• Welcome Guest, to the Spybot Forums! It's 2025, and we just upgraded our forum software.

    Today is Safer Internet Day, and with our new forum, you can finally use passkeys to login. That was about time!

    Of course, you could ask if a forum is still useful, with so many social media networks out there where you might already have an account, and met a lot of users. You can now use your login from some of those networks to log in here. And by posting here, your question and data is stored on our servers and not automatically shared with a whole social media network.

    We'll also start using the forum for small bits of information, announcements and more again.

Downloaded an exe: Firefox starts with non-home pages

Status
Not open for further replies.
C

Chris Haslam

New member
I downloaded and ran an exe, expecting to get a user manual. Instead, FileFinder icon appeared on my desktop. Also when I run Firefox, for which I normally have no home page, I see a variety of home pages, including tech-connect.biz, ww.reimageiplus.com and winhugebonus.com. On one Firefox startup, I was asked to call a 1 844 number to have someone fix the problem: sounds like Ransomeware to me.

I am able to run Firefox OK. The chances of my clicking on the malicious home page are few.

Is my PC compromised, and if so how?

I am running Win 7 SP1 with all important updates and SS&D 2.4.40.0 Professional. I don't use Outlook, and I store passwords on a USB stick that is plugged in only when needed (which is seldom).

If it is compromised, how should I proceed?
 
Doesn't sound like Ransomeware.


Please back up your registry!

Backup the Registry:
Credit: Dakeyras

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download the installer for Registry Backup from here or here and save to your desktop.
  • Right-click on tweaking.com_registry_backup_setup.exe and select Run as Administrator >> Follow the prompts for a default installation
  • Ensure the option Open "Tweaking.com - Registry Backup" When Install Completes is selected >> Next > >> Finish
  • Once the GUI(graphical user interface) has appeared/loaded:-
TCRB-1.jpg


  • Click on Backup Now >> once the process is complete the below will be displayed in the GUI:-
TBRB-2.jpg


  • Close Tweaking.com - Registry Backup
Note: There will now be a folder at the root of the Hard-Drive named C:\RegBackup, do not delete this as it is the actual backup just created.

