692 K	12,184 K	7672	Windows Audio Device Graph Isolation Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	0	C:\Windows\System32\audiodg.exe	C:\windows\system32\AUDIODG.EXE 0x2bf8 0/57
svchost.exe 50,584 K	63,520 K	812	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\svchost.exe	C:\windows\system32\svchost.exe -k netsvcs 0/57
taskhostex.exe 4,628 K	11,332 K	7988	Host Process for Windows Tasks	Microsoft Corporation	MYPC\JUSTME	13	C:\Windows\System32\taskhostex.exe	taskhostex.exe 0/57
svchost.exe	< 0.01	14,432 K	19,856 K	1032	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	0	C:\Windows\System32\svchost.exe	C:\windows\system32\svchost.exe -k LocalService 0/57
svchost.exe	0.07	132,740 K	141,480 K	1120	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\svchost.exe	C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted 0/57
WUDFHost.exe	< 0.01	1,216 K	4,456 K	3328	Windows Driver Foundation - User-mode Driver Framework Host Process	Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	0	C:\Windows\System32\WUDFHost.exe	"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-5234e32d-b0ea-479e-b15a-b96abff700e6 -SystemEventPortName:HostProcess-d54d076a-c141-4b17-b285-43dcfb5283ff -IoCancelEventPortName:HostProcess-45e9ebe5-1914-42e9-a1a9-d691fc6af799 -NonStateChangingEventPortName:HostProcess-3ac8c2f8-5acf-4356-a490-cb2e90ba3137 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:d2442109-6249-48aa-836e-f150c2e89a57 -DeviceGroupId:WudfDefaultDevicePool 0/57
wlanext.exe 4,716 K	13,432 K	4728	Windows Wireless LAN 802.11 Extensibility Framework	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\wlanext.exe	C:\windows\system32\WLANExt.exe 141378448720 0/57
conhost.exe 564 K	2,656 K	1988	Console Window Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\conhost.exe	\??\C:\windows\system32\conhost.exe 0x4 0/57
ClassicShellService.exe 764 K	2,788 K	1416	Classic Shell Service	IvoSoft	NT AUTHORITY\SYSTEM	0	C:\Program Files\Classic Shell\ClassicShellService.exe	"C:\Program Files\Classic Shell\ClassicShellService.exe"	HKLM\System\CurrentControlSet\Services\ClassicShellService	0/57
ClassicStartMenu.exe 3,816 K	7,480 K	8680	Classic Start Menu	IvoSoft	MYPC\JUSTME	13	C:\Program Files\Classic Shell\ClassicStartMenu.exe	"C:\Program Files\Classic Shell\ClassicStartMenu.exe" -startup 0/53
svchost.exe	< 0.01	18,368 K	28,776 K	1460	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\NETWORK SERVICE	0	C:\Windows\System32\svchost.exe	C:\windows\system32\svchost.exe -k NetworkService 0/57
svchost.exe 23,444 K	28,580 K	1676	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	0	C:\Windows\System32\svchost.exe	C:\windows\system32\svchost.exe -k LocalServiceNoNetwork 0/57
EvtEng.exe 5,660 K	11,364 K	1880	Intel(R) PROSet/Wireless Event Log Service	Intel(R) Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files\Intel\WiFi\bin\EvtEng.exe	"C:\Program Files\Intel\WiFi\bin\EvtEng.exe"	HKLM\System\CurrentControlSet\Services\EvtEng	0/54
ExpressCache.exe	9.31	30,524 K	123,436 K	2040	ExpressCache Service	Condusiv Technologies	NT AUTHORITY\SYSTEM	0	C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe	"C:\Program Files\Condusiv Technologies\ExpressCache\ExpressCache.exe"	HKLM\System\CurrentControlSet\Services\ExpressCache	0/55
GfExperienceService.exe 1,800 K	4,648 K	2368	NVIDIA GeForce Experience Service	NVIDIA Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe	"C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe"	HKLM\System\CurrentControlSet\Services\GfExperienceService	0/54
GWCtlSrv.exe	0.07	44,392 K	52,620 K	2396	GlassWire Control Service	SecureMix LLC	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\GlassWire\GWCtlSrv.exe	"C:\Program Files (x86)\GlassWire\GWCtlSrv.exe"	HKLM\System\CurrentControlSet\Services\GlassWire	0/57
GWIdlMon.exe	< 0.01	2,432 K	7,584 K	4436	GlassWire Computer Idle Monitor	SecureMix LLC	MYPC\JUSTME	13	C:\Program Files (x86)\GlassWire\GWIdlMon.exe	"C:\Program Files (x86)\GlassWire\GWIdlMon.exe" --cookie 79117592579332 --port 26887 0/57
conhost.exe 736 K	3,256 K	8096	Console Window Host	Microsoft Corporation	MYPC\JUSTME	13	C:\Windows\System32\conhost.exe	\??\C:\windows\system32\conhost.exe 0x4 0/57
HeciServer.exe 1,292 K	3,904 K	2480	Intel(R) Capability Licensing Service Interface	Intel(R) Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files\Intel\iCLS Client\HeciServer.exe	"C:\Program Files\Intel\iCLS Client\HeciServer.exe"	HKLM\System\CurrentControlSet\Services\Intel(R) Capability Licensing Service Interface	0/57
ibtrksrv.exe 1,444 K	3,660 K	2500	Intel(R) Wireless Bluetooth(R) Radio Management Service	Intel Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe	"C:\Program Files (x86)\Intel\Bluetooth\ibtrksrv.exe"	HKLM\System\CurrentControlSet\Services\Intel(R) Wireless Bluetooth(R) 4.0 Radio Management	0/52
NvNetworkService.exe	< 0.01	1,424 K	4,872 K	2576	NVIDIA Network Service	NVIDIA Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe	"C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe"	HKLM\System\CurrentControlSet\Services\NvNetworkService	1/57
nvstreamsvc.exe	< 0.01	3,188 K	8,588 K	2636	NVIDIA Streamer Service	NVIDIA Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe	"C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe"	HKLM\System\CurrentControlSet\Services\NvStreamSvc	0/56
nvstreamsvc.exe	0.02	6,704 K	11,532 K	2896	NVIDIA Streamer Service	NVIDIA Corporation	NT AUTHORITY\NETWORK SERVICE	0	C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe	"C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe" nss b1182286-f2ae-480d-be6d-6e17faa50628 1	HKLM\System\CurrentControlSet\Services\NvStreamSvc	0/56
conhost.exe 672 K	1,456 K	2904	Console Window Host	Microsoft Corporation	NT AUTHORITY\NETWORK SERVICE	0	C:\Windows\System32\conhost.exe	\??\C:\windows\system32\conhost.exe 0x4 0/57
nvstreamsvc.exe	< 0.01	4,984 K	12,876 K	4980	NVIDIA Streamer Service	NVIDIA Corporation	NT AUTHORITY\SYSTEM	13	C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe	"C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe" serviceapp	HKLM\System\CurrentControlSet\Services\NvStreamSvc	0/56
conhost.exe 788 K	3,624 K	6584	Console Window Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	13	C:\Windows\System32\conhost.exe	\??\C:\windows\system32\conhost.exe 0x4 0/57
RegSrvc.exe 1,792 K	5,496 K	2700	Intel(R) PROSet/Wireless Registry Service	Intel(R) Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe	"C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe"	HKLM\System\CurrentControlSet\Services\RegSrvc	0/55
MsMpEng.exe	0.01	169,116 K	147,640 K	2888	Antimalware Service Executable	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files\Windows Defender\MsMpEng.exe	"C:\Program Files\Windows Defender\MsMpEng.exe"	HKLM\System\CurrentControlSet\Services\WinDefend	0/57
SearchIndexer.exe	< 0.01	32,720 K	36,912 K	2412	Microsoft Windows Search Indexer	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\SearchIndexer.exe	C:\windows\system32\SearchIndexer.exe /Embedding	HKLM\System\CurrentControlSet\Services\WSearch	0/57
svchost.exe 1,140 K	3,360 K	3132	Host Process for Windows Services	Microsoft Corporation	NT AUTHORITY\LOCAL SERVICE	0	C:\Windows\System32\svchost.exe	C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation 0/57
devmonsrv.exe 2,904 K	6,148 K	4316	Bluetooth Device Monitor	Motorola Solutions, Inc.	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe	"C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe"	HKLM\System\CurrentControlSet\Services\Bluetooth Device Monitor	2/57
obexsrv.exe 2,836 K	5,948 K	3416	Bluetooth OBEX Service	Motorola Solutions, Inc.	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe	"C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe"	HKLM\System\CurrentControlSet\Services\Bluetooth OBEX Service	2/57
IAStorDataMgrSvc.exe 32,196 K	29,528 K	3036	IAStorDataSvc	Intel Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe	"C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe"	HKLM\System\CurrentControlSet\Services\IAStorDataMgrSvc	0/57
IntelMeFWService.exe 800 K	2,760 K	1960	Intel(R) ME Service	Intel Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe	"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe"	HKLM\System\CurrentControlSet\Services\Intel(R) ME Service	0/57
jhi_service.exe 972 K	3,276 K	3464	Intel(R) Dynamic Application Loader Host Interface	Intel Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe	"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe"	HKLM\System\CurrentControlSet\Services\jhi_service	0/57
LMS.exe 3,216 K	7,100 K	4328	Intel(R) Local Management Service	Intel Corporation	NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe	"C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe"	HKLM\System\CurrentControlSet\Services\LMS	0/56
Everything.exe 1,248 K	5,476 K	6192	Everything NT AUTHORITY\SYSTEM	0	C:\Program Files (x86)\Everything\Everything.exe	"C:\Program Files (x86)\Everything\Everything.exe" -svc	HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Everything	0/57
lsass.exe 6,672 K	12,932 K	828	Local Security Authority Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	0	C:\Windows\System32\lsass.exe	C:\windows\system32\lsass.exe	HKLM\System\CurrentControlSet\Services\SamSs	0/57
csrss.exe	< 0.01	1,884 K	2,524 K	5668	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	2	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,128 K	3,444 K	5104	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	2	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
dwm.exe 808 K	2,256 K	2076	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-2	2	C:\Windows\System32\dwm.exe -hiberboot 0/57
LogonUI.exe 5,056 K	13,020 K	2908	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	2	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
csrss.exe	< 0.01	1,576 K	2,312 K	5664	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	1	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,132 K	3,448 K	5936	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	1	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
dwm.exe 812 K	2,308 K	444	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-1	1	C:\Windows\System32\dwm.exe -hiberboot 0/57
LogonUI.exe 4,932 K	12,920 K	4504	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	1	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
csrss.exe	< 0.01 1,620 K	2,292 K	1928	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	3	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,112 K	3,444 K	5484	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	3	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
LogonUI.exe 4,936 K	12,828 K	2088	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	3	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
dwm.exe 804 K	2,248 K	5944	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-3	3	C:\Windows\System32\dwm.exe -hiberboot 0/57
csrss.exe	< 0.01	1,580 K	2,300 K	1540	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	4	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,132 K	3,440 K	1060	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	4	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
LogonUI.exe 4,848 K	12,768 K	3944	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	4	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
dwm.exe 812 K	2,264 K	4400	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-4	4	C:\Windows\System32\dwm.exe -hiberboot 0/57
csrss.exe	< 0.01	1,804 K	2,476 K	204	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	6	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,128 K	3,444 K	3560	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	6	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
dwm.exe 808 K	2,272 K	4004	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-6	6	C:\Windows\System32\dwm.exe -hiberboot 0/57
LogonUI.exe 4,836 K	12,704 K	6216	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	6	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
csrss.exe	< 0.01	1,616 K	2,424 K	4188	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	5	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,064 K	3,392 K	1048	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	5	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
dwm.exe 808 K	2,292 K	2508	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-5	5	C:\Windows\System32\dwm.exe -hiberboot 0/57
LogonUI.exe 4,896 K	12,848 K	6536	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	5	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
csrss.exe	< 0.01	1,696 K	2,456 K	3300	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	7	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,068 K	3,392 K	7156	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	7	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
LogonUI.exe 4,908 K	12,824 K	1980	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	7	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
dwm.exe 812 K	2,292 K	3896	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-7	7	C:\Windows\System32\dwm.exe -hiberboot 0/57
csrss.exe	< 0.01	1,664 K	2,440 K	8232	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	8	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,048 K	3,496 K	8908	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	8	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
dwm.exe 808 K	2,272 K	8236	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-8	8	C:\Windows\System32\dwm.exe -hiberboot 0/57
LogonUI.exe 4,876 K	12,776 K	8960	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	8	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
csrss.exe	< 0.01	1,576 K	3,656 K	4816	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	10	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,072 K	4,864 K	6648	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	10	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
LogonUI.exe 4,824 K	14,204 K	6152	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	10	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
dwm.exe 808 K	3,776 K	7504	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-10	10	C:\Windows\System32\dwm.exe -hiberboot 0/57
csrss.exe	< 0.01	1,752 K	3,908 K	376	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	9	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,044 K	4,840 K	7768	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	9	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
LogonUI.exe 4,808 K	14,268 K	8448	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	9	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
dwm.exe 808 K	3,780 K	8692	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-9	9	C:\Windows\System32\dwm.exe -hiberboot 0/57
csrss.exe	< 0.01	1,572 K	3,672 K	8508	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	11	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,064 K	4,864 K	2848	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	11	C:\Windows\System32\winlogon.exe	C:\windows\System32\WinLogon.exe -SpecialSession 0/57
dwm.exe 808 K	3,788 K	8700	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-11	11	C:\Windows\System32\dwm.exe -hiberboot 0/57
LogonUI.exe 4,804 K	14,240 K	8876	Windows Logon User Interface Host	Microsoft Corporation	NT AUTHORITY\SYSTEM	11	C:\Windows\System32\LogonUI.exe	"LogonUI.exe" /flags:0x0 0/57
csrss.exe	0.01	2,520 K	56,808 K	8392	Client Server Runtime Process	Microsoft Corporation	NT AUTHORITY\SYSTEM	13	C:\Windows\System32\csrss.exe	%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 0/57
winlogon.exe 1,296 K	5,540 K	4568	Windows Logon Application	Microsoft Corporation	NT AUTHORITY\SYSTEM	13	C:\Windows\System32\winlogon.exe	winlogon.exe 0/57
dwm.exe	< 0.01	23,252 K	31,416 K	7476	Desktop Window Manager	Microsoft Corporation	Window Manager\DWM-13	13	C:\Windows\System32\dwm.exe	"dwm.exe" 0/57
explorer.exe	< 0.01	100,812 K	150,656 K	6840	Windows Explorer	Microsoft Corporation	MYPC\JUSTME	13	C:\Windows\explorer.exe	C:\windows\Explorer.EXE	HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	0/57
igfxtray.exe 1,376 K	5,848 K	4452	igfxTray Module	Intel Corporation	MYPC\JUSTME	13	C:\Windows\System32\igfxtray.exe	"C:\Windows\System32\igfxtray.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IgfxTray	0/50
hkcmd.exe 1,380 K	5,728 K	5060	hkcmd Module	Intel Corporation	MYPC\JUSTME	13	C:\Windows\System32\hkcmd.exe	"C:\Windows\System32\hkcmd.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKeysCmds	0/51
igfxpers.exe 1,400 K	6,056 K	6632	persistence Module	Intel Corporation	MYPC\JUSTME	13	C:\Windows\System32\igfxpers.exe	"C:\Windows\System32\igfxpers.exe" HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Persistence	0/57
RAVCpl64.exe 3,452 K	10,000 K	7312	Realtek HD Audio Manager	Realtek Semiconductor	MYPC\JUSTME	13	C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe	"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe" -s	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RtHDVCpl	0/57
RAVBg64.exe 4,960 K	9,624 K	1344	HD Audio Background Process	Realtek Semiconductor	MYPC\JUSTME	13	C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe	"C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /FORPCEE4	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RtHDVBg_Dolby	0/57
WinPatrol.exe	< 0.01	3,492 K	12,160 K	2668	WinPatrol Background Change Monitor	Ruiware LLC	MYPC\JUSTME	13	C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe	"C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe" -expressboot	HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinPatrol	0/57
NvBackend.exe	< 0.01	12,220 K	19,916 K	3388	NVIDIA GeForce Experience Backend	NVIDIA Corporation	MYPC\JUSTME	13	C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe	"C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"	HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvBackend	0/57
chrome.exe	0.07	107,264 K	152,172 K	1636	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" 0/57
chrome.exe	< 0.01	73,804 K	98,240 K	3016	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --channel="1636.0.241139882\1640947207" --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,18,39 --gpu-vendor-id=0x8086 --gpu-device-id=0x0416 --gpu-driver-vendor="Intel Corporation" --gpu-driver-version=10.18.10.3277 --ignored=" --type=renderer " /prefetch:822062411 0/57
chrome.exe	< 0.01	150,028 K	150,908 K	1944	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.1.575766175\483398115" /prefetch:673131151 0/57
chrome.exe	< 0.01	163,424 K	166,680 K	2872	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.5.1726605946\291544081" /prefetch:673131151 0/57
chrome.exe 69,500 K	73,696 K	8632	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.11.1924133341\717833491" /prefetch:673131151 0/57
chrome.exe	< 0.01	65,844 K	70,836 K	2728	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.26.1831387616\1274925410" /prefetch:673131151 0/57
chrome.exe	0.03	126,600 K	128,344 K	4016	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.29.847253649\1390970570" /prefetch:673131151 0/57
chrome.exe	0.08	66,736 K	67,156 K	3636	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=ppapi --channel="1636.38.1215799803\966020468" --ppapi-flash-args=enable_hw_video_decode=1 --lang=en-US --ignored=" --type=renderer " /prefetch:-632637702 0/57
chrome.exe	0.01	74,964 K	85,252 K	7944	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.42.1389927423\32341540" /prefetch:673131151 0/57
chrome.exe 57,160 K	60,180 K	4072	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.47.1248217731\1135834584" /prefetch:673131151 0/57
chrome.exe	0.02	92,764 K	97,800 K	896	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.57.1102051254\413175674" /prefetch:673131151 0/57
chrome.exe	0.04	53,400 K	56,388 K	2732	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.61.525084371\1933213363" /prefetch:673131151 0/57
chrome.exe	< 0.01	73,040 K	75,372 K	6212	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --extension-process --enable-webrtc-hw-h264-encoding --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.62.792060882\94182093" /prefetch:673131151 0/57
chrome.exe	< 0.01	56,996 K	51,964 K	5384	Google Chrome	Google Inc.	MYPC\JUSTME	13	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --enable-deferred-image-decoding --lang=en-US --force-fieldtrials="BrowserBlacklist/Enabled/ChromeSuggestions/Default/DomRel-Enable/enable/EmbeddedSearch/Group2 pct:10b stablep2 prefetch_results:1 reuse_instant_search_base_page:1/EnhancedBookmarks/Default/ExtensionContentVerification/Enforce/ExtensionInstallVerification/Enforce/GCM/Enabled/GoogleNow/Enable/MaterialDesignNTP/Enabled/NewProfileManagement/NewAvatarMenu/OmniboxBundledExperimentV1/StandardR4/PasswordGeneration/Disabled/PrerenderFromOmnibox/OmniboxPrerenderEnabled/QUIC/EnabledForLargePopulation/RememberCertificateErrorDecisions/Default/SPDY/Spdy4Enabled-default/SRTPromptFieldTrial/Default/SafeBrowsingIncidentReportingService/Default/SettingsEnforcement/enforce_always_with_extensions_and_dse/ShowAppLauncherPromo/ShowPromoUntilDismissed/UMA-Dynamic-Binary-Uniformity-Trial/default/UMA-Dynamic-Uniformity-Trial/Group3/UMA-Population-Restrict/normal/UMA-Uniformity-Trial-1-Percent/group_49/UMA-Uniformity-Trial-10-Percent/group_01/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_17/UMA-Uniformity-Trial-50-Percent/group_01/UwSInterstitialStatus/On/VoiceTrigger/Install/WebRTC-IPv6Default/Default/" --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --enable-pinch --device-scale-factor=1 --enable-delegated-renderer --enable-impl-side-painting --num-raster-threads=1 --channel="1636.65.1563451646\176599089" /prefetch:673131151 0/57
Everything.exe	0.01	34,888 K	51,912 K	4772	Everything MYPC\JUSTME	13	C:\Program Files (x86)\Everything\Everything.exe	"C:\Program Files (x86)\Everything\Everything.exe"	HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Everything	0/57
procexp.exe 2,188 K	7,404 K	8540	Sysinternals Process Explorer	Sysinternals - www.sysinternals.com MYPC\JUSTME	13	C:\Users\JUSTME\Downloads\procexp.exe	"C:\Users\JUSTME\Downloads\procexp.exe" 0/57
procexp64.exe	0.13	27,272 K	52,200 K	7600	Sysinternals Process Explorer	Sysinternals - www.sysinternals.com MYPC\JUSTME	13	C:\Users\JUSTME\AppData\Local\Temp\procexp64.exe	"C:\Users\JUSTME\Downloads\procexp.exe" 0/57


----------



## BrianDrab (Oct 22, 2014)

OK, that confirmed my suspicions. The good news is that it's not malware related. It appears to happen in Windows 8 and is likely a part of the new Hybrid Boot. I have a few things we can try. 


Before I do I have a question. Do you normally shut down your computer at the end of each day? Do you put it to sleep? Do you just let it hibernate on its own? Let me know what your process is.


Thanks.


----------



## andrewoman (Feb 5, 2015)

Every day I run CCleaner, then shut down, not hibernate nor sleep.


----------



## BrianDrab (Oct 22, 2014)

That's what I hoped you would say. To prove my theory, let's do the following.

Step#1 - Disable Hybrid Boot
1. *Right-click* on the *Start* button and choose *Power Options*.
2. Click the link on the left that says "*Choose what the power buttons do*"
3. Click the link that says "*Change settings that are currently unavailable*."
4. In the *Shutdown Settings* section, *uncheck* "*Turn on fast startup (recommended)*"
5. Click the *Save changes* button.

Now shut down your machine like normal and let me know if your issue comes back.

Thanks.
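
The Power Options steps above flip a single registry value. As an added example (not part of the original thread), here is the same check and change from an elevated PowerShell prompt, plus two ways to confirm whether a "shutdown" was really a full boot: the boot type recorded by the Kernel-Boot provider in the System log, and the kernel session start time, which does not move across a fast-startup shutdown. The registry path, the event ID and the boot-type codes are standard Windows 8+ behaviour; the function names are mine.

```powershell
# Added example (not from the original thread): inspect and disable Fast Startup
# ("Hybrid Boot") from PowerShell instead of the Power Options GUI.
# Assumes Windows 8/8.1 or later and an elevated prompt for the change.

$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-FastStartupState {
    # HiberbootEnabled is the DWORD behind the "Turn on fast startup" checkbox.
    $v = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
    if ($null -eq $v) { return 'not set (treated as enabled while hibernation is available)' }
    if ($v -eq 1) { 'enabled' } else { 'disabled' }
}

function Get-LastBootType {
    # Microsoft-Windows-Kernel-Boot event 27 records how the kernel came up:
    # 0x0 = full boot after a real shutdown, 0x1 = hybrid boot (fast startup),
    # 0x2 = resume from hibernation.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 27
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $evt) { return 'unknown (no Kernel-Boot event 27 in the System log)' }
    if ($evt.Message -match 'boot type was 0x([0-9A-Fa-f]+)') {
        switch ([Convert]::ToInt32($Matches[1], 16)) {
            0       { 'full boot (0x0)' }
            1       { 'hybrid boot / fast startup (0x1)' }
            2       { 'resume from hibernation (0x2)' }
            default { "other (0x$($Matches[1]))" }
        }
    } else {
        "unparsed: $($evt.Message)"
    }
}

function Disable-FastStartup {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt.' }
    # Same effect as unchecking "Turn on fast startup (recommended)"; applies at the next shutdown.
    Set-ItemProperty -Path $powerKey -Name HiberbootEnabled -Value 0 -Type DWord
    # Heavier alternative: 'powercfg /h off' deletes hiberfil.sys and disables
    # both hibernation and fast startup.
}

"Fast Startup setting : $(Get-FastStartupState)"
"Last boot type       : $(Get-LastBootType)"
# With fast startup on, this timestamp survives a 'shutdown' because the kernel
# session is hibernated and resumed rather than torn down.
"Kernel session start : $((Get-CimInstance Win32_OperatingSystem).LastBootUpTime)"
# Disable-FastStartup   # uncomment to apply, shut down, boot, re-run: expect 'full boot (0x0)'
```

Run it once before and once after the shutdown: if the kernel session start time is the same on both runs, or the last boot type is 0x1, the machine never actually went through a full boot, which is exactly the condition the GUI step above is meant to end.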


----------



## andrewoman (Feb 5, 2015)

That seems to have solved the multiple instances. Do I leave the Power Options as they are now?
One last question. How many instances of conhost should there be running?


----------



## BrianDrab (Oct 22, 2014)

> That seems to have solved the multiple instances. Do I leave the Power Options as they are now?


Since Hybrid Boot is causing issues yes I would.



> One last question. How many instances of conhost should there be running?


That really depends on how many apps you have that utilize the console. Having several is not a problem. For example if I opened a command-prompt, another one would be created.


----------



## andrewoman (Feb 5, 2015)

Thanks!!!! I always have 4 instances of conhost running.


----------



## BrianDrab (Oct 22, 2014)

If you are interested we can find out what programs are creating them. Let me know. If not I'll go ahead and close this topic. Thank you.


----------



## andrewoman (Feb 5, 2015)

Ok. That is the only other thing that has bothered me. Thanks


----------



## BrianDrab (Oct 22, 2014)

I assume you still have Process Explorer downloaded to your desktop. If so, skip bullet#1 below.

Step#1 - Identify What Programs are using Conhost.exe
1. Download *Process Explorer* from here and save it to your *desktop*.
2. *Right-click* on the file procexp.exe and choose *Run as administrator*. <---Note: This step needs to be done exactly as stated.
3. Answer *Yes* to allow on the User Account Control message.
4. Click the Process column so all the processes sort.
5. Locate one of the *conhost.exe* processes and double-click on it.
6. Locate the Parent process. In my case it's openvpn.exe which is my Watchguard Firewall VPN Client.

Let me know what yours are. One of them is the default one and will show a parent of cmd.exe. You can ignore this one as that will always be there.


----------



## andrewoman (Feb 5, 2015)

conhost.exe's (all 4 of them). None have a Parent of cmd.exe

What do the question marks mean?: \??\C:\windows

1) wlanext.exe (1340)
\??\C:\windows\system32\conhost.exe 0x4

2) nvstreamsvc.exe (2708)
\??\C:\windows\system32\conhost.exe 0x4

3) nvstreamsvc.exe (2700)
\??\C:\windows\system32\conhost.exe 0x4

4) GWIdlMon.exe (2932)
\??\C:\windows\system32\conhost.exe 0x4


----------



## BrianDrab (Oct 22, 2014)

Perfect. So the last thing to do is to then locate those processes in the Process Monitor list. So in the example I provided above for me, I found that *openvpn.exe* was using conhost.exe. So I located openvpn.exe in the Process Monitor list and looked at the *Path* column. It pointed me to what this program was which was my *Watchguard VPN client*. What are the paths of your four?
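
The two steps above (find each conhost.exe's parent, then look up that parent's path) can be done in one pass without clicking through Process Explorer. The following is an added example, not part of the original thread: it walks Win32_Process via CIM, joins every conhost.exe to its ParentProcessId, prints the parent's image path and Authenticode status, and also lists winlogon.exe instances by session, which was the thread's original question. It adds one caveat the GUI hides: Windows recycles PIDs, so if the real parent has already exited, ParentProcessId can point at an unrelated process; the script flags that by comparing creation times. On the `\??\` prefix seen in the earlier output: Process Explorer shows the NT-native path, and `\??\` is the object-manager directory where Win32 drive letters live, so `\??\C:\windows\system32\conhost.exe` is simply `C:\windows\system32\conhost.exe`. Function names are mine; run elevated so service processes show their paths.

```powershell
# Added example (not from the original thread): map every conhost.exe to the
# process that spawned it, with path and signature, and list winlogon.exe by session.
# Assumes Windows 8 or later; run from an elevated PowerShell prompt.

function Get-ConhostParents {
    $all   = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($child in ($all | Where-Object { $_.Name -ieq 'conhost.exe' })) {
        $parent = $byPid[[int]$child.ParentProcessId]

        # Caveat: PIDs are reused. A "parent" created after its child is a reused
        # PID, not the process that actually launched this conhost.
        $stale = ($null -ne $parent) -and ($parent.CreationDate -gt $child.CreationDate)

        $name = '<exited or PID reused>'
        $path = $null
        $sig  = $null
        if ($parent -and -not $stale) {
            $name = $parent.Name
            $path = $parent.ExecutablePath          # null for some protected/system processes
            if ($path -and (Test-Path -LiteralPath $path)) {
                # Anything unsigned, or living under a user-writable directory, is
                # the one worth a closer look.
                $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
            }
        }

        [pscustomobject]@{
            ConhostPid   = $child.ProcessId
            SessionId    = $child.SessionId
            ParentPid    = $child.ParentProcessId
            ParentName   = $name
            ParentPath   = $path
            ParentSigned = $sig
        }
    }
}

function Get-WinlogonInstances {
    # One winlogon.exe per interactive session is normal; several in the same
    # session, or many sessions after a plain shutdown, is what prompted this thread.
    Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'" |
        Select-Object ProcessId, SessionId, ExecutablePath, CreationDate |
        Sort-Object SessionId, CreationDate
}

Get-ConhostParents     | Format-Table -AutoSize
Get-WinlogonInstances  | Format-Table -AutoSize
```

In the poster's case this would print wlanext.exe, two nvstreamsvc.exe and GWIdlMon.exe as parents with their System32, NVIDIA and GlassWire paths, each with a Valid signature status, which is the benign outcome; a parent with a path under %TEMP% or %APPDATA% and a NotSigned status would be the opposite.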


----------



## andrewoman (Feb 5, 2015)

C:\Windows\System32\wlanext.exe - PID 1528

C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe - PID 2148
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe - PID 2884
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe - PID 3052

C:\Program Files (x86)\GlassWire - PID 2872


----------



## BrianDrab (Oct 22, 2014)

And there you have it. 


So basically GlassWire, and your NVidia Card. I believe GlassWire is utilizing Microsoft's wireless framework which is why you are seeing wlanext.exe.


At least you can put that to bed now.


Is there anything else I can assist you with? Are you satisfied?


Thank you.


----------



## andrewoman (Feb 5, 2015)

I am very satisfied. Thank you very much for your thoroughness and expertise. 

One last question. Advice on how to monitor your network, for safety reasons? Software you would recommend, perhaps. 
Online classes? 

Thank you very much for your help!


----------



## BrianDrab (Oct 22, 2014)

> One last question. Advice on how to monitor your network, for safety reasons? Software you would recommend, perhaps.
> Online classes?


Unfortunately I wouldn't be the best person to ask in regards to that. You would get a better answer on that question in either the Security forum or Networking forum. My specialty is really in malware removal.


----------



## andrewoman (Feb 5, 2015)

Thank you very much for your help!!!!!!!!!!!


----------

