
MBAM Found Trojan.BlockAV and PUPS



Hi and thanks in advance for any help. MBAM found Trojan.BlockAV and some other stuff. I removed/fixed/quarantined everything, except this: "PUP.Optional.IoloSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL". There are a bunch of letters and numbers behind the "uninstall", which I have not included in this post, but could if it's needed. This is on a different computer than the one I am currently using. Is this safe to remove from the registry key? I am concerned since it says uninstall and Windows... I don't want to uninstall Windows if that is what this is pointing to (I'm not very familiar with registry stuff). Thanks again for any help.


Thanks for your help. 

Here is that log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/21/2017
Scan Time: 9:31:49 AM
Logfile: MBAM Results 3-21-17.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.03.21.06
Rootkit Database: v2017.03.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Kip

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 320829
Time Elapsed: 1 hr, 4 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.IoloSC, HKLM\SOFTWARE\IOLO\System Checkup, ,
[4565ffcd0a9e4cea4035e9c0f30d718f],
PUP.Optional.IoloSC,
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{918D30D3-AD9B-43A8-9EF7-463075DC93CD}_is1,
, [d8d2f3d9b9efd660821cc2e7f01040c0],

Registry Values: 2
Trojan.BlockAV,
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{F8F8B25A-1466-400F-8C5A-949BC70BD9C6},
v2.0|Action=Block|Active=FALSE|Dir=In|Protocol=17|Profile=Private|App=C:\Program
Files\AVG\AVG2012\avgmfapx.exe|Name=AVG Installer|Edge=FALSE|, ,
[c3e78448f0b83bfb7f6e5feead53a060]
Trojan.BlockAV,
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{62F63D66-9B75-40DA-BD39-18C26AC774C8},
v2.0|Action=Block|Active=FALSE|Dir=In|Protocol=6|Profile=Private|App=C:\Program
Files\AVG\AVG2012\avgmfapx.exe|Name=AVG Installer|Edge=FALSE|, ,
[aefccb01b4f42e080ce10a4354ac8b75]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.IoloSC, C:\Program Files\iolo\System Checkup, ,
[affb11bbbeea0432cb077038bd43dd23],
PUP.Optional.IoloSC, C:\ProgramData\iolo\SCU, ,
[08a2c903783040f675ee1694ad53cc34],

Files: 9
PUP.Optional.IoloSC, C:\Users\USE\Downloads\SCUDownloader.exe, ,
[268428a466423afc33213f6b2bd57c84],
PUP.Optional.IoloSC, C:\Users\Kip\Desktop\System Checkup.lnk, ,
[83273d8f099fd5610bc6b4f4748c758b],
PUP.Optional.IoloSC, C:\Windows\System32\Tasks\iolo SCU task one, ,
[5a508646911779bdb6acc3e7bd43ea16],
PUP.Optional.IoloSC, C:\Program Files\iolo\System
Checkup\SysCheckup.exe, , [affb11bbbeea0432cb077038bd43dd23],
PUP.Optional.IoloSC, C:\Program Files\iolo\System Checkup\uninstsms.exe,
, [affb11bbbeea0432cb077038bd43dd23],
PUP.Optional.IoloSC, C:\ProgramData\iolo\SCU\scuebhtml.dll, ,
[08a2c903783040f675ee1694ad53cc34],
PUP.Optional.IoloSC, C:\ProgramData\iolo\SCU\sculnch.lnk, ,
[08a2c903783040f675ee1694ad53cc34],
PUP.Optional.IoloSC, C:\ProgramData\iolo\SCU\scutstr.dll, ,
[08a2c903783040f675ee1694ad53cc34],
PUP.Optional.IoloSC, C:\ProgramData\iolo\SCU\smscn.dll, ,
[08a2c903783040f675ee1694ad53cc34],

Physical Sectors: 0
(No malicious items detected)


(end)


When you open the logs, are the lines wrapped? Like this:

Administrator (S-1-5-21-569404164-3270716429-1740154810-500 -
Administrator - Disabled)
Guest (S-1-5-21-569404164-3270716429-1740154810-501 - Limited - Disabled)
Kip (S-1-5-21-569404164-3270716429-1740154810-1001 - Administrator -
Enabled) => C:\Users\Kip
USE (S-1-5-21-569404164-3270716429-1740154810-1000 - Limited - Enabled)
=> C:\Users\USE

It should be like this (not wrapped):

Administrator (S-1-5-21-569404164-3270716429-1740154810-500 - Administrator - Disabled)
Guest (S-1-5-21-569404164-3270716429-1740154810-501 - Limited - Disabled)
Kip (S-1-5-21-569404164-3270716429-1740154810-1001 - Administrator - Enabled) => C:\Users\Kip
USE (S-1-5-21-569404164-3270716429-1740154810-1000 - Limited - Enabled) => C:\Users\USE

 


It is like the first one.  I had to copy and paste the reports into an email and send to this computer.  In case this is useful info for you,  I tried to save them to the desktop and my documents folder of the suspect computer, but when I tried to find them, they were not in the documents folder or on my desktop.


I can't use the logs if they are word wrapped. By default, when you run FRST in Scan Mode, the FRST.txt and Addition.txt files will be created in the same folder where FRST.exe is run from. In your case, it should be the Desktop. So they are there, I can guarantee it.

Why do you have to email yourself the logs? Also, if it's easier, simply copy/paste the logs here from the computer directly after running FRST.


I was/am not able to save FRST to my desktop. After it downloads, it opens and that is how I ran it. If you can tell me what I need to do so that I can save it to my desktop, I will gladly do that. I am having to use Chrome, as my Firefox is getting "Couldn't load XPCOM" error. The computer with the problems does not recognize any devices (been that way a long time, I suspect because of Vista from my research on the subject). Since it won't recognize a USB drive to save the files to, I had to email from the computer to this one. If you can tell me how to save FRST to my desktop, I will go do that now and run new reports. Thank you very much.


OK, Internet Explorer will load correctly on the computer that had the Trojan.BlockAV, so I am using it now.  Here are the reports you need:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by Kip (24-03-2017 09:38:52)
Running from C:\Users\USE\Downloads
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) (2011-10-13 15:32:37)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-569404164-3270716429-1740154810-500 - Administrator - Disabled)
Guest (S-1-5-21-569404164-3270716429-1740154810-501 - Limited - Disabled)
Kip (S-1-5-21-569404164-3270716429-1740154810-1001 - Administrator - Enabled) => C:\Users\Kip
USE (S-1-5-21-569404164-3270716429-1740154810-1000 - Limited - Enabled) => C:\Users\USE