A tutorial for Registry Backup explaining the various features be viewed HERE


``````````````````````````````````````````````````````
Instruction for producing the Farbar Recovery Scan Tool (FRST) and aswMBR logs

Farbar Log

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note:
You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

(A simple way to check your system: Start --> Computer (right click) --> Properties
How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Please make sure All Users is checked

  • Do not check
    *List BCD
    *Drivers MD5
    *Shortcut txt
Or your logs will be too long to post.


  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please don't run the Farbar Recovery Scan Tool (FRST.txt) from your "Downloads" folder or from "Temporary Internet Files"
  • Please copy and paste log into your topic.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please attach that along with the FRST.txt into your reply.


aswMBR Log

Important! Please do NOT perform any fix options offered in aswMBR, we just need to see the report.

Please download aswMBR to your desktop.


  • Double click the aswMBR icon to run it.
  • If a prompt stating: The computer supports "Virtualization Technology" appears select Yes
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your reply with the Farbar (FRST) log.
 
Additional info: I tried to uninstall FileFinder from the Control Panel. It did not uninstall. When I tried again, it told me to wait for the first uninstall to complete.

Here is FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-08-2016
Ran by Chris (administrator) on MOLLY (31-08-2016 14:55:35)
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
(Dassault Systèmes) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe
( ) C:\Program Files\HP\HP UT\bin\hppusg.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
() F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
() F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
() F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
() F:\Program Files\Microsoft Office\Office\OSA.EXE
(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
(Avanquest Software) F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Acronis) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Foxit Corporation) C:\Users\Chris\AppData\Roaming\Foxit Software\Addon\Foxit Reader\FoxitReaderUpdater.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [5995152 2012-10-28] (Realtek Semiconductor)
HKLM\...\Run: [IndexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [46952 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [30568 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [QuickFinder Scheduler] => f:\Program Files\Corel\WordPerfect Office X6\Programs\QFSCHD160.EXE [155592 2012-10-31] (Corel Corporation)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [36864 2007-05-03] ( )
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [150208 2014-04-20] (IvoSoft)
HKLM\...\Run: [SDTray] => F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [TrueImageMonitor.exe] => C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [5343664 2015-07-20] (Acronis)
HKLM\...\Run: [AcronisTibMounterMonitor] => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [691056 2015-07-20] (Acronis International GmbH)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [408872 2014-08-14] (Acronis)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [PDHookServer] => F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe [60416 2012-12-14] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [LMab1err] => F:\Program Files\Lexmark\ErrorApp\lmab1err.exe [645296 2012-08-07] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [Spybot-S&D Cleaning] => F:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-18\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
AppInit_DLLs: C:\Windows\system32\FileMonitor32.dll => C:\Windows\system32\FileMonitor32.dll [107520 2012-12-14] ()
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-06] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk [2013-10-28]
ShortcutTarget: Microsoft Find Fast.lnk -> F:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk [2013-10-28]
ShortcutTarget: Office Startup.lnk -> F:\Program Files\Microsoft Office\Office\OSA.EXE ()
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dialog Helper.lnk [2013-10-25]
ShortcutTarget: Dialog Helper.lnk -> F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe (Avanquest Software)
BootExecute: autocheck autochk * sdnclean.exe
GroupPolicyScripts: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
AutoConfigURL: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
Tcpip\..\Interfaces\{61A2128C-D99C-413E-B4E8-292F8A12B08D}: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
ManualProxies: 0hxxp://stoppblock.biz/wpad.dat?ea35fd3ae550deddb0663b33cdfe130215396243

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-21] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-21] (Oracle Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc.)

FireFox:
========
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2015-03-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-21] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Extension: (Print Edit) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\extensions\printedit@DW-dev.xpi [2016-08-30]
FF Extension: (Adblock Plus) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-30]
FF HKLM\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: (SmartPrintButton) - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [not signed]
StartMenuInternet: FIREFOX.EXE - F:\Program Files\Mozilla Firefox\firefox.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [859456 2014-08-14] (Acronis)
R2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3996664 2015-07-31] (Acronis)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [277616 2012-12-14] (Intel Corporation)
R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [95232 2015-01-14] (Dassault Systèmes) [File not signed]
S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe [1074480 2015-03-01] (Flexera Software LLC)
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel(R) Corporation)
S3 iumsvc; C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RapportMgmtService; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2255128 2015-08-04] (IBM Corp.)
R2 SDScannerService; F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1740760 2014-09-03] (Safer-Networking Ltd.)
R2 SDUpdateService; F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 syncagentsrv; C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe [6847712 2014-09-13] (Acronis)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2009-07-13] (Microsoft Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [214304 2015-03-25] (Acronis International GmbH)
R3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [9344 2006-04-04] (Hewlett Packard) [File not signed]
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [15680 2012-05-20] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [350016 2012-05-20] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [793920 2012-05-20] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation)
R1 RapportCerberus_1507065; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_1507065.sys [555000 2015-09-01] (IBM Corp.)
R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [292280 2015-08-04] (IBM Corp.)
R0 RapportHades; C:\Windows\System32\Drivers\RapportHades.sys [70168 2015-08-04] (IBM Corp.)
R0 RapportKELL; C:\Windows\System32\Drivers\RapportKELL.sys [223000 2015-08-04] (IBM Corp.)
R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [349816 2015-08-04] (IBM Corp.)
R1 SDHookDriver; F:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys [46336 2014-04-25] ()
R2 tib; C:\Windows\System32\DRIVERS\tib.sys [685160 2015-07-31] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [184136 2015-07-31] (Acronis International GmbH)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-31 14:55 - 2016-08-31 14:55 - 00016829 _____ C:\Users\Chris\Desktop\FRST.txt
2016-08-31 14:53 - 2016-08-31 14:55 - 00000000 ____D C:\FRST
2016-08-31 14:52 - 2016-08-31 14:52 - 01747968 _____ (Farbar) C:\Users\Chris\Desktop\FRST.exe
2016-08-31 12:38 - 2016-08-31 12:38 - 00000207 _____ C:\Windows\tweaking.com-regbackup-MOLLY-Windows-7-Professional-(32-bit).dat
2016-08-31 12:38 - 2016-08-31 12:38 - 00000000 ____D C:\RegBackup
2016-08-31 12:37 - 2016-08-31 12:37 - 00002189 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\Program Files\Tweaking.com
2016-08-31 12:34 - 2016-08-31 12:37 - 00018956 _____ C:\Windows\Tweaking.com - Registry Backup Setup Log.txt
2016-08-31 12:32 - 2016-08-31 12:32 - 05575304 _____ (Tweaking.com) C:\Users\Chris\Desktop\tweaking.com_registry_backup_setup.exe
2016-08-30 12:40 - 2016-08-30 12:40 - 00000000 ____D C:\Users\Chris\Desktop\Old Firefox Data
2016-08-30 12:12 - 2016-08-30 12:12 - 00000997 _____ C:\Users\Chris\Desktop\FileFinder.lnk
2016-08-30 12:12 - 2016-08-30 12:12 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\FileFinder
2016-08-30 12:12 - 2016-08-30 12:12 - 00000000 ____D C:\ProgramData\FileFinder
2016-08-30 12:12 - 2016-08-30 12:12 - 00000000 ____D C:\Program Files\FileFinder
2016-08-30 12:11 - 2016-08-30 12:12 - 00000000 ____D C:\ProgramData\yes
2016-08-25 21:50 - 2016-08-25 21:50 - 00000000 _____ C:\Windows\Textart.INI
