View Full Version : Downloaded an exe: Firefox starts with non-home pages
Chris Haslam
2016-08-30, 21:15
I downloaded and ran an exe, expecting to get a user manual. Instead, FileFinder icon appeared on my desktop. Also when I run Firefox, for which I normally have no home page, I see a variety of home pages, including tech-connect.biz, ww.reimageiplus.com and winhugebonus.com. On one Firefox startup, I was asked to call a 1 844 number to have someone fix the problem: sounds like Ransomeware to me.
I am able to run Firefox OK. The chances of my clicking on the malicious home page are few.
Is my PC compromised, and if so how?
I am running Win 7 SP1 with all important updates and SS&D 2.4.40.0 Professional. I don't use Outlook, and I store passwords on a USB stick that is plugged in only when needed (which is seldom).
If it is compromised, how should I proceed?
Doesn't sound like Ransomeware.
Please back up your registry!
Backup the Registry:
Credit: Dakeyras
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.
Please download the installer for Registry Backup from here (http://www.bleepingcomputer.com/download/registry-backup/) or here (http://www.tweaking.com/files/setups/tweaking.com_registry_backup_setup.exe) and save to your desktop.
Right-click on tweaking.com_registry_backup_setup.exe and select Run as Administrator >> Follow the prompts for a default installation
Ensure the option Open "Tweaking.com - Registry Backup" When Install Completes is selected >> Next > >> Finish
Once the GUI(graphical user interface) has appeared/loaded:-
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/TCRB-1.jpg
Click on Backup Now >> once the process is complete the below will be displayed in the GUI:-
http://i280.photobucket.com/albums/kk173/Dakeyras_album2/TBRB-2.jpg
Close Tweaking.com - Registry Backup
Note: There will now be a folder at the root of the Hard-Drive named C:\RegBackup, do not delete this as it is the actual backup just created.
A tutorial for Registry Backup explaining the various features be viewed HERE (http://www.malwareremoval.com/forum/viewtopic.php?f=4&t=61325)
``````````````````````````````````````````````````````
Instruction for producing the Farbar Recovery Scan Tool (FRST) and aswMBR logs
Farbar Log
Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.
Note:
You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
(A simple way to check your system: Start --> Computer (right click) --> Properties
How to determine whether a computer is running a 32-bit version or 64-bit version (http://support.microsoft.com/kb/827218)of the Windows operating system
Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
Please make sure All Users is checked
Do not check
*List BCD
*Drivers MD5
*Shortcut txt
Or your logs will be too long to post.
Press Scan button.
It will produce a log called FRST.txt in the same directory the tool is run from.
Please don't run the Farbar Recovery Scan Tool (FRST.txt) from your "Downloads" folder or from "Temporary Internet Files"
Please copy and paste log into your topic.
The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please attach that along with the FRST.txt into your reply.
aswMBR Log
Important! Please do NOT perform any fix options offered in aswMBR, we just need to see the report.
Please download aswMBR (http://public.avast.com/%7Egmerek/aswMBR.exe) to your desktop.
Double click the aswMBR icon to run it.
If a prompt stating: The computer supports "Virtualization Technology" appears select Yes
Click the Scan button to start scan.
If you are asked to update the Avast Virus database please allow it to do so.
When it finishes, press the Save Log button, save the logfile to your desktop and post its contents in your reply with the Farbar (FRST) log.
Chris Haslam
2016-08-31, 22:35
Additional info: I tried to uninstall FileFinder from the Control Panel. It did not uninstall. When I tried again, it told me to wait for the first uninstall to complete.
Here is FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-08-2016
Ran by Chris (administrator) on MOLLY (31-08-2016 14:55:35)
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
(Dassault Systèmes) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe
( ) C:\Program Files\HP\HP UT\bin\hppusg.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
() F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
() F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
() F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
() F:\Program Files\Microsoft Office\Office\OSA.EXE
(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
(Avanquest Software) F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Acronis) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Foxit Corporation) C:\Users\Chris\AppData\Roaming\Foxit Software\Addon\Foxit Reader\FoxitReaderUpdater.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [5995152 2012-10-28] (Realtek Semiconductor)
HKLM\...\Run: [IndexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [46952 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [30568 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [QuickFinder Scheduler] => f:\Program Files\Corel\WordPerfect Office X6\Programs\QFSCHD160.EXE [155592 2012-10-31] (Corel Corporation)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [36864 2007-05-03] ( )
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [150208 2014-04-20] (IvoSoft)
HKLM\...\Run: [SDTray] => F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [TrueImageMonitor.exe] => C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [5343664 2015-07-20] (Acronis)
HKLM\...\Run: [AcronisTibMounterMonitor] => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [691056 2015-07-20] (Acronis International GmbH)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [408872 2014-08-14] (Acronis)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [PDHookServer] => F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe [60416 2012-12-14] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [LMab1err] => F:\Program Files\Lexmark\ErrorApp\lmab1err.exe [645296 2012-08-07] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [Spybot-S&D Cleaning] => F:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-18\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
AppInit_DLLs: C:\Windows\system32\FileMonitor32.dll => C:\Windows\system32\FileMonitor32.dll [107520 2012-12-14] ()
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-06] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk [2013-10-28]
ShortcutTarget: Microsoft Find Fast.lnk -> F:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk [2013-10-28]
ShortcutTarget: Office Startup.lnk -> F:\Program Files\Microsoft Office\Office\OSA.EXE ()
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dialog Helper.lnk [2013-10-25]
ShortcutTarget: Dialog Helper.lnk -> F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe (Avanquest Software)
BootExecute: autocheck autochk * sdnclean.exe
GroupPolicyScripts: Restriction <======= ATTENTION
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
ProxyServer: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
AutoConfigURL: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
Tcpip\..\Interfaces\{61A2128C-D99C-413E-B4E8-292F8A12B08D}: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
ManualProxies: 0hxxp://stoppblock.biz/wpad.dat?ea35fd3ae550deddb0663b33cdfe130215396243
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-21] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-21] (Oracle Corporation)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc.)
FireFox:
========
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2015-03-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-21] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Extension: (Print Edit) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\extensions\printedit@DW-dev.xpi [2016-08-30]
FF Extension: (Adblock Plus) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-30]
FF HKLM\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: (SmartPrintButton) - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [not signed]
StartMenuInternet: FIREFOX.EXE - F:\Program Files\Mozilla Firefox\firefox.exe
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [859456 2014-08-14] (Acronis)
R2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3996664 2015-07-31] (Acronis)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [277616 2012-12-14] (Intel Corporation)
R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [95232 2015-01-14] (Dassault Systèmes) [File not signed]
S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe [1074480 2015-03-01] (Flexera Software LLC)
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel(R) Corporation)
S3 iumsvc; C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RapportMgmtService; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2255128 2015-08-04] (IBM Corp.)
R2 SDScannerService; F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1740760 2014-09-03] (Safer-Networking Ltd.)
R2 SDUpdateService; F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 syncagentsrv; C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe [6847712 2014-09-13] (Acronis)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2009-07-13] (Microsoft Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [214304 2015-03-25] (Acronis International GmbH)
R3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [9344 2006-04-04] (Hewlett Packard) [File not signed]
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [15680 2012-05-20] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [350016 2012-05-20] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [793920 2012-05-20] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation)
R1 RapportCerberus_1507065; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_1507065.sys [555000 2015-09-01] (IBM Corp.)
R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [292280 2015-08-04] (IBM Corp.)
R0 RapportHades; C:\Windows\System32\Drivers\RapportHades.sys [70168 2015-08-04] (IBM Corp.)
R0 RapportKELL; C:\Windows\System32\Drivers\RapportKELL.sys [223000 2015-08-04] (IBM Corp.)
R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [349816 2015-08-04] (IBM Corp.)
R1 SDHookDriver; F:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys [46336 2014-04-25] ()
R2 tib; C:\Windows\System32\DRIVERS\tib.sys [685160 2015-07-31] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [184136 2015-07-31] (Acronis International GmbH)
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-08-31 14:55 - 2016-08-31 14:55 - 00016829 _____ C:\Users\Chris\Desktop\FRST.txt
2016-08-31 14:53 - 2016-08-31 14:55 - 00000000 ____D C:\FRST
2016-08-31 14:52 - 2016-08-31 14:52 - 01747968 _____ (Farbar) C:\Users\Chris\Desktop\FRST.exe
2016-08-31 12:38 - 2016-08-31 12:38 - 00000207 _____ C:\Windows\tweaking.com-regbackup-MOLLY-Windows-7-Professional-(32-bit).dat
2016-08-31 12:38 - 2016-08-31 12:38 - 00000000 ____D C:\RegBackup
2016-08-31 12:37 - 2016-08-31 12:37 - 00002189 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\Program Files\Tweaking.com
2016-08-31 12:34 - 2016-08-31 12:37 - 00018956 _____ C:\Windows\Tweaking.com - Registry Backup Setup Log.txt
2016-08-31 12:32 - 2016-08-31 12:32 - 05575304 _____ (Tweaking.com) C:\Users\Chris\Desktop\tweaking.com_registry_backup_setup.exe
2016-08-30 12:40 - 2016-08-30 12:40 - 00000000 ____D C:\Users\Chris\Desktop\Old Firefox Data
2016-08-30 12:12 - 2016-08-30 12:12 - 00000997 _____ C:\Users\Chris\Desktop\FileFinder.lnk
2016-08-30 12:12 - 2016-08-30 12:12 - 00000000 ____D C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\FileFinder
2016-08-30 12:12 - 2016-08-30 12:12 - 00000000 ____D C:\ProgramData\FileFinder
2016-08-30 12:12 - 2016-08-30 12:12 - 00000000 ____D C:\Program Files\FileFinder
2016-08-30 12:11 - 2016-08-30 12:12 - 00000000 ____D C:\ProgramData\yes
2016-08-25 21:50 - 2016-08-25 21:50 - 00000000 _____ C:\Windows\Textart.INI
2016-08-19 07:03 - 2016-07-08 11:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-08-10 16:00 - 2016-08-02 10:08 - 00346312 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-08-10 16:00 - 2016-08-02 02:03 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-08-10 16:00 - 2016-08-02 02:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-08-10 16:00 - 2016-08-02 01:54 - 20343808 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-08-10 16:00 - 2016-08-02 01:51 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-08-10 16:00 - 2016-08-02 01:50 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-08-10 16:00 - 2016-08-02 01:47 - 02286592 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-08-10 16:00 - 2016-08-02 01:45 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-08-10 16:00 - 2016-08-02 01:44 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-08-10 16:00 - 2016-08-02 01:42 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-08-10 16:00 - 2016-08-02 01:41 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-08-10 16:00 - 2016-08-02 01:36 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-08-10 16:00 - 2016-08-02 01:33 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-08-10 16:00 - 2016-08-02 01:29 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-08-10 16:00 - 2016-08-02 01:28 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-08-10 16:00 - 2016-08-02 01:26 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-08-10 16:00 - 2016-08-02 01:25 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-08-10 16:00 - 2016-08-02 01:24 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-08-10 16:00 - 2016-08-02 01:22 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-08-10 16:00 - 2016-08-02 01:21 - 04608000 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-08-10 16:00 - 2016-08-02 01:16 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-08-10 16:00 - 2016-08-02 01:15 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-08-10 16:00 - 2016-08-02 01:14 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-08-10 16:00 - 2016-08-02 01:11 - 13808128 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-08-10 16:00 - 2016-08-02 00:56 - 02393088 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-08-10 16:00 - 2016-08-02 00:53 - 01316352 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-08-10 16:00 - 2016-08-02 00:51 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-08-10 16:00 - 2016-07-08 11:22 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-08-10 16:00 - 2016-07-08 11:22 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-08-10 16:00 - 2016-07-08 11:16 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00260608 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00251392 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-08-10 16:00 - 2016-07-08 10:55 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-08-10 16:00 - 2016-07-08 10:53 - 02399232 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-08-10 16:00 - 2016-07-08 10:50 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-08-10 16:00 - 2016-07-08 10:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-08-10 16:00 - 2016-07-08 10:50 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-08-31 14:52 - 1997-07-11 00:00 - 00021310 ____H C:\Windows\system32\FFASTLOG.TXT
2016-08-31 14:15 - 2013-10-11 22:28 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-08-31 14:06 - 2009-07-14 00:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-08-31 13:59 - 2016-03-15 11:37 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-08-31 13:48 - 2013-11-25 10:56 - 00000000 ____D C:\Users\Chris\AppData\Roaming\ClassicShell
2016-08-31 11:59 - 2013-11-03 15:00 - 00000000 ____D C:\Users\Chris\AppData\Local\CutePDF Writer
2016-08-31 11:58 - 2013-10-22 18:58 - 00000000 ____D C:\Users\Chris\AppData\Local\CrashDumps
2016-08-31 10:58 - 2010-11-20 17:01 - 00795074 _____ C:\Windows\system32\PerfStringBackup.INI
2016-08-31 10:58 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\inf
2016-08-31 10:57 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-08-31 10:57 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-08-31 10:51 - 2013-10-11 22:28 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-08-31 10:51 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-08-30 13:17 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160831-123042.backup
2016-08-30 12:12 - 2013-10-24 14:36 - 00001060 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-08-30 12:12 - 2013-10-24 14:36 - 00001060 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-08-30 12:12 - 2013-10-11 20:27 - 00001511 _____ C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-08-27 11:07 - 2013-10-24 14:36 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-08-25 23:01 - 2016-04-03 23:32 - 00013068 _____ C:\Users\Chris\Documents\PDF_Log.txt
2016-08-24 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160830-131752.backup
2016-08-20 15:35 - 2014-02-01 01:20 - 00000000 ____D C:\Users\Chris\AppData\Roaming\HpUpdate
2016-08-19 08:00 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2016-08-17 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160824-123043.backup
2016-08-10 16:13 - 2009-07-14 00:33 - 00545640 _____ C:\Windows\system32\FNTCACHE.DAT
2016-08-10 16:04 - 2013-10-12 16:40 - 00000000 ____D C:\Windows\system32\MRT
2016-08-10 16:01 - 2013-10-12 16:40 - 144884648 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-08-10 14:34 - 2013-11-17 23:41 - 00000000 ____D C:\Users\Chris\Documents\My Scans
2016-08-10 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160817-123042.backup
2016-08-03 12:30 - 2009-07-13 22:04 - 00453276 ____R C:\Windows\system32\Drivers\etc\hosts.20160810-123044.backup
==================== Files in the root of some directories =======
2015-08-01 10:23 - 2015-08-01 10:23 - 0000059 _____ () C:\Users\Chris\AppData\Roaming\StringRegExpGUIPattern.dat
2013-11-17 23:27 - 2013-11-17 23:27 - 0000093 _____ () C:\Users\Chris\AppData\Local\fusioncache.dat
2013-10-23 09:20 - 2015-09-19 10:24 - 0007607 _____ () C:\Users\Chris\AppData\Local\resmon.resmoncfg
2013-11-17 22:48 - 2015-05-25 11:35 - 0001453 _____ () C:\ProgramData\hpzinstall.log
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2016-08-26 00:48
==================== End of FRST.txt ============================
Here is Addition.txt:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (31-08-2016 14:55:56)
Running from C:\Users\Chris\Desktop
Microsoft Windows 7 Professional Service Pack 1 (X86) (2013-10-12 00:27:21)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-4166634823-2150066620-1418166359-500 - Administrator - Disabled)
ASPNET (S-1-5-21-4166634823-2150066620-1418166359-1023 - Limited - Enabled)
Chris (S-1-5-21-4166634823-2150066620-1418166359-1000 - Administrator - Enabled) => C:\Users\Chris
Guest (S-1-5-21-4166634823-2150066620-1418166359-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-4166634823-2150066620-1418166359-1007 - Limited - Enabled)
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Spybot - Search and Destroy (Enabled - Up to date) {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
Acronis True Image 2015 (HKLM\...\{35CFA5F4-EE2D-4B13-AAED-BC643B6874B5}Visible) (Version: 18.0.6613 - Acronis)
Acronis True Image 2015 (Version: 18.0.6613 - Acronis) Hidden
Adobe Flash Player 22 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Autodesk DWG TrueView 2016 - English (HKLM\...\DWG TrueView 2016 - English) (Version: 20.1.49.0 - Autodesk)
AutoIt Debugger 0.47.0 (HKLM\...\AutoIt Debugger) (Version: 0.47.0 - Essential Software)
AutoIt v3.3.14.0 (HKLM\...\AutoItv3) (Version: 3.3.14.0 - AutoIt Team)
AutoIt v3.3.15.0 (Beta) (HKLM\...\AutoItv3beta) (Version: 3.3.15.0 - AutoIt Team)
BabaCAD (HKLM\...\{FF8C8DDD-70E5-493E-92B6-296334F0601B}) (Version: 1.3.4 - BabaCAD)
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Classic Shell (HKLM\...\{E0E49E80-19DE-43FE-BFF2-8C58DDF3C7F9}) (Version: 4.1.0 - IvoSoft)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
CuteFTP (HKLM\...\CuteFTP) (Version: - )
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
DraftSight 2015 SP1 (HKLM\...\{FA2DA057-6711-4830-9D29-8F7C9BA77BAD}) (Version: 13.1.1091 - Dassault Systemes)
DWG TrueView 2016 - English (Version: 20.1.49.0 - Autodesk) Hidden
eMachineShop version 1.910 (HKLM\...\eMachineShop_is1) (Version: 1.910 - )
Expresso (HKLM\...\{81A1B78B-69B5-4F71-950D-598FA62FCB73}) (Version: 3.0.4750 - Ultrapico) <==== ATTENTION
FileFinder (HKLM\...\FileFinder) (Version: 1.0.1 - Webitar Production Inc.)