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Kaspersky Total Security (Enabled - Up to date) {86367591-4BE4-AE08-2FD9-7FCB8259CD98}
AS: Kaspersky Total Security (Enabled - Up to date) {3D579475-6DDE-A186-1569-44B9F9DE8725}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
FW: Kaspersky Total Security (Enabled) {BE0DF4B4-018B-AF50-0486-D6FE7C8A8AE3}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 8.1.4 - Hewlett-Packard) Hidden
7-Zip 9.22beta (HKLM\...\7-Zip) (Version:  - )
Adobe Flash Player 25 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Advanced Audio FX Engine (HKLM\...\Advanced Audio FX Engine) (Version: 1.12.05 - Creative Technology Ltd)
ANT Drivers Installer x86 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
Apple Application Support (32-bit) (HKLM\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{A75CA58D-DB9C-4D14-9428-E0C7B0F623DC}) (Version: 9.0.0.26 - Apple Inc.)
Apple Software Update (HKLM\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Brother MFL-Pro Suite MFC-495CW (HKLM\...\{0A02D347-5E53-48A5-BC49-1469393103FA}) (Version: 1.0.0.0 - Brother Industries, Ltd.)
BufferChm (Version: 120.0.194.000 - Hewlett-Packard) Hidden
C4600 (Version: 120.0.235.000 - Hewlett-Packard) Hidden
Catalina Savings Printer (HKLM\...\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}) (Version: 1.0.0 - Catalina Marketing Corp) <==== ATTENTION
Cisco EAP-FAST Module (HKLM\...\{415B2719-AD3A-4944-B404-C472DB6085B3}) (Version: 2.1.6 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM\...\{83770D14-21B9-44B3-8689-F7B523F94560}) (Version: 1.0.12 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM\...\{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}) (Version: 1.0.13 - Cisco Systems, Inc.)
Citrix Online Launcher (HKLM\...\{678753E6-E526-4AE5-A144-00240772543A}) (Version: 1.0.393 - Citrix)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows5.0.1.6) (Version: 5.0.1.6 - Coupons.com Incorporated)
Dell Driver Download Manager (HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\bd4d3a0508d364f5) (Version: 3.0.0.0 - Dell Inc)
Dell System Detect (HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\58d94f3ce2c27db0) (Version: 7.3.0.6 - Dell)
Dell System Detect (HKU\S-1-5-21-569404164-3270716429-1740154810-1001\...\9204f5692a8faf3b) (Version: 5.10.0.8 - Dell)
Dell Webcam Central (HKLM\...\Dell Webcam Central) (Version: 1.20.10 - Creative Technology Ltd)
Dell Wireless WLAN Card Utility (HKLM\...\Broadcom 802.11 Application) (Version: 5.10.38.30 - Dell Inc.)
Destination Component (Version: 110.0.0.0 - Hewlett-Packard) Hidden
DeviceDiscovery (Version: 120.0.194.000 - Hewlett-Packard) Hidden
DHTML Editing Component (HKLM\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
Elevated Installer (Version: 3.2.17.0 - Garmin Ltd or its subsidiaries) Hidden
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
FinePixViewer Resource (HKLM\...\{B44529FF-501E-47CD-A06D-223C161BE058}) (Version: 1.2 - FUJIFILM Corporation)
FinePixViewer Ver.5.5 (HKLM\...\{24ED4D80-8294-11D5-96CD-0040266301AD}) (Version: 5.5 - FUJIFILM Corporation)
FinePixViewer YTUPL (HKLM\...\{65EB09A3-993B-401E-8936-C9708CBFAB26}) (Version: 1.0 - FUJIFILM Corporation)
Fujifilm USB MemoryCard ReaderWriter (HKLM\...\InstallShield_{F87F471C-66C0-4F70-B493-6E59E4D402E6}) (Version: 1.00 - Fuji Photo Film Co.,Ltd.)
Garmin Express (HKLM\...\{b43ffffb-1adc-4bcb-b277-7844ebff94da}) (Version: 3.2.17.0 - Garmin Ltd or its subsidiaries)
Garmin Express (Version: 3.2.17.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (Version: 3.2.17.0 - Garmin Ltd or its subsidiaries) Hidden
GIMP 2.8.2 (HKLM\...\GIMP-2_is1) (Version: 2.8.2 - The GIMP Team)
Google Chrome (HKLM\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Update Helper (Version: 1.3.32.7 - Google Inc.) Hidden
GoToMeeting 7.16.0.4800 (HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\GoToMeeting) (Version: 7.16.0.4800 - CitrixOnline)
GPBaseService2 (Version: 120.0.194.000 - Hewlett-Packard) Hidden
HiJackThis (HKLM\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
HP Customer Participation Program 12.0 (HKLM\...\HPExtendedCapabilities) (Version: 12.0 - HP)
HP Imaging Device Functions 12.0 (HKLM\...\HP Imaging Device Functions) (Version: 12.0 - HP)
HP LaserJet 200 color M251 (HKLM\...\{6682B5C4-530A-4FB8-ACAC-80DB5CCC68DD}) (Version: 5.0.12200.1036 - Hewlett-Packard)
HP Photosmart C4600 All-In-One Driver Software 12.0 Rel .5 (HKLM\...\{DC245BDC-9974-4fe0-8A9F-6031C26E2DC7}) (Version: 12.0 - HP)
HP Photosmart Essential 3.5 (HKLM\...\HP Photosmart Essential) (Version: 3.5 - HP)
HP Solution Center 12.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 12.0 - HP)
HP Support Solutions Framework (HKLM\...\{348A1F5B-07B3-4436-9A47-FFE44EFE856E}) (Version: 11.51.0004 - Hewlett-Packard Company)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
hpbDSService (Version: 002.002.07399 - Hewlett-Packard) Hidden
hpbM251DSService (Version: 001.001.05874 - Hewlett-Packard) Hidden
HPDiagnosticAlert (Version: 1.00.0001 - Microsoft) Hidden
HPLaserJet200color-M251_HelpLearnCenter_SI (HKLM\...\{DDEBEA89-2B5A-4E5B-8702-369882BB3F52}) (Version: 1.01.0000 - Hewlett-Packard)
HPPhotoGadget (Version: 120.0.150.000 - Hewlett-Packard) Hidden
HPPhotoSmartDiscLabelContent1 (Version: 2.04.0000 - Hewlett-Packard) Hidden
HPPhotosmartEssential (Version: 2.04.0000 - Hewlett-Packard) Hidden
HPProductAssistant (Version: 120.0.194.000 - Hewlett-Packard) Hidden
IDT Audio (HKLM\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6272.0 - IDT)
Integrated Webcam Driver (1.02.01.0320)   (HKLM\...\Creative OA009) (Version: 1.02.01.0320 - Creative Technology Ltd.)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.5.0.1029 - Intel Corporation)
ISO Recorder (HKLM\...\{1235083F-52F9-44CC-9DF5-F9B7802BB9B7}) (Version: 3.0.0 - Alex Feinman)
iTunes (HKLM\...\{868B9974-4F23-494D-B6BC-4FAB92B2755D}) (Version: 12.1.3.6 - Apple Inc.)
Java 8 Update 31 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Kaspersky Total Security (HKLM\...\InstallWIX_{77E7AE5C-181C-4CAF-ADBF-946F11C1CE26}) (Version: 16.0.0.614 - Kaspersky Lab)
Kaspersky Total Security (Version: 16.0.0.614 - Kaspersky Lab) Hidden
Live! Cam Avatar Creator (HKLM\...\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}) (Version: 4.6.2303.1 - Creative Technology Ltd)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
MarketResearch (Version: 120.0.226.000 - Hewlett-Packard) Hidden
Marvell Miniport Driver (HKLM\...\{C950420B-4182-49EA-850A-A6A2ABF06C6B}) (Version: 10.63.3.3 - Marvell)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Word Viewer 2003 (HKLM\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Works (HKLM\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation)
Microsoft Works 6-9 Converter (HKLM\...\{95140000-0137-0409-0000-0000000FF1CE}) (Version: 14.0.6120.5002 - Microsoft Corporation)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 51.0.1.6234 - Mozilla)
Mozilla Thunderbird 17.0.7 (x86 en-US) (HKLM\...\Mozilla Thunderbird 17.0.7 (x86 en-US)) (Version: 17.0.7 - Mozilla)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
NetBalancer (HKLM\...\NetBalancer_is1) (Version:  - SeriousBit)
PaperPort Image Printer (HKLM\...\{2BC2781A-F7F6-452E-95EB-018A522F1B2C}) (Version: 1.00.0000 - Nuance Communications, Inc.)
PS_AIO_05_C4600_Software_Min (Version: 120.0.235.000 - Hewlett-Packard) Hidden
QuickSet32 (HKLM\...\{C4972073-2BFE-475D-8441-564EA97DA161}) (Version: 9.6.21 - Dell Inc.)
QuickTime 7 (HKLM\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Scan (Version: 12.0.0.0 - Hewlett-Packard) Hidden
