Zemana wiped out my wallpaper. The image was a Georgia Tech "GT" logo I found somewhere (don't recall where) and started using a couple of years ago.
Here's the Zemana log:
Zemana AntiMalware 2.74.2.150 (Installed)
-------------------------------------------------------
Scan Result : Completed
Scan Date : 2018/2/2
Operating System : Windows 7 32-bit
Processor : 2X Intel(R) Core(TM)2 Duo CPU P8400 @ 2.26GHz
BIOS Mode : Legacy
CUID : 129372FD922810D98B2369
Scan Type : System Scan
Duration : 15m 28s
Scanned Objects : 72967
Detected Objects : 2
Excluded Objects : 0
Read Level : SCSI
Auto Upload : Enabled
Detect All Extensions : Disabled
Scan Documents : Disabled
Domain Info : WORKGROUP,0,2
Detected Objects
-------------------------------------------------------
Suspicious Wallpaper
Status : Scanned
Object : HKCU\Control Panel\Desktop\Wallpaper
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Potentially Unwanted Modification
Cleaning Action : Delete
Related Objects :
Registry Entry - HKCU\Control Panel\Desktop\Wallpaper = C:\Users\Ed\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
Firefox Homepage
Status : Scanned
Object : https://www.toast.net/start/
MD5 : -
Publisher : -
Size : -
Version : -
Detection : Suspicious Browser Setting
Cleaning Action : Repair
Related Objects :
Browser Setting - Firefox Homepage
FP4AWEC.DLL
Status : Failed
Object : %commonprogramfiles%\microsoft shared\web server extensions\40\bin\fp4awec.dll
MD5 : 4B9B586FA57E590369754A113B189839
Publisher : -
Size : 450669
Version : 4.0.2.2611
Detection :
Cleaning Action : Quarantine
Related Objects :
File - %commonprogramfiles%\microsoft shared\web server extensions\40\bin\fp4awec.dll
Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{F6FD0A0F-43F0-11D1-BE58-00A0C90A4335}\InprocServer32\@ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\40\bin\FP4AWEC.DLL
Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{F6FD0A0E-43F0-11D1-BE58-00A0C90A4335}\InprocServer32\@ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\40\bin\FP4AWEC.DLL
Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}\InprocServer32\@ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\40\bin\FP4AWEC.DLL
Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{F6FD0A11-43F0-11D1-BE58-00A0C90A4335}\InprocServer32\@ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\40\bin\FP4AWEC.DLL
Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{F6FD0A01-43F0-11D1-BE58-00A0C90A4335}\InprocServer32\@ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\40\bin\FP4AWEC.DLL
Registry Entry - HKLM\SOFTWARE\Classes\CLSID\{F6FD0A00-43F0-11D1-BE58-00A0C90A4335}\InprocServer32\@ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\40\bin\FP4AWEC.DLL
Cleaning Result
-------------------------------------------------------
Cleaned : 2
Reported as safe : 0
Failed : 0
***
After HitmanPro 3.8.0 ran, I found no C:\ProgramData\HitmanPro\Logs but had saved this log:
Code:
HitmanPro 3.8.0.292
www.hitmanpro.com
Computer name . . . . : ED-PC
Windows . . . . . . . : 6.1.1.7601.X86/2
User name . . . . . . : Ed-PC\Ed
UAC . . . . . . . . . : Enabled
License . . . . . . . : Free
Scan date . . . . . . : 2018-02-02 07:55:46
Scan mode . . . . . . : Normal
Scan duration . . . . : 6m 46s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 0
Traces . . . . . . . : 91
Objects scanned . . . : 1,312,873
Files scanned . . . . : 35,994
Remnants scanned . . : 266,873 files / 1,010,006 keys
Suspicious files ____________________________________________________________
C:\Users\Ed\Desktop\FRST.exe
Size . . . . . . . : 1,754,112 bytes
Age . . . . . . . : 3.1 days (2018-01-30 04:22:06)
Entropy . . . . . : 7.6
SHA-256 . . . . . : 0EEE64881C35F01D68C682D0EEDA4B17FA3B8A1A6B3C504BAEBC946117D8F2DC
Needs elevation . : Yes
Fuzzy . . . . . . : 24.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Time indicates that the file appeared recently on this computer.
C:\Users\Ed\Desktop\Unused Icons\FRST.exe
Size . . . . . . . : 1,725,440 bytes
Age . . . . . . . : 680.5 days (2016-03-23 19:18:28)
Entropy . . . . . : 7.5
SHA-256 . . . . . : EDB662EF9C4A97718C0389AB1745337E8FAD0E627E2E7F3AFA81E680A12D815B
Needs elevation . : Yes
Fuzzy . . . . . . : 22.0
Program has no publisher information but prompts the user for permission elevation.
Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most programs.
Version control is missing. This file is probably created by an individual. This is not typical for most programs.
Potential Unwanted Programs _________________________________________________
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}\ (CouponBar)
Cookies _____________________________________________________________________