Fine Homebuilding Archive 2011 (HKLM\...\{FC3523BB-134E-494C-957F-53DD2651A0ED}) (Version: 1.3.0000 - )
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 7.3.4.311 - Foxit Software Inc.)
GoldWave v5.70 (HKLM\...\GoldWave v5.70) (Version: 5.70 - GoldWave Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP LaserJet 3050/3052/3055/3390/3392 4.0 (HKLM\...\HP LaserJet 3050/3052/3055/3390/3392) (Version: 4.0 - HP)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
hpp3390usg (Version: 000.105.00099 - Hewlett-Packard) Hidden
hppfaxdrv3390 (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppFaxUtility (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppFonts (Version: 001.001.00056 - Hewlett-Packard) Hidden
hppIOFiles (Version: 002.000.00030 - Hewlett-Packard) Hidden
hppLJ3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppManuals3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppscan3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppScanTo (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppSendFax (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppTooCool (Version: 003.000.00004 - Hewlett-Packard) Hidden
hppToolBoxFX (Version: 001.006.00099 - Hewlett-Packard) Hidden
hpzTLBXFX (Version: 002.005.00191 - Hewlett-Packard) Hidden
Intel(R) Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel(R) Update Manager (HKLM\...\{B991A1BC-DE0F-41B3-9037-B2F948F706EC}) (Version: 3.1.1228 - Intel Corporation)
Intel® SSD Toolbox (HKLM\...\{06D085C8-1F00-11B2-96A7-8f0CE39193ED}) (Version: 3.3.0.400 - Intel Corporation)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)
MarketResearch (Version: 82.0.174.000 - Hewlett-Packard) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 97, Professional Edition (HKLM\...\Office8.0) (Version: - )
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 48.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 48.0.2 (x86 en-US)) (Version: 48.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 48.0.2.6079 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MyBackup (HKLM\...\ST5UNST #1) (Version: - )
Notepad++ (HKLM\...\Notepad++) (Version: 6.5 - Notepad++ Team)
Nuance PaperPort 12 (HKLM\...\{D08D765A-2191-4210-9711-30FF98806770}) (Version: 12.1.0005 - Nuance Communications, Inc.)
PCRE Toolkit v3 (HKLM\...\PCRE Toolkit_is1) (Version: 3.0.1.13 - GEOSoft Software Development)
Pegasus Mail (HKLM\...\Pegasus Mail) (Version: - David Harris)
Pegasus Mail HTML Renderer 2.4.7.2 (HKLM\...\{A9F5E1E1-1281-4862-90B4-6CF8E6AF83CE}_is1) (Version: - Micha's Midnight Manufacture)
PowerDesk 9 (HKLM\...\{C4E1D1E5-0F67-463D-BD07-A24742AA7469}) (Version: 9.0.0.0 - Avanquest North America Inc.)
Rapport (Version: 3.5.1507.63 - Trusteer) Hidden
Realtek Ethernet Controller Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.65.1025.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6767 - Realtek Semiconductor Corp.)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
SciTE4AutoIt3 15.503.1200.0 (HKLM\...\SciTE4AutoIt3) (Version: 15.503.1200.0 - Jos van der Zande)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
StudioTax 2014 (HKLM\...\{5D8696DC-7DED-48D3-B0D1-8E1BB7F77FB5}) (Version: 10.0.12.1 - BHOK IT Consulting)
StudioTax 2015 (HKLM\...\{10DC0B0F-E7D6-4F37-9CF9-0A76A689AAB0}) (Version: 11.0.8.3 - BHOK IT Consulting)
System Requirements Lab for Intel (HKLM\...\{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}) (Version: 4.5.13.0 - Husdawg, LLC)
TextPad 5 (HKLM\...\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}) (Version: 5.4.0 - Helios)
Trusteer Endpoint Protection (HKLM\...\Rapport_msi) (Version: 3.5.1507.63 - Trusteer)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.5.0 - Tweaking.com)
Visual Basic 5.0 Professional Edition (HKLM\...\VB5) (Version: - )
WebReg (Version: 82.0.173.000 - Hewlett-Packard) Hidden
WordPerfect IFilter 32 bit (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.4 - Corel Corporation)
WordPerfect Office X6 - Common Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Common Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Extras (HKLM\...\{98F94B9C-9FF5-4053-85A6-3D4F3FA3EBA0}) (Version: 1.00.0000 - Corel Corporation)
WordPerfect Office X6 - IPM (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Oxford (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Setup Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - System Files (Version: 15.0 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files English (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WT (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 (HKLM\...\_{26D6D2A4-F08A-4212-86E7-7F1F75033610}) (Version: 16.0.0.428 - Corel Corporation)
WordPerfect Office X6 (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 SDK (HKLM\...\{D57A4C2B-C92F-46BF-9EFE-4EDD49E88628}) (Version: 16.0.0.388 - Corel Corporation)
WordPerfect OfficeReady (HKLM\...\{737D7CA8-D05C-46C7-AFED-A76616E8CA3B}) (Version: 1.0 - Corel Corporation.)
XML Notepad 2007 (HKLM\...\{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}) (Version: 2.3.0.0 - Microsoft Corporation)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{149DD748-EA85-45A6-93C5-AC50D0260C98}\localserver32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\dwgviewr.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{3faa4380-a399-11cf-a466-00805fe418f6}\InprocServer32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\en-US\dwgviewrficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}\InprocServer32 -> F:\Program Files\TextPad 7\System\shellext32.dll => No File
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{ABECE8A0-FF84-4efb-82AE-9B3181CE097D}\InprocServer32 -> F:\Program Files\TextPad 5\System\shellext32.dll (Helios Software Solutions)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {0B6E885F-D349-4707-90FB-E92D8FE6010E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {23E49BE4-48D4-488C-86A5-AB3301C558BF} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => F:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {2F9EC57E-F920-4EF6-88F4-CA3DACFEAD02} - System32\Tasks\Intel_F_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {34A376B9-CFC2-4D4E-ABAC-68FF7C70A27A} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {4FC8919F-9E68-4818-A0E4-32229D69A286} - System32\Tasks\My Alarm003 => F:\Program Files\AutoIt3\Beta\AutoIt3.exe [2015-07-14] (AutoIt Team)
Task: {6B2525DF-EF2A-4C6A-BC96-56F8C04F59CC} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => F:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {71E34AD2-0884-4D08-B0A3-0E3B594D9A40} - System32\Tasks\Intel_C_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {837226FA-8B61-4344-AE73-B12C3D5D016C} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {85C317C4-0E0A-4C2D-8A94-8A096F45988C} - System32\Tasks\Intel_H_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {8F26E44C-8C62-4571-900F-17298ACD9C85} - System32\Tasks\My Alarm002 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {B4A21C92-41B5-4627-B5AB-91DFA73BAA16} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {BFC5DF99-3D59-4D1C-A40A-0632B292EAA6} - System32\Tasks\{82065A16-7231-4FA4-86D6-75CC5D970F17} => C:\QV2\QV2.EXE [1992-11-06] ()
Task: {C388E02D-C331-4983-8D65-0B46CF5AD7EB} - System32\Tasks\Intel_G_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {C848ADF7-CC79-4B99-B9DD-2E6B767B2DD3} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => F:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {D8876630-243E-4D7A-BAF6-7D5C8FA83EC5} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-14] (Adobe Systems Incorporated)
Task: {DE0EB309-7D55-4B4E-B076-ECCFCC1B45DE} - System32\Tasks\My Alarm001 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {E0F480EA-D1ED-4104-9F9C-2E18D75D94EE} - System32\Tasks\My Alarm005 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {E24E5581-902C-4661-ABBB-4834EB96726D} - System32\Tasks\_My Alarm => "F:\AutoIt scripts\MyAlarm schtasks v2_1.au3" [Argument = showIfSoon]
Task: {F8F06101-EB5F-4AE6-A67C-6F598971607F} - System32\Tasks\My Alarm007 => F:\Program Files\AutoIt3\autoit3.exe [2015-07-10] (AutoIt Team)
Task: {FF3BBFFD-5A72-4BDB-B4A3-E2382514770D} - System32\Tasks\My Alarm009 => F:\Program Files\AutoIt3\autoit3.exe [2015-07-10] (AutoIt Team)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
==================== Shortcuts =============================
(The entries could be listed to be restored or removed.)
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
==================== Loaded Modules (Whitelisted) ==============
2012-12-14 11:50 - 2012-12-14 11:50 - 00107520 _____ () C:\Windows\system32\FileMonitor32.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 00022016 _____ () C:\Windows\system32\docobj.dll
2013-11-03 14:51 - 2013-10-23 16:23 - 00089136 _____ () C:\Windows\System32\cpwmon2k.dll
2013-10-16 13:06 - 2012-08-31 15:01 - 00151552 _____ () C:\Windows\System32\HP1100LM.DLL
2013-10-16 13:08 - 2012-08-31 15:01 - 00069632 _____ () C:\Windows\system32\spool\PRTPROCS\W32X86\HP1100PP.DLL
2014-12-18 16:33 - 2014-05-13 13:04 - 00109400 _____ () F:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-12-18 16:33 - 2014-05-13 13:04 - 00416600 _____ () F:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-07-14 09:49 - 2014-05-13 13:04 - 00167768 _____ () F:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-07-14 09:49 - 2012-08-23 11:38 - 00574840 _____ () F:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-07-14 09:49 - 2012-04-03 17:06 - 00565640 _____ () F:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-12-14 11:51 - 2012-12-14 11:51 - 00011264 _____ () F:\Program Files\Avanquest\PowerDesk\DClickDesktopHook.dll
2014-09-09 10:00 - 2014-09-09 10:00 - 00023576 ____N () C:\Program Files\Acronis\TrueImageHome\ti_managers_proxy_stub.dll
2012-12-14 11:36 - 2012-12-14 11:36 - 00011264 _____ () F:\Program Files\Avanquest\PowerDesk\mxcview.dll
2012-12-14 11:37 - 2012-12-14 11:37 - 00111616 _____ () F:\Program Files\Avanquest\PowerDesk\mxgview.dll
2013-10-29 11:08 - 2000-09-26 07:38 - 00143360 _____ () F:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll
2012-06-18 11:24 - 2012-06-18 11:24 - 00260096 _____ () F:\Program Files\Notepad++\NppShell_05.dll
2013-10-12 00:00 - 2012-11-12 01:34 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 03289088 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_d3f5dc3c\mscorlib.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 02994176 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_8cb17cfd\system.windows.forms.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 02076672 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_eadb1e09\system.xml.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 01929216 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_9009abfc\system.dll
2015-07-20 09:08 - 2015-07-20 09:08 - 00037696 _____ () C:\Program Files\Acronis\TrueImageHome\qt_icontray_ex.dll
2015-07-20 09:08 - 2015-07-20 09:08 - 00034624 _____ () C:\Program Files\Common Files\Acronis\Home\thread_pool.dll
2015-07-20 09:15 - 2015-07-20 09:15 - 00420160 _____ () C:\Program Files\Common Files\Acronis\Home\ulxmlrpcpp.dll
2014-11-27 10:44 - 2014-11-27 10:44 - 00129344 ____N () C:\Program Files\Common Files\Acronis\Home\EXPAT.dll
2012-12-14 11:51 - 2012-12-14 11:51 - 00060416 _____ () F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
2015-03-17 18:01 - 2012-08-07 08:40 - 00645296 ____N () F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
2015-03-17 18:01 - 2012-08-07 08:37 - 00217088 ____N () F:\Program Files\Lexmark\ErrorApp\lmab1err.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 00111376 _____ () F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
1997-07-11 00:00 - 1997-07-11 00:00 - 03782416 _____ () F:\Program Files\Microsoft Office\Office\MSO97.DLL
1997-07-11 00:00 - 1997-07-11 00:00 - 00051984 _____ () F:\Program Files\Microsoft Office\Office\OSA.EXE
2015-07-21 17:02 - 2015-07-21 17:02 - 00557056 _____ () C:\Program Files\Trusteer\Rapport\bin\js32.dll
2013-10-12 00:07 - 2012-06-25 10:41 - 01198912 _____ () C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Classes\.scr: DWGTrueViewScriptFile => C:\Windows\system32\notepad.exe "%1"
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com
There are 7915 more sites.
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123simsen.com -> www.123simsen.com
There are 7915 more sites.
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 22:04 - 2016-08-31 12:30 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com
There are 15555 more lines.