ScanSoft PaperPort 11 (HKLM\...\{02570AE0-BEE0-4A6C-BE3F-D806E9F2EA17}) (Version: 11.2.0000 - Nuance Communications, Inc.)
Shared C Run-time for x86 (Version: 10.0.0 - McAfee) Hidden
SolutionCenter (Version: 120.0.194.000 - Hewlett-Packard) Hidden
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.0.12 - Safer-Networking Ltd.)
Status (Version: 120.0.194.000 - Hewlett-Packard) Hidden
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.0.1144 - SUPERAntiSpyware.com)
System Checkup 4.0 (HKLM\...\{918D30D3-AD9B-43A8-9EF7-463075DC93CD}_is1) (Version: 4.0.0.146 - iolo technologies, LLC)
Toolbox (Version: 120.0.194.000 - Hewlett-Packard) Hidden
TrayApp (Version: 120.0.194.000 - Hewlett-Packard) Hidden
TreeSize Free V3.1 (HKLM\...\TreeSize Free_is1) (Version: 3.1 - JAM Software)
Turbo Lister 2 (HKLM\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.)
UnloadSupport (Version: 11.0.0 - Hewlett-Packard) Hidden
USB_RW (Version: 1.00 - Fuji Photo Film Co.,Ltd.) Hidden
WebFerret (HKLM\...\WebFerret) (Version:  - CNET Networks)
WebReg (Version: 120.0.194.000 - Hewlett-Packard) Hidden
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
wxkpg 0.6 (HKLM\...\wxkpg_is1) (Version:  - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-569404164-3270716429-1740154810-1000_Classes\CLSID\{32C15893-74C0-4478-879B-FE14EB684AB4}\InprocServer32 -> C:\Users\USE\AppData\Local\Microsoft\Windows Sidebar\Gadgets\HPPhoto.gadget\x86\hpqgps01.dll (TODO: <Company name>)
CustomCLSID: HKU\S-1-5-21-569404164-3270716429-1740154810-1000_Classes\CLSID\{53B5243F-8302-4DAD-BE8F-1D0665E8225E}\InprocServer32 -> C:\Program Files\HP\Common\FWUpdateEDO3.dll (Hewlett-Packard Company)
CustomCLSID: HKU\S-1-5-21-569404164-3270716429-1740154810-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\USE\AppData\Local\Citrix\GoToMeeting\4190\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-569404164-3270716429-1740154810-1000_Classes\CLSID\{9CC1FE07-02F9-49A6-A3F4-63AD8BAE9E49}\InprocServer32 -> C:\Users\USE\AppData\Local\Microsoft\Windows Sidebar\Gadgets\HPPhoto.gadget\x86\hpqgps01.dll (TODO: <Company name>)
CustomCLSID: HKU\S-1-5-21-569404164-3270716429-1740154810-1000_Classes\CLSID\{AD848A76-F236-5EE2-819B-2BDE7ED40AE7}\InprocServer32 -> C:\Users\USE\AppData\Roaming\Catalina – Print Savings\npBcsKtTcHW.dll (Catalina Marketing Corporation)
CustomCLSID: HKU\S-1-5-21-569404164-3270716429-1740154810-1001_Classes\CLSID\{53B5243F-8302-4DAD-BE8F-1D0665E8225E}\InprocServer32 -> C:\Program Files\HP\Common\FWUpdateEDO3.dll (Hewlett-Packard Company)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0022B201-F8CD-49DF-B00E-280004B1C2ED} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {009AAB3B-B805-4A0A-B43F-5613ED41E7E1} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {36175CDF-3BBF-4D54-ADD9-E4E424248ACE} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {3EA2EC8D-9CAD-42B9-85EE-EE8B209B418F} - System32\Tasks\Microsoft\Windows Defender\MP Scheduled Signature Update => c:\program files\windows defender\MpCmdRun.exe [2008-01-20] (Microsoft Corporation)
Task: {81BAC95C-F139-439C-AF56-208278DCBF0E} - System32\Tasks\GoogleUpdateTaskMachineCore1d13ab99bed03e1 => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-12-19] (Google Inc.)
Task: {95418DD4-375D-412D-A6CB-60047205E9BA} - \avast! Emergency Update -> No File <==== ATTENTION
Task: {9CDA6DAD-729B-4B75-837C-839DAFBACDE8} - System32\Tasks\Refresh immunization (Spybot - Search & Destroy) => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-11-13] (Safer-Networking Ltd.)
Task: {A0770D58-1F02-41A5-8016-37E931F87C17} - System32\Tasks\Scan the system (Spybot - Search & Destroy) => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe [2012-11-13] (Safer-Networking Ltd.)
Task: {AA88FF2D-A7ED-4FE1-9B5C-205004E3B10C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2017-03-14] (Adobe Systems Incorporated)
Task: {C18DC3DC-48B3-409C-9C97-59ED8446C44E} - \iolo SCU task one -> No File <==== ATTENTION
Task: {C255161A-EF75-43C0-9049-2554F716B4A3} - System32\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task => C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe
Task: {D09DDCC9-0F4D-434B-8568-B3656FC8E276} - System32\Tasks\{E60E8008-30D9-4879-A2A8-F12ECEE6F89A} => pcalua.exe -a D:\instmsiw.exe -d D:\
Task: {D47B3533-A249-4EE5-974E-8C8793AA414C} - System32\Tasks\GarminUpdaterTask => C:\Program Files\Garmin\Express Self Updater\ExpressSelfUpdater.exe [2014-08-07] ()
Task: {D4D9A633-FAFC-4D09-8124-3D4F3BB15741} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2015-08-27] (Apple Inc.)
Task: {D7423F14-492F-4F3F-A858-A092D2DE69CE} - System32\Tasks\Check for updates (Spybot - Search & Destroy) => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-11-13] (Safer-Networking Ltd.)
Task: {E04D5AF3-D81C-4B62-A2B7-DA4AE6450968} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {FAB04D94-1CFE-4ADE-9899-F58AD6C14A5E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2015-12-19] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
Task: C:\Windows\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job => C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2011-10-13 08:27 - 2008-11-17 06:29 - 00026112 _____ () C:\Windows\System32\WLTRYSVC.EXE
2011-10-13 08:27 - 2008-11-17 06:29 - 00054784 _____ () C:\Windows\System32\bcmwlrmt.dll
2004-08-02 08:32 - 2004-08-02 08:32 - 00094274 _____ () C:\Windows\System32\HPBHealr.dll
2015-03-20 18:12 - 2015-03-20 18:12 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-03-20 18:12 - 2015-03-20 18:12 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-07-09 00:18 - 2015-07-09 00:18 - 00794920 _____ () C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\kpcengine.2.3.dll
2013-03-08 00:14 - 2012-11-13 15:06 - 00108960 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2013-03-08 00:14 - 2012-11-13 15:06 - 00416160 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2013-03-08 00:14 - 2012-11-13 15:06 - 00158624 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2013-03-08 00:14 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2013-03-08 00:14 - 2012-11-13 15:06 - 00528288 _____ () C:\Program Files\Spybot - Search & Destroy 2\JSDialogPack150.bpl
2013-03-08 00:14 - 2012-11-13 15:06 - 00554400 _____ () C:\Program Files\Spybot - Search & Destroy 2\VirtualTreesDXE150.bpl
2013-10-14 10:01 - 2016-02-10 23:08 - 00023040 _____ () C:\Program Files\WebFerret\FerretBand.dll
2013-06-25 16:52 - 2013-06-25 16:53 - 02244504 _____ () C:\Program Files\Mozilla Thunderbird\mozjs.dll
2013-06-25 16:52 - 2013-06-25 16:53 - 00158104 _____ () C:\Program Files\Mozilla Thunderbird\NSLDAP32V60.dll
2013-06-25 16:52 - 2013-06-25 16:53 - 00022424 _____ () C:\Program Files\Mozilla Thunderbird\NSLDAPPR32V60.dll
2017-03-23 09:53 - 2016-09-06 12:00 - 05197312 _____ () C:\Users\USE\AppData\Local\Google\Chrome\User Data\SwiftShader\3.3.0.1\libglesv2.dll
2017-03-23 09:53 - 2016-09-06 12:00 - 00147456 _____ () C:\Users\USE\AppData\Local\Google\Chrome\User Data\SwiftShader\3.3.0.1\libegl.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [105]
AlternateDataStreams: C:\Users\USE\Desktop\treadmill.mpeg:TOC.WMV [130]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\25699025.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\70303641.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\85697061.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\25699025.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\70303641.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\85697061.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McMPFSvc => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