2016-08-19 07:03 - 2016-07-08 11:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-08-10 16:00 - 2016-08-02 10:08 - 00346312 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-08-10 16:00 - 2016-08-02 02:03 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-08-10 16:00 - 2016-08-02 02:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-08-10 16:00 - 2016-08-02 01:54 - 20343808 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-08-10 16:00 - 2016-08-02 01:51 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-08-10 16:00 - 2016-08-02 01:50 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-08-10 16:00 - 2016-08-02 01:47 - 02286592 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-08-10 16:00 - 2016-08-02 01:45 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-08-10 16:00 - 2016-08-02 01:44 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-08-10 16:00 - 2016-08-02 01:42 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-08-10 16:00 - 2016-08-02 01:41 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-08-10 16:00 - 2016-08-02 01:36 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-08-10 16:00 - 2016-08-02 01:33 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-08-10 16:00 - 2016-08-02 01:29 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-08-10 16:00 - 2016-08-02 01:28 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-08-10 16:00 - 2016-08-02 01:26 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-08-10 16:00 - 2016-08-02 01:25 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-08-10 16:00 - 2016-08-02 01:24 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-08-10 16:00 - 2016-08-02 01:22 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-08-10 16:00 - 2016-08-02 01:21 - 04608000 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-08-10 16:00 - 2016-08-02 01:16 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-08-10 16:00 - 2016-08-02 01:15 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-08-10 16:00 - 2016-08-02 01:14 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-08-10 16:00 - 2016-08-02 01:11 - 13808128 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-08-10 16:00 - 2016-08-02 00:56 - 02393088 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-08-10 16:00 - 2016-08-02 00:53 - 01316352 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-08-10 16:00 - 2016-08-02 00:51 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-08-10 16:00 - 2016-07-08 11:22 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-08-10 16:00 - 2016-07-08 11:22 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-08-10 16:00 - 2016-07-08 11:16 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00260608 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00251392 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-08-10 16:00 - 2016-07-08 10:55 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-08-10 16:00 - 2016-07-08 10:53 - 02399232 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-08-10 16:00 - 2016-07-08 10:50 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-08-10 16:00 - 2016-07-08 10:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-08-10 16:00 - 2016-07-08 10:50 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-08-31 14:52 - 1997-07-11 00:00 - 00021310 ____H C:\Windows\system32\FFASTLOG.TXT
2016-08-31 14:15 - 2013-10-11 22:28 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-31 14:06 - 2009-07-14 00:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-08-31 13:59 - 2016-03-15 11:37 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-31 13:48 - 2013-11-25 10:56 - 00000000 ____D C:\Users\Chris\AppData\Roaming\ClassicShell
2016-08-31 11:59 - 2013-11-03 15:00 - 00000000 ____D C:\Users\Chris\AppData\Local\CutePDF Writer
2016-08-31 11:58 - 2013-10-22 18:58 - 00000000 ____D C:\Users\Chris\AppData\Local\CrashDumps
2016-08-31 10:58 - 2010-11-20 17:01 - 00795074 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-31 10:58 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\inf
2016-08-31 10:57 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-31 10:57 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-31 10:51 - 2013-10-11 22:28 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-31 10:51 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-30 13:17 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160831-123042.backup
2016-08-30 12:12 - 2013-10-24 14:36 - 00001060 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-08-30 12:12 - 2013-10-24 14:36 - 00001060 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-08-30 12:12 - 2013-10-11 20:27 - 00001511 _____ C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-08-27 11:07 - 2013-10-24 14:36 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-08-25 23:01 - 2016-04-03 23:32 - 00013068 _____ C:\Users\Chris\Documents\PDF_Log.txt
2016-08-24 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160830-131752.backup
2016-08-20 15:35 - 2014-02-01 01:20 - 00000000 ____D C:\Users\Chris\AppData\Roaming\HpUpdate
2016-08-19 08:00 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2016-08-17 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160824-123043.backup
2016-08-10 16:13 - 2009-07-14 00:33 - 00545640 _____ C:\Windows\system32\FNTCACHE.DAT
2016-08-10 16:04 - 2013-10-12 16:40 - 00000000 ____D C:\Windows\system32\MRT
2016-08-10 16:01 - 2013-10-12 16:40 - 144884648 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-08-10 14:34 - 2013-11-17 23:41 - 00000000 ____D C:\Users\Chris\Documents\My Scans
2016-08-10 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160817-123042.backup
2016-08-03 12:30 - 2009-07-13 22:04 - 00453276 ____R C:\Windows\system32\Drivers\etc\hosts.20160810-123044.backup

==================== Files in the root of some directories =======

2015-08-01 10:23 - 2015-08-01 10:23 - 0000059 _____ () C:\Users\Chris\AppData\Roaming\StringRegExpGUIPattern.dat
2013-11-17 23:27 - 2013-11-17 23:27 - 0000093 _____ () C:\Users\Chris\AppData\Local\fusioncache.dat
2013-10-23 09:20 - 2015-09-19 10:24 - 0007607 _____ () C:\Users\Chris\AppData\Local\resmon.resmoncfg
2013-11-17 22:48 - 2015-05-25 11:35 - 0001453 _____ () C:\ProgramData\hpzinstall.log

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-08-26 00:48

==================== End of FRST.txt ============================

Here is Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (31-08-2016 14:55:56)
Running from C:\Users\Chris\Desktop
Microsoft Windows 7 Professional Service Pack 1 (X86) (2013-10-12 00:27:21)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4166634823-2150066620-1418166359-500 - Administrator - Disabled)
ASPNET (S-1-5-21-4166634823-2150066620-1418166359-1023 - Limited - Enabled)
Chris (S-1-5-21-4166634823-2150066620-1418166359-1000 - Administrator - Enabled) => C:\Users\Chris
Guest (S-1-5-21-4166634823-2150066620-1418166359-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-4166634823-2150066620-1418166359-1007 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Spybot - Search and Destroy (Enabled - Up to date) {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
Acronis True Image 2015 (HKLM\...\{35CFA5F4-EE2D-4B13-AAED-BC643B6874B5}Visible) (Version: 18.0.6613 - Acronis)
Acronis True Image 2015 (Version: 18.0.6613 - Acronis) Hidden
Adobe Flash Player 22 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Autodesk DWG TrueView 2016 - English (HKLM\...\DWG TrueView 2016 - English) (Version: 20.1.49.0 - Autodesk)
AutoIt Debugger 0.47.0 (HKLM\...\AutoIt Debugger) (Version: 0.47.0 - Essential Software)
AutoIt v3.3.14.0 (HKLM\...\AutoItv3) (Version: 3.3.14.0 - AutoIt Team)
AutoIt v3.3.15.0 (Beta) (HKLM\...\AutoItv3beta) (Version: 3.3.15.0 - AutoIt Team)
BabaCAD (HKLM\...\{FF8C8DDD-70E5-493E-92B6-296334F0601B}) (Version: 1.3.4 - BabaCAD)
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Classic Shell (HKLM\...\{E0E49E80-19DE-43FE-BFF2-8C58DDF3C7F9}) (Version: 4.1.0 - IvoSoft)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
CuteFTP (HKLM\...\CuteFTP) (Version: - )
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
DraftSight 2015 SP1 (HKLM\...\{FA2DA057-6711-4830-9D29-8F7C9BA77BAD}) (Version: 13.1.1091 - Dassault Systemes)
DWG TrueView 2016 - English (Version: 20.1.49.0 - Autodesk) Hidden
eMachineShop version 1.910 (HKLM\...\eMachineShop_is1) (Version: 1.910 - )
Expresso (HKLM\...\{81A1B78B-69B5-4F71-950D-598FA62FCB73}) (Version: 3.0.4750 - Ultrapico) <==== ATTENTION
FileFinder (HKLM\...\FileFinder) (Version: 1.0.1 - Webitar Production Inc.)
Fine Homebuilding Archive 2011 (HKLM\...\{FC3523BB-134E-494C-957F-53DD2651A0ED}) (Version: 1.3.0000 - )
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 7.3.4.311 - Foxit Software Inc.)
GoldWave v5.70 (HKLM\...\GoldWave v5.70) (Version: 5.70 - GoldWave Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP LaserJet 3050/3052/3055/3390/3392 4.0 (HKLM\...\HP LaserJet 3050/3052/3055/3390/3392) (Version: 4.0 - HP)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
hpp3390usg (Version: 000.105.00099 - Hewlett-Packard) Hidden
hppfaxdrv3390 (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppFaxUtility (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppFonts (Version: 001.001.00056 - Hewlett-Packard) Hidden
hppIOFiles (Version: 002.000.00030 - Hewlett-Packard) Hidden
hppLJ3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppManuals3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppscan3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppScanTo (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppSendFax (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppTooCool (Version: 003.000.00004 - Hewlett-Packard) Hidden
hppToolBoxFX (Version: 001.006.00099 - Hewlett-Packard) Hidden
hpzTLBXFX (Version: 002.005.00191 - Hewlett-Packard) Hidden
Intel(R) Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel(R) Update Manager (HKLM\...\{B991A1BC-DE0F-41B3-9037-B2F948F706EC}) (Version: 3.1.1228 - Intel Corporation)
Intel® SSD Toolbox (HKLM\...\{06D085C8-1F00-11B2-96A7-8f0CE39193ED}) (Version: 3.3.0.400 - Intel Corporation)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)
MarketResearch (Version: 82.0.174.000 - Hewlett-Packard) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 97, Professional Edition (HKLM\...\Office8.0) (Version: - )
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 48.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 48.0.2 (x86 en-US)) (Version: 48.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 48.0.2.6079 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MyBackup (HKLM\...\ST5UNST #1) (Version: - )
Notepad++ (HKLM\...\Notepad++) (Version: 6.5 - Notepad++ Team)
Nuance PaperPort 12 (HKLM\...\{D08D765A-2191-4210-9711-30FF98806770}) (Version: 12.1.0005 - Nuance Communications, Inc.)
PCRE Toolkit v3 (HKLM\...\PCRE Toolkit_is1) (Version: 3.0.1.13 - GEOSoft Software Development)
Pegasus Mail (HKLM\...\Pegasus Mail) (Version: - David Harris)
Pegasus Mail HTML Renderer 2.4.7.2 (HKLM\...\{A9F5E1E1-1281-4862-90B4-6CF8E6AF83CE}_is1) (Version: - Micha's Midnight Manufacture)
PowerDesk 9 (HKLM\...\{C4E1D1E5-0F67-463D-BD07-A24742AA7469}) (Version: 9.0.0.0 - Avanquest North America Inc.)
Rapport (Version: 3.5.1507.63 - Trusteer) Hidden