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 192.168.0.1 - 135.19.0.18
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)
MSCONFIG\startupreg: ToolBoxFX => "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{EBDDD846-801E-48AE-B509-66D8B92650F6}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe
FirewallRules: [{26FC5F17-CF91-4358-AF93-570262B89E2C}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe
FirewallRules: [{98D9F9A5-C382-44C4-A820-78DBDDAEE185}] => (Allow) LPort=9100
FirewallRules: [{1F1D3D76-6FAA-499F-AA0B-038BC0B8D6E9}] => (Allow) LPort=427
FirewallRules: [{47E372C1-8768-4A61-A792-8B5D32A9B6B5}] => (Allow) LPort=161
FirewallRules: [{3E46316B-F4D2-42D3-8643-3DCED4413562}] => (Allow) LPort=427
FirewallRules: [{FE8E6E13-0E5E-4E05-B7C9-E8A1CD268090}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{CB74725E-4BDA-4B73-9059-10826BF72770}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [TCP Query User{054A7DAF-2D7E-4FAB-A276-79C5A342F349}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe
FirewallRules: [UDP Query User{AAD756BC-2D04-4728-BD30-1576279EBCC3}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe
FirewallRules: [{54A4E472-29D2-41CB-BADF-9CA40746588F}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{9E7A7DDD-0863-4017-836A-6DB11A0CDB00}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{9C82A641-0877-4AEE-BB08-BE75BE31644B}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{3653838F-07F7-4E0B-A200-119BC5EC4340}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{7ABA8A90-407B-430D-8929-2ADDC6CC53D8}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe
FirewallRules: [{C23F12FF-1779-4FC6-B5F7-25A61FA9D289}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{BFE09928-4791-40DB-B097-CEA2FDF4C003}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{7BEE059F-1A46-4951-8C0A-0E413FA3197F}] => (Allow) D:\Install\x86\InstallGui.exe
FirewallRules: [{4BEC2007-033C-40F2-8E04-EE7D8EF563F3}] => (Allow) D:\Install\x86\InstallGui.exe
FirewallRules: [{3432FBAD-0AF9-4118-8D73-A308AED73D4C}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{5914F22E-8C34-4EE1-BD3A-897141C38232}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{0C576296-EE11-410B-AF66-38D946733123}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{7CE4E130-5164-4971-AB19-58A66555663E}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{6A52C645-0B63-4A90-B661-F728E091C0DD}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{45800C23-03CE-431F-A108-73C806C72CE2}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{2F4F8DFF-6326-425D-8D16-4A87F4A5BB07}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
FirewallRules: [{ECD938F0-FCBA-49A9-8CFA-61A57F920A71}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
==================== Restore Points =========================
24-08-2016 09:46:37 Windows Update
29-08-2016 09:29:36 Windows Update
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (08/31/2016 11:58:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: ntdll.dll, version: 6.1.7601.23418, time stamp: 0x5708a7a8
Exception code: 0xc015000f
Fault offset: 0x00083c30
Faulting process id: 0xa4c
Faulting application start time: 0x01d203a07ac58913
Faulting application path: f:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: b91b15a7-6f93-11e6-9771-74d02b282604
Error: (08/31/2016 10:52:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (08/30/2016 12:35:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (08/30/2016 12:17:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (08/30/2016 09:36:22 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (08/29/2016 09:20:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: ntdll.dll, version: 6.1.7601.23418, time stamp: 0x5708a7a8
Exception code: 0xc015000f
Fault offset: 0x00083c30
Faulting process id: 0x3a64
Faulting application start time: 0x01d2025ca3bfe060
Faulting application path: f:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: e2392198-6e4f-11e6-973e-74d02b282604
Error: (08/29/2016 11:11:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: wpwin16.exe, version: 16.0.0.427, time stamp: 0x5091e4ef
Faulting module name: ntdll.dll, version: 6.1.7601.23418, time stamp: 0x5708a7a8
Exception code: 0xc015000f
Fault offset: 0x00083c30
Faulting process id: 0x2c0
Faulting application start time: 0x01d2020797cb5326
Faulting application path: f:\Program Files\Corel\WordPerfect Office X6\Programs\wpwin16.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: d625a27a-6dfa-11e6-973e-74d02b282604
Error: (08/29/2016 09:27:51 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (08/28/2016 08:31:18 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (08/27/2016 11:07:51 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
System errors:
=============
Error: (08/18/2016 11:23:28 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
Error: (08/18/2016 11:23:27 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
Error: (08/18/2016 11:23:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
Error: (08/18/2016 11:19:07 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
Error: (08/10/2016 01:41:40 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
Error: (08/09/2016 01:26:00 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
Error: (08/09/2016 01:25:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
Error: (08/09/2016 01:25:59 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.
Error: (08/06/2016 05:12:46 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
Error: (08/06/2016 05:12:45 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR2.
CodeIntegrity:
===================================
Date: 2016-08-31 12:33:26.905
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-31 11:06:37.731
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-30 23:31:13.479
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-30 21:59:18.365
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-30 13:02:37.224
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-30 12:33:31.219
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-30 12:23:10.475
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-30 11:52:51.631
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-30 09:51:59.460
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-08-29 21:53:38.345
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================
Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 40%
Total physical RAM: 3269.51 MB
Available physical RAM: 1952.22 MB
Total Virtual: 6537.34 MB
Available Virtual: 5140.77 MB
==================== Drives ================================
Drive c: (MWin) (Fixed) (Total:60 GB) (Free:28.66 GB) NTFS
Drive f: (MProgs) (Fixed) (Total:50 GB) (Free:39.32 GB) NTFS
Drive g: (MDataH) (Fixed) (Total:20 GB) (Free:11.77 GB) NTFS
Drive h: (MDataC) (Fixed) (Total:20 GB) (Free:10.53 GB) NTFS
Drive x: (KDataH) (Network) (Total:24.41 GB) (Free:18.86 GB)
Drive y: (KProgs) (Network) (Total:8.79 GB) (Free:2.93 GB)
Drive z: (KDataH2) (Network) (Total:488.28 GB) (Free:456.97 GB)
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 223.6 GB) (Disk ID: 92C3177A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=60 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=90 GB) - (Type=OF Extended)
==================== End of Addition.txt ============================
Your instructions say "Please make sure All Users is checked. I did not see such a checkbox.
The log file from aswMBR will be in my next post.
Chris Haslam
2016-08-31, 22:51
Here is the aswMBR log file:
aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2016-08-31 15:38:03
-----------------------------
15:38:03.522 OS Version: Windows 6.1.7601 Service Pack 1
15:38:03.522 Number of processors: 4 586 0x3A09
15:38:03.523 ComputerName: MOLLY UserName: Chris
15:38:05.751 Initialize success
15:38:05.779 VM: initialized successfully
15:38:05.779 VM: Intel CPU BiosDisabled
15:39:46.667 AVAST engine defs: 16083000
15:40:04.388 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:40:04.388 Disk 0 Vendor: INTEL_SSDSC2CW240A3 400i Size: 228936MB BusType: 3
15:40:04.388 Disk 0 MBR read successfully
15:40:04.388 Disk 0 MBR scan
15:40:04.404 Disk 0 Windows 7 default MBR code
15:40:04.404 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:40:04.404 Disk 0 default boot code
15:40:04.404 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 61440 MB offset 206848
15:40:04.404 Disk 0 Partition - 00 0F Extended LBA 92163 MB offset 126035968
15:40:04.404 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 51200 MB offset 126038016
15:40:04.419 Disk 0 Partition - 00 05 Extended 20481 MB offset 230895616
15:40:04.419 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 20480 MB offset 230897664
15:40:04.419 Disk 0 Partition - 00 05 Extended 20481 MB offset 377700352
15:40:04.419 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 20480 MB offset 272842752
15:40:04.435 Disk 0 scanning sectors +314785792
15:40:04.435 Disk 0 scanning C:\Windows\system32\drivers
15:40:07.212 Service scanning
15:40:13.311 Modules scanning
15:40:13.311 Disk 0 trace - called modules:
15:40:13.311 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
15:40:13.311 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8601d030]
15:40:13.311 3 CLASSPNP.SYS[8c24b59e] -> nt!IofCallDriver -> [0x85b55810]
15:40:13.327 5 ACPI.sys[8ba1e3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85979610]
15:40:13.436 AVAST engine scan C:\Windows
15:40:13.811 AVAST engine scan C:\Windows\system32
15:40:17.664 File: C:\Windows\system32\csrsrv.dll **INFECTED** Win32:Aluroot-B [Rtk]
15:41:04.121 AVAST engine scan C:\Windows\system32\drivers
15:41:07.303 AVAST engine scan C:\Users\Chris
15:41:21.562 AVAST engine scan C:\ProgramData
15:41:35.508 Disk 0 statistics 2759980/0/0 @ 44.42 MB/s
15:41:35.524 Scan finished successfully
15:42:02.605 Disk 0 MBR has been saved successfully to "C:\Users\Chris\Desktop\MBR.dat"
15:42:02.605 The log file has been saved successfully to "C:\Users\Chris\Desktop\aswMBR.txt"
BTW when I ran Firefox this time, I got a web page telling me that my PC is infected and inviting me to call a telephone number for help. When I picked SS&D forum from the History, I was invited to play a game, something to do with angels.
Thank you for helping me!
Chris Haslam
2016-08-31, 23:01
I wrote: "BTW when I ran Firefox this time, I got a web page telling me that my PC is infected and inviting me to call a telephone number for help. When I picked SS&D forum from the History, I was invited to play a game, something to do with angels."
Clarification:
BTW when I ran Firefox this time, I got a web page telling me that my PC is infected and inviting me to call a telephone number for help. The only way I found out of it was to restart the PC. After restarting, When I ran Firefox and picked SS&D forum from the History, I was invited to play a game, something to do with angels. I was then able to access the SS&D forum by picking it from the History.
Those are scams and at this time avoid clicking on anything.
uninstall FileFinder from the Control Panel. It did not uninstall. When I tried again, it told me to wait for the first uninstall to complete.
I've located some residue files from this, if your still wanting them removed leave the script as is.
Please uninstall/delete
Expresso (HKLM\...\{81A1B78B-69B5-4F71-950D-598FA62FCB73}) (Version: 3.0.4750 - Ultrapico) <==== ATTENTION
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)
~~~~~~~~~~~~~~
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
AutoConfigURL: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
ManualProxies: 0hxxp://stoppblock.biz/wpad.dat?ea35fd3ae550deddb0663b33cdfe130215396243
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-21] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-21] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2015-03-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-21] (Oracle Corporation)
C:\Users\Chris\Desktop\FileFinder.lnk
C:\ProgramData\FileFinder
C:\Program Files\FileFinder
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}\InprocServer32 -> F:\Program Files\TextPad 7\System\shellext32.dll => No File
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~~~~~
http://i.imgur.com/BY4dvz9.png AdwCleaner
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and save the file to your Desktop.
In order to use AdwCleaner, you have to agree the Eula:
Right-click AdwCleaner.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Follow the prompts.
Click http://i.imgur.com/A49sxPr.png Scan.
Upon completion, click http://i.imgur.com/6cyn5v5.png Logfile. A log (AdwCleaner[S1].txt) will open. Briefly check the log for anything you know to be legitimate.
Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
Click http://i.imgur.com/MqHawIb.png Clean.
Follow the prompts and allow your computer to reboot.
After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
~~~
please post
Fixlog.txt
AdwCleaner[C1].txt
JRT.txt
And btw, 15:40:17.664 File: C:\Windows\system32\csrsrv.dll **INFECTED** Win32:Aluroot-B [Rtk]
is coming back as a false/positive. They fixed it on the antivirus end but not the rootkit scanner.
https://forum.avast.com/index.php?topic=120791.15
Chris Haslam
2016-09-01, 05:49
I ran FRST from desktop icon.
Fixlog.txt:
Fix result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (31-08-2016 22:39:38) Run:1
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
AutoConfigURL: [S-1-5-21-4166634823-2150066620-1418166359-1000] => localhost:21320
ManualProxies: 0hxxp://stoppblock.biz/wpad.dat?ea35fd3ae550deddb0663b33cdfe130215396243
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-21] (Oracle Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-21] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
FF Plugin: @java.com/DTPlugin,version=10.7.2 -> C:\Windows\system32\npDeployJava1.dll [2015-03-18] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-21] (Oracle Corporation)
C:\Users\Chris\Desktop\FileFinder.lnk
C:\ProgramData\FileFinder
C:\Program Files\FileFinder
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}\InprocServer32 -> F:\Program Files\TextPad 7\System\shellext32.dll => No File
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
ShortcutWithArgument: C:\Users\Public\Desktop\Mozilla Firefox.lnk -> F:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> "hxxp://tech-connect.biz/?ssid=1472573513&a=1101982&src=sh&uuid=ecb07899-cd1f-4c4a-aab3-99845e65ff1e,1472573342937"
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: bitsadmin /reset /allusers
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
EmptyTemp:
End
*****************
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\NlaSvc\Parameters\Internet\ManualProxies\\ => value removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => key not found.
"HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2 => key not found.
C:\Windows\system32\npDeployJava1.dll => not found.
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.40.2 => key not found.
C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll => not found.
C:\Users\Chris\Desktop\FileFinder.lnk => moved successfully
C:\ProgramData\FileFinder => moved successfully
C:\Program Files\FileFinder => moved successfully
"HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{8A791F0C-C63C-4EC5-B97F-FBCE74EDBC54}" => key removed successfully.
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully..
C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk => Shortcut argument restored successfully
C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk => Shortcut argument removed successfully..
C:\Users\Chris\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk => Shortcut argument removed successfully..
C:\Users\Public\Desktop\Mozilla Firefox.lnk => Shortcut argument removed successfully..
========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
========= netsh winsock reset all =========
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
========= End of CMD: =========
========= netsh int ipv4 reset =========
Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.
========= End of CMD: =========
========= netsh int ipv6 reset =========
Reseting Interface, OK!
Restart the computer to complete this action.
========= End of CMD: =========
========= bitsadmin /reset /allusers =========
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
0 out of 0 jobs canceled.
========= End of CMD: =========
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
=========== EmptyTemp: ==========
BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 54827963 B
Java, Flash, Steam htmlcache => 21117 B
Windows/system/drivers => 56817 B
Edge => 0 B
Chrome => 0 B
Firefox => 165875702 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 83391 B
LocalService => 66356 B
NetworkService => 1273300 B
Chris => 434905287 B
RecycleBin => 71907 B
EmptyTemp: => 634.7 MB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 22:41:31 ====
I will report on adwCleaner run a bit later.
Chris Haslam
2016-09-01, 05:58
I uninstalled Expresso and Java 8 Update 40 before running FRST.
Chris Haslam
2016-09-01, 06:17
I have run AdwCleaner. It found 7 threats, all in HKLM\Software\Classes. I unchecked VBCore.CSharedString because VBCore is legitimate.
Here is AdwCleaner[C1].txt:
# AdwCleaner v6.010 - Logfile created 31/08/2016 at 23:09:18
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-31.4 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X86)
# Username : Chris - MOLLY
# Running from : C:\Users\Chris\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum
***** [ Services ] *****
***** [ Folders ] *****
***** [ Files ] *****
***** [ DLL ] *****
***** [ WMI ] *****
***** [ Shortcuts ] *****
***** [ Scheduled Tasks ] *****
***** [ Registry ] *****
[!] Key not deleted: HKLM\SOFTWARE\Classes\VBCore.CSharedString
[-] Key deleted: HKLM\SOFTWARE\Classes\CSieveATL.