There are 7865 more sites.

IE trusted site: HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\dell.com -> dell.com

There are 7865 more sites.

IE trusted site: HKU\S-1-5-21-569404164-3270716429-1740154810-1001\...\dell.com -> dell.com

There are 7865 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 05:23 - 2014-03-06 10:26 - 00450686 ____R C:\Windows\system32\Drivers\etc\hosts


There are 15461 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-569404164-3270716429-1740154810-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\USE\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
HKU\S-1-5-21-569404164-3270716429-1740154810-1001\Control Panel\Desktop\\Wallpaper -> C:\windows\Web\Wallpaper\img24.jpg
DNS Servers: Media is not connected to internet.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\startupreg: PlayOn => C:\Program Files\MediaMall\PlayOn.exe
MSCONFIG\startupreg: REGSHAVE => C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WMPNSS-Out-TCP] => (Allow) C:\Program Files\Windows Media Player\wmpnetwk.exe
FirewallRules: [WMPNSS-In-TCP] => (Allow) C:\Program Files\Windows Media Player\wmpnetwk.exe
FirewallRules: [WMPNSS-Out-UDP] => (Allow) C:\Program Files\Windows Media Player\wmpnetwk.exe
FirewallRules: [WMPNSS-In-UDP] => (Allow) C:\Program Files\Windows Media Player\wmpnetwk.exe
FirewallRules: [WMPNSS-WMP-Out-TCP] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-Out-UDP] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [WMPNSS-WMP-In-UDP] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-TCP] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-Out-UDP] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [WMP-In-UDP] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [{2C68A54F-89FC-4A1E-B963-ECA9C210F185}] => (Allow) LPort=80
FirewallRules: [{015B434C-8D00-4B85-A0E2-0FBDF9115031}] => (Allow) LPort=80
FirewallRules: [{EC4F8C51-C8B9-4751-9A3D-75E918B54FFF}] => (Allow) LPort=80
FirewallRules: [{0B31C313-9DC2-47E1-A749-FA25945019C5}] => (Allow) C:\Program Files\AVG\AVG2012\avgnsx.exe
FirewallRules: [{14796095-D1A8-4F18-AF7B-8F06D927B90B}] => (Allow) C:\Program Files\AVG\AVG2012\avgnsx.exe
FirewallRules: [{28D364C0-BB39-449B-9DBB-6FAF37401CF9}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
FirewallRules: [{B1899902-CA52-40DE-B8E3-DAEE3F462CDF}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
FirewallRules: [{27353723-D503-4F1E-970D-F21A608970CE}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hposid01.exe
FirewallRules: [{6CFB59D7-A58B-4AC0-BB1B-3164E3DBA8C0}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{371018D3-E343-4C5E-ABB1-7829D2123854}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{2C6C0E13-B7AE-4D23-98CC-6C637A342480}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe
FirewallRules: [{25EC971F-E057-45ED-9D4B-D0F7F8286F83}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{A7052A04-A4CE-4F90-B24C-9C2731C4D89E}] => (Allow) C:\Program Files\common files\hp\digital imaging\bin\hpqphotocrm.exe
FirewallRules: [{4C1F8E27-27EA-489B-AA2A-FDAEBD0C554C}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe
FirewallRules: [{516057A8-7EFD-48BE-978E-10CAB0E9B448}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe
FirewallRules: [{2299B725-9503-40C5-9D5A-8AC966924C16}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe
FirewallRules: [{F94920B5-C3DF-432D-87CB-9C3E8D745CC0}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe
FirewallRules: [{366D1DDA-2408-491A-98E0-F3E1DAD80942}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
FirewallRules: [{78BBAEE9-1F70-4A1B-975F-F2BB7A637ADA}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{786E1108-AC8F-491C-B0C6-B6C7EE0CAE8C}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{C7EBB6D1-5550-4A9F-8DFC-C43BB2777654}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe
FirewallRules: [{80A708CA-9438-4351-9ADB-8A0D031B63FE}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hposid01.exe
FirewallRules: [{12F55B59-F15C-402C-A61B-EEF57FB7FBF4}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
FirewallRules: [{A913613A-242E-4BBD-A399-072A447E55E6}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqgplgtupl.exe
FirewallRules: [{C775482A-953B-49F0-8D5C-A79B807E553B}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{2647A016-4182-4597-B02F-4BF327DE3EA6}] => (Allow) C:\Program Files\common files\hp\digital imaging\bin\hpqphotocrm.exe
FirewallRules: [{9CA53936-E5AB-42DB-84CB-FE567ACB9972}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqpsapp.exe
FirewallRules: [{FE26D131-7364-439C-9DAE-6FF9D5ACF3F8}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqpse.exe
FirewallRules: [{2EAC15B7-F7BB-44E2-8038-D29BB129CF9E}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
FirewallRules: [{2003B6B8-3A2F-4E70-A036-3BCFD16FC71F}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqsudi.exe
FirewallRules: [{793463CB-1A83-43C3-A00D-AC09C0055A1E}] => (Allow) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
FirewallRules: [TCP Query User{2CF3312F-B006-4CDF-9F15-81AE7CC052AD}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [UDP Query User{FC5C3C5F-BC39-480C-A155-12C9B9F10E59}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe
FirewallRules: [cdf6606e-3540-4df9-839b-bf4907c2e9be] => (Block) LPort=135
FirewallRules: [RemoteAssistance-SSDPSrv-In-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-UPnP-Out-TCP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [RemoteAssistance-Out-TCP-Active] => (Block) %SystemRoot%\system32\msra.exe
FirewallRules: [RemoteAssistance-SSDPSrv-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [NETDIS-SSDPSrv-Out-UDP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [NETDIS-UPnP-Out-TCP-Active] => (Block) %SystemRoot%\system32\svchost.exe
FirewallRules: [00367b29-e37e-45fc-8766-834407d23550] => (Block) LPort=593
FirewallRules: [e63ff66b-c3d1-4361-94de-9f69c2e33032] => (Block) LPort=593
FirewallRules: [5f8e3ce5-17da-4e50-8cec-05c1032323e6] => (Block) LPort=593
FirewallRules: [23e93383-7bcf-4684-b33e-00ac12bfef0f] => (Block) LPort=593
FirewallRules: [0496b64b-ad68-49c8-847a-02931b709fc4] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{435AE16B-6425-4C7E-AC22-8B8784A827CC}] => (Block) C:\Program Files\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{2ACF617B-1251-4131-A624-AAF618D4114C}] => (Block) C:\Program Files\AVG\AVG2012\avgdiagex.exe
FirewallRules: [af72a4b1-86fa-4e2d-9cec-3e3f1c00afd3] => (Block) C:\Program Files\Spybot - Search & Destroy 2
FirewallRules: [{800DEF50-5173-46F1-A1DA-6D04C4CD9A6E}] => (Block) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [e5b05dd6-9616-41bc-914a-8c030c0874d3] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{3CF8E8A3-A929-4934-8D98-1AF3202865AD}] => (Allow) C:\Program Files\AVAST Software\Avast\AvastUI.exe
FirewallRules: [15cb52b9-4649-4eb8-bb7e-6b41034f6ccd] => (Block) C:Windows\system32\lsass.exe
FirewallRules: [2279e7ab-0ff9-472d-9857-604ebd5f010a] => (Block) C:\Windows\System32\services.exe
FirewallRules: [ff86364a-326e-4e8c-966c-17c5cf7e394c] => (Block) C:\Windows\System32\spoolsv.exe
FirewallRules: [bb068878-a491-445a-b9e9-119cc3cc7463] => (Block) C:\Windows\System32\wininit.exe
FirewallRules: [TCP Query User{A9D64A01-B8B5-4BCE-AFE8-9B919208F7B6}C:\program files\spybot - search & destroy 2\sdfiles.exe] => (Block) C:\program files\spybot - search & destroy 2\sdfiles.exe
FirewallRules: [UDP Query User{458FD0A4-875D-476B-986F-AB2116C5C2D7}C:\program files\spybot - search & destroy 2\sdfiles.exe] => (Block) C:\program files\spybot - search & destroy 2\sdfiles.exe
FirewallRules: [{B0471702-41F7-4A62-87CF-2015DA3E4430}] => (Allow) C:\Program Files\Spybot - Search & Destroy 2\SDWelcome.exe
FirewallRules: [{2FAAD037-C400-4686-9198-3CA088FF1814}] => (Allow) C:\Program Files\Spybot - Search & Destroy 2\SDWelcome.exe
FirewallRules: [{28C5AB2D-219A-499D-87BD-136F35C1C4A8}] => (Allow) C:\Program Files\WebFerret\WebFerret.exe
FirewallRules: [{E2F11B80-67D7-4A1D-A7FD-E4D38429BEFE}] => (Allow) C:\Program Files\WebFerret\WebFerret.exe
FirewallRules: [TCP Query User{8F20294B-1F0D-4B18-9A1A-E2B073A01C0F}C:\windows\explorer.exe] => (Allow) C:\windows\explorer.exe
FirewallRules: [UDP Query User{6F49719E-FE98-4FD8-8BF5-616A0CA1219C}C:\windows\explorer.exe] => (Allow) C:\windows\explorer.exe
FirewallRules: [{6FFD087F-994F-4CE4-A1FF-DE8559FB13A5}] => (Allow) C:\Program Files\Twonky\TwonkyServer\twonkystarter.exe
FirewallRules: [{781A2367-0026-4143-B981-BE78AEB4D705}] => (Allow) C:\Program Files\Twonky\TwonkyServer\twonkystarter.exe
FirewallRules: [{1962DA3E-8E8B-4D10-B078-9A3A3E07D0EB}] => (Allow) C:\Program Files\Twonky\TwonkyServer\twonkyserver.exe
FirewallRules: [{1D9BBE43-2D1F-49E2-9231-99F5EE6CFF8D}] => (Allow) C:\Program Files\Twonky\TwonkyServer\twonkyserver.exe
FirewallRules: [{4A4700B0-3B6F-46E4-BDFF-CA5755A84C26}] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [{514522F4-3AAD-4D65-AAB2-EC0B541B3679}] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [{CEDA5BA3-5548-4CF0-B702-DA7539E75327}] => (Allow) C:\Program Files\Windows Media Player\wmplayer.exe
FirewallRules: [TCP Query User{53FEA700-F6A6-4F38-BC0B-C02DAAB4B4CF}C:\program files\mediamall\playmark.exe] => (Allow) C:\Program Files\MediaMall\PlayMark.exe
FirewallRules: [TCP Query User{1518E1B5-23B8-4C8F-8483-3200896E0DC5}C:\program files\videolan\vlc\vlc.exe] => (Allow) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{8FCCC53F-55E9-4F58-A597-0F74FA9CD04E}C:\program files\videolan\vlc\vlc.exe] => (Allow) C:\program files\videolan\vlc\vlc.exe
FirewallRules: [{DC712243-09AD-4090-8BF9-863D0AD1BD78}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [TCP Query User{40C2061C-4652-48CC-83AF-885C28F79C06}C:\program files\spybot - search & destroy 2\sdupdate.exe] => (Block) C:\program files\spybot - search & destroy 2\sdupdate.exe
FirewallRules: [UDP Query User{DA6A1B94-3DAD-40BE-A55F-DAFF3E3D3AFB}C:\program files\spybot - search & destroy 2\sdupdate.exe] => (Block) C:\program files\spybot - search & destroy 2\sdupdate.exe
FirewallRules: [{92A17188-3E1F-4ACB-981C-2AA765E181E5}] => (Allow) C:\Program Files\FinePixViewer\FinePixViewer.exe
FirewallRules: [{A4A64A1F-C449-4E8E-A73C-6AAA17E47E82}] => (Allow) C:\Program Files\FinePixViewer\FinePixViewer.exe
FirewallRules: [{F26D8B4C-E06B-497D-B354-2CFD8E9C6DB0}] => (Allow) C:\Program Files\Garmin\Express\Express.exe
FirewallRules: [{D98B865D-18D2-4EEF-9E73-C411ACA7EAB0}] => (Allow) C:\Program Files\Garmin\Express\Express.exe
FirewallRules: [{6527B5CE-65CA-44A0-A1EB-AD503EA02EE2}] => (Allow) C:\Program Files\Internet Explorer\iexplore.exe
FirewallRules: [{50C90560-BE58-4AB0-934F-F4A6523C78D8}] => (Allow) C:\Program Files\Internet Explorer\iexplore.exe
FirewallRules: [{9F601F4F-104F-4A33-B752-2E0B8871757B}] => (Allow) C:\Program Files\AVAST Software\Avast\AvastUI.exe
FirewallRules: [{99606D28-4915-4109-B6A7-DB2FD9023AFF}] => (Allow) C:\Program Files\AVAST Software\Avast\AvastUI.exe
FirewallRules: [{B59FB263-E602-44BB-AF97-2202A561D6BD}] => (Allow) C:\Program Files\HP\HP LaserJet 200 color M251\Bin\HPNetworkCommunicator.exe
FirewallRules: [{ED4C7ABC-3D48-4C13-930C-014437E3AAE7}] => (Allow) C:\Program Files\HP\HP LaserJet 200 color M251\bin\EWSProxy.exe
FirewallRules: [{F1C3067C-E615-4A19-9198-CD73E3ACB52B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{7FCA6E6B-655C-456A-8922-9F5947FC2B95}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{19551E38-0829-40C8-B825-6B1EB56962E1}] => (Allow) C:\Users\Kip\AppData\Local\Temp\nso4234.tmp\CnetInstaller-75699482.exe
FirewallRules: [{388E07AB-A821-4596-9F84-EB5CBF636557}] => (Allow) C:\Users\Kip\AppData\Local\Temp\nso4234.tmp\CnetInstaller-75699482.exe
FirewallRules: [{C3352386-D13B-4A2E-8776-8437F7815087}] => (Allow) C:\Users\Kip\AppData\Local\Temp\nss657C.tmp\CnetInstaller-75699482.exe
FirewallRules: [{E2D653E9-F0B6-49AE-80BB-A1992B77D002}] => (Allow) C:\Users\Kip\AppData\Local\Temp\nss657C.tmp\CnetInstaller-75699482.exe
FirewallRules: [{FFEE29B4-097C-4269-A3FE-F791F8635414}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{720B914C-FB02-4CD9-BA87-94D431C76452}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{97A37D0B-0624-4804-AA14-7C27957CD697}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{7BE40815-54FB-488E-AF45-054BE74E7EC8}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{5E191865-A1AC-46C9-A261-E686F7395F0B}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{1F5B4739-0A42-468D-B487-846FAC97C64C}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot-S&D 2 Tray Icon
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