Realtek Ethernet Controller Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.65.1025.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6767 - Realtek Semiconductor Corp.)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
SciTE4AutoIt3 15.503.1200.0 (HKLM\...\SciTE4AutoIt3) (Version: 15.503.1200.0 - Jos van der Zande)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
StudioTax 2014 (HKLM\...\{5D8696DC-7DED-48D3-B0D1-8E1BB7F77FB5}) (Version: 10.0.12.1 - BHOK IT Consulting)
StudioTax 2015 (HKLM\...\{10DC0B0F-E7D6-4F37-9CF9-0A76A689AAB0}) (Version: 11.0.8.3 - BHOK IT Consulting)
System Requirements Lab for Intel (HKLM\...\{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}) (Version: 4.5.13.0 - Husdawg, LLC)
TextPad 5 (HKLM\...\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}) (Version: 5.4.0 - Helios)
Trusteer Endpoint Protection (HKLM\...\Rapport_msi) (Version: 3.5.1507.63 - Trusteer)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.5.0 - Tweaking.com)
Visual Basic 5.0 Professional Edition (HKLM\...\VB5) (Version: - )
WebReg (Version: 82.0.173.000 - Hewlett-Packard) Hidden
WordPerfect IFilter 32 bit (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.4 - Corel Corporation)
WordPerfect Office X6 - Common Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Common Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Extras (HKLM\...\{98F94B9C-9FF5-4053-85A6-3D4F3FA3EBA0}) (Version: 1.00.0000 - Corel Corporation)
WordPerfect Office X6 - IPM (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Oxford (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Setup Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - System Files (Version: 15.0 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files English (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WT (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 (HKLM\...\_{26D6D2A4-F08A-4212-86E7-7F1F75033610}) (Version: 16.0.0.428 - Corel Corporation)
WordPerfect Office X6 (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 SDK (HKLM\...\{D57A4C2B-C92F-46BF-9EFE-4EDD49E88628}) (Version: 16.0.0.388 - Corel Corporation)
WordPerfect OfficeReady (HKLM\...\{737D7CA8-D05C-46C7-AFED-A76616E8CA3B}) (Version: 1.0 - Corel Corporation.)
XML Notepad 2007 (HKLM\...\{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}) (Version: 2.3.0.0 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{149DD748-EA85-45A6-93C5-AC50D0260C98}\localserver32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\dwgviewr.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{3faa4380-a399-11cf-a466-00805fe418f6}\InprocServer32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\en-US\dwgviewrficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}\InprocServer32 -> F:\Program Files\TextPad 7\System\shellext32.dll => No File
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{ABECE8A0-FF84-4efb-82AE-9B3181CE097D}\InprocServer32 -> F:\Program Files\TextPad 5\System\shellext32.dll (Helios Software Solutions)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0B6E885F-D349-4707-90FB-E92D8FE6010E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {23E49BE4-48D4-488C-86A5-AB3301C558BF} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => F:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {2F9EC57E-F920-4EF6-88F4-CA3DACFEAD02} - System32\Tasks\Intel_F_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {34A376B9-CFC2-4D4E-ABAC-68FF7C70A27A} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {4FC8919F-9E68-4818-A0E4-32229D69A286} - System32\Tasks\My Alarm003 => F:\Program Files\AutoIt3\Beta\AutoIt3.exe [2015-07-14] (AutoIt Team)
Task: {6B2525DF-EF2A-4C6A-BC96-56F8C04F59CC} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => F:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {71E34AD2-0884-4D08-B0A3-0E3B594D9A40} - System32\Tasks\Intel_C_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {837226FA-8B61-4344-AE73-B12C3D5D016C} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {85C317C4-0E0A-4C2D-8A94-8A096F45988C} - System32\Tasks\Intel_H_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {8F26E44C-8C62-4571-900F-17298ACD9C85} - System32\Tasks\My Alarm002 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {B4A21C92-41B5-4627-B5AB-91DFA73BAA16} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {BFC5DF99-3D59-4D1C-A40A-0632B292EAA6} - System32\Tasks\{82065A16-7231-4FA4-86D6-75CC5D970F17} => C:\QV2\QV2.EXE [1992-11-06] ()
Task: {C388E02D-C331-4983-8D65-0B46CF5AD7EB} - System32\Tasks\Intel_G_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {C848ADF7-CC79-4B99-B9DD-2E6B767B2DD3} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => F:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {D8876630-243E-4D7A-BAF6-7D5C8FA83EC5} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-14] (Adobe Systems Incorporated)
Task: {DE0EB309-7D55-4B4E-B076-ECCFCC1B45DE} - System32\Tasks\My Alarm001 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {E0F480EA-D1ED-4104-9F9C-2E18D75D94EE} - System32\Tasks\My Alarm005 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {E24E5581-902C-4661-ABBB-4834EB96726D} - System32\Tasks\_My Alarm => "F:\AutoIt scripts\MyAlarm schtasks v2_1.au3" [Argument = showIfSoon]
Task: {F8F06101-EB5F-4AE6-A67C-6F598971607F} - System32\Tasks\My Alarm007 => F:\Program Files\AutoIt3\autoit3.exe [2015-07-10] (AutoIt Team)
Task: {FF3BBFFD-5A72-4BDB-B4A3-E2382514770D} - System32\Tasks\My Alarm009 => F:\Program Files\AutoIt3\autoit3.exe [2015-07-10] (AutoIt Team)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"

==================== Loaded Modules (Whitelisted) ==============

2012-12-14 11:50 - 2012-12-14 11:50 - 00107520 _____ () C:\Windows\system32\FileMonitor32.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 00022016 _____ () C:\Windows\system32\docobj.dll
2013-11-03 14:51 - 2013-10-23 16:23 - 00089136 _____ () C:\Windows\System32\cpwmon2k.dll
2013-10-16 13:06 - 2012-08-31 15:01 - 00151552 _____ () C:\Windows\System32\HP1100LM.DLL
2013-10-16 13:08 - 2012-08-31 15:01 - 00069632 _____ () C:\Windows\system32\spool\PRTPROCS\W32X86\HP1100PP.DLL
2014-12-18 16:33 - 2014-05-13 13:04 - 00109400 _____ () F:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-12-18 16:33 - 2014-05-13 13:04 - 00416600 _____ () F:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-07-14 09:49 - 2014-05-13 13:04 - 00167768 _____ () F:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-07-14 09:49 - 2012-08-23 11:38 - 00574840 _____ () F:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-07-14 09:49 - 2012-04-03 17:06 - 00565640 _____ () F:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-12-14 11:51 - 2012-12-14 11:51 - 00011264 _____ () F:\Program Files\Avanquest\PowerDesk\DClickDesktopHook.dll
2014-09-09 10:00 - 2014-09-09 10:00 - 00023576 ____N () C:\Program Files\Acronis\TrueImageHome\ti_managers_proxy_stub.dll
2012-12-14 11:36 - 2012-12-14 11:36 - 00011264 _____ () F:\Program Files\Avanquest\PowerDesk\mxcview.dll
2012-12-14 11:37 - 2012-12-14 11:37 - 00111616 _____ () F:\Program Files\Avanquest\PowerDesk\mxgview.dll
2013-10-29 11:08 - 2000-09-26 07:38 - 00143360 _____ () F:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll
2012-06-18 11:24 - 2012-06-18 11:24 - 00260096 _____ () F:\Program Files\Notepad++\NppShell_05.dll
2013-10-12 00:00 - 2012-11-12 01:34 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 03289088 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_d3f5dc3c\mscorlib.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 02994176 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_8cb17cfd\system.windows.forms.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 02076672 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_eadb1e09\system.xml.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 01929216 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_9009abfc\system.dll
2015-07-20 09:08 - 2015-07-20 09:08 - 00037696 _____ () C:\Program Files\Acronis\TrueImageHome\qt_icontray_ex.dll
2015-07-20 09:08 - 2015-07-20 09:08 - 00034624 _____ () C:\Program Files\Common Files\Acronis\Home\thread_pool.dll
2015-07-20 09:15 - 2015-07-20 09:15 - 00420160 _____ () C:\Program Files\Common Files\Acronis\Home\ulxmlrpcpp.dll
2014-11-27 10:44 - 2014-11-27 10:44 - 00129344 ____N () C:\Program Files\Common Files\Acronis\Home\EXPAT.dll
2012-12-14 11:51 - 2012-12-14 11:51 - 00060416 _____ () F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
2015-03-17 18:01 - 2012-08-07 08:40 - 00645296 ____N () F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
2015-03-17 18:01 - 2012-08-07 08:37 - 00217088 ____N () F:\Program Files\Lexmark\ErrorApp\lmab1err.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 00111376 _____ () F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
1997-07-11 00:00 - 1997-07-11 00:00 - 03782416 _____ () F:\Program Files\Microsoft Office\Office\MSO97.DLL
1997-07-11 00:00 - 1997-07-11 00:00 - 00051984 _____ () F:\Program Files\Microsoft Office\Office\OSA.EXE
2015-07-21 17:02 - 2015-07-21 17:02 - 00557056 _____ () C:\Program Files\Trusteer\Rapport\bin\js32.dll
2013-10-12 00:07 - 2012-06-25 10:41 - 01198912 _____ () C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Classes\.scr: DWGTrueViewScriptFile => C:\Windows\system32\notepad.exe "%1"

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7915 more sites.

IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123simsen.com -> www.123simsen.com

There are 7915 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:04 - 2016-08-31 12:30 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com

There are 15555 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 192.168.0.1 - 135.19.0.18
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: ToolBoxFX => "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{EBDDD846-801E-48AE-B509-66D8B92650F6}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe
FirewallRules: [{26FC5F17-CF91-4358-AF93-570262B89E2C}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe
FirewallRules: [{98D9F9A5-C382-44C4-A820-78DBDDAEE185}] => (Allow) LPort=9100
FirewallRules: [{1F1D3D76-6FAA-499F-AA0B-038BC0B8D6E9}] => (Allow) LPort=427
FirewallRules: [{47E372C1-8768-4A61-A792-8B5D32A9B6B5}] => (Allow) LPort=161
FirewallRules: [{3E46316B-F4D2-42D3-8643-3DCED4413562}] => (Allow) LPort=427