[-] Key deleted: HKLM\SOFTWARE\Classes\SieveBasDllN.CSieveBasDllN
[-] Key deleted: HKLM\SOFTWARE\Classes\SieveBasDllP.CSieveBasDllP
[-] Key deleted: HKLM\SOFTWARE\Classes\sieveBasExeN.CSieveBasExeN
[-] Key deleted: HKLM\SOFTWARE\Classes\sieveBasExeP.CSieveBasExeP
[-] Key deleted: HKLM\SOFTWARE\Classes\s
***** [ Web browsers ] *****
*************************
:: "Tracing" keys deleted
:: Winsock settings cleared
*************************
C:\AdwCleaner\AdwCleaner[C0].txt - [1174 Bytes] - [31/08/2016 23:09:18]
C:\AdwCleaner\AdwCleaner[S0].txt - [1489 Bytes] - [31/08/2016 23:02:11]
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1320 Bytes] ##########
I will now run JRT.
Chris Haslam
2016-09-01, 07:25
I downloaded JRT
I exited SS&D Professional
I ran JRT
Within a few minutes, it got down to Shortcuts, and was still at Shortcuts after 20 minutes.
I exited JRT
I then thought hard about what other protection software runs on this PC. It occurred to me that Trusteer Endpoint Protection (TEP) is protection software
I stopped TEP
I ran JRT again
Again JRT got down to Shortcuts, and was still there after 15 minutes. About once per second, the hourglass flashed.
I exited JRT
I then looked at Task Manager > Processes to see what else could be conflicting with JRT. I saw that 3 SS&D processes are running: SFFSvc.exe, SDUpdSvc.exe, and SDonAccess.exe. Acronis True Image is on this PC.
~~~~~
Now I see that JRT.txt has been created on the Desktop. (It did not open automatically, per your instructions.)
JRT.txt contains:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Professional x86
Ran by Chris (Administrator) on 2016-08-31 at 23:47:44.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File System: 0
Registry: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 2016-09-01 at 0:17:23.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Is this what you expect?
Chris Haslam
2016-09-01, 07:50
Correction: JRT did finish eventually, with Notepad opening. The log in my previous post is what it produced.
Sometimes JRT can be a stinker to run.
Please download the Malwarebytes Anti-Malware (https://downloads.malwarebytes.org/file/mbam) setup file to your Desktop.
OR from this location Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php)
Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
On the Dashboard click on Update Now
Go to the Setting Tab
Under Setting go to Detection and Protection
Under PUP and PUM make sure both are set to show Treat Detections as Malware
Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
Then on the Dashboard click on Scan
Make sure to select THREAT SCAN
Then click on Scan
Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
Upon completion of the scan (or after the reboot), click the History tab.
Click Application Logs, followed by the first Scan Log.
Click Export, followed by Copy to Clipboard. Paste the log in your next reply.
~~~~~~~
For this next tool it's probably going to need you to temporarily disable the same protection software.
What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
The settings I suggest will also show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.
Ensure your external and/or USB drives are inserted during the scan.
Please disable your Antivirus as shown in the following topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/)
Close all opened programs, open your browser and go to the following link: ESET Online Scanner (http://www.eset.com/us/online-scanner/).
Click on the SCAN NOW button under ESET Online Scanner.
Depending on which browser you are using, you might be prompted to download an executable file.
Please save it to your desktop.
Right-click on esetonlinescanner_enu.exe and select Run as administrator.
If you agree to the Terms of use, select Accept to continue.
Please check the following option:
Enable detection of potentially unwanted applications
Select Advanced settings and ensure that the following options are checked:
Enable detection of potentially unsafe applications
Enable detection of suspicious applications
Scan archives
Enable Anti-Stealth technology
Make sure that the following option is NOT checked: => Very important!
Clean threats automatically
Click Scan and the process will now begin. Please do not use your computer while the scan is running.
Once the scan is completed, click Copy to clipboard.
Open the Start menu and type notepad.exe in the search programs and files box.
Press Enter. A blank Notepad page should open, paste the contents inside the window.
Save the file as ESETScan.txt.
Please copy/paste the contents of ESETScan.txt in your next reply.
You can now safely close the program.
Do not forget to re-activate your Antivirus at this point.
Please post these 2 logs when finished.
How is your computer now?
Chris Haslam
2016-09-01, 22:30
Results of Malwarebytes' Anti-Malware:
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 2016-09-01
Scan Time: 15:22
Logfile:
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.09.01.10
Rootkit Database: v2016.08.15.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Chris
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 266681
Time Elapsed: 2 min, 41 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Registry Values: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
(end)
-------
Eset results will be in my next post.
Chris Haslam
2016-09-01, 23:53
Here is ESETScan.txt:
H:\DL\Cute PDF free printer driver\CuteWriter.zip a variant of
Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of
Win32/Bundled.Toolbar.Ask potentially unsafe application
H:\DL\Cute PDF free printer driver\c\CuteWriter.exe a variant of
Win32/Bundled.Toolbar.Ask.G potentially unsafe application,a variant of
Win32/Bundled.Toolbar.Ask potentially unsafe application
H:\DL\CutePDF Writer 3.0\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially
unsafe application
H:\DL\PDFforge Images2PDF 0_9_2\pdfforge_Images2PDF-0_9_2-setup.exe Win32/OpenCandy
potentially unsafe application
H:\DL\ResHacker\cnet_ResHack_zip.exe a variant of Win32/InstallCore.D potentially
unwanted application
H:\DL\ZoneAlarm Cleanup Utility\clean.exe Win32/Toolbar.Conduit potentially unwanted
application
H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetupWeb_110_780_000.exe
Win32/Toolbar.Conduit potentially unwanted application
H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetup_110_000_054.exe
Win32/Toolbar.Conduit potentially unwanted application,Win32/Toolbar.Montiera.I potentially
unwanted application,a variant of Win32/Toolbar.Escort.A potentially unwanted application,a
variant of Win32/Toolbar.Montiera.A potentially unwanted
application,Win32/Toolbar.Montiera.J potentially unwanted application,a variant of
Win32/Toolbar.Montiera.F potentially unwanted application
H:\DL\ZoneAlarm Firewall Free 110_000_057 Stub\zafwSetupWeb_110_000_057.exe
Win32/Toolbar.Conduit potentially unwanted application
H:\DL\ZoneAlarm Free 110_000_20\zafwSetup_110_000_020.exe Win32/Toolbar.Conduit
potentially unwanted application,Win32/Toolbar.Montiera.I potentially unwanted application,a
variant of Win32/Toolbar.Escort.A potentially unwanted application,a variant of
Win32/Toolbar.Montiera.A potentially unwanted application,Win32/Toolbar.Montiera.J
potentially unwanted application,a variant of Win32/Toolbar.Montiera.F potentially unwanted
application
---------
None of these problems were detected by SS&D 2.4 Pro running once a week, but perhaps the last weekly run was before I downloaded that .exe!
The only difference in my PC that I notice is that Firefax opens to a blank page, which I expect.
The only difference in my PC that I notice is that Firefox opens to a blank page, which I expect.
OK
but perhaps the last weekly run was before I downloaded that .exe!
What was the name?
~~~~
Let's go over what it found
H:\DL\Cute PDF free printer driver\c\CuteWriter.exe <=a variant of Win32/Bundled.Toolbar.Ask.G
Are the below related to this entry?. If so, I would advise you to uninstall/delete.
CuteFTP (HKLM\...\CuteFTP) (Version: - )
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
~~~~~~~~~~~~~~~~~~~~~
https://www.virustotal.com/en/file/6af80c258d88a75fe36bcfeec14144600c9ea90c1f3754754ce1c837f57b664d/analysis/
H:\DL\PDFforge Images2PDF 0_9_2\pdfforge_Images2PDF-0_9_2-setup.exe
The above shows signs of infection. I'll leave this up to you to uninstall and delete.
ResHacker
No suspicious behavior reported so far.
The files found by ESET appear to be parts of CheckPoint's ZoneAlarm. You may delete those if you no longer need them.
H:\DL\ZoneAlarm Cleanup Utility\clean.exe
H:\DL\ZoneAlarm Firewall Free 110_000_054\zafwSetupWeb_110_780_000.exe
H:\DL\ZoneAlarm Firewall Free 110_000_057 Stub\zafwSetupWeb_110_000_057.exe
If you need help with deleting anything let me know.
Are we ready to delete tools and quarantine folders?
Chris Haslam
2016-09-03, 01:43
I have been reading through this thread, and have a few questions:
In FRST.txt i notice that there are application errors involving wpwin16.exe (Corel WordPrefect X6) and ntdll.dll. Do you have an idea why? I do know that, in recent months, if I leave an instance of WordPerfect open minimized for 1/2 an hour or so, restoring it to full screen doesn't work. I have to use Task Manager to switch to it, then it shows Not Responding.
In the System errors section, I see "The driver detected a controller error on \Device\Harddisk1\DR2". This PC is 3 years old. The only hard drive is an Intel SSD. Is the SSD failing?
You ask "what is the name" of the offending .exe file. Sorry, I don't know.I shift-deleted the file. It got me because I wasn't being as cautious as I usually am; I was concentrating on finding a manual for a heat pump!
On my PC, the subdirectories of the H:\DL directory contain stuff I have downloaded, as downloaded. I have removed all the files that are listed in ESETScan.txt.
Yes, we are ready to delete tools and quarantine folders.
I have been reading through this thread, and have a few questions:
In FRST.txt i notice that there are application errors involving wpwin16.exe (Corel WordPrefect X6) and ntdll.dll. Do you have an idea why? I do know that, in recent months, if I leave an instance of WordPerfect open minimized for 1/2 an hour or so, restoring it to full screen doesn't work. I have to use Task Manager to switch to it, then it shows Not Responding.
In the System errors section, I see "The driver detected a controller error on \Device\Harddisk1\DR2". This PC is 3 years old. The only hard drive is an Intel SSD. Is the SSD failing?
Yes, we are ready to delete tools and quarantine folders.
For these errors reported through FRST, don't be alarmed because we see them on most all of the reports that come through.
I did try to do a little research to see what others posted and if any answers were available.
I think the best course of action would be to update drivers.
The chances that ntdll.dll is damaged isn't likely. As it is core Windows files, I'd expect many more problems if it were damaged.
Additionally, Windows has many methods to protect and repair these files - so again, it's unlikely.
Finally, you can "repair" them in several ways (replacing it directly, using sfc.exe, or doing a repair install) - but as this isn't causing you problems - leave it alone.
if it's not causing you problems then I wouldn't worry about it now.
Windows 7: SFC /SCANNOW Command - System File Checker
http://www.sevenforums.com/tutorials/1538-sfc-scannow-command-system-file-checker.html
You'll need to go to the manufacturer web page for the make and model of your computer. Search for driver updates, if any, then download and install those.
I'd create a restore point first in case it kinda borks your machine.
~~~~
controller error on \Device\Harddisk1\DR2
https://community.spiceworks.com/topic/304581-driver-detected-a-controller-error-which-hdd-is-device-harddisk2-dr2
From this link they kinda point to USB drive, just read over the link, again, if nothing serious is wrong sometimes it's best to just leave things alone.
~~~~~~~~~~~~~~~~~~
DelFix
Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
Activate UAC
Remove disinfection tools
Click the Run button.
-- This will remove the specialized tools we used to disinfect your system.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
************************************
Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP
AdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
http://i.imgur.com/E8I37RF.pngCryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
http://i.imgur.com/EG85Vjt.png Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
http://i.imgur.com/6YRrgUC.png Malwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
http://i.imgur.com/jv4nhMJ.png NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
http://i.imgur.com/3O8r9Uq.png (http://www.sandboxie.com/) Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
http://i.imgur.com/DgW1XL2.png Secunia PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
http://i.imgur.com/j1OLIec.png SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
http://i.imgur.com/sHjS79L.png Unchecky (http://unchecky.com/) automatically removes checkmarks for bunlded software in programme installers; helping you avoid adware and PUPs.
http://i.imgur.com/JEP5iWI.png Web of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
~~~
Want to help others? Join the ClassRoom (http://forums.whatthetech.com/What_the_Tech_Classroom_t80368.html) and learn how.
Chris Haslam
2016-09-05, 07:40
Thank you for your advice re application errors and the controller error. I will let sleeping dogs lie!
I have downloaded and run DelFix. I have deleted the leftover logs, files and tools.
Do you recommend that I install all of the software you list? I already run AdBlock. I have just installed WOT.
I did notice in Control Panel > Programs and Features that FileFinder is still on this PC, although its icon is gone from the Desktop. The Publisher shows as Webitar Production Inc. I tried to uninstall it but it is still there. When I tried again, Windows told me to wait until uninstall finished.
I notice that the following files/directories on the C: drive have the name FileFinder:
FileFinder 0 2016-08-30 12:12 d C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\
FileFinder.lnk 1,027 2016-08-30 12:12 a C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\FileFinder\
FileFinder 0 2016-08-30 12:12 d C:\ProgramData\yes\products\
FileFinder 0 2016-08-30 12:12 d C:\Users\All Users\yes\products\
C:\ProgramData\yes\products\ contains uninstall.arc, uninstall.cfg and uninstall.exe. The icon beside uninstall.exe is VPN in white on a green background.
What should I do?
BTW, by looking at the Firefox Download list, I am fairly sure that the file I downloaded is Waterfurnace_Envision_Installation_Manual_downloader.exe. For sure, I was looking for such a manual.
Those tips and tricks in preventions, are posted for users to see whats available to help secure their machines.
I think it would be overkill to download all of them and probably bog down the computer.
Ones you might want to think about is
Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
Secunia PSI will scan your computer for vulnerable softwarethat is outdated, and automatically find the latest update for you.
**
I did notice in Control Panel > Programs and Features that FileFinder is still on this PC, although its icon is gone from the Desktop. The Publisher shows as Webitar Production Inc. I tried to uninstall it but it is still there. When I tried again, Windows told me to wait until uninstall finished.
Wonder if it would tell you that if you attempted to remove it in Safe mode?
**
I notice that the following files/directories on the C: drive have the name FileFinder:
Thats odd because our first run with FRST shows it had been removed.
Couple of things we can do here
Please download and install Revo Uninstaller Free (http://www.revouninstaller.com/)
Double click Revo Uninstaller to run it.
From the list of programs double click on FileFinder
When prompted if you want to uninstall click Yes.
Be sure the Moderate option is selected then click Next.
The program will run, If prompted again click Yes
when the built-in uninstaller is finished click on Next.
Once the program has searched for leftovers click Next.
Check/tick the bolded items only on the list then click Delete
when prompted click on Yes and then on next.
put a check on any folders that are found and select delete
when prompted select yes then on next
Once done click Finish.
~~~~
Emsisoft Emergency Kit
Please download Emsisoft Emergency Kit (http://dl.emsisoft.com/EmsisoftEmergencyKit.exe) and save it to your desktop.
Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop.
Leave all settings as they are and click the Extract button at the bottom.
A folder named EEK will be created in the root of the drive (usually c:\).
After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates.
Please click Yes so that it downloads the latest database updates.
When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
Click on Scan to be taken to the scan options.
If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
Click on the Malware Scan button to start the scan.