07-03-2017 08:29:53 Windows Update
10-03-2017 04:48:09 Scheduled Checkpoint
10-03-2017 11:21:43 Windows Update
11-03-2017 05:00:13 Scheduled Checkpoint
12-03-2017 04:48:12 Scheduled Checkpoint
14-03-2017 08:54:42 Windows Update
14-03-2017 21:23:04 Scheduled Checkpoint
19-03-2017 22:56:35 First Restore Point
19-03-2017 22:58:28 Device Driver Package Install: Kaspersky Lab System devices
19-03-2017 23:00:41 Device Driver Package Install: Kaspersky Lab Network Service
19-03-2017 23:01:25 Device Driver Package Install: Kaspersky Lab
19-03-2017 23:01:49 Device Driver Package Install: AO Kaspersky Lab System devices
19-03-2017 23:02:25 Device Driver Package Install: Kaspersky Lab
19-03-2017 23:02:59 Device Driver Package Install: Kaspersky Lab
19-03-2017 23:03:34 Device Driver Package Install: Kaspersky Lab
19-03-2017 23:04:13 Device Driver Package Install: Kaspersky Lab
19-03-2017 23:06:55 First Restore Point
19-03-2017 23:13:28 Device Driver Package Install: Kaspersky Lab
19-03-2017 23:15:05 Device Driver Package Install: Kaspersky Lab
19-03-2017 23:18:42 Device Driver Package Install: Kaspersky Lab Network Service

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/22/2017 08:16:34 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2017 10:14:51 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043c from line 45 of d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/21/2017 09:51:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2017 02:27:13 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2017 01:23:25 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2017 12:13:58 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043c from line 45 of d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/21/2017 12:12:49 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2017 09:25:27 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/21/2017 09:25:12 AM) (Source: EventSystem) (EventID: 4609) (User: )
Description: The COM+ Event System detected a bad return code during its internal processing.  HRESULT was 8007043c from line 45 of d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp.  Please contact Microsoft Product Support Services to report this error.