FirewallRules: [{FE8E6E13-0E5E-4E05-B7C9-E8A1CD268090}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{CB74725E-4BDA-4B73-9059-10826BF72770}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [TCP Query User{054A7DAF-2D7E-4FAB-A276-79C5A342F349}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe
FirewallRules: [UDP Query User{AAD756BC-2D04-4728-BD30-1576279EBCC3}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe
FirewallRules: [{54A4E472-29D2-41CB-BADF-9CA40746588F}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{9E7A7DDD-0863-4017-836A-6DB11A0CDB00}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{9C82A641-0877-4AEE-BB08-BE75BE31644B}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{3653838F-07F7-4E0B-A200-119BC5EC4340}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{7ABA8A90-407B-430D-8929-2ADDC6CC53D8}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe
FirewallRules: [{C23F12FF-1779-4FC6-B5F7-25A61FA9D289}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{BFE09928-4791-40DB-B097-CEA2FDF4C003}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{7BEE059F-1A46-4951-8C0A-0E413FA3197F}] => (Allow) D:\Install\x86\InstallGui.exe
FirewallRules: [{4BEC2007-033C-40F2-8E04-EE7D8EF563F3}] => (Allow) D:\Install\x86\InstallGui.exe
FirewallRules: [{3432FBAD-0AF9-4118-8D73-A308AED73D4C}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{5914F22E-8C34-4EE1-BD3A-897141C38232}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{0C576296-EE11-410B-AF66-38D946733123}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{7CE4E130-5164-4971-AB19-58A66555663E}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{6A52C645-0B63-4A90-B661-F728E091C0DD}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{45800C23-03CE-431F-A108-73C806C72CE2}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{2F4F8DFF-6326-425D-8D16-4A87F4A5BB07}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
FirewallRules: [{ECD938F0-FCBA-49A9-8CFA-61A57F920A71}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

24-08-2016 09:46:37 Windows Update
29-08-2016 09:29:36 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/31/2016 11:58:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: ntdll.dll, version: 6.1.7601.23418, time stamp: 0x5708a7a8
Exception code: 0xc015000f
Fault offset: 0x00083c30
Faulting process id: 0xa4c
Faulting application start time: 0x01d203a07ac58913
Faulting application path: f:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: b91b15a7-6f93-11e6-9771-74d02b282604

Error: (08/31/2016 10:52:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/30/2016 12:35:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/30/2016 12:17:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/30/2016 09:36:22 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/29/2016 09:20:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: ntdll.dll, version: 6.1.7601.23418, time stamp: 0x5708a7a8
Exception code: 0xc015000f
Fault offset: 0x00083c30
Faulting process id: 0x3a64
Faulting application start time: 0x01d2025ca3bfe060
Faulting application path: f:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e2392198-6e4f-11e6-973e-74d02b282604

Error: (08/29/2016 11:11:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: ntdll.dll, version: 6.1.7601.23418, time stamp: 0x5708a7a8
Exception code: 0xc015000f
Fault offset: 0x00083c30
Faulting process id: 0x2c0
Faulting application start time: 0x01d2020797cb5326
Faulting application path: f:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: d625a27a-6dfa-11e6-973e-74d02b282604

Error: (08/29/2016 09:27:51 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/28/2016 08:31:18 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (08/27/2016 11:07:51 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.


System errors:
=============
Error: (08/18/2016 11:23:28 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (08/18/2016 11:23:27 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (08/18/2016 11:23:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (08/18/2016 11:19:07 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (08/10/2016 01:41:40 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (08/09/2016 01:26:00 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (08/09/2016 01:25:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (08/09/2016 01:25:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (08/06/2016 05:12:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.

Error: (08/06/2016 05:12:45 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.


CodeIntegrity:
===================================
Date: 2016-08-31 12:33:26.905
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-31 11:06:37.731
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-30 23:31:13.479
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-30 21:59:18.365
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-30 13:02:37.224
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-30 12:33:31.219
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-30 12:23:10.475
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-30 11:52:51.631
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-30 09:51:59.460
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.

Date: 2016-08-29 21:53:38.345
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 40%
Total physical RAM: 3269.51 MB
Available physical RAM: 1952.22 MB
Total Virtual: 6537.34 MB
Available Virtual: 5140.77 MB

==================== Drives ================================

Drive c: (MWin) (Fixed) (Total:60 GB) (Free:28.66 GB) NTFS
Drive f: (MProgs) (Fixed) (Total:50 GB) (Free:39.32 GB) NTFS
Drive g: (MDataH) (Fixed) (Total:20 GB) (Free:11.77 GB) NTFS
Drive h: (MDataC) (Fixed) (Total:20 GB) (Free:10.53 GB) NTFS
Drive x: (KDataH) (Network) (Total:24.41 GB) (Free:18.86 GB)
Drive y: (KProgs) (Network) (Total:8.79 GB) (Free:2.93 GB)
Drive z: (KDataH2) (Network) (Total:488.28 GB) (Free:456.97 GB)

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 223.6 GB) (Disk ID: 92C3177A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=60 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=90 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================

Your instructions say "Please make sure All Users is checked. I did not see such a checkbox.

The log file from aswMBR will be in my next post.
 
Here is the aswMBR log file:

aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2016-08-31 15:38:03
-----------------------------
15:38:03.522 OS Version: Windows 6.1.7601 Service Pack 1
15:38:03.522 Number of processors: 4 586 0x3A09
15:38:03.523 ComputerName: MOLLY UserName: Chris
15:38:05.751 Initialize success
15:38:05.779 VM: initialized successfully
15:38:05.779 VM: Intel CPU BiosDisabled
15:39:46.667 AVAST engine defs: 16083000
15:40:04.388 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:40:04.388 Disk 0 Vendor: INTEL_SSDSC2CW240A3 400i Size: 228936MB BusType: 3
15:40:04.388 Disk 0 MBR read successfully
15:40:04.388 Disk 0 MBR scan
15:40:04.404 Disk 0 Windows 7 default MBR code
15:40:04.404 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:40:04.404 Disk 0 default boot code
15:40:04.404 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 61440 MB offset 206848
15:40:04.404 Disk 0 Partition - 00 0F Extended LBA 92163 MB offset 126035968
15:40:04.404 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 51200 MB offset 126038016
15:40:04.419 Disk 0 Partition - 00 05 Extended 20481 MB offset 230895616
15:40:04.419 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 20480 MB offset 230897664
15:40:04.419 Disk 0 Partition - 00 05 Extended 20481 MB offset 377700352
15:40:04.419 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 20480 MB offset 272842752
15:40:04.435 Disk 0 scanning sectors +314785792
15:40:04.435 Disk 0 scanning C:\Windows\system32\drivers
15:40:07.212 Service scanning
15:40:13.311 Modules scanning
15:40:13.311 Disk 0 trace - called modules:
15:40:13.311 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
15:40:13.311 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8601d030]
15:40:13.311 3 CLASSPNP.SYS[8c24b59e] -> nt!IofCallDriver -> [0x85b55810]
15:40:13.327 5 ACPI.sys[8ba1e3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85979610]
15:40:13.436 AVAST engine scan C:\Windows
15:40:13.811 AVAST engine scan C:\Windows\system32
15:40:17.664 File: C:\Windows\system32\csrsrv.dll **INFECTED** Win32:Aluroot-B [Rtk]
15:41:04.121 AVAST engine scan C:\Windows\system32\drivers
15:41:07.303 AVAST engine scan C:\Users\Chris
15:41:21.562 AVAST engine scan C:\ProgramData
15:41:35.508 Disk 0 statistics 2759980/0/0 @ 44.42 MB/s
15:41:35.524 Scan finished successfully
15:42:02.605 Disk 0 MBR has been saved successfully to "C:\Users\Chris\Desktop\MBR.dat"
15:42:02.605 The log file has been saved successfully to "C:\Users\Chris\Desktop\aswMBR.txt"


BTW when I ran Firefox this time, I got a web page telling me that my PC is infected and inviting me to call a telephone number for help. When I picked SS&D forum from the History, I was invited to play a game, something to do with angels.

Thank you for helping me!
 
I wrote: "BTW when I ran Firefox this time, I got a web page telling me that my PC is infected and inviting me to call a telephone number for help. When I picked SS&D forum from the History, I was invited to play a game, something to do with angels."

Clarification:

BTW when I ran Firefox this time, I got a web page telling me that my PC is infected and inviting me to call a telephone number for help. The only way I found out of it was to restart the PC. After restarting, When I ran Firefox and picked SS&D forum from the History, I was invited to play a game, something to do with angels. I was then able to access the SS&D forum by picking it from the History.
 
Those are scams and at this time avoid clicking on anything.

uninstall FileFinder from the Control Panel. It did not uninstall. When I tried again, it told me to wait for the first uninstall to complete.
Click to expand...
I've located some residue files from this, if your still wanting them removed leave the script as is.

Please uninstall/delete
Expresso (HKLM\...\{81A1B78B-69B5-4F71-950D-598FA62FCB73}) (Version: 3.0.4750 - Ultrapico) <==== ATTENTION
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)