When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
Please save the log in Notepad on your desktop, and copy it to your next reply.
When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
~~~
Hate to ask you to download FRST again but we'll check to see if it came out.
http://i.imgur.com/xlK5Hdb.png Farbar Recovery Scan Tool (FRST) Scan
Please download Farbar Recovery Scan Tool (x32) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/) or Farbar Recovery Scan Tool (x64) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save the file to your Desktop.
Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
Right-Click FRST.exe / FRST64.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
Chris Haslam
2016-09-05, 17:23
Log from EEK:
Emsisoft Emergency Kit - Version 11.9
Last update: 2016-09-05 10:15:27
User account: Molly\Chris
Computer name: MOLLY
OS version: Windows 7x86 Service Pack 1
Scan settings:
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
Scan start: 2016-09-05 10:19:02
Scanned 71247
Found 0
Scan end: 2016-09-05 10:19:23
Scan time: 0:00:21
FRST logs to follow
Instructions for RUF and EEK need updating for the current versions.
Chris Haslam
2016-09-05, 17:33
FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-08-2016
Ran by Chris (administrator) on MOLLY (05-09-2016 10:26:18)
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(Dassault Systèmes) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe
( ) C:\Program Files\HP\HP UT\bin\hppusg.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
() F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
() F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\agent.exe
() F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
() F:\Program Files\Microsoft Office\Office\OSA.EXE
(Avanquest Software) F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Acronis) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
() C:\Users\Chris\AppData\Local\Temp\baa3-a1b4-b569-fe48\uninstall.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [5995152 2012-10-28] (Realtek Semiconductor)
HKLM\...\Run: [IndexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [46952 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [30568 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [QuickFinder Scheduler] => f:\Program Files\Corel\WordPerfect Office X6\Programs\QFSCHD160.EXE [155592 2012-10-31] (Corel Corporation)
HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [36864 2007-05-03] ( )
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [150208 2014-04-20] (IvoSoft)
HKLM\...\Run: [SDTray] => F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [TrueImageMonitor.exe] => C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [5343664 2015-07-20] (Acronis)
HKLM\...\Run: [AcronisTibMounterMonitor] => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [691056 2015-07-20] (Acronis International GmbH)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [408872 2014-08-14] (Acronis)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [PDHookServer] => F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe [60416 2012-12-14] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [LMab1err] => F:\Program Files\Lexmark\ErrorApp\lmab1err.exe [645296 2012-08-07] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [Spybot-S&D Cleaning] => F:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-18\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
AppInit_DLLs: C:\Windows\system32\FileMonitor32.dll => C:\Windows\system32\FileMonitor32.dll [107520 2012-12-14] ()
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-06] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk [2013-10-28]
ShortcutTarget: Microsoft Find Fast.lnk -> F:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk [2013-10-28]
ShortcutTarget: Office Startup.lnk -> F:\Program Files\Microsoft Office\Office\OSA.EXE ()
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dialog Helper.lnk [2013-10-25]
ShortcutTarget: Dialog Helper.lnk -> F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe (Avanquest Software)
BootExecute: autocheck autochk * sdnclean.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
Tcpip\..\Interfaces\{61A2128C-D99C-413E-B4E8-292F8A12B08D}: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc.)
FireFox:
========
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Extension: (Print Edit) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\extensions\printedit@DW-dev.xpi [2016-08-30]
FF Extension: (WOT) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2016-09-03]
FF Extension: (Adblock Plus) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-30]
FF HKLM\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: (SmartPrintButton) - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [not signed]
StartMenuInternet: FIREFOX.EXE - F:\Program Files\Mozilla Firefox\firefox.exe
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [859456 2014-08-14] (Acronis)
R2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3996664 2015-07-31] (Acronis)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [277616 2012-12-14] (Intel Corporation)
R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [95232 2015-01-14] (Dassault Systèmes) [File not signed]
S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe [1074480 2015-03-01] (Flexera Software LLC)
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel(R) Corporation)
S3 iumsvc; C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RapportMgmtService; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2255128 2015-08-04] (IBM Corp.)
R2 SDScannerService; F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1740760 2014-09-03] (Safer-Networking Ltd.)
R2 SDUpdateService; F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 syncagentsrv; C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe [6847712 2014-09-13] (Acronis)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2009-07-13] (Microsoft Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [214304 2015-03-25] (Acronis International GmbH)
R3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [9344 2006-04-04] (Hewlett Packard) [File not signed]
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [15680 2012-05-20] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [350016 2012-05-20] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [793920 2012-05-20] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation)
R1 RapportCerberus_1507065; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_1507065.sys [555000 2015-09-01] (IBM Corp.)
R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [292280 2015-08-04] (IBM Corp.)
R0 RapportHades; C:\Windows\System32\Drivers\RapportHades.sys [70168 2015-08-04] (IBM Corp.)
R0 RapportKELL; C:\Windows\System32\Drivers\RapportKELL.sys [223000 2015-08-04] (IBM Corp.)
R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [349816 2015-08-04] (IBM Corp.)
R1 SDHookDriver; F:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys [46336 2014-04-25] ()
R2 tib; C:\Windows\System32\DRIVERS\tib.sys [685160 2015-07-31] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [184136 2015-07-31] (Acronis International GmbH)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-09-05 10:26 - 2016-09-05 10:26 - 00015939 _____ C:\Users\Chris\Desktop\FRST.txt
2016-09-05 10:25 - 2016-09-05 10:26 - 00000000 ____D C:\FRST
2016-09-05 10:24 - 2016-09-05 10:24 - 01747968 _____ (Farbar) C:\Users\Chris\Desktop\FRST.exe
2016-09-05 10:07 - 2016-09-05 10:25 - 00000000 ____D C:\EEK
2016-09-05 09:31 - 2016-09-05 09:32 - 248386808 _____ C:\Users\Chris\Desktop\EmsisoftEmergencyKit.exe
2016-09-05 09:16 - 2016-09-05 09:16 - 00001238 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\Users\Chris\AppData\Local\VS Revo Group
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\ProgramData\VS Revo Group
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\Program Files\VS Revo Group
2016-09-05 09:16 - 2009-12-30 11:21 - 00027192 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2016-09-05 09:14 - 2016-09-05 09:14 - 11374528 _____ (VS Revo Group ) C:\Users\Chris\Desktop\RevoUninProSetup.exe
2016-09-03 22:18 - 2016-09-03 22:18 - 00000836 _____ C:\DelFix.txt
2016-09-01 15:59 - 2016-09-01 15:59 - 00000000 ____D C:\Users\Chris\AppData\Local\ESET
2016-09-01 15:17 - 2016-09-01 15:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-31 12:38 - 2016-08-31 12:38 - 00000207 _____ C:\Windows\tweaking.com-regbackup-MOLLY-Windows-7-Professional-(32-bit).dat
2016-08-31 12:37 - 2016-08-31 12:37 - 00002189 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\Program Files\Tweaking.com
2016-08-31 12:34 - 2016-08-31 12:37 - 00018956 _____ C:\Windows\Tweaking.com - Registry Backup Setup Log.txt
2016-08-31 12:32 - 2016-08-31 12:32 - 05575304 _____ (Tweaking.com) C:\Users\Chris\Desktop\tweaking.com_registry_backup_setup.exe
2016-08-30 12:40 - 2016-08-30 12:40 - 00000000 ____D C:\Users\Chris\Desktop\Old Firefox Data
2016-08-30 12:11 - 2016-09-05 09:27 - 00000000 ____D C:\ProgramData\yes
2016-08-25 21:50 - 2016-08-25 21:50 - 00000000 _____ C:\Windows\Textart.INI
2016-08-19 07:03 - 2016-07-08 11:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-08-10 16:00 - 2016-08-02 10:08 - 00346312 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-08-10 16:00 - 2016-08-02 02:03 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-08-10 16:00 - 2016-08-02 02:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-08-10 16:00 - 2016-08-02 01:54 - 20343808 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-08-10 16:00 - 2016-08-02 01:51 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-08-10 16:00 - 2016-08-02 01:50 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-08-10 16:00 - 2016-08-02 01:47 - 02286592 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-08-10 16:00 - 2016-08-02 01:45 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-08-10 16:00 - 2016-08-02 01:44 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-08-10 16:00 - 2016-08-02 01:42 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-08-10 16:00 - 2016-08-02 01:41 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-08-10 16:00 - 2016-08-02 01:36 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-08-10 16:00 - 2016-08-02 01:33 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-08-10 16:00 - 2016-08-02 01:29 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-08-10 16:00 - 2016-08-02 01:28 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-08-10 16:00 - 2016-08-02 01:26 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-08-10 16:00 - 2016-08-02 01:25 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-08-10 16:00 - 2016-08-02 01:24 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-08-10 16:00 - 2016-08-02 01:22 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-08-10 16:00 - 2016-08-02 01:21 - 04608000 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-08-10 16:00 - 2016-08-02 01:16 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-08-10 16:00 - 2016-08-02 01:15 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-08-10 16:00 - 2016-08-02 01:14 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-08-10 16:00 - 2016-08-02 01:11 - 13808128 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-08-10 16:00 - 2016-08-02 00:56 - 02393088 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-08-10 16:00 - 2016-08-02 00:53 - 01316352 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-08-10 16:00 - 2016-08-02 00:51 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-08-10 16:00 - 2016-07-08 11:22 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-08-10 16:00 - 2016-07-08 11:22 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-08-10 16:00 - 2016-07-08 11:16 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00260608 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00251392 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-08-10 16:00 - 2016-07-08 10:55 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-08-10 16:00 - 2016-07-08 10:53 - 02399232 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-08-10 16:00 - 2016-07-08 10:50 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-08-10 16:00 - 2016-07-08 10:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-08-10 16:00 - 2016-07-08 10:50 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-09-05 10:15 - 2013-10-11 22:28 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-05 10:14 - 2013-11-25 10:56 - 00000000 ____D C:\Users\Chris\AppData\Roaming\ClassicShell
2016-09-05 09:59 - 2016-03-15 11:37 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-05 09:13 - 2010-11-20 17:01 - 00795074 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-05 09:13 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\inf
2016-09-05 09:11 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-05 09:11 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-05 09:06 - 2013-10-11 22:28 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-05 09:06 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-05 09:06 - 1997-07-11 00:00 - 00022701 ____H C:\Windows\system32\FFASTLOG.TXT
2016-09-03 14:43 - 2016-04-03 23:32 - 00016444 _____ C:\Users\Chris\Documents\PDF_Log.txt
2016-09-03 01:36 - 2009-07-14 00:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-09-03 00:33 - 2013-11-17 23:41 - 00000000 ____D C:\Users\Chris\Documents\My Scans
2016-09-02 22:48 - 2013-11-03 15:00 - 00000000 ____D C:\Users\Chris\AppData\Local\CutePDF Writer
2016-09-02 19:30 - 2013-10-22 18:58 - 00000000 ____D C:\Users\Chris\AppData\Local\CrashDumps
2016-08-31 22:42 - 2015-09-22 01:33 - 00000008 __RSH C:\ProgramData\ntuser.pol
2016-08-31 22:39 - 2013-10-24 14:36 - 00000749 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-08-31 22:39 - 2013-10-24 14:36 - 00000749 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-08-31 22:39 - 2013-10-11 20:27 - 00001164 _____ C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-08-31 22:39 - 2009-07-13 22:37 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-08-30 13:17 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160831-123042.backup
2016-08-27 11:07 - 2013-10-24 14:36 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-08-24 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160830-131752.backup
2016-08-20 15:35 - 2014-02-01 01:20 - 00000000 ____D C:\Users\Chris\AppData\Roaming\HpUpdate
2016-08-19 08:00 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2016-08-17 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160824-123043.backup
2016-08-10 16:13 - 2009-07-14 00:33 - 00545640 _____ C:\Windows\system32\FNTCACHE.DAT
2016-08-10 16:04 - 2013-10-12 16:40 - 00000000 ____D C:\Windows\system32\MRT
2016-08-10 16:01 - 2013-10-12 16:40 - 144884648 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-08-10 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160817-123042.backup
==================== Files in the root of some directories =======
2015-08-01 10:23 - 2015-08-01 10:23 - 0000059 _____ () C:\Users\Chris\AppData\Roaming\StringRegExpGUIPattern.dat
2013-11-17 23:27 - 2013-11-17 23:27 - 0000093 _____ () C:\Users\Chris\AppData\Local\fusioncache.dat
2013-10-23 09:20 - 2015-09-19 10:24 - 0007607 _____ () C:\Users\Chris\AppData\Local\resmon.resmoncfg
2013-11-17 22:48 - 2015-05-25 11:35 - 0001453 _____ () C:\ProgramData\hpzinstall.log
Some files in TEMP:
====================
C:\Users\Chris\AppData\Local\Temp\libeay32.dll
C:\Users\Chris\AppData\Local\Temp\msvcr120.dll
C:\Users\Chris\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2016-09-05 10:04
==================== End of FRST.txt ============================
Addition.txt:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (05-09-2016 10:26:36)
Running from C:\Users\Chris\Desktop
Microsoft Windows 7 Professional Service Pack 1 (X86) (2013-10-12 00:27:21)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-4166634823-2150066620-1418166359-500 - Administrator - Disabled)
ASPNET (S-1-5-21-4166634823-2150066620-1418166359-1023 - Limited - Enabled)
Chris (S-1-5-21-4166634823-2150066620-1418166359-1000 - Administrator - Enabled) => C:\Users\Chris
Guest (S-1-5-21-4166634823-2150066620-1418166359-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-4166634823-2150066620-1418166359-1007 - Limited - Enabled)
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Spybot - Search and Destroy (Enabled - Up to date) {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
Acronis True Image 2015 (HKLM\...\{35CFA5F4-EE2D-4B13-AAED-BC643B6874B5}Visible) (Version: 18.0.6613 - Acronis)
Acronis True Image 2015 (Version: 18.0.6613 - Acronis) Hidden
Adobe Flash Player 22 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 22.0.0.210 - Adobe Systems Incorporated)
Adobe Flash Player 22 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 22.0.0.209 - Adobe Systems Incorporated)
Autodesk DWG TrueView 2016 - English (HKLM\...\DWG TrueView 2016 - English) (Version: 20.1.49.0 - Autodesk)
AutoIt Debugger 0.47.0 (HKLM\...\AutoIt Debugger) (Version: 0.47.0 - Essential Software)
AutoIt v3.3.14.0 (HKLM\...\AutoItv3) (Version: 3.3.14.0 - AutoIt Team)
AutoIt v3.3.15.0 (Beta) (HKLM\...\AutoItv3beta) (Version: 3.3.15.0 - AutoIt Team)
BabaCAD (HKLM\...\{FF8C8DDD-70E5-493E-92B6-296334F0601B}) (Version: 1.3.4 - BabaCAD)
Belarc Advisor 8.4 (HKLM\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Classic Shell (HKLM\...\{E0E49E80-19DE-43FE-BFF2-8C58DDF3C7F9}) (Version: 4.1.0 - IvoSoft)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
CuteFTP (HKLM\...\CuteFTP) (Version: - )
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
DraftSight 2015 SP1 (HKLM\...\{FA2DA057-6711-4830-9D29-8F7C9BA77BAD}) (Version: 13.1.1091 - Dassault Systemes)
DWG TrueView 2016 - English (Version: 20.1.49.0 - Autodesk) Hidden
eMachineShop version 1.910 (HKLM\...\eMachineShop_is1) (Version: 1.910 - )
FileFinder (HKLM\...\FileFinder) (Version: 1.0.1 - Webitar Production Inc.)