Error: (03/21/2017 09:06:35 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program gmer.exe version 1.0.15.15641 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: 1284
Start Time: 01d2a24c037d6750
Termination Time: 0


System errors:
=============
Error: (03/24/2017 09:37:50 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:47 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:44 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:41 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:38 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:35 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:32 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:29 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:26 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

Error: (03/24/2017 09:37:23 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.


CodeIntegrity:
===================================
  Date: 2017-03-24 09:38:22.050
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:20.977
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:19.976
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:18.958
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kneps.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:17.822
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kltdi.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:16.764
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kltdi.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:15.747
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kltdi.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:14.677
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kltdi.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:13.601
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kltdf.sys because the set of per-page image hashes could not be found on the system.

  Date: 2017-03-24 09:38:12.571
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\kltdf.sys because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz
Percentage of memory in use: 64%
Total physical RAM: 3033.63 MB
Available physical RAM: 1080.14 MB
Total Virtual: 6279.36 MB
Available Virtual: 3073.75 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.88 GB) (Free:157.65 GB) NTFS ==>[drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 232.9 GB) (Disk ID: DBE57CF2)
Partition 1: (Active) - (Size=232.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 15-03-2017
Ran by Kip (administrator) on USE-PC (24-03-2017 09:37:14)
Running from C:\Users\USE\Downloads
Loaded Profiles: USE & Kip (Available Profiles: USE & Kip)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: 

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\stacsv.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
() C:\Windows\System32\WLTRYSVC.EXE
(Dell Inc.) C:\Windows\System32\BCMWLTRY.EXE
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\AEstSrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\avp.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files\HP\Common\HPSupportSolutionsFrameworkService.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Kaspersky Lab ZAO) C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\avpui.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Dell Inc.) C:\Windows\System32\WLTRAY.EXE
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Dell Inc.) C:\Program Files\Dell\QuickSet\quickset.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
(Mozilla Corporation) C:\Program Files\Mozilla Thunderbird\thunderbird.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [] => [X]
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [Broadcom Wireless Manager UI] => C:\Windows\system32\WLTRAY.exe [3810304 2008-11-17] (Dell Inc.)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157456 2015-09-12] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [495708 2010-02-26] (IDT, Inc.)
HKLM\...\Run: [QuickSet] => C:\Program Files\Dell\QuickSet\QuickSet.exe [2960032 2010-06-09] (Dell Inc.)
HKLM\...\RunOnce: [*WerKernelReporting] => C:\Windows\SYSTEM32\WerFault.exe [217088 2009-04-11] (Microsoft Corporation)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
HKLM\...\RunOnce: [*Restore] => C:\Windows\System32\rstrui.exe [318464 2008-01-20] (Microsoft Corporation)
Winlogon\Notify\!SASWinLogon: C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2011-05-04] (SUPERAntiSpyware.com)
HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\Run: [Spybot-S&D Cleaning] => C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [3713032 2012-11-13] (Safer-Networking Ltd.)
HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-569404164-3270716429-1740154810-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [704512 2009-04-11] (Microsoft Corporation)
HKU\S-1-5-21-569404164-3270716429-1740154810-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [3713032 2012-11-13] (Safer-Networking Ltd.)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [113024 2011-07-18] (SuperAdBlocker.com)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2014-09-11] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 05 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{BDD55997-0299-4A2A-B97B-926B40038C5D}: [NameServer] 208.67.222.222,208.67.220.220
Tcpip\..\Interfaces\{BDD55997-0299-4A2A-B97B-926B40038C5D}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-569404164-3270716429-1740154810-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
HKU\S-1-5-21-569404164-3270716429-1740154810-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKU\S-1-5-21-569404164-3270716429-1740154810-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-569404164-3270716429-1740154810-1000 -> DefaultScope {7BE108F3-4164-4764-AEB2-4F5325596BF5} URL = hxxp://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-569404164-3270716429-1740154810-1000 -> {7BE108F3-4164-4764-AEB2-4F5325596BF5} URL = hxxp://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
SearchScopes: HKU\S-1-5-21-569404164-3270716429-1740154810-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-569404164-3270716429-1740154810-1001 -> {688B6F2A-6679-4CEB-A689-3D7DC9DD441E} URL = hxxp://www.search.com/search?q={searchTerms}&sourceid=iesp
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO: SDHelper -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll [2012-11-13] (Safer-Networking Ltd.)
BHO: No Name -> {56bc31de-97ab-4563-8599-ad5d4e9800f9} -> No File
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll [2015-01-20] (Oracle Corporation)
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO: Kaspersky Protection plugin -> {C66D064F-82FE-4E1A-B06A-B2490BA48B18} -> C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\IEExt\ie_plugin.dll [2016-10-27] (AO Kaspersky Lab)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-20] (Oracle Corporation)
BHO: No Name -> {f8ac5ce3-4b50-49d6-b632-faea1734fd29} -> C:\Program Files\WebFerret\FerretBand.dll [2016-02-10] ()
Toolbar: HKLM - WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\WebFerret\FerretBand.dll [2016-02-10] ()
Toolbar: HKLM - Kaspersky Protection toolbar - {3507FA00-ADA2-4A02-99B9-51AD26CA9120} - C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\IEExt\ie_plugin.dll [2016-10-27] (AO Kaspersky Lab)
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll [2007-06-08] (Microsoft Corporation)
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File

FireFox:
========
FF DefaultProfile: zhp05awu.default
FF ProfilePath: C:\ProgramData\Kaspersky Lab\SafeBrowser\S-1-5-21-569404164-3270716429-1740154810-1001\FireFox [not found]
FF ProfilePath: C:\Users\Kip\AppData\Roaming\Mozilla\Firefox\Profiles\zhp05awu.default [2015-12-14]
FF user.js: detected! => C:\Users\Kip\AppData\Roaming\Mozilla\Firefox\Profiles\zhp05awu.default\user.js [2014-12-16]
FF Extension: (PlayOn) - C:\Users\Kip\AppData\Roaming\Mozilla\Firefox\Profiles\zhp05awu.default\Extensions\ [2013-11-06] [not signed]
FF Extension: (WebFerret Toolbar) - C:\Users\Kip\AppData\Roaming\Mozilla\Firefox\Profiles\zhp05awu.default\Extensions\{bdf6c059-21b4-4aab-84c1-e16d9179c37e} [2013-10-14] [not signed]
FF Extension: (No Name) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\ [not found]
FF Extension: (No Name) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\ [not found]
FF Extension: (No Name) - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 15.0.1\FFExt\ [not found]
FF SearchPlugin: C:\Users\Kip\AppData\Roaming\Mozilla\Firefox\Profiles\zhp05awu.default\searchplugins\{688B6F2A-6679-4CEB-A689-3D7DC9DD441E}.xml [2014-01-14]
FF Extension: (No Name) - C:\Program Files\Mozilla Firefox\extensions\ [2017-03-21] [not signed]
FF Extension: (No Name) - C:\Program Files\Mozilla Firefox\extensions\ [2017-03-21] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: (Microsoft .NET Framework Assistant) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-10-19] [not signed]
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4 => not found
FF HKLM\...\Firefox\Extensions: [] - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\FFExt\ => not found
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\SiteAdvisor => not found
FF HKLM\...\Firefox\Extensions: [] - C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\FFExt\light_plugin_firefox
FF Extension: (Kaspersky Protection) - C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\FFExt\light_plugin_firefox [2017-03-21]
FF HKU\S-1-5-21-569404164-3270716429-1740154810-1000\...\Firefox\Extensions: [] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-14] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2015-09-04] ()
FF Plugin: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-20] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-20] (Oracle Corporation)
FF Plugin: @mcafee.com/SAFFPlugin -> C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-569404164-3270716429-1740154810-1000: @citrixonline.com/appdetectorplugin -> C:\Users\USE\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-10-01] (Citrix Online)
FF Plugin HKU\S-1-5-21-569404164-3270716429-1740154810-1000: @spoon.net/Spoon Plugin 3.33 -> C:\Users\USE\AppData\Local\Spoon\3.33.6.119\npMozillaSpoonPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-569404164-3270716429-1740154810-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\USE\AppData\Roaming\CATALI~1\NPBCSK~1.DLL [2013-06-07] (Catalina Marketing Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-09-24] (Adobe Systems Inc.)