~~~~~~~~~~~~~~
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)


FRSTfix.JPG



start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
AutoConfigURL: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
ManualProxies: 0hxxp://stoppblock.biz/wpad.dat?ea35fd3ae550deddb0663b33cdfe130215396243
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-21] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-21] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2015-03-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-21] (Oracle Corporation)
C:\Users\Chris\Desktop\FileFinder.lnk
C:\ProgramData\FileFinder
C:\Program Files\FileFinder
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}\InprocServer32 -> F:\Program Files\TextPad 7\System\shellext32.dll => No File
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End
Click to expand...

Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~~~~

BY4dvz9.png
AdwCleaner
  • Please download AdwCleaner and save the file to your Desktop.
    In order to use AdwCleaner, you have to agree the Eula:
  • Right-click AdwCleaner.exe and select
    AVOiBNU.jpg
    Run as administrator to run the programme.
  • Follow the prompts.
  • Click
    A49sxPr.png
    Scan.
  • Upon completion, click
    6cyn5v5.png
    Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
  • Click
    MqHawIb.png
    Clean.
  • Follow the prompts and allow your computer to reboot.
  • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Junkware Removal Tool
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

~~~
please post
Fixlog.txt
AdwCleaner[C1].txt
JRT.txt


And btw, 15:40:17.664 File: C:\Windows\system32\csrsrv.dll **INFECTED** Win32:Aluroot-B [Rtk]
is coming back as a false/positive. They fixed it on the antivirus end but not the rootkit scanner.
https://forum.avast.com/index.php?topic=120791.15
 
I ran FRST from desktop icon.

Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (31-08-2016 22:39:38) Run:1
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
AutoConfigURL: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
ManualProxies: 0hxxp://stoppblock.biz/wpad.dat?ea35fd3ae550deddb0663b33cdfe130215396243
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-21] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-21] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2015-03-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-21] (Oracle Corporation)
C:\Users\Chris\Desktop\FileFinder.lnk
C:\ProgramData\FileFinder
C:\Program Files\FileFinder
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}\InprocServer32 -> F:\Program Files\TextPad 7\System\shellext32.dll => No File
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
"HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2 => key not found.
C:\Windows\system32\npDeployJava1.dll => not found.
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.40.2 => key not found.
C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll => not found.
C:\Users\Chris\Desktop\FileFinder.lnk => moved successfully
C:\ProgramData\FileFinder => moved successfully
C:\Program Files\FileFinder => moved successfully
"HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}" => key removed successfully.
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully..
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => Shortcut argument restored successfully
C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully..
C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\Users\Public\Desktop\Mozilla Firefox.lnk => Shortcut argument removed successfully..

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= bitsadmin /reset /allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.



========= End of Reg: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 54827963 B
Java, Flash, Steam htmlcache => 21117 B
Windows/system/drivers => 56817 B
Edge => 0 B
Chrome => 0 B
Firefox => 165875702 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 83391 B
LocalService => 66356 B
NetworkService => 1273300 B
Chris => 434905287 B

RecycleBin => 71907 B
EmptyTemp: => 634.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 22:41:31 ====

I will report on adwCleaner run a bit later.
 
I have run AdwCleaner. It found 7 threats, all in HKLM\Software\Classes. I unchecked VBCore.CSharedString because VBCore is legitimate.

Here is AdwCleaner[C1].txt:

# AdwCleaner v6.010 - Logfile created 31/08/2016 at 23:09:18
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-31.4 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X86)
# Username : Chris - MOLLY
# Running from : C:\Users\Chris\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[!] Key not deleted: HKLM\SOFTWARE\Classes\VBCore.CSharedString
[-] Key deleted: HKLM\SOFTWARE\Classes\CSieveATL.
[-] Key deleted: HKLM\SOFTWARE\Classes\SieveBasDllN.CSieveBasDllN
[-] Key deleted: HKLM\SOFTWARE\Classes\SieveBasDllP.CSieveBasDllP
[-] Key deleted: HKLM\SOFTWARE\Classes\sieveBasExeN.CSieveBasExeN
[-] Key deleted: HKLM\SOFTWARE\Classes\sieveBasExeP.CSieveBasExeP
[-] Key deleted: HKLM\SOFTWARE\Classes\s


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1174 Bytes] - [31/08/2016 23:09:18]
C:\AdwCleaner\AdwCleaner[S0].txt - [1489 Bytes] - [31/08/2016 23:02:11]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1320 Bytes] ##########

I will now run JRT.
 
  • I downloaded JRT
  • I exited SS&D Professional
  • I ran JRT
  • Within a few minutes, it got down to Shortcuts, and was still at Shortcuts after 20 minutes.
  • I exited JRT
  • I then thought hard about what other protection software runs on this PC. It occurred to me that Trusteer Endpoint Protection (TEP) is protection software
  • I stopped TEP
  • I ran JRT again
  • Again JRT got down to Shortcuts, and was still there after 15 minutes. About once per second, the hourglass flashed.
  • I exited JRT

I then looked at Task Manager > Processes to see what else could be conflicting with JRT. I saw that 3 SS&D processes are running: SFFSvc.exe, SDUpdSvc.exe, and SDonAccess.exe. Acronis True Image is on this PC.