Fine Homebuilding Archive 2011 (HKLM\...\{FC3523BB-134E-494C-957F-53DD2651A0ED}) (Version: 1.3.0000 - )
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 7.3.4.311 - Foxit Software Inc.)
GoldWave v5.70 (HKLM\...\GoldWave v5.70) (Version: 5.70 - GoldWave Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.31.5 - Google Inc.) Hidden
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP LaserJet 3050/3052/3055/3390/3392 4.0 (HKLM\...\HP LaserJet 3050/3052/3055/3390/3392) (Version: 4.0 - HP)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
hpp3390usg (Version: 000.105.00099 - Hewlett-Packard) Hidden
hppfaxdrv3390 (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppFaxUtility (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppFonts (Version: 001.001.00056 - Hewlett-Packard) Hidden
hppIOFiles (Version: 002.000.00030 - Hewlett-Packard) Hidden
hppLJ3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppManuals3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppscan3390 (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppScanTo (Version: 001.102.00067 - Hewlett-Packard) Hidden
hppSendFax (Version: 001.102.00066 - Hewlett-Packard) Hidden
hppTooCool (Version: 003.000.00004 - Hewlett-Packard) Hidden
hppToolBoxFX (Version: 001.006.00099 - Hewlett-Packard) Hidden
hpzTLBXFX (Version: 002.005.00191 - Hewlett-Packard) Hidden
Intel(R) Management Engine Components (HKLM\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Intel(R) Update Manager (HKLM\...\{B991A1BC-DE0F-41B3-9037-B2F948F706EC}) (Version: 3.1.1228 - Intel Corporation)
Intel® SSD Toolbox (HKLM\...\{06D085C8-1F00-11B2-96A7-8f0CE39193ED}) (Version: 3.3.0.400 - Intel Corporation)
IrfanView (remove only) (HKLM\...\IrfanView) (Version: 4.36 - Irfan Skiljan)
MarketResearch (Version: 82.0.174.000 - Hewlett-Packard) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft Office 97, Professional Edition (HKLM\...\Office8.0) (Version: - )
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50428.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 48.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 48.0.2 (x86 en-US)) (Version: 48.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 48.0.2.6079 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MyBackup (HKLM\...\ST5UNST #1) (Version: - )
Notepad++ (HKLM\...\Notepad++) (Version: 6.5 - Notepad++ Team)
Nuance PaperPort 12 (HKLM\...\{D08D765A-2191-4210-9711-30FF98806770}) (Version: 12.1.0005 - Nuance Communications, Inc.)
PCRE Toolkit v3 (HKLM\...\PCRE Toolkit_is1) (Version: 3.0.1.13 - GEOSoft Software Development)
Pegasus Mail (HKLM\...\Pegasus Mail) (Version: - David Harris)
Pegasus Mail HTML Renderer 2.4.7.2 (HKLM\...\{A9F5E1E1-1281-4862-90B4-6CF8E6AF83CE}_is1) (Version: - Micha's Midnight Manufacture)
PowerDesk 9 (HKLM\...\{C4E1D1E5-0F67-463D-BD07-A24742AA7469}) (Version: 9.0.0.0 - Avanquest North America Inc.)
Rapport (Version: 3.5.1507.63 - Trusteer) Hidden
Realtek Ethernet Controller Driver (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.65.1025.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6767 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 3.1.6 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.6 - VS Revo Group, Ltd.)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
SciTE4AutoIt3 15.503.1200.0 (HKLM\...\SciTE4AutoIt3) (Version: 15.503.1200.0 - Jos van der Zande)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
StudioTax 2014 (HKLM\...\{5D8696DC-7DED-48D3-B0D1-8E1BB7F77FB5}) (Version: 10.0.12.1 - BHOK IT Consulting)
StudioTax 2015 (HKLM\...\{10DC0B0F-E7D6-4F37-9CF9-0A76A689AAB0}) (Version: 11.0.8.3 - BHOK IT Consulting)
System Requirements Lab for Intel (HKLM\...\{C7CA731B-BF9A-46D9-92CF-8A8737AE9240}) (Version: 4.5.13.0 - Husdawg, LLC)
TextPad 5 (HKLM\...\{B6EC7388-E277-4A5B-8C8F-71067A41BA64}) (Version: 5.4.0 - Helios)
Trusteer Endpoint Protection (HKLM\...\Rapport_msi) (Version: 3.5.1507.63 - Trusteer)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 3.5.0 - Tweaking.com)
Visual Basic 5.0 Professional Edition (HKLM\...\VB5) (Version: - )
WebReg (Version: 82.0.173.000 - Hewlett-Packard) Hidden
WordPerfect IFilter 32 bit (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.4 - Corel Corporation)
WordPerfect Office X6 - Common Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Common Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Extras (HKLM\...\{98F94B9C-9FF5-4053-85A6-3D4F3FA3EBA0}) (Version: 1.00.0000 - Corel Corporation)
WordPerfect Office X6 - IPM (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Lightning Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Oxford (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Presentations Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - Quattro Pro Files English (Version: 16.2 - Corel Corporation) Hidden
WordPerfect Office X6 - Setup Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - System Files (Version: 15.0 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WordPerfect Files English (Version: 16.2.1 - Corel Corporation) Hidden
WordPerfect Office X6 - WT (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 (HKLM\...\_{26D6D2A4-F08A-4212-86E7-7F1F75033610}) (Version: 16.0.0.428 - Corel Corporation)
WordPerfect Office X6 (Version: 16.1 - Corel Corporation) Hidden
WordPerfect Office X6 SDK (HKLM\...\{D57A4C2B-C92F-46BF-9EFE-4EDD49E88628}) (Version: 16.0.0.388 - Corel Corporation)
WordPerfect OfficeReady (HKLM\...\{737D7CA8-D05C-46C7-AFED-A76616E8CA3B}) (Version: 1.0 - Corel Corporation.)
XML Notepad 2007 (HKLM\...\{FC7BACF0-1FFA-4605-B3B4-A66AB382752D}) (Version: 2.3.0.0 - Microsoft Corporation)
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{149DD748-EA85-45A6-93C5-AC50D0260C98}\localserver32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\dwgviewr.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{3faa4380-a399-11cf-a466-00805fe418f6}\InprocServer32 -> F:\Program Files\Autodesk\DWG TrueView 2016 - English\en-US\dwgviewrficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000_Classes\CLSID\{ABECE8A0-FF84-4efb-82AE-9B3181CE097D}\InprocServer32 -> F:\Program Files\TextPad 5\System\shellext32.dll (Helios Software Solutions)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {0B6E885F-D349-4707-90FB-E92D8FE6010E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {23E49BE4-48D4-488C-86A5-AB3301C558BF} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => F:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {2F9EC57E-F920-4EF6-88F4-CA3DACFEAD02} - System32\Tasks\Intel_F_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {34A376B9-CFC2-4D4E-ABAC-68FF7C70A27A} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {4FC8919F-9E68-4818-A0E4-32229D69A286} - System32\Tasks\My Alarm003 => F:\Program Files\AutoIt3\Beta\AutoIt3.exe [2015-07-14] (AutoIt Team)
Task: {6B2525DF-EF2A-4C6A-BC96-56F8C04F59CC} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => F:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2014-06-24] (Safer-Networking Ltd.)
Task: {71E34AD2-0884-4D08-B0A3-0E3B594D9A40} - System32\Tasks\Intel_C_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {837226FA-8B61-4344-AE73-B12C3D5D016C} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {85C317C4-0E0A-4C2D-8A94-8A096F45988C} - System32\Tasks\Intel_H_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {8F26E44C-8C62-4571-900F-17298ACD9C85} - System32\Tasks\My Alarm002 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {B4A21C92-41B5-4627-B5AB-91DFA73BAA16} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {BFC5DF99-3D59-4D1C-A40A-0632B292EAA6} - System32\Tasks\{82065A16-7231-4FA4-86D6-75CC5D970F17} => C:\QV2\QV2.EXE [1992-11-06] ()
Task: {C388E02D-C331-4983-8D65-0B46CF5AD7EB} - System32\Tasks\Intel_G_CVCV3191005V240FGN => C:\Program Files\Intel\Intel(R) SSD Toolbox\Intel SSD Toolbox.exe [2015-05-05] (Intel)
Task: {C848ADF7-CC79-4B99-B9DD-2E6B767B2DD3} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => F:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)
Task: {D8876630-243E-4D7A-BAF6-7D5C8FA83EC5} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-14] (Adobe Systems Incorporated)
Task: {DE0EB309-7D55-4B4E-B076-ECCFCC1B45DE} - System32\Tasks\My Alarm001 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {E0F480EA-D1ED-4104-9F9C-2E18D75D94EE} - System32\Tasks\My Alarm005 => F:\Program Files\AutoIt3\AutoIt3.exe [2015-07-10] (AutoIt Team)
Task: {E24E5581-902C-4661-ABBB-4834EB96726D} - System32\Tasks\_My Alarm => "F:\AutoIt scripts\MyAlarm schtasks v2_1.au3" [Argument = showIfSoon]
Task: {F8F06101-EB5F-4AE6-A67C-6F598971607F} - System32\Tasks\My Alarm007 => F:\Program Files\AutoIt3\autoit3.exe [2015-07-10] (AutoIt Team)
Task: {FF3BBFFD-5A72-4BDB-B4A3-E2382514770D} - System32\Tasks\My Alarm009 => F:\Program Files\AutoIt3\autoit3.exe [2015-07-10] (AutoIt Team)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
==================== Shortcuts =============================
(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============
2012-12-14 11:50 - 2012-12-14 11:50 - 00107520 _____ () C:\Windows\system32\FileMonitor32.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 00022016 _____ () C:\Windows\system32\docobj.dll
2013-11-03 14:51 - 2013-10-23 16:23 - 00089136 _____ () C:\Windows\System32\cpwmon2k.dll
2013-10-16 13:06 - 2012-08-31 15:01 - 00151552 _____ () C:\Windows\System32\HP1100LM.DLL
2013-10-16 13:08 - 2012-08-31 15:01 - 00069632 _____ () C:\Windows\system32\spool\PRTPROCS\W32X86\HP1100PP.DLL
2014-12-18 16:33 - 2014-05-13 13:04 - 00109400 _____ () F:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-12-18 16:33 - 2014-05-13 13:04 - 00416600 _____ () F:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-07-14 09:49 - 2014-05-13 13:04 - 00167768 _____ () F:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-07-14 09:49 - 2012-08-23 11:38 - 00574840 _____ () F:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-07-14 09:49 - 2012-04-03 17:06 - 00565640 _____ () F:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-12-14 11:51 - 2012-12-14 11:51 - 00011264 _____ () F:\Program Files\Avanquest\PowerDesk\DClickDesktopHook.dll
2014-09-09 10:00 - 2014-09-09 10:00 - 00023576 ____N () C:\Program Files\Acronis\TrueImageHome\ti_managers_proxy_stub.dll
2012-12-14 11:36 - 2012-12-14 11:36 - 00011264 _____ () F:\Program Files\Avanquest\PowerDesk\mxcview.dll
2012-12-14 11:37 - 2012-12-14 11:37 - 00111616 _____ () F:\Program Files\Avanquest\PowerDesk\mxgview.dll
2013-10-29 11:08 - 2000-09-26 07:38 - 00143360 _____ () F:\Program Files\GlobalSCAPE\CuteFTP\CuteShell.dll
2012-06-18 11:24 - 2012-06-18 11:24 - 00260096 _____ () F:\Program Files\Notepad++\NppShell_05.dll
2013-10-12 00:00 - 2012-11-12 01:34 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 03289088 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_d3f5dc3c\mscorlib.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 02994176 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.windows.forms\1.0.5000.0__b77a5c561934e089_8cb17cfd\system.windows.forms.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 02076672 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system.xml\1.0.5000.0__b77a5c561934e089_eadb1e09\system.xml.dll
2013-11-17 23:26 - 2013-11-17 23:26 - 01929216 _____ () c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_9009abfc\system.dll
2015-07-20 09:08 - 2015-07-20 09:08 - 00037696 _____ () C:\Program Files\Acronis\TrueImageHome\qt_icontray_ex.dll
2015-07-20 09:08 - 2015-07-20 09:08 - 00034624 _____ () C:\Program Files\Common Files\Acronis\Home\thread_pool.dll
2012-12-14 11:51 - 2012-12-14 11:51 - 00060416 _____ () F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
2015-03-17 18:01 - 2012-08-07 08:40 - 00645296 ____N () F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
2015-03-17 18:01 - 2012-08-07 08:37 - 00217088 ____N () F:\Program Files\Lexmark\ErrorApp\lmab1err.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 00111376 _____ () F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
1997-07-11 00:00 - 1997-07-11 00:00 - 03782416 _____ () F:\Program Files\Microsoft Office\Office\MSO97.DLL
2015-07-21 17:02 - 2015-07-21 17:02 - 00557056 _____ () C:\Program Files\Trusteer\Rapport\bin\js32.dll
1997-07-11 00:00 - 1997-07-11 00:00 - 00051984 _____ () F:\Program Files\Microsoft Office\Office\OSA.EXE
2015-07-20 09:15 - 2015-07-20 09:15 - 00420160 _____ () C:\Program Files\Common Files\Acronis\Home\ulxmlrpcpp.dll
2014-11-27 10:44 - 2014-11-27 10:44 - 00129344 ____N () C:\Program Files\Common Files\Acronis\Home\EXPAT.dll
2013-10-12 00:07 - 2012-06-25 10:41 - 01198912 _____ () C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2016-09-05 09:17 - 2016-08-30 12:11 - 05068288 _____ () C:\Users\Chris\AppData\Local\Temp\baa3-a1b4-b569-fe48\uninstall.exe
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)
==================== Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Classes\.scr: DWGTrueViewScriptFile => C:\Windows\system32\notepad.exe "%1"
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com
There are 7915 more sites.
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\123simsen.com -> www.123simsen.com
There are 7915 more sites.
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 22:04 - 2016-08-31 12:30 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com
127.0.0.1 www.123moviedownload.com
There are 15555 more lines.