Chrome: 
=======
CHR HKLM\...\Chrome\Extension: [dbhjdbfgekjfcfkkfjjmlmojhbllhbho] - hxxps://chrome.google.com/webstore/detail/dbhjdbfgekjfcfkkfjjmlmojhbllhbho
CHR HKLM\...\Chrome\Extension: [eahebamiopdhefndnmappcihfajigkka] - hxxps://chrome.google.com/webstore/detail/eahebamiopdhefndnmappcihfajigkka
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files\McAfee\SiteAdvisor\McChPlg.crx <not found>

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [116608 2011-08-11] (SUPERAntiSpyware.com) [File not signed]
R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\aestsrv.exe [81920 2009-03-03] (Andrea Electronics Corporation)
R2 AVP16.0.0; C:\Program Files\Kaspersky Lab\Kaspersky Total Security 16.0.0 (1)\avp.exe [194000 2015-12-19] (Kaspersky Lab ZAO)
S4 Garmin Core Update Service; C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [438616 2014-08-07] (Garmin Ltd or its subsidiaries)
S3 HP DS Service; C:\Program Files\HP\HPBDSService\HPBDSService.exe [13824 2011-10-17] (Hewlett-Packard Company) [File not signed]
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [217088 2008-10-16] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [135168 2008-10-16] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files\Hp\Common\HPSupportSolutionsFrameworkService.exe [78088 2014-08-26] (Hewlett-Packard Company)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [45568 2011-04-13] (Hewlett-Packard) [File not signed]
S4 NetBalancerService; C:\Program Files\NetBalancer\SeriousBit.NetBalancer.Service.exe [10752 2013-03-25] (SeriousBit) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [55808 2011-04-13] (Hewlett-Packard) [File not signed]
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1103392 2012-11-13] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [1369624 2012-11-13] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [168384 2012-11-13] (Safer-Networking Ltd.)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_0145da1d\STacSV.exe [229458 2010-02-26] (IDT, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-20] (Microsoft Corporation)
R2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2809856 2008-11-17] (Dell Inc.) [File not signed]
S4 McMPFSvc; "C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
R2 yksvc; RUNDLL32.EXE ykx32coinst,serviceStartProc [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 BCM42RLY; C:\Windows\System32\drivers\BCM42RLY.sys [18424 2008-11-17] (Broadcom Corporation)
S3 BVRPMPR5; C:\Windows\system32\drivers\BVRPMPR5.SYS [49904 2008-06-18] (Avanquest Software) [File not signed]
R0 cm_km; C:\Windows\System32\DRIVERS\cm_km.sys [201912 2015-07-06] (Kaspersky Lab ZAO)
R0 kl1; C:\Windows\System32\DRIVERS\kl1.sys [153784 2015-06-22] (Kaspersky Lab ZAO)
R0 klbackupdisk; C:\Windows\System32\DRIVERS\klbackupdisk.sys [46776 2015-06-06] (Kaspersky Lab ZAO)
R1 klbackupflt; C:\Windows\System32\DRIVERS\klbackupflt.sys [58224 2015-06-27] (Kaspersky Lab ZAO)
R2 kldisk; C:\Windows\System32\DRIVERS\kldisk.sys [66976 2016-03-07] (AO Kaspersky Lab)
R3 klflt; C:\Windows\System32\DRIVERS\klflt.sys [147328 2015-12-19] (AO Kaspersky Lab)
R1 klhk; C:\Windows\System32\DRIVERS\klhk.sys [53168 2016-05-25] (AO Kaspersky Lab)
R1 KLIF; C:\Windows\System32\DRIVERS\klif.sys [785328 2016-05-25] (AO Kaspersky Lab)
R1 KLIM6; C:\Windows\System32\DRIVERS\klim6.sys [44120 2016-05-25] (AO Kaspersky Lab)
R3 klkbdflt; C:\Windows\System32\DRIVERS\klkbdflt.sys [37048 2015-06-06] (Kaspersky Lab ZAO)
R3 klmouflt; C:\Windows\System32\DRIVERS\klmouflt.sys [38072 2015-06-07] (Kaspersky Lab ZAO)
R1 klpd; C:\Windows\System32\DRIVERS\klpd.sys [39304 2015-12-19] (AO Kaspersky Lab)
R1 kltdf; C:\Windows\System32\DRIVERS\kltdf.sys [73912 2015-06-10] (Kaspersky Lab ZAO)
R1 kltdi; C:\Windows\System32\DRIVERS\kltdi.sys [54328 2015-06-11] (Kaspersky Lab ZAO)
S3 KMWDFILTER; C:\Windows\System32\DRIVERS\KMWDFILTER.sys [17408 2008-10-09] (Windows (R) Codename Longhorn DDK provider)
R1 kneps; C:\Windows\System32\DRIVERS\kneps.sys [156856 2015-06-23] (Kaspersky Lab ZAO)
R3 msvad_simple; C:\Windows\System32\drivers\povrtdev.sys [23920 2013-03-05] (MediaMall Technologies, Inc.)
R1 nbdrv; C:\Windows\System32\DRIVERS\nbdrv.sys [35712 2013-01-17] (SeriousBit)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
R3 OA009Ufd; C:\Windows\System32\DRIVERS\OA009Ufd.sys [133632 2009-03-06] (Creative Technology Ltd.)
R3 OA009Vid; C:\Windows\System32\DRIVERS\OA009Vid.sys [271552 2009-03-19] (Creative Technology Ltd.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-24 09:36 - 2017-03-24 09:36 - 01766912 _____ (Farbar) C:\Users\USE\Downloads\FRST (3) (1).exe
2017-03-24 09:36 - 2017-03-24 09:36 - 00000805 _____ C:\Users\USE\Desktop\FRST.exe - Shortcut.lnk
2017-03-24 08:58 - 2017-03-24 08:58 - 01766912 _____ (Farbar) C:\Users\USE\Downloads\FRST (3).exe
2017-03-23 11:05 - 2017-03-23 11:05 - 00057333 _____ C:\Users\Kip\Desktop\Report2.txt
2017-03-23 11:05 - 2017-03-23 11:05 - 00030120 _____ C:\Users\Kip\Desktop\Report1.txt
2017-03-23 11:02 - 2017-03-23 11:02 - 00030120 _____ C:\Users\Kip\Documents\FRSTAdmin1.txt
2017-03-23 11:01 - 2017-03-23 11:01 - 00057333 _____ C:\Users\Kip\Documents\AdditionAdmin.txt
2017-03-23 10:58 - 2017-03-23 11:00 - 00057333 _____ C:\Users\Kip\Desktop\AdditionAdmin.txt
2017-03-23 10:58 - 2017-03-23 10:58 - 00030120 _____ C:\Users\Kip\Desktop\FRSTAdmin1.txt
2017-03-23 10:46 - 2017-03-23 10:46 - 00030455 _____ C:\Users\Kip\Desktop\FRSTADMIN.txt
2017-03-23 10:31 - 2017-03-23 10:32 - 01766912 _____ (Farbar) C:\Users\USE\Downloads\FRST (2).exe
2017-03-23 09:49 - 2017-03-23 10:57 - 00057330 _____ C:\Users\USE\Downloads\Addition.txt
2017-03-23 09:47 - 2017-03-24 09:37 - 00020633 _____ C:\Users\USE\Downloads\FRST.txt
2017-03-23 09:46 - 2017-03-23 09:46 - 01766912 _____ (Farbar) C:\Users\USE\Downloads\FRST (1).exe
2017-03-23 09:45 - 2017-03-24 09:37 - 00000000 ____D C:\FRST
2017-03-23 09:44 - 2017-03-23 09:44 - 01766912 _____ (Farbar) C:\Users\USE\Downloads\FRST.exe
2017-03-23 09:22 - 2017-03-23 09:22 - 00000000 _____ C:\Users\USE\Desktop\FRST_exe.0h1sldg.partial
2017-03-22 11:17 - 2017-03-22 11:17 - 00001294 _____ C:\Users\USE\Desktop\3-22-17 MBAM Scan.txt
2017-03-21 11:33 - 2017-03-21 11:33 - 00002983 _____ C:\MBAM Results 3-21-17.txt
2017-03-21 09:18 - 2017-03-21 09:19 - 00062216 _____ C:\Users\Kip\Desktop\Show-Hidden-3-21-17.txt
2017-03-20 17:35 - 2017-03-20 17:35 - 00000000 ____D C:\Users\USE\Downloads\ksc
2017-03-20 15:14 - 2017-03-20 15:16 - 00192480 _____ C:\TDSSKiller.3.1.0.12_20.03.2017_15.14.27_log.txt
2017-03-20 15:13 - 2017-03-20 15:14 - 04656523 _____ C:\Users\USE\Downloads\tdsskiller(1).zip
2017-03-20 15:13 - 2017-03-20 15:13 - 00000366 _____ C:\TDSSKiller.3.0.0.16_20.03.2017_15.13.38_log.txt
2017-03-20 12:02 - 2017-03-20 12:02 - 00000000 ____D C:\Users\Kip\AppData\Local\ESET
2017-03-20 12:01 - 2017-03-20 12:01 - 00000000 ____D C:\Users\USE\AppData\Local\ESET
2017-03-20 11:58 - 2017-03-20 11:58 - 00000972 _____ C:\Users\Kip\Desktop\checkup.txt
2017-03-20 10:35 - 2017-03-20 10:35 - 00002983 _____ C:\Users\Kip\Desktop\Malwarebytes Scan-3-20-17.txt
2017-03-20 09:32 - 2017-03-20 09:32 - 00000000 ____D C:\KVRT_Data
2017-03-17 21:48 - 2017-03-19 08:29 - 00000000 ____D C:\Program Files\Mozilla Firefox(576)
2017-03-17 11:56 - 2017-03-17 11:56 - 09093404 _____ C:\Users\USE\Downloads\Lose-Weight-the-Fast-Way-eBook.pdf
2017-03-15 13:48 - 2017-03-15 13:48 - 28579149 _____ C:\Users\USE\Desktop\Johanna-Budwig-Center-Guide-Diet-health.pdf
2017-03-15 13:33 - 2017-03-15 13:34 - 28752475 _____ C:\Users\USE\Downloads\Johanna-Budwig-Center-Guide-Diet-health.pdf
2017-03-08 21:18 - 2017-03-21 08:30 - 00000000 ____D C:\Program Files\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-24 09:35 - 2013-03-08 00:15 - 00000616 _____ C:\Windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
2017-03-24 08:25 - 2016-03-02 09:44 - 01745148 _____ C:\Windows\ntbtlog.txt
2017-03-23 20:56 - 2006-11-02 07:47 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-23 20:56 - 2006-11-02 07:47 - 00003712 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-23 14:17 - 2013-03-08 00:15 - 00000620 _____ C:\Windows\Tasks\Check for updates (Spybot - Search & Destroy).job
2017-03-23 09:36 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\inf
2017-03-23 09:36 - 2006-11-02 05:33 - 00761596 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-23 09:20 - 2016-01-08 13:20 - 00170200 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-22 08:42 - 2012-02-06 23:50 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2017-03-22 08:16 - 2006-11-02 08:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-21 21:49 - 2006-11-02 08:01 - 00032642 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-03-21 14:26 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\MSAgent
2017-03-21 14:25 - 2016-04-13 22:30 - 00000000 ____D C:\Program Files\iolo
2017-03-21 14:25 - 2014-08-24 22:44 - 00000000 ____D C:\ProgramData\iolo
2017-03-21 12:37 - 2011-10-13 07:41 - 00000680 _____ C:\Users\USE\AppData\Local\d3d9caps.dat
2017-03-21 09:13 - 2014-09-15 18:49 - 00062216 _____ C:\Users\Kip\Desktop\Show-Hidden.txt
2017-03-21 08:56 - 2016-01-08 13:20 - 00000899 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2017-03-21 08:56 - 2016-01-08 13:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-03-21 08:56 - 2016-01-08 13:20 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2017-03-21 08:30 - 2013-03-12 08:54 - 00000000 ____D C:\Users\Kip
2017-03-21 08:30 - 2012-07-07 13:18 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2017-03-21 08:30 - 2011-10-13 07:41 - 00000000 ____D C:\Users\USE
2017-03-21 08:30 - 2006-11-02 05:22 - 54525952 _____ C:\Windows\system32\config\software_previous
2017-03-21 08:30 - 2006-11-02 05:22 - 46399488 _____ C:\Windows\system32\config\components_previous
2017-03-21 08:30 - 2006-11-02 05:22 - 109838336 _____ C:\Windows\system32\config\system_previous
2017-03-21 08:30 - 2006-11-02 05:22 - 04980736 _____ C:\Windows\system32\config\default_previous
2017-03-21 08:30 - 2006-11-02 05:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2017-03-21 08:30 - 2006-11-02 05:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2017-03-21 08:29 - 2016-12-16 13:38 - 00000000 ____D C:\Users\USE\Desktop\Computer Security Programs and or Test Results
2017-03-21 08:29 - 2015-12-19 16:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kaspersky Total Security
2017-03-21 08:29 - 2013-11-09 10:35 - 00000000 ____D C:\Program Files\Coupons
2017-03-21 08:29 - 2011-11-05 11:26 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2017-03-21 08:29 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\spool
2017-03-21 08:29 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\system32\Msdtc
2017-03-21 08:29 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\registration
2017-03-21 08:19 - 2013-03-02 18:03 - 00000000 ____D C:\Users\USE\Downloads\TMRBLog
2017-03-20 19:27 - 2016-12-07 19:26 - 00000000 ____D C:\Users\USE\AppData\LocalLow\Mozilla
2017-03-20 10:37 - 2006-11-02 06:18 - 00000000 ____D C:\Windows\LiveKernelReports
2017-03-20 09:21 - 2013-12-06 12:38 - 00000000 ____D C:\ProgramData\Kaspersky Lab Setup Files
2017-03-19 23:18 - 2014-12-16 18:42 - 00000000 ____D C:\Program Files\Kaspersky Lab
2017-03-14 16:41 - 2012-03-31 15:50 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2017-03-14 16:41 - 2012-03-31 15:50 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2017-03-14 16:41 - 2012-02-09 20:33 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-09 17:39 - 2011-11-04 17:27 - 00031908 _____ C:\Users\USE\AppData\Roaming\wklnhst.dat
2017-03-01 10:20 - 2013-03-08 00:15 - 00000446 _____ C:\Windows\Tasks\Scan the system (Spybot - Search & Destroy).job
2017-02-28 22:53 - 2013-01-02 19:54 - 00000000 ____D C:\Users\USE\AppData\Roaming\HpUpdate
2017-02-28 12:38 - 2013-09-20 20:42 - 00000000 ____D C:\Windows\system32\MRT
2017-02-28 12:22 - 2006-11-02 05:24 - 135086848 ____C (Microsoft Corporation) C:\Windows\system32\mrt.exe

