"The requested URL was rejected" with only one site, everywhere else is ok



videobruce
2017-07-04, 21:23
I did a search first and that came up, but most of the supposed solutions were cleaning cookies & cache from the browser. I do that automatically when I close the browser, as I have done for well over 15 years. The other solutions were far more complicated and seemed to be directed at specific systems or circumstances.

Details:
Win7 SP1 (no updates, purposely)
Opera Classic v12.18
Firefox v53 Portable
Spectrum Cable Internet (if that matters)
NO firewall or filters, either in the router or software
Only one site is affected: my bank's account login page. Other pages on their site are fine, only the login page: https://onlinebanking.mtb.com/

Now the kicker is, there is also a problem using Firefox: I can log in, but the "accounts" summary page didn't show the separate accounts as it should. I had to navigate off that specific page, then return for that missing portion of the page to display.

Now, what I did was scan using Spybot (of course), CCleaner, HijackThis, Kaspersky AVZ Toolkit, AVG & Panda. Other than some known false positives, nothing turned up other than some crap CCleaner & Spybot cleaned up, but nothing suspicious.

Anyway, the special message on a blank page (I can't even get to the login page) is below:
The requested URL was rejected. If you experience issues browsing to this webpage please call the Online & Mobile Banking help line at 1-800-790-9130 and provide the Error Code below.

Your Error Code is: 6531125852694242027

videobruce
2017-07-04, 21:24
To add, I have a 2nd bootable HDD in my main tower with a (close to) mirror install as the drive I normally use. There is NO issue there as there is NO issue on a laptop running XP.

videobruce
2017-07-04, 21:32
I forgot to add: after I ran those programs, the problem disappeared last night, only to return this morning. Since I re-ran CCleaner & Spybot again today, the problem has gone away again as I type this. I'll post back when and if it returns; unless I'm lucky, I bet it will. :devil:


(It would be nice if one could edit a post instead of adding one. :sad: )

Admin Edit
http://forums.spybot.info/showthread.php?t=288

"Can I edit my own posts?

In the Malware Removal Forum, members may not edit their posts."

videobruce
2017-07-04, 21:38
I closed the browser (Opera) and reopened it, with the problem returning as it did last night. I tried FF, and as of now that is OK (same site of course). Two things I will add: I do run Ghostery, but that never was a problem here. The other is that another 'bank' site login does work OK with Opera.

All of this is using just my main drive (not the backup) in this tower. OK, I give up, ideas please????

Juliet
2017-07-04, 22:08
Let's try a couple of things.

Let's try resetting the router, since that's a simple task.

Turn off the computer
Turn off the router, unplug it. Let it sit for a good 4 to 5 minutes.

Plug the router back into the electrical outlet and turn it on (if it has an on/off switch on the back).

Boot up computer.

~~~
Follow the instructions below on how to flush DNS:
http://www.wikihow.com/Flush-DNS


~~~

Farbar Recovery Scan Tool (FRST) Scan

Please download Farbar Recovery Scan Tool (x32) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/) or Farbar Recovery Scan Tool (x64) (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save the file to your Desktop.
Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
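Before (or alongside) the FRST scan, the two settings most likely to make a single site misbehave from one machine only are a per-user proxy and a modified hosts file, which is exactly the kind of thing FRST reports in its Internet section. The PowerShell script below is an added example, not part of Juliet's instructions or of FRST: it prints the WinINET proxy values that Internet Explorer and many other programs read, lists every active hosts-file line, shows which process owns the port when the proxy points at the local machine, and then flushes the resolver cache (the command-line equivalent of the wikiHow step). It assumes only the standard registry and hosts-file locations on Windows 7 and later and should be run from an elevated PowerShell prompt.

```powershell
# Added diagnostic example (not from the thread or from FRST). Read-only apart
# from the final DNS cache flush. Run from an elevated PowerShell prompt.

# Standard WinINET per-user proxy location (HKCU, so it applies to the user
# who is logged in, which matches the per-SID ProxyServer line FRST prints).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet    = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue

Write-Host "ProxyEnable   : $($inet.ProxyEnable)"
Write-Host "ProxyServer   : $($inet.ProxyServer)"
Write-Host "AutoConfigURL : $($inet.AutoConfigURL)"

# A proxy on localhost/127.x means some program on this PC sits between the
# browser and the bank. Show which process owns that port so it can be
# identified before the browser's view of the site is trusted.
if ($inet.ProxyServer -match '(localhost|127\.\d+\.\d+\.\d+):(\d+)') {
    $port = $Matches[2]
    Write-Warning "Proxy points at the local machine on port $port."
    # netstat -ano lists listening sockets with their owning PID.
    netstat -ano | Select-String -Pattern "[:.]$port\s+.*LISTENING\s+(\d+)" |
        ForEach-Object {
            $procId = $_.Matches[0].Groups[1].Value
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            Write-Host ("  PID {0} -> {1}" -f $procId, $proc.Path)
        }
}

# Every active (non-comment, non-blank) hosts-file line. The stock Windows 7
# hosts file contains only comments, so any line printed here was added later.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$active = Get-Content -Path $hostsPath |
    Where-Object { $_.Trim() -ne '' -and $_ -notmatch '^\s*#' }
Write-Host "Active hosts entries: $(@($active).Count)"
$active | ForEach-Object { Write-Host "  $_" }

# Flush the resolver cache so a stale or poisoned record is not reused.
ipconfig /flushdns | Out-Null
Write-Host 'DNS resolver cache flushed.'
```

Nothing here removes or changes a proxy or hosts entry; the point is to see the configuration before anything is cleaned, so that a helper reading the FRST log can match what it reports against what the machine is actually doing.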

videobruce
2017-07-05, 01:13
Sheesh, no wonder M$ writes the worst O/S.
I almost NEVER run Idiot Exploiter.

I didn't flush the DNS yet, nor power cycle the router. I will after I post this.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 04-07-2017
Ran by videoBruce (administrator) on VB1 (04-07-2017 18:01:51)
Running from F:\Backup Programs 1 16.7GB\_Virus programs
Loaded Profiles: videoBruce & Administrator (Available Profiles: videoBruce & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: "C:\Program Files\Opera V1218 x64\Opera.exe" "%1")
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\System32\CISVC.EXE
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(ITSamples.com) C:\Program Files\NetworkIndicator v17\NetworkIndicator.exe
( ) C:\Program Files (x86)\BitMeter v35\BitMeter2.exe
() C:\Portables in C\ResizeEnable V13 portable\ResizeEnable V14 1203.exe
(PortableApps.com) C:\Portables in C\Spybot Portable V23\SpybotPortable.exe
(Safer-Networking Ltd.) C:\Portables in C\Spybot Portable V23\App\Spybot\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Portables in C\Spybot Portable V23\App\Spybot\SDScan.exe
(Opera Software) C:\Program Files\Opera V1218 x64\opera.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Farbar) F:\Backup Programs 1 16.7GB\_Virus programs\Farbar Recovery Scan Tool x64.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [9186816 2016-12-23] (Realtek Semiconductor)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161728 2015-11-12] (IvoSoft)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ReminderApp] => [X]
HKU\PE_D_USER11\...\Run: [NetworkIndicator] => C:\Program Files\NetworkIndicator V17\NetworkIndicator.exe [367616 2014-12-12] (ITSamples.com)
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\...\Run: [SpybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\...\Run: [NetworkIndicator] => C:\Program Files\NetworkIndicator v17\NetworkIndicator.exe [367616 2014-12-12] (ITSamples.com)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bitmeter2.lnk [2017-04-26]
ShortcutTarget: Bitmeter2.lnk -> C:\Program Files (x86)\BitMeter v35\BitMeter2.exe ( )
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ResizeEnable.lnk [2017-04-26]
ShortcutTarget: ResizeEnable.lnk -> C:\Portables in C\ResizeEnable V13 portable\ResizeEnable V14 1203.exe ()
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-2248871800-1667375335-2429770600-1000] => localhost:21320
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\..\Interfaces\{5F2F32C9-E09B-4295-8C37-9D792AD95458}: [NameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\.DEFAULT -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\PE_D_ADMINISTRATOR1 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\PE_D_ADMINISTRATOR1 -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\PE_D_DEFAULT -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\PE_D_DEFAULT1 -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\PE_D_USER11 -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-2248871800-1667375335-2429770600-1000 -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-2248871800-1667375335-2429770600-500 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-2248871800-1667375335-2429770600-500 -> {758B870D-DF78-4A6A-9955-DEDDCACF94DC} URL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-11-12] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-11-12] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-11-12] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-11-12] (IvoSoft)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_171.dll [2017-05-09] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_171.dll [2017-05-09] ()

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2017-05-08] (McAfee, Inc.)
S3 NitroReaderDriverReadSpool5; C:\Program Files\Nitro Reader v559\NitroPDFReaderDriverService5x64.exe [327328 2016-08-02] (Nitro Software, Inc.)
S3 Panasonic Local Printer Service; C:\Program Files (x86)\Panasonic\LocalCom\LMSRVNT.EXE [49152 2010-01-09] (Panasonic System Networks Co., Ltd.) [File not signed]
R3 SDScannerService; C:\Portables in C\Spybot Portable V23\App\Spybot\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)
S3 WsDrvInst; C:\Program Files (x86)\KeepVid Pro v61\DriverInstall.exe [123080 2017-03-16] ()

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 amdkmafd; C:\Windows\System32\DRIVERS\amdkmafd.sys [23240 2016-05-10] (Advanced Micro Devices, Inc.)
R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
R3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
R4 KProcessHacker3; C:\Portables in C\Process Hacker Portable V239\kprocesshacker.sys [45208 2016-03-28] (wj32)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2017-05-08] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106120 2017-05-08] (McAfee, Inc.)
R0 pwdrvio; C:\Windows\System32\pwdrvio.sys [19152 2013-09-30] ()
S3 pwdspio; C:\Windows\system32\pwdspio.sys [12504 2013-09-30] ()
U5 UnlockerDriver5; C:\Program Files\Unlocker v192\UnlockerDriver5.sys [12352 2010-07-01] ()
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [225792 2014-10-31] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [305664 2014-10-31] (VIA Technologies, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-04 17:59 - 2017-07-04 18:01 - 00000000 ____D C:\FRST
2017-07-04 15:14 - 2017-07-04 15:14 - 00000000 ____D C:\Windows\SysWOW64\tmp0000197c
2017-07-04 14:25 - 2017-07-04 14:25 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy.BackupBySpybotPortable
2017-07-04 14:24 - 2009-06-10 17:00 - 00000824 _____ C:\Windows\system32\Drivers\etc\hosts.20170704-142428.backup
2017-07-04 14:08 - 2017-07-04 14:08 - 00000000 ____D C:\Program Files\stinger
2017-07-04 12:45 - 2017-07-04 12:45 - 00182214 _____ C:\TDSSKiller.3.1.0.12_04.07.2017_12.45.19_log.txt
2017-07-04 12:36 - 2017-07-04 12:36 - 00000000 ____D C:\KVRT_Data
2017-07-03 00:31 - 2017-07-03 00:31 - 00001206 _____ C:\Users\User1\Desktop\LA Player 4102.lnk
2017-06-29 07:16 - 2017-06-29 07:16 - 00002089 _____ C:\Users\User1\Desktop\LA Player.lnk
2017-06-10 08:12 - 2017-06-10 08:12 - 00000000 ____D C:\Users\User1\AppData\Roaming\772
2017-06-05 15:51 - 2017-06-14 07:23 - 00000954 __RSH C:\Users\User1\ntuser.pol

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-07-04 18:02 - 2016-05-18 08:12 - 00000000 ____D C:\Temp
2017-07-04 18:01 - 2017-04-26 14:42 - 00000000 ____D C:\ProgramData\Bitmeter2
2017-07-04 15:03 - 2009-07-14 01:13 - 00785576 _____ C:\Windows\system32\PerfStringBackup.INI
2017-07-04 15:03 - 2009-07-14 00:45 - 00031088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-07-04 15:03 - 2009-07-14 00:45 - 00031088 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-07-04 15:03 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2017-07-04 14:58 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-07-04 14:54 - 2017-04-26 08:49 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2017-07-04 14:35 - 2017-05-10 17:56 - 00000000 ____D C:\Users\User1\AppData\Roaming\Mozilla
2017-07-04 14:35 - 2017-04-27 11:40 - 00000000 ____D C:\Users\User1\AppData\LocalLow\Mozilla
2017-07-04 14:13 - 2016-05-18 08:21 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-07-04 13:10 - 2017-04-26 15:45 - 00000125 ___SH C:\ProgramData\.zreglib
2017-07-04 13:10 - 2017-04-26 15:43 - 00000000 ____D C:\Program Files (x86)\AnyDVD v744
2017-07-04 12:41 - 2017-05-09 10:46 - 00000000 ____D C:\Users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Virus Programs
2017-07-04 12:40 - 2016-05-18 08:20 - 00000000 ____D C:\Portables in C
2017-07-03 19:29 - 2017-04-28 02:18 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2017-07-03 19:17 - 2017-04-27 07:45 - 00000000 ____D C:\Program Files\Revo Uninstaller Pro v316
2017-07-03 15:30 - 2017-05-30 10:00 - 00000000 ____D C:\Users\User1\AppData\Roaming\HandBrake
2017-06-26 14:11 - 2017-04-26 13:14 - 00000000 ____D C:\Users\User1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV Players
2017-06-25 08:49 - 2017-04-27 09:08 - 00000000 ____D C:\Users\User1\AppData\Roaming\ThumbsPlus
2017-06-25 08:49 - 2017-04-27 09:06 - 00000000 ____D C:\Program Files (x86)\ThumbsPlus v8
2017-06-14 07:23 - 2016-05-18 08:27 - 00000000 ____D C:\Users\User1
2017-06-13 16:42 - 2017-04-27 10:45 - 00000000 ____D C:\Users\User1\AppData\Roaming\vlc
2017-06-10 06:53 - 2017-04-29 13:13 - 00000000 ____D C:\Users\User1\AppData\Roaming\dvdcss
2017-06-09 13:26 - 2017-04-29 12:43 - 00000000 ____D C:\Program Files (x86)\DVDFab v9128
2017-06-08 07:19 - 2009-07-14 01:08 - 00032614 _____ C:\Windows\Tasks\SCHEDLGU.TXT

==================== Files in the root of some directories =======

2017-05-08 08:57 - 2017-05-08 08:57 - 0000000 _____ () C:\Users\User1\AppData\Roaming\chrtmp
2017-04-26 15:45 - 2017-07-04 13:10 - 0000125 ___SH () C:\ProgramData\.zreglib
2016-05-18 08:36 - 2016-05-18 08:36 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-07-03 09:31

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 04-07-2017
Ran by videoBruce (04-07-2017 18:02:23)
Running from F:\Backup Programs 1 16.7GB\_Virus programs
Windows 7 Professional Service Pack 1 (X64) (2016-05-18 12:11:58)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2248871800-1667375335-2429770600-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-2248871800-1667375335-2429770600-501 - Limited - Disabled)
videoBruce (S-1-5-21-2248871800-1667375335-2429770600-1000 - Administrator - Enabled) => C:\Users\User1

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 16.00 (x64) (HKLM\...\7-Zip) (Version: 16.00 - Igor Pavlov)
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.171 - Adobe Systems Incorporated)
AnyDVD (HKLM-x32\...\AnyDVD) (Version: 7.4.4.0 - SlySoft)
BitMeter (HKLM-x32\...\BitMeter) (Version: - )
Classic Shell (HKLM\...\{D4B3454F-7529-4F5F-851D-2C36933F7D64}) (Version: 4.2.5 - IvoSoft)
CloneDVD2 (HKLM-x32\...\CloneDVD2) (Version: 2.9.3.0 - Elaborate Bytes)
Directory Tree List Maker (HKLM-x32\...\{0692174B-8402-4896-9A4C-3942A1FC5E02}) (Version: 1.0.0 - Olivier Sangala)
DVD Shrink 3.2 (HKLM-x32\...\DVD Shrink_is1) (Version: - DVD Shrink)
DVDFab 9.1.2.8 (19/02/2014) (HKLM-x32\...\DVDFab 9_is1) (Version: - Fengtao Software Inc.)
Greeting Card Factory Photo Card Maker (HKLM-x32\...\{9C627F78-DBB9-4293-AA89-E83119C39CE9}) (Version: 1.0.0.5 - Nova Development)
HandBrake 1.0.7 (HKLM-x32\...\HandBrake) (Version: 1.0.7 - )
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
KeepVid Pro(Build 6.1.2.4) (HKLM-x32\...\KeepVid Pro_is1) (Version: 6.1.2.4 - KeepVid Studio)
MakeMKV v1.10.4 (HKLM-x32\...\MakeMKV) (Version: v1.10.4 - GuinpinSoft inc)
Microsoft .NET Framework 4.6.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01590 - Microsoft Corporation)
MX-900 Editor (HKLM-x32\...\{30C6798C-2BA6-47AC-AD99-F60F0EBF665D}) (Version: 1.10.044 - Universal Remote Control, Inc.)
Myibidder Auction Bid Sniper for eBay 1.1.4 (HKLM-x32\...\myibay eBay bid sniper_is1) (Version: 1.1.4 (Build 551) - Myibidder.com)
Network Activity Indicator for Windows 7 - 8.1 (HKLM-x32\...\NetworkIndicator_is1) (Version: 1.7 - ITSamples.com)
Nitro Reader 5 (HKLM\...\{42BEF461-E91D-4C9E-94A2-790D973CE971}) (Version: 5.5.9.2 - Nitro)
Opera 12.18 (HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\...\Opera 12.18.1873) (Version: 12.18.1873 - Opera Software ASA)
Panasonic Multi-Function Station software (HKLM-x32\...\{53DE4FAD-F853-44F3-AC39-AD2940E5DD53}) (Version: 1.00 - Panasonic)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.8023 - Realtek Semiconductor Corp.)
Revo Uninstaller Pro 3.1.6 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.6 - VS Revo Group, Ltd.)
Snagit 9.1.2 (HKLM-x32\...\{B440D659-FECA-4BDD-A12B-5C9F05790FF3}) (Version: 9.1.2.304 - TechSmith Corporation)
ThumbsPlus (HKLM-x32\...\{AD1FE8DD-0A6A-46E7-9B5F-8A70DD75CA93}) (Version: 8.1.0.3537 - Cerious Software Inc.) Hidden
ThumbsPlus (HKU\PE_D_USER11\...\ThumbsPlus) (Version: - Cerious Software Inc.)
ThumbsPlus (HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\...\ThumbsPlus) (Version: - Cerious Software Inc.)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
VirusTotal Scanner (HKLM-x32\...\{43C5B500-38EB-456F-8C71-CE7B1F7F9976}) (Version: 6.5 - SecurityXploded) Hidden
VirusTotal Scanner (HKLM-x32\...\VirusTotal Scanner 6.5) (Version: 6.5 - SecurityXploded)
Winamp (HKLM-x32\...\Winamp) (Version: 5.666 - Nullsoft, Inc)
WinX DVD Ripper Platinum 8.5.0 (HKLM-x32\...\WinX DVD Ripper Platinum_is1) (Version: - Digiarty Software, Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2015-11-12] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2015-11-12] (IvoSoft)
ContextMenuHandlers01: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip v16\7-zip.dll [2016-05-10] (Igor Pavlov)
ContextMenuHandlers03: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => C:\Program Files\Unlocker v192\UnlockerCOM.dll [2010-07-15] ()
ContextMenuHandlers04: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip v16\7-zip.dll [2016-05-10] (Igor Pavlov)
ContextMenuHandlers06: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip v16\7-zip.dll [2016-05-10] (Igor Pavlov)
ContextMenuHandlers06: [StartMenuExt] -> {E595F05F-903F-4318-8B0A-7F633B520D2B} => C:\Windows\system32\StartMenuHelper64.dll [2015-11-12] (IvoSoft)
ContextMenuHandlers06: [UnlockerShellExtension] -> {DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} => C:\Program Files\Unlocker v192\UnlockerCOM.dll [2010-07-15] ()

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {5C0AEEEA-C154-45BE-8499-BEA5F11BAFF6} - System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe
Task: {753C47AE-EC5E-44B3-95A9-2C8E553F0E39} - System32\Tasks\Microsoft\Windows\Windows Media Sharing\UpdateLibrary => C:\Program Files\Windows Media Player\wmpnscfg.exe
Task: {A1D60D55-A6B8-401B-BC05-2938E02DF2F2} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Scan => d:\program files\windows defender\MpCmdRun.exe
Task: {A6AF9377-77CE-47AB-AD7D-EC32CAD0C82D} - System32\Tasks\Microsoft\Windows\Location\Notifications => C:\Windows\System32\LocationNotifications.exe
Task: {C4E8B14A-4159-4C58-BDAD-281DBBFC97E8} - System32\Tasks\Microsoft\Windows Defender\MpIdleTask => d:\program files\windows defender\MpCmdRun.exe
Task: {D0250F3F-6480-484F-B719-42F659AC64D5} - System32\Tasks\Microsoft\Windows\Windows Error Reporting\QueueReporting => C:\Windows\system32\wermgr.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)


==================== Loaded Modules (Whitelisted) ==============

2010-07-15 00:44 - 2010-07-15 00:44 - 00020032 _____ () C:\Program Files\Unlocker v192\UnlockerCOM.dll
2016-05-18 08:21 - 2003-12-30 19:18 - 00040960 _____ () C:\Portables in C\ResizeEnable V13 portable\ResizeEnable V14 1203.exe
2017-04-26 11:33 - 2017-04-26 11:33 - 01022464 _____ () C:\Program Files\Opera V1218 x64\gstreamer\gstreamer.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00108544 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstaudioconvert.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00106496 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstaudioresample.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00062464 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstautodetect.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00108032 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstcoreplugins.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00073216 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstdecodebin2.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00074752 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstdirectsound.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00201216 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstffmpegcolorspace.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00340480 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstoggdec.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00045056 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstwaveform.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00077312 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstwavparse.dll
2017-04-26 11:33 - 2017-04-26 11:33 - 00115712 _____ () C:\Program Files\Opera V1218 x64\gstreamer\plugins\gstwebmdec.dll
2016-05-18 08:21 - 2003-12-30 19:18 - 00069632 _____ () C:\Portables in C\ResizeEnable V13 portable\ResizeEnable.dll
2017-07-04 15:05 - 2017-07-04 15:05 - 00011264 _____ () C:\Temp\nsxBC6D.tmp\System.dll
2017-07-04 15:05 - 2017-07-04 15:05 - 00013312 _____ () C:\Temp\nsxBC6D.tmp\UAC.dll
2017-07-04 15:05 - 2017-07-04 15:05 - 00029696 _____ () C:\Temp\nsxBC6D.tmp\registry.dll
2016-05-18 08:21 - 2014-04-25 14:11 - 00109400 _____ () C:\Portables in C\Spybot Portable V23\App\Spybot\snlThirdParty150.bpl
2016-05-18 08:21 - 2014-04-25 14:11 - 00416600 _____ () C:\Portables in C\Spybot Portable V23\App\Spybot\DEC150.bpl
2016-05-18 08:21 - 2014-04-25 14:11 - 00167768 _____ () C:\Portables in C\Spybot Portable V23\App\Spybot\snlFileFormats150.bpl
2016-05-18 08:21 - 2012-08-23 10:38 - 00574840 _____ () C:\Portables in C\Spybot Portable V23\App\Spybot\sqlite3.dll
2016-05-18 08:21 - 2012-04-03 17:06 - 00565640 _____ () C:\Portables in C\Spybot Portable V23\App\Spybot\av\BDSmartDB.dll
2016-05-18 08:21 - 2014-04-25 14:11 - 02972112 _____ () C:\Portables in C\Spybot Portable V23\App\Spybot\NotificationSpreader.dll
2015-12-02 12:58 - 2015-11-16 14:32 - 00919040 _____ () C:\Windows\mod_frst.exe

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\Software\Classes\.exe: => <==== ATTENTION
HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\Software\Classes\.scr: => <==== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

There are 7936 more sites.

There are 7936 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2017-07-04 14:24 - 00454512 ____R C:\Windows\system32\Drivers\etc\hosts

There are 15598 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\PE_D_ADMINISTRATOR1\Control Panel\Desktop\\Wallpaper ->
HKU\PE_D_USER11\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-2248871800-1667375335-2429770600-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\User1\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-2248871800-1667375335-2429770600-500\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 0) (EnableLUA: 0)
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupreg: KeepVidProUpdateHelper.exe => C:\Program Files (x86)\KeepVid Pro v61\KeepVidProUpdateHelper.exe
MSCONFIG\startupreg: Panasonic Device Manager for Multi-Function Station software => C:\Program Files (x86)\Panasonic MFStation V122\PCCMFSDM.exe
MSCONFIG\startupreg: Panasonic PCFAX for Multi-Function Station software => C:\Program Files (x86)\Panasonic MFStation V122\KmPcFax.exe -1

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [ScanManagement-RCWS-Out-TCP] => (Allow) %SystemRoot%\System32\mmc.exe
FirewallRules: [ScanManagement-WSD-Out-TCP] => (Allow) %SystemRoot%\System32\mmc.exe

==================== Restore Points =========================

ATTENTION: System Restore is disabled
Check "winmgmt" service or repair WMI.


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (07/04/2017 03:00:12 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (07/04/2017 02:27:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
Element not found. (HRESULT : 0x80070490) (0x80070490)

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
The content index database is corrupt. (HRESULT : 0xc0041800) (0xc0041800)

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/04/2017 02:26:22 PM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)


System errors:
=============
Error: (07/04/2017 02:58:23 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
amdkmafd
storflt

Error: (07/04/2017 02:58:16 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

Error: (07/04/2017 02:26:52 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
An instance of the service is already running.

Error: (07/04/2017 02:26:22 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (07/04/2017 02:26:22 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (07/04/2017 02:26:06 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
amdkmafd
storflt

Error: (07/04/2017 02:26:00 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

Error: (07/04/2017 12:00:10 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
amdkmafd
storflt

Error: (07/04/2017 12:00:09 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:01:42 PM on ‎7/‎3/‎2017 was unexpected.

Error: (07/04/2017 12:00:04 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!


CodeIntegrity:
===================================
Date: 2017-07-04 15:37:03.908
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmdag.sys because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 15:37:03.674
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmdag.sys because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 15:37:03.440
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmdag.sys because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 15:37:03.097
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmdag.sys because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 15:22:39.900
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 15:22:39.885
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 15:22:39.853
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 15:22:39.822
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 12:48:24.483
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmdag.sys because the set of per-page image hashes could not be found on the system.

Date: 2017-07-04 12:48:24.146
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\atikmdag.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: AMD FX(tm)-8350 Eight-Core Processor
Percentage of memory in use: 27%
Total physical RAM: 8158.63 MB
Available physical RAM: 5894.63 MB
Total Virtual: 8156.81 MB
Available Virtual: 5833.15 MB

==================== Drives ================================

Drive c: (Main 1) (Fixed) (Total:31.25 GB) (Free:19.2 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (Backup 1) (Fixed) (Total:30.65 GB) (Free:20.33 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (Direct 1) (Fixed) (Total:201.63 GB) (Free:136.78 GB) NTFS
Drive f: (Storage 1) (Fixed) (Total:472.48 GB) (Free:299.5 GB) NTFS
Drive g: (A-V Archive 1) (Fixed) (Total:1359.89 GB) (Free:513.76 GB) NTFS
Drive j: (Video 1) (Fixed) (Total:1208.56 GB) (Free:678.94 GB) NTFS
Drive k: (Archive 1) (Fixed) (Total:654.45 GB) (Free:487.96 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: B266878D)
Partition 1: (Active) - (Size=31.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=201.6 GB) - (Type=05)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: F1325C4C)
Partition 1: (Active) - (Size=30.6 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1832.4 GB) - (Type=05)

========================================================
Disk: 2 (Size: 1863 GB) (Disk ID: 24744FDB)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=OF Extended)

==================== End of Addition.txt ============================

Juliet
2017-07-05, 13:25
Let's see if we can turn on system restore to enable the tool so we can create a restore point.
System Restore - Enable or Disable
https://www.sevenforums.com/tutorials/81500-system-restore-enable-disable.html
***************

I see a connect by proxy setting, is this something you set on the machine?
ProxyServer: [S-1-5-21-2248871800-1667375335-2429770600-1000] => localhost:21320

***

Right click on the FRST icon and select Run as administrator.

copy the text below


Start::
EndProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ReminderApp] => [X]
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
CMD: ipconfig /flushdns
Emptytemp:
End::


Now Press the Fix button.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

**
Zemana AntiMalware Free

download it from here (https://www.zemana.com/Download/AntiMalware/Setup/Free/Zemana.AntiMalware.Setup.exe):
Double-click on the file named “Zemana.AntiMalware.Portable” to perform a system scan with Zemana AntiMalware Free.

You may be presented with a User Account Control dialog asking you if you want to run this program. If this happens, you should click “Yes” to allow Zemana AntiMalware to run.

When Zemana AntiMalware starts, click on the “Scan” button to perform a system scan.
Without changing any options, press Scan.

When Zemana has finished scanning it will show a screen that displays any malware that has been detected. To remove all the malicious files, click on the “Next” button.

Zemana AntiMalware will now start to remove all the malicious programs from your computer.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.

Open Zemana AntiMalware again and locate the latest report.
Please paste the contents into your reply.


When the process is complete, you can close Zemana AntiMalware

********************

Malwarebytes AdwCleaner

Please download Malwarebytes AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/dl/125/) and save the file to your Desktop
Right-click AdwCleaner.exe and select Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Logfile. A log (AdwCleaner[S0].txt) will open. Briefly check the log for anything you know to be legitimate.
Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
Click Clean.
Follow the prompts and allow your computer to reboot.
After the reboot, a log (AdwCleaner[C0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File, folder and registry backups are made for items removed using this programme. Should a legitimate file, folder or registry item be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[S0].txt.

**

Please post these 3 logs when finished.

videobruce
2017-07-05, 15:42
First I would like to thank you for your time. I have come across many things in the past 18 or so years, but nothing as bizarre as this. :thanks:

I would at least understand if it was a whole slew of security sites (financial etc.), but why just one?? When I searched for a solution, one site had a response to the solution almost exactly as I am responding; "why only one?" :confused:

Anyway, I power cycled the router, but no change. Another thing I noticed, upon one reboot the problem site's login page did appear as normal. I didn't login purposely. I rebooted, went back to that page and the redirect blank page was there again.

I noticed a few entries in those logs which didn't make sense. One; Defender is not installed here, but the log showed it was active. Also, those two "Attention" lines you have in your text which I noticed, I use GroupEdit for a few 'tweaks' but used a copy that was modified so it will save the settings that M$ doesn't allow (window size, columns, spacing etc) which are annoying to keep on resetting. I don't know if that is what flagged that or not.

videobruce
2017-07-05, 16:24
I just noticed, those previous attachments were only supposed to be 'attachments', I did not check "inline". I was surprised to see them opened within the post.

I did not add that proxy setting. I'm not versed in that department. Whatever/whenever I have no idea. That got flagged (and now removed) with Zemana.

Malwarebytes found 6 entries, all named "SecurityXploded".

Juliet
2017-07-05, 21:09
I've heard of only one website being blocked but I didn't find a good fix/cure for it either, and it doesn't happen often from what I've read.

Let's try resetting browsers.

Instructions on how to backup your Favourites/Bookmarks and other data can be found below.

Backup Internet Explorer Favourites (http://www.wikihow.com/Back-Up-Favorites-in-Internet-Explorer)
Backup Firefox Bookmarks (https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer)
Backup Chrome Bookmarks (http://www.wikihow.com/Export-Bookmarks-from-Chrome)
Backup Opera Bookmarks (http://www.howtogeek.com/136116/how-to-easily-back-up-and-migrate-your-browser-bookmarks/) (scroll down)


Proceed with the reset once done.

Internet Explorer: How to reset Internet Explorer settings (http://support.microsoft.com/kb/923737)
Firefox: Reset Firefox (https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-most-problems)
Chrome: Chrome - Reset browser settings (https://support.google.com/chrome/answer/3296214?hl=en)
Opera: How to perform a clean reinstall of Opera (http://my.opera.com/spadija/blog/2011/10/17/how-to-perform-a-really-clean-reinstall-of-opera)


~~~


Download Emsisoft Emergency Kit (http://www.emsisoft.com/en/software/eek/download/) and save it to your desktop.
Double-click icon then click Install
A Window should open highlighting Start Emergency Kit Scanner
Right click on the icon and select Run as administrator
Click 1. Update now!
Once the update is completed select Settings under Scan
Uncheck Join the Emsisoft Anti-Malware Network
Click Scan at the top
Click On scan completion
Click Quarantine detected objects, then click OK
Click Malware Scan
Once completed click View Report
Save the file to your Desktop using the default file name
Copy and paste the report in your reply

===============


If you would, open Farbar Recovery Scan Tool and run a fresh scan, I'd like to see if host files have changed and if the Proxy settings are still there.

Open Farbar Recovery Scan Tool

Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
Click Yes to the disclaimer.
Ensure the Addition.txt box is checked.
Click the Scan button and let the programme run.
Upon completion, click OK, then OK on the Addition.txt pop up screen.
Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
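
The two items the post above asks FRST to re-check, the per-user proxy setting and the hosts file, can also be read directly. This is an added PowerShell check, not part of the thread and not FRST's own code; it assumes it runs as the affected user on Windows 7 (PowerShell 2.0 or later) and uses netstat rather than Get-NetTCPConnection, which Windows 7 lacks.

```powershell
# Added example (not from the thread or from FRST): re-read the per-user
# WinINET proxy values, find the local process behind a localhost proxy,
# and list hosts-file names that are mapped somewhere other than loopback.
# Assumes HKCU is the profile in question and that netstat is on the PATH.

function Get-WinInetProxy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable      # 1 = "use a proxy server" is on
        ProxyServer   = $p.ProxyServer      # the FRST log showed localhost:21320
        AutoConfigURL = $p.AutoConfigURL    # a PAC script can redirect traffic too
    }
}

function Get-LocalProxyListener {
    # Map the proxy's port to the PID and image listening on it (netstat -ano
    # works on XP/7). For "http=host:port;https=host:port" the last port is used.
    param([string]$ProxyServer)
    if ($ProxyServer -match ':(\d+)\s*$') { $port = $Matches[1] } else { return }
    netstat -ano | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $procId = [int]$Matches[1]
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $image = '(unknown)'
            if ($proc -and $proc.Path) { $image = $proc.Path }
            New-Object PSObject -Property @{ Port = [int]$port; PID = $procId; Image = $image }
        }
    }
}

function Get-NonLoopbackHostsEntries {
    # Spybot's immunization writes 127.0.0.1 lines, which only block a name.
    # A name mapped to any other address is a redirect and deserves a look.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $loopback = @('127.0.0.1', '0.0.0.0', '::1')
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # strip trailing comments
        if ($line -eq '') { return }                # skip blank/comment lines
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }          # address with no name
        $ip = $parts[0]
        if ($loopback -contains $ip) { return }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            New-Object PSObject -Property @{ Address = $ip; Name = $name }
        }
    }
}

# Run the checks and print the results.
$proxy = Get-WinInetProxy
$proxy | Format-List ProxyEnable, ProxyServer, AutoConfigURL
if ($proxy.ProxyEnable -eq 1 -and $proxy.ProxyServer -match '^(localhost|127\.)') {
    Write-Host 'Browser traffic is sent through a local proxy; owning process:'
    Get-LocalProxyListener -ProxyServer $proxy.ProxyServer | Format-Table Port, PID, Image -AutoSize
}
Write-Host 'hosts entries that point somewhere other than loopback:'
Get-NonLoopbackHostsEntries | Format-Table Address, Name -AutoSize
```

An empty proxy listener list with ProxyEnable still set to 1 means the browser will fail to connect rather than be redirected; an unfamiliar image path behind the port is what to carry back to the scan logs.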

videobruce
2017-07-05, 21:36
Update;
This backup HDD, now, at least twice the login page does not appear as opposed to the main HDD where the reverse is true. The laptop is still good, no failures. These tests were done opening and closing the browser, though most times I didn't bother logging in since that isn't the problem as long as the page doesn't get re-directed.

I don't use Idiot Exploiter, nor Chrome-dome (Google spies enough on me as it is). Just FireFox as my backup. I'll do a fresh install of Opera, but I do have a 'portable' version I will try first.
I cleared the 'hosts' file that was full of addresses Spybot added. :confused:

Wow, you sure come up with interesting programs. :bigthumb:

Juliet
2017-07-06, 00:08
This backup HDD, now, at least twice the login page does not appear as opposed to the main HDD where the reverse is true.
Are both HDDs set up the same, security-app wise?

If it's not malware, it has to be settings or security.


When finished, let me know how you made out with the Eset scanner.

And the new FRST logs.

videobruce
2017-07-06, 00:38
Specifically, what/where are the security settings? Within the browser or the O/S? Nothing has changed with either, especially with the backup drive.

That Emsisoft is coming up with too many false positives. :hair:

Juliet
2017-07-06, 00:47
Specifically what/where security settings. Within the browser
Yes, the Opera browser, since that's the main browser you use. Checking the net, some were able to go into the web sites after following the below.

Some say it's related to firewall rules but I find that unlikely.

Delete cookies
Opera 10.50, 11, and Newer

Click on the Opera button in the top left corner > Settings > Delete Private Data... NOTE: You can also access this menu by holding Ctrl + Shift + Delete.
Click on Detailed Options to show the rest of the options. Make sure only the following are checked: Delete temporary cookies.

Opera (Win) - Clearing Cache and Cookies
https://kb.wisc.edu/helpdesk/page.php?id=12381

To ensure that cookie information is kept in the browser, select Settings > Preferences > Advanced > Cookies and check "Delete new cookies when exiting Opera" and close Opera when you have finished browsing.


***

If you think the scanner is finding false positives, don't allow it to delete or quarantine anything, just save the log and I'll look at it.

videobruce
2017-07-06, 01:27
Those security settings are mostly default. Anyway no changes.
I delete cookies & cache on exit, SOP with me in all browsers. There are a few sites that I leave cookies for easier re-login purposes.

Would a wired vs wireless network connection make any difference? The tower is wired, the laptop is wireless.

videobruce
2017-07-06, 01:40
Question:
What is rejecting the specific bank address? The bank site itself, or something/somewhere else? Is there some way to trace that down, I'm not good with Internet paths etc.

Juliet
2017-07-06, 03:47
Would a wired vs wireless network connection make any difference? The tower is wired, the laptop is wireless.
I would certainly try this, it won't hurt anything and should only take a minute to find out.


Question:
What is rejecting the specific bank address? The bank site itself, or something/somewhere else? I
I don't know.
My first thought was antivirus/firewall but if that was true you could temporarily disable it and reset rules.
A gateway rejection, where a verification request did not pass certain settings or rules in your Control Panel.
I've read where, delete the bookmark for the site, reboot, then go back to the site and reset it in bookmarks to work.

All the above are guesses.

I can suggest you visit another forum, where I am also a member, and create a new topic (include a link to this one here) and let's see if the tech guys there can figure this out.
https://forums.whatthetech.com/index.php?showforum=123

videobruce
2017-07-06, 18:43
This keeps on getting better.

I connected the Laptop to a wired connection. For the most part all was fine EXCEPT for ONE time where I received the message, but this time it was AFTER I logged in, on the accounts summary page (the page I would/should normally see). I refreshed the page, it went to that blank white page with the same message. Again, this only happened once. I closed and reopened the browser a number of times, rebooted etc, but the problem didn't return. I unplugged the cable, went back to wireless and all was still ok.

I should add the O/S is XP Pro.

I called that bank online help number again, told the story, I was told to go here and enter my IP address in;
http://brightcloud.com/tools/url-ip-lookup.php

See the attachment, scroll down to the bottom, the score was 40 which put it 'just in' their "Suspicious" status (the lower the number the worse it is). She told me to request an IP address change. This current one I have had for more than two months. That contradicts the above green checkmarks. :confused:

videobruce
2017-07-06, 19:02
FYI: their 2017 threat report from that company in pdf form;

https://www.webroot.com/download_file/view/946

Juliet
2017-07-07, 03:46
You can follow her advice to try and change your IP address.....this takes me out of my field.

It worked being hard wired? Does this mean the router is the problem? And then it worked and stopped?

so much guess work.

see if the tech guys there can figure this out.
https://forums.whatthetech.com/index.php?showforum=123
I would think they can figure out problems with routers and IP addresses.