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Desktop Background.bmp
DNS Servers: 192.168.0.1 - 135.19.0.18
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)
MSCONFIG\startupreg: ToolBoxFX => "C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{EBDDD846-801E-48AE-B509-66D8B92650F6}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe
FirewallRules: [{26FC5F17-CF91-4358-AF93-570262B89E2C}] => (Allow) C:\LJP1100_P1560_P1600_Full_Solution\ProductInst.exe
FirewallRules: [{98D9F9A5-C382-44C4-A820-78DBDDAEE185}] => (Allow) LPort=9100
FirewallRules: [{1F1D3D76-6FAA-499F-AA0B-038BC0B8D6E9}] => (Allow) LPort=427
FirewallRules: [{47E372C1-8768-4A61-A792-8B5D32A9B6B5}] => (Allow) LPort=161
FirewallRules: [{3E46316B-F4D2-42D3-8643-3DCED4413562}] => (Allow) LPort=427
FirewallRules: [{FE8E6E13-0E5E-4E05-B7C9-E8A1CD268090}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{CB74725E-4BDA-4B73-9059-10826BF72770}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [TCP Query User{054A7DAF-2D7E-4FAB-A276-79C5A342F349}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe
FirewallRules: [UDP Query User{AAD756BC-2D04-4728-BD30-1576279EBCC3}F:\program files\globalscape\cuteftp\cutftp32.exe] => (Allow) F:\program files\globalscape\cuteftp\cutftp32.exe
FirewallRules: [{54A4E472-29D2-41CB-BADF-9CA40746588F}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{9E7A7DDD-0863-4017-836A-6DB11A0CDB00}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{9C82A641-0877-4AEE-BB08-BE75BE31644B}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{3653838F-07F7-4E0B-A200-119BC5EC4340}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{7ABA8A90-407B-430D-8929-2ADDC6CC53D8}F:\program files\mozilla firefox\firefox.exe] => (Block) F:\program files\mozilla firefox\firefox.exe
FirewallRules: [{C23F12FF-1779-4FC6-B5F7-25A61FA9D289}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{BFE09928-4791-40DB-B097-CEA2FDF4C003}] => (Allow) F:\Program Files\Lexmark\Status Center\lmsmc.exe
FirewallRules: [{7BEE059F-1A46-4951-8C0A-0E413FA3197F}] => (Allow) D:\Install\x86\InstallGui.exe
FirewallRules: [{4BEC2007-033C-40F2-8E04-EE7D8EF563F3}] => (Allow) D:\Install\x86\InstallGui.exe
FirewallRules: [{3432FBAD-0AF9-4118-8D73-A308AED73D4C}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{5914F22E-8C34-4EE1-BD3A-897141C38232}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{0C576296-EE11-410B-AF66-38D946733123}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{7CE4E130-5164-4971-AB19-58A66555663E}] => (Allow) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
FirewallRules: [{6A52C645-0B63-4A90-B661-F728E091C0DD}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{45800C23-03CE-431F-A108-73C806C72CE2}] => (Allow) F:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{2F4F8DFF-6326-425D-8D16-4A87F4A5BB07}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
FirewallRules: [{ECD938F0-FCBA-49A9-8CFA-61A57F920A71}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
==================== Restore Points =========================
02-09-2016 14:37:02 Windows Update
05-09-2016 09:17:38 Revo Uninstaller Pro's restore point - FileFinder
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (09/05/2016 09:17:38 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {3bd381e7-cf33-4e89-aaf2-d1d3103f3424}
Error: (09/05/2016 09:06:42 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (09/04/2016 09:24:58 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (09/03/2016 11:00:02 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (09/03/2016 10:40:46 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (09/02/2016 07:30:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: winpm-32.exe, version: 4.6.2.0, time stamp: 0x4e4341cf
Faulting module name: winpm-32.exe, version: 4.6.2.0, time stamp: 0x4e4341cf
Exception code: 0xc0000005
Fault offset: 0x00291251
Faulting process id: 0x250c
Faulting application start time: 0x01d2056772390877
Faulting application path: F:\PMAIL\winpm-32.exe
Faulting module path: F:\PMAIL\winpm-32.exe
Report Id: 468a3337-7165-11e6-a9e0-74d02b282604
Error: (09/02/2016 11:04:14 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (09/02/2016 07:29:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Error: (09/01/2016 09:24:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: qpw16.exe, version: 16.0.0.427, time stamp: 0x5091e243
Faulting module name: ntdll.dll, version: 6.1.7601.23418, time stamp: 0x5708a7a8
Exception code: 0xc0000005
Fault offset: 0x00052891
Faulting process id: 0x2034
Faulting application start time: 0x01d204b892f0bac9
Faulting application path: F:\Program Files\Corel\WordPerfect Office X6\Programs\qpw16.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 0c64f167-70ac-11e6-95da-74d02b282604
Error: (09/01/2016 05:00:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.173.0, time stamp: 0x56e065b4
Faulting module name: Qt5Widgets.dll, version: 5.4.1.0, time stamp: 0x555bbfbd
Exception code: 0xc0000005
Fault offset: 0x001bb582
Faulting process id: 0xac4
Faulting application start time: 0x01d20493d38d54cc
Faulting application path: C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
Faulting module path: C:\Program Files\Malwarebytes Anti-Malware\Qt5Widgets.dll
Report Id: 25759201-7087-11e6-95da-74d02b282604
System errors:
=============
Error: (09/02/2016 07:29:55 AM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: Service 'WMPNetworkSvc' did not start correctly because CoCreateInstance(CLSID_UPnPDeviceFinder) encountered error '0x80004005'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Management and Security Application User Notification Service service terminated unexpectedly. It has done this 1 time(s).
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Acronis Sync Agent Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Spybot-S&D 2 Security Center Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Spybot-S&D 2 Updating Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Protexis Licensing V2 service terminated unexpectedly. It has done this 1 time(s).
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Dynamic Application Loader Host Interface Service service terminated unexpectedly. It has done this 1 time(s).
Error: (08/31/2016 11:09:08 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Intel(R) Capability Licensing Service Interface service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
CodeIntegrity:
===================================
Date: 2016-09-04 23:53:07.429
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-03 14:27:30.055
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-03 11:24:36.169
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-03 10:49:51.528
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-02 19:19:26.779
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-02 18:44:39.723
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-02 08:11:29.134
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-02 07:57:05.439
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-02 07:37:29.413
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-09-01 17:17:01.048
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Spybot - Search & Destroy 2\SDHook32.dll because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================
Processor: Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz
Percentage of memory in use: 35%
Total physical RAM: 3269.51 MB
Available physical RAM: 2098.55 MB
Total Virtual: 6537.34 MB
Available Virtual: 5247.56 MB
==================== Drives ================================
Drive c: (MWin) (Fixed) (Total:60 GB) (Free:29.04 GB) NTFS
Drive f: (MProgs) (Fixed) (Total:50 GB) (Free:39.5 GB) NTFS
Drive g: (MDataH) (Fixed) (Total:20 GB) (Free:11.77 GB) NTFS
Drive h: (MDataC) (Fixed) (Total:20 GB) (Free:10.76 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 223.6 GB) (Disk ID: 92C3177A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=60 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=90 GB) - (Type=OF Extended)
==================== End of Addition.txt ============================
I see FileFinder is still listed.
Chris Haslam
2016-09-05, 17:48
FileFinder still shows in Control Panel > Programs and Features. I did not try to uninstall it there, nor have I rebooted.
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
start
CreateRestorePoint:
CloseProcesses:
C:\Windows\FileFinder.ini
C:\Program Files\FileFinder\FileFinder.exe
C:\Program Files\FileFinder
FirewallRules: [{2F4F8DFF-6326-425D-8D16-4A87F4A5BB07}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
FirewallRules: [{ECD938F0-FCBA-49A9-8CFA-61A57F920A71}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
C:\Users\Chris\AppData\Local\Temp\libeay32.dll
C:\Users\Chris\AppData\Local\Temp\msvcr120.dll
C:\Users\Chris\AppData\Local\Temp\sqlite3.dll
EmptyTemp:
End
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~~
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following quotebox into the main textfield:
:folderfind
FileFinder
:filefind
FileFinder
:regfind
FileFinder
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Chris Haslam
2016-09-05, 20:48
fixlog.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 31-08-2016
Ran by Chris (administrator) on MOLLY (05-09-2016 10:26:18)
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
(Acronis) C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
(Dassault Systèmes) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe
( ) C:\Program Files\HP\HP UT\bin\hppusg.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Acronis) C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
(Acronis International GmbH) C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe
() F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
() F:\Program Files\Lexmark\ErrorApp\lmab1err.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\agent.exe
() F:\Program Files\Microsoft Office\Office\FINDFAST.EXE
(IBM Corp.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
() F:\Program Files\Microsoft Office\Office\OSA.EXE
(Avanquest Software) F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Acronis) C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Intel Corporation) C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
() C:\Users\Chris\AppData\Local\Temp\baa3-a1b4-b569-fe48\uninstall.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe [5995152 2012-10-28] (Realtek Semiconductor)
HKLM\...\Run: [IndexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [46952 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [30568 2012-02-01] (Nuance Communications, Inc.)
HKLM\...\Run: [QuickFinder Scheduler] => f:\Program Files\Corel\WordPerfect Office X6\Programs\QFSCHD160.EXE [155592 2012-10-31] (Corel Corporation)
HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [36864 2007-05-03] ( )
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [150208 2014-04-20] (IvoSoft)
HKLM\...\Run: [SDTray] => F:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [TrueImageMonitor.exe] => C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [5343664 2015-07-20] (Acronis)
HKLM\...\Run: [AcronisTibMounterMonitor] => C:\Program Files\Common Files\Acronis\TibMounter\TibMounterMonitor.exe [691056 2015-07-20] (Acronis International GmbH)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [408872 2014-08-14] (Acronis)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [PDHookServer] => F:\Program Files\Avanquest\PowerDesk\PDHookServer.exe [60416 2012-12-14] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [ISUSPM] => C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [LMab1err] => F:\Program Files\Lexmark\ErrorApp\lmab1err.exe [645296 2012-08-07] ()
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [Spybot-S&D Cleaning] => F:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-18\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
AppInit_DLLs: C:\Windows\system32\FileMonitor32.dll => C:\Windows\system32\FileMonitor32.dll [107520 2012-12-14] ()
ShellIconOverlayIdentifiers: [AcronisSyncError] -> {934BC6C0-FEC2-4df5-A100-961DE2C8A0ED} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncInProgress] -> {00F848DC-B1D4-4892-9C25-CAADC86A215D} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AcronisSyncOk] -> {71573297-552E-46fc-BE3D-3DFAF88D47B7} => C:\Program Files\Acronis\TrueImageHome\tishell.dll [2014-09-09] (Acronis)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2015-02-06] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk [2013-10-28]
ShortcutTarget: Microsoft Find Fast.lnk -> F:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk [2013-10-28]
ShortcutTarget: Office Startup.lnk -> F:\Program Files\Microsoft Office\Office\OSA.EXE ()
Startup: C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dialog Helper.lnk [2013-10-25]
ShortcutTarget: Dialog Helper.lnk -> F:\Program Files\Avanquest\PowerDesk\pddlghlp.exe (Avanquest Software)
BootExecute: autocheck autochk * sdnclean.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
Tcpip\..\Interfaces\{61A2128C-D99C-413E-B4E8-292F8A12B08D}: [DhcpNameServer] 192.168.0.1 135.19.0.18 70.80.0.66
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2013-04-16] (Belarc, Inc.)
FireFox:
========
FF ProfilePath: C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-12] ()
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> F:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2015-12-29] (Foxit Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Extension: (Print Edit) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\extensions\printedit@DW-dev.xpi [2016-08-30]
FF Extension: (WOT) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2016-09-03]
FF Extension: (Adblock Plus) - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\asmcms8v.default-1472575210563\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-08-30]
FF HKLM\...\Firefox\Extensions: [quickprint@hp.com] - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension
FF Extension: (SmartPrintButton) - C:\Program Files\Hewlett-Packard\SmartPrint\QPExtension [2011-01-26] [not signed]
StartMenuInternet: FIREFOX.EXE - F:\Program Files\Mozilla Firefox\firefox.exe
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 AcrSch2Svc; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [859456 2014-08-14] (Acronis)
R2 afcdpsrv; C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe [3996664 2015-07-31] (Acronis)
S3 cphs; C:\Windows\system32\IntelCpHeciSvc.exe [277616 2012-12-14] (Intel Corporation)
R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [95232 2015-01-14] (Dassault Systèmes) [File not signed]
S3 FlexNet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe [1074480 2015-03-01] (Flexera Software LLC)
S3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-01-02] (Hewlett-Packard Co.) [File not signed]
R2 Intel(R) Capability Licensing Service Interface; C:\Program Files\Intel\iCLS Client\HeciServer.exe [462048 2012-04-20] (Intel(R) Corporation)
S3 iumsvc; C:\Program Files\Intel\Intel(R) Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RapportMgmtService; C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe [2255128 2015-08-04] (IBM Corp.)
R2 SDScannerService; F:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1740760 2014-09-03] (Safer-Networking Ltd.)
R2 SDUpdateService; F:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; F:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 syncagentsrv; C:\Program Files\Common Files\Acronis\SyncAgent\syncagentsrv.exe [6847712 2014-09-13] (Acronis)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 Dot4Scan; C:\Windows\System32\DRIVERS\Dot4Scan.sys [10752 2009-07-13] (Microsoft Corporation)
R0 file_tracker; C:\Windows\System32\DRIVERS\file_tracker.sys [214304 2015-03-25] (Acronis International GmbH)
R3 HPFXBULK; C:\Windows\System32\drivers\hpfxbulk.sys [9344 2006-04-04] (Hewlett Packard) [File not signed]
R0 iusb3hcs; C:\Windows\System32\DRIVERS\iusb3hcs.sys [15680 2012-05-20] (Intel Corporation)
R3 iusb3hub; C:\Windows\System32\DRIVERS\iusb3hub.sys [350016 2012-05-20] (Intel Corporation)
R3 iusb3xhc; C:\Windows\System32\DRIVERS\iusb3xhc.sys [793920 2012-05-20] (Intel Corporation)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [55104 2012-07-02] (Intel Corporation)
R1 RapportCerberus_1507065; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_1507065.sys [555000 2015-09-01] (IBM Corp.)
R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [292280 2015-08-04] (IBM Corp.)
R0 RapportHades; C:\Windows\System32\Drivers\RapportHades.sys [70168 2015-08-04] (IBM Corp.)
R0 RapportKELL; C:\Windows\System32\Drivers\RapportKELL.sys [223000 2015-08-04] (IBM Corp.)
R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [349816 2015-08-04] (IBM Corp.)
R1 SDHookDriver; F:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys [46336 2014-04-25] ()
R2 tib; C:\Windows\System32\DRIVERS\tib.sys [685160 2015-07-31] (Acronis International GmbH)
R2 tib_mounter; C:\Windows\System32\DRIVERS\tib_mounter.sys [184136 2015-07-31] (Acronis International GmbH)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-09-05 10:26 - 2016-09-05 10:26 - 00015939 _____ C:\Users\Chris\Desktop\FRST.txt
2016-09-05 10:25 - 2016-09-05 10:26 - 00000000 ____D C:\FRST
2016-09-05 10:24 - 2016-09-05 10:24 - 01747968 _____ (Farbar) C:\Users\Chris\Desktop\FRST.exe
2016-09-05 10:07 - 2016-09-05 10:25 - 00000000 ____D C:\EEK
2016-09-05 09:31 - 2016-09-05 09:32 - 248386808 _____ C:\Users\Chris\Desktop\EmsisoftEmergencyKit.exe
2016-09-05 09:16 - 2016-09-05 09:16 - 00001238 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\Users\Chris\AppData\Local\VS Revo Group
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\ProgramData\VS Revo Group
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2016-09-05 09:16 - 2016-09-05 09:16 - 00000000 ____D C:\Program Files\VS Revo Group
2016-09-05 09:16 - 2009-12-30 11:21 - 00027192 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2016-09-05 09:14 - 2016-09-05 09:14 - 11374528 _____ (VS Revo Group ) C:\Users\Chris\Desktop\RevoUninProSetup.exe
2016-09-03 22:18 - 2016-09-03 22:18 - 00000836 _____ C:\DelFix.txt
2016-09-01 15:59 - 2016-09-01 15:59 - 00000000 ____D C:\Users\Chris\AppData\Local\ESET
2016-09-01 15:17 - 2016-09-01 15:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-31 12:38 - 2016-08-31 12:38 - 00000207 _____ C:\Windows\tweaking.com-regbackup-MOLLY-Windows-7-Professional-(32-bit).dat
2016-08-31 12:37 - 2016-08-31 12:37 - 00002189 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2016-08-31 12:37 - 2016-08-31 12:37 - 00000000 ____D C:\Program Files\Tweaking.com
2016-08-31 12:34 - 2016-08-31 12:37 - 00018956 _____ C:\Windows\Tweaking.com - Registry Backup Setup Log.txt
2016-08-31 12:32 - 2016-08-31 12:32 - 05575304 _____ (Tweaking.com) C:\Users\Chris\Desktop\tweaking.com_registry_backup_setup.exe
2016-08-30 12:40 - 2016-08-30 12:40 - 00000000 ____D C:\Users\Chris\Desktop\Old Firefox Data
2016-08-30 12:11 - 2016-09-05 09:27 - 00000000 ____D C:\ProgramData\yes
2016-08-25 21:50 - 2016-08-25 21:50 - 00000000 _____ C:\Windows\Textart.INI
2016-08-19 07:03 - 2016-07-08 11:16 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-08-10 16:00 - 2016-08-02 10:08 - 00346312 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2016-08-10 16:00 - 2016-08-02 02:03 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-08-10 16:00 - 2016-08-02 02:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2016-08-10 16:00 - 2016-08-02 01:54 - 20343808 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00497664 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00341504 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-08-10 16:00 - 2016-08-02 01:51 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2016-08-10 16:00 - 2016-08-02 01:51 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2016-08-10 16:00 - 2016-08-02 01:50 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2016-08-10 16:00 - 2016-08-02 01:47 - 02286592 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-08-10 16:00 - 2016-08-02 01:45 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-08-10 16:00 - 2016-08-02 01:44 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2016-08-10 16:00 - 2016-08-02 01:42 - 00476160 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00663552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2016-08-10 16:00 - 2016-08-02 01:41 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-08-10 16:00 - 2016-08-02 01:41 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2016-08-10 16:00 - 2016-08-02 01:36 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2016-08-10 16:00 - 2016-08-02 01:33 - 00416256 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-08-10 16:00 - 2016-08-02 01:29 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2016-08-10 16:00 - 2016-08-02 01:28 - 00091136 _____ (Microsoft Corporation) C:\Windows\system32\inseng.dll
2016-08-10 16:00 - 2016-08-02 01:26 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2016-08-10 16:00 - 2016-08-02 01:25 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-08-10 16:00 - 2016-08-02 01:24 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-08-10 16:00 - 2016-08-02 01:22 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\occache.dll
2016-08-10 16:00 - 2016-08-02 01:21 - 04608000 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-08-10 16:00 - 2016-08-02 01:16 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll
2016-08-10 16:00 - 2016-08-02 01:15 - 00692736 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 02055680 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-08-10 16:00 - 2016-08-02 01:14 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2016-08-10 16:00 - 2016-08-02 01:14 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2016-08-10 16:00 - 2016-08-02 01:11 - 13808128 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-08-10 16:00 - 2016-08-02 00:56 - 02393088 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-08-10 16:00 - 2016-08-02 00:53 - 01316352 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-08-10 16:00 - 2016-08-02 00:51 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-08-10 16:00 - 2016-07-08 11:22 - 00137960 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-08-10 16:00 - 2016-07-08 11:22 - 00067304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-08-10 16:00 - 2016-07-08 11:16 - 01062912 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00655360 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00553472 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00260608 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00251392 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\rpchttp.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2016-08-10 16:00 - 2016-07-08 11:16 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2016-08-10 16:00 - 2016-07-08 10:55 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2016-08-10 16:00 - 2016-07-08 10:53 - 02399232 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00226304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-08-10 16:00 - 2016-07-08 10:51 - 00098304 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-08-10 16:00 - 2016-07-08 10:50 - 00036352 _____ (Microsoft Corporation) C:\Windows\system32\cryptbase.dll
2016-08-10 16:00 - 2016-07-08 10:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2016-08-10 16:00 - 2016-07-08 10:50 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-09-05 10:15 - 2013-10-11 22:28 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-05 10:14 - 2013-11-25 10:56 - 00000000 ____D C:\Users\Chris\AppData\Roaming\ClassicShell
2016-09-05 09:59 - 2016-03-15 11:37 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-05 09:13 - 2010-11-20 17:01 - 00795074 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-05 09:13 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\inf
2016-09-05 09:11 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-05 09:11 - 2009-07-14 00:34 - 00032096 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-05 09:06 - 2013-10-11 22:28 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-05 09:06 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-05 09:06 - 1997-07-11 00:00 - 00022701 ____H C:\Windows\system32\FFASTLOG.TXT
2016-09-03 14:43 - 2016-04-03 23:32 - 00016444 _____ C:\Users\Chris\Documents\PDF_Log.txt
2016-09-03 01:36 - 2009-07-14 00:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-09-03 00:33 - 2013-11-17 23:41 - 00000000 ____D C:\Users\Chris\Documents\My Scans
2016-09-02 22:48 - 2013-11-03 15:00 - 00000000 ____D C:\Users\Chris\AppData\Local\CutePDF Writer
2016-09-02 19:30 - 2013-10-22 18:58 - 00000000 ____D C:\Users\Chris\AppData\Local\CrashDumps
2016-08-31 22:42 - 2015-09-22 01:33 - 00000008 __RSH C:\ProgramData\ntuser.pol
2016-08-31 22:39 - 2013-10-24 14:36 - 00000749 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-08-31 22:39 - 2013-10-24 14:36 - 00000749 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-08-31 22:39 - 2013-10-11 20:27 - 00001164 _____ C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-08-31 22:39 - 2009-07-13 22:37 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-08-30 13:17 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160831-123042.backup
2016-08-27 11:07 - 2013-10-24 14:36 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2016-08-24 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160830-131752.backup
2016-08-20 15:35 - 2014-02-01 01:20 - 00000000 ____D C:\Users\Chris\AppData\Roaming\HpUpdate
2016-08-19 08:00 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\rescache
2016-08-17 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160824-123043.backup
2016-08-10 16:13 - 2009-07-14 00:33 - 00545640 _____ C:\Windows\system32\FNTCACHE.DAT
2016-08-10 16:04 - 2013-10-12 16:40 - 00000000 ____D C:\Windows\system32\MRT
2016-08-10 16:01 - 2013-10-12 16:40 - 144884648 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-08-10 12:30 - 2009-07-13 22:04 - 00453324 ____R C:\Windows\system32\Drivers\etc\hosts.20160817-123042.backup
==================== Files in the root of some directories =======
2015-08-01 10:23 - 2015-08-01 10:23 - 0000059 _____ () C:\Users\Chris\AppData\Roaming\StringRegExpGUIPattern.dat
2013-11-17 23:27 - 2013-11-17 23:27 - 0000093 _____ () C:\Users\Chris\AppData\Local\fusioncache.dat
2013-10-23 09:20 - 2015-09-19 10:24 - 0007607 _____ () C:\Users\Chris\AppData\Local\resmon.resmoncfg
2013-11-17 22:48 - 2015-05-25 11:35 - 0001453 _____ () C:\ProgramData\hpzinstall.log
Some files in TEMP:
====================
C:\Users\Chris\AppData\Local\Temp\libeay32.dll
C:\Users\Chris\AppData\Local\Temp\msvcr120.dll
C:\Users\Chris\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2016-09-05 10:04
==================== End of FRST.txt ============================
Chris Haslam
2016-09-05, 20:54
SystemLook:
SystemLook 30.07.11 by jpshortstuff
Log created at 13:52 on 05/09/2016 by Chris
Administrator - Elevation successful
========== folderfind ==========
Searching for "FileFinder"
No folders found.
========== filefind ==========
Searching for "FileFinder"
No files found.
========== regfind ==========
Searching for "FileFinder"
[HKEY_CURRENT_USER\Software\FLEXnet\Connect\db\FileFinder.ini]
[HKEY_CURRENT_USER\Software\Helios\TextPad 5\Recent File List]
"File4"="C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\ProgID]
@="HHCtrl.FileFinder.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\VersionIndependentProgID]
@="HHCtrl.FileFinder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"DisplayName"="FileFinder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"UninstallString"=""C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"QuietUninstallString"=""C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe" -s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"DisplayIcon"=""C:\Program Files\FileFinder\icon.ico""
[HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\FLEXnet\Connect\db\FileFinder.ini]
[HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Helios\TextPad 5\Recent File List]
"File4"="C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
-= EOF =-
Look back to post #23, did you run that FRST script?
Chris Haslam
2016-09-05, 22:44
My error: I saved the contents of the quote box to the wrong file name.
I have now saved to the correct file name.
Now fixlog.txt:
Fix result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (05-09-2016 15:31:32) Run:2
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Windows\FileFinder.ini
C:\Program Files\FileFinder\FileFinder.exe
C:\Program Files\FileFinder
FirewallRules: [{2F4F8DFF-6326-425D-8D16-4A87F4A5BB07}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
FirewallRules: [{ECD938F0-FCBA-49A9-8CFA-61A57F920A71}] => (Allow) C:\Program Files\FileFinder\FileFinder.exe
C:\Users\Chris\AppData\Local\Temp\libeay32.dll
C:\Users\Chris\AppData\Local\Temp\msvcr120.dll
C:\Users\Chris\AppData\Local\Temp\sqlite3.dll
EmptyTemp:
End
*****************
Restore point was successfully created.
Processes closed successfully.
"C:\Windows\FileFinder.ini" => not found.
"C:\Program Files\FileFinder\FileFinder.exe" => not found.
"C:\Program Files\FileFinder" => not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2F4F8DFF-6326-425D-8D16-4A87F4A5BB07} => value not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{ECD938F0-FCBA-49A9-8CFA-61A57F920A71} => value not found.
"C:\Users\Chris\AppData\Local\Temp\libeay32.dll" => not found.
"C:\Users\Chris\AppData\Local\Temp\msvcr120.dll" => not found.
"C:\Users\Chris\AppData\Local\Temp\sqlite3.dll" => not found.
=========== EmptyTemp: ==========
BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10997638 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 0 B
Firefox => 11394730 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 0 B
LocalService => 0 B
NetworkService => 0 B
Chris => 20631 B
RecycleBin => 0 B
EmptyTemp: => 21.4 MB temporary data Removed.
================================
The system needed a reboot.
==== End of Fixlog 15:31:41 ====
----
SystemLook.txt:
SystemLook 30.07.11 by jpshortstuff
Log created at 15:34 on 05/09/2016 by Chris
Administrator - Elevation successful
========== folderfind ==========
Searching for "FileFinder"
No folders found.
========== filefind ==========
Searching for "FileFinder"
No files found.
========== regfind ==========
Searching for "FileFinder"
[HKEY_CURRENT_USER\Software\FLEXnet\Connect\db\FileFinder.ini]
[HKEY_CURRENT_USER\Software\Helios\TextPad 5\Recent File List]
"File4"="C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\ProgID]
@="HHCtrl.FileFinder.1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\VersionIndependentProgID]
@="HHCtrl.FileFinder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder.1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"DisplayName"="FileFinder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"UninstallString"=""C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"QuietUninstallString"=""C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe" -s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
"DisplayIcon"=""C:\Program Files\FileFinder\icon.ico""
[HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\FLEXnet\Connect\db\FileFinder.ini]
[HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\Helios\TextPad 5\Recent File List]
"File4"="C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
-= EOF =-
Fix result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (05-09-2016 15:31:32) Run:2
I don't think the first run is saved, and I think thats why we see
value not found.
file not found.
I've created a script for FRST, and since the above was run 2 times, chances are it isn't going to find much
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
start
CreateRestorePoint:
CloseProcesses:
Deletekey:[HKEY_CURRENT_USER\Software\FLEXnet\Connect\db\FileFinder.ini]
DeleteKey:C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\ProgID]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\VersionIndependentProgID]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder.1]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
C:\Program Files\FileFinder\icon.ico
DeleteKey:[HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\FLEXnet\Connect\db\FileFinder.ini]
C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
end
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
Chris Haslam
2016-09-06, 01:16
fixlog.txt:
Fix result of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Ran by Chris (05-09-2016 18:06:07) Run:3
Running from C:\Users\Chris\Desktop
Loaded Profiles: Chris (Available Profiles: Chris)
Boot Mode: Normal
==============================================
fixlist content:
*****************
start
CreateRestorePoint:
CloseProcesses:
Deletekey:[HKEY_CURRENT_USER\Software\FLEXnet\Connect\db\FileFinder.ini]
DeleteKey:C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\ProgID]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\VersionIndependentProgID]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder.1]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe
DeleteKey:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder]
C:\Program Files\FileFinder\icon.ico
DeleteKey:[HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\FLEXnet\Connect\db\FileFinder.ini]
C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg"
end
*****************
Restore point was successfully created.
Processes closed successfully.
HKEY_CURRENT_USER\Software\FLEXnet\Connect\db\FileFinder.ini => key removed successfully.
C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg => key not found: incorrect path.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\ProgID => key removed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ADB880A4-D8FF-11CF-9377-00AA003B7A11}\VersionIndependentProgID => key removed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder => key removed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder.1 => could not remove at first attempt (ErrorCode: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HHCtrl.FileFinder.1 => key removed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder => key removed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder => key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder => key not found.
"C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe" => not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder => key not found.
"C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.exe" => not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileFinder => key not found.
"C:\Program Files\FileFinder\icon.ico" => not found.
HKEY_USERS\S-1-5-21-4166634823-2150066620-1418166359-1000\Software\FLEXnet\Connect\db\FileFinder.ini => key not found.
"C:\ProgramData\yes\products\FileFinder\uninstall\uninstall.cfg" => not found.
The system needed a reboot.
==== End of Fixlog 18:06:16 ====
Chris Haslam
2016-09-06, 01:24
Directory C:\ProgramData\yes is now empty.
FileFinder is no longer listed in Control Panel > Programs and features.
YES!
ready to remove tools and folders again?
Chris Haslam
2016-09-06, 22:17
Yes I am
DelFix
Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
Activate UAC
Remove disinfection tools
Click the Run button.
-- This will remove the specialized tools we used to disinfect your system.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
************************************
Chris Haslam
2016-09-07, 07:50
Done
Revo:
DelFix left it behind. on the Desktop, I right-clicked on Revo's icon and chose Delete. This removed the icon, but Revo was still in Control Panel > Programs and Features. So I uninstalled it there.
I think that my troubles are over, thanks to you!
I will be donating to Spybot.
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif
Since this issue appears resolved ... this Topic is closed.