==================== Files in the root of some directories =======

2013-04-19 19:10 - 2013-04-19 19:10 - 0000030 _____ () C:\Users\Kip\AppData\Roaming\mbam.context.scan
2013-05-21 10:06 - 2013-06-17 21:38 - 0000680 _____ () C:\Users\Kip\AppData\Local\d3d9caps.dat
2013-10-27 15:59 - 2013-10-27 15:59 - 0000011 _____ () C:\ProgramData\.tv7
2012-12-19 15:47 - 2013-12-06 12:04 - 0003963 _____ () C:\ProgramData\hpzinstall.log

Some files in TEMP:
====================
2014-11-16 01:47 - 2014-11-03 11:24 - 0121936 _____ (RealNetworks, Inc.) C:\Users\Kip\AppData\Local\Temp\lowproc.exe
2014-11-16 01:47 - 2014-11-03 11:24 - 0090624 _____ (RealNetworks, Inc.) C:\Users\Kip\AppData\Local\Temp\stubhelper.dll
2015-01-20 20:13 - 2015-01-20 20:13 - 0641448 _____ (Oracle Corporation) C:\Users\USE\AppData\Local\Temp\jre-8u31-windows-au.exe
2014-08-11 21:03 - 2014-08-11 21:04 - 36359240 _____ (Garmin Ltd or its subsidiaries) C:\Users\USE\AppData\