~~~~~

Now I see that JRT.txt has been created on the Desktop. (It did not open automatically, per your instructions.)

JRT.txt contains:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Professional x86
Ran by Chris (Administrator) on 2016-08-31 at 23:47:44.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016-09-01 at 0:17:23.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Is this what you expect?
 
Sometimes JRT can be a stinker to run.

Please download the Malwarebytes Anti-Malware setup file to your Desktop.

OR from this location Malwarebytes' Anti-Malware

  • Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
  • On the Dashboard click on Update Now
  • Go to the Setting Tab
  • Under Setting go to Detection and Protection
  • Under PUP and PUM make sure both are set to show Treat Detections as Malware
  • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
  • Then on the Dashboard click on Scan
  • Make sure to select THREAT SCAN
  • Then click on Scan
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs, followed by the first Scan Log.
  • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.
~~~~~~~

For this next tool it's probably going to need you to temporarily disable the same protection software.

What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
The settings I suggest will also show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.

Ensure your external and/or USB drives are inserted during the scan.

Please disable your Antivirus as shown in the following topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


  • Close all opened programs, open your browser and go to the following link: ESET Online Scanner.
  • Click on the SCAN NOW button under ESET Online Scanner.
    • Depending on which browser you are using, you might be prompted to download an executable file.
    • Please save it to your desktop.
    • Right-click on esetonlinescanner_enu.exe and select Run as administrator.
    • If you agree to the Terms of use, select Accept to continue.
  • Please check the following option:
    • Enable detection of potentially unwanted applications
    Click to expand...
  • Select Advanced settings and ensure that the following options are checked:
    • Enable detection of potentially unsafe applications
    • Enable detection of suspicious applications
    • Scan archives
    • Enable Anti-Stealth technology
    Click to expand...
  • Make sure that the following option is NOT checked: => Very important!
    • Clean threats automatically
    Click to expand...
  • Click Scan and the process will now begin. Please do not use your computer while the scan is running.
  • Once the scan is completed, click Copy to clipboard.
  • Open the Start menu and type notepad.exe in the search programs and files box.
  • Press Enter. A blank Notepad page should open, paste the contents inside the window.
  • Save the file as ESETScan.txt.
  • Please copy/paste the contents of ESETScan.txt in your next reply.
  • You can now safely close the program.
    Do not forget to re-activate your Antivirus at this point.

Please post these 2 logs when finished.

How is your computer now?
 
Results of Malwarebytes' Anti-Malware:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2016-09-01
Scan Time: 15:22
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.01.10
Rootkit Database: v2016.08.15.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Chris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 266681
Time Elapsed: 2 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

-------

Eset results will be in my next post.
 
Here is ESETScan.txt:

H:\DL\Cute PDF free printer driver\CuteWriter.zip a variant of

Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of

Win32/Bundled.Toolbar.Ask potentially unsafe application
H:\DL\Cute PDF free printer driver\c\CuteWriter.exe a variant of

Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of

Win32/Bundled.Toolbar.Ask potentially unsafe application
H:\DL\CutePDF Writer 3.0\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially

unsafe application
H:\DL\PDFforge Images2PDF 0_9_2\pdfforge_Images2PDF-0_9_2-setup.exe Win32/OpenCandy

potentially unsafe application
H:\DL\ResHacker\cnet_ResHack_zip.exe a variant of Win32/InstallCore.D potentially

unwanted application
H:\DL\ZoneAlarm Cleanup Utility\clean.exe Win32/Toolbar.Conduit potentially unwanted

application
H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetupWeb_110_780_000.exe

Win32/Toolbar.Conduit potentially unwanted application
H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetup_110_000_054.exe

Win32/Toolbar.Conduit potentially unwanted application,Win32/Toolbar.Montiera.I potentially

unwanted application,a variant of Win32/Toolbar.Escort.A potentially unwanted application,a

variant of Win32/Toolbar.Montiera.A potentially unwanted

application,Win32/Toolbar.Montiera.J potentially unwanted application,a variant of

Win32/Toolbar.Montiera.F potentially unwanted application
H:\DL\ZoneAlarm Firewall Free 110_000_057 Stub\zafwSetupWeb_110_000_057.exe

Win32/Toolbar.Conduit potentially unwanted application
H:\DL\ZoneAlarm Free 110_000_20\zafwSetup_110_000_020.exe Win32/Toolbar.Conduit

potentially unwanted application,Win32/Toolbar.Montiera.I potentially unwanted application,a

variant of Win32/Toolbar.Escort.A potentially unwanted application,a variant of

Win32/Toolbar.Montiera.A potentially unwanted application,Win32/Toolbar.Montiera.J

potentially unwanted application,a variant of Win32/Toolbar.Montiera.F potentially unwanted

application

---------

None of these problems were detected by SS&D 2.4 Pro running once a week, but perhaps the last weekly run was before I downloaded that .exe!

The only difference in my PC that I notice is that Firefax opens to a blank page, which I expect.
 
The only difference in my PC that I notice is that Firefox opens to a blank page, which I expect.
Click to expand...
OK

but perhaps the last weekly run was before I downloaded that .exe!
Click to expand...

What was the name?

~~~~
Let's go over what it found

H:\DL\Cute PDF free printer driver\c\CuteWriter.exe <=a variant of Win32/Bundled.Toolbar.Ask.G
Are the below related to this entry?. If so, I would advise you to uninstall/delete.
CuteFTP (HKLM\...\CuteFTP) (Version: - )
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
~~~~~~~~~~~~~~~~~~~~~

https://www.virustotal.com/en/file/...4600c9ea90c1f3754754ce1c837f57b664d/analysis/
H:\DL\PDFforge Images2PDF 0_9_2\pdfforge_Images2PDF-0_9_2-setup.exe
The above shows signs of infection. I'll leave this up to you to uninstall and delete.

ResHacker
No suspicious behavior reported so far.


The files found by ESET appear to be parts of CheckPoint's ZoneAlarm. You may delete those if you no longer need them.
H:\DL\ZoneAlarm Cleanup Utility\clean.exe
H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetupWeb_110_780_000.exe
H:\DL\ZoneAlarm Firewall Free 110_000_057 Stub\zafwSetupWeb_110_000_057.exe

If you need help with deleting anything let me know.

Are we ready to delete tools and quarantine folders?
 
I have been reading through this thread, and have a few questions:

  • In FRST.txt i notice that there are application errors involving wpwin16.exe (Corel WordPrefect X6) and ntdll.dll. Do you have an idea why? I do know that, in recent months, if I leave an instance of WordPerfect open minimized for 1/2 an hour or so, restoring it to full screen doesn't work. I have to use Task Manager to switch to it, then it shows Not Responding.
  • In the System errors section, I see "The driver detected a controller error on \Device\Harddisk1\DR2". This PC is 3 years old. The only hard drive is an Intel SSD. Is the SSD failing?

You ask "what is the name" of the offending .exe file. Sorry, I don't know.I shift-deleted the file. It got me because I wasn't being as cautious as I usually am; I was concentrating on finding a manual for a heat pump!

On my PC, the subdirectories of the H:\DL directory contain stuff I have downloaded, as downloaded. I have removed all the files that are listed in ESETScan.txt.

Yes, we are ready to delete tools and quarantine folders.
 
Chris Haslam said:
I have been reading through this thread, and have a few questions:

  • In FRST.txt i notice that there are application errors involving wpwin16.exe (Corel WordPrefect X6) and ntdll.dll. Do you have an idea why? I do know that, in recent months, if I leave an instance of WordPerfect open minimized for 1/2 an hour or so, restoring it to full screen doesn't work. I have to use Task Manager to switch to it, then it shows Not Responding.
  • In the System errors section, I see "The driver detected a controller error on \Device\Harddisk1\DR2". This PC is 3 years old. The only hard drive is an Intel SSD. Is the SSD failing?

Yes, we are ready to delete tools and quarantine folders.
Click to expand...
For these errors reported through FRST, don't be alarmed because we see them on most all of the reports that come through.

I did try to do a little research to see what others posted and if any answers were available.
I think the best course of action would be to update drivers.

The chances that ntdll.dll is damaged isn't likely. As it is core Windows files, I'd expect many more problems if it were damaged.
Additionally, Windows has many methods to protect and repair these files - so again, it's unlikely.

Finally, you can "repair" them in several ways (replacing it directly, using sfc.exe, or doing a repair install) - but as this isn't causing you problems - leave it alone.
if it's not causing you problems then I wouldn't worry about it now.
Click to expand...
Windows 7: SFC /SCANNOW Command - System File Checker
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html

You'll need to go to the manufacturer web page for the make and model of your computer. Search for driver updates, if any, then download and install those.
I'd create a restore point first in case it kinda borks your machine.
~~~~
controller error on \Device\Harddisk1\DR2
https://community.spiceworks.com/to...oller-error-which-hdd-is-device-harddisk2-dr2
From this link they kinda point to USB drive, just read over the link, again, if nothing serious is wrong sometimes it's best to just leave things alone.

~~~~~~~~~~~~~~~~~~

DelFix

  • Please download DelFix or from Here and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
  • Activate UAC
  • Remove disinfection tools
  • Click the Run button.
  • -- This will remove the specialized tools we used to disinfect your system.
    Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete    ).
************************************
  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • E8I37RF.png
    CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
  • EG85Vjt.png
    Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • 6YRrgUC.png
    Malwarebytes Anti-Malware Premium (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
  • jv4nhMJ.png
    NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • DgW1XL2.png
    Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
  • j1OLIec.png
    SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • sHjS79L.png
    Unchecky automatically removes checkmarks for bunlded software in programme installers; helping you avoid adware and PUPs.
  • JEP5iWI.png
    Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
~~~

Want to help others? Join the ClassRoom and learn how.
 
Thank you for your advice re application errors and the controller error. I will let sleeping dogs lie!

I have downloaded and run DelFix. I have deleted the leftover logs, files and tools.

Do you recommend that I install all of the software you list? I already run AdBlock. I have just installed WOT.

I did notice in Control Panel > Programs and Features that FileFinder is still on this PC, although its icon is gone from the Desktop. The Publisher shows as Webitar Production Inc. I tried to uninstall it but it is still there. When I tried again, Windows told me to wait until uninstall finished.

I notice that the following files/directories on the C: drive have the name FileFinder:

FileFinder 0 2016-08-30 12:12 d C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\
FileFinder.lnk 1,027 2016-08-30 12:12 a C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\FileFinder\
FileFinder 0 2016-08-30 12:12 d C:\ProgramData\yes\products\
FileFinder 0 2016-08-30 12:12 d C:\Users\All Users\yes\products\

C:\ProgramData\yes\products\ contains uninstall.arc, uninstall.cfg and uninstall.exe. The icon beside uninstall.exe is VPN in white on a green background.

What should I do?

BTW, by looking at the Firefox Download list, I am fairly sure that the file I downloaded is Waterfurnace_Envision_Installation_Manual_downloader.exe. For sure, I was looking for such a manual.
 
Those tips and tricks in preventions, are posted for users to see whats available to help secure their machines.
I think it would be overkill to download all of them and probably bog down the computer.

Ones you might want to think about is
Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI will scan your computer for vulnerable softwarethat is outdated, and automatically find the latest update for you.

**
I did notice in Control Panel > Programs and Features that FileFinder is still on this PC, although its icon is gone from the Desktop. The Publisher shows as Webitar Production Inc. I tried to uninstall it but it is still there. When I tried again, Windows told me to wait until uninstall finished.
Click to expand...
Wonder if it would tell you that if you attempted to remove it in Safe mode?

**
I notice that the following files/directories on the C: drive have the name FileFinder:
Click to expand...
Thats odd because our first run with FRST shows it had been removed.

Couple of things we can do here

Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on FileFinder
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

~~~~

[font=helvetica, sans-serif]Emsisoft Emergency Kit[/font]

[font=helvetica, sans-serif]Please download [/font][font=helvetica, sans-serif]Emsisoft Emergency Kit[/font][font=helvetica, sans-serif] and save it to your desktop.
Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop.
  • Leave all settings as they are and click the Extract button at the bottom.
  • A folder named EEK will be created in the root of the drive (usually c:\).[/font]
  • [font=helvetica, sans-serif]After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.[/font]
  • [font=helvetica, sans-serif]The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates.
  • Please click Yes so that it downloads the latest database updates.[/font]
  • [font=helvetica, sans-serif]When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.[/font]
  • [font=helvetica, sans-serif]Click on Scan to be taken to the scan options.
  • If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.[/font]
  • [font=helvetica, sans-serif]Click on the Malware Scan button to start the scan.[/font]
  • [font=helvetica, sans-serif]When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.[/font]
  • [font=helvetica, sans-serif]When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.[/font]
  • [font=helvetica, sans-serif]Please save the log in Notepad on your desktop, and copy it to your next reply.[/font]
  • [font=helvetica, sans-serif]When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.[/font]

~~~

Hate to ask you to download FRST again but we'll check to see if it came out.

xlK5Hdb.png
Farbar Recovery Scan Tool (FRST) Scan
  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-Click FRST.exe / FRST64.exe and select
    AVOiBNU.jpg
    Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
 
Log from EEK:

Emsisoft Emergency Kit - Version 11.9
Last update: 2016-09-05 10:15:27
User account: Molly\Chris
Computer name: MOLLY
OS version: Windows 7x86 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 2016-09-05 10:19:02

Scanned 71247
Found 0

Scan end: 2016-09-05 10:19:23
Scan time: 0:00:21

FRST logs to follow

Instructions for RUF and EEK need updating for the current versions.
 
Status
Not open for further replies.
Back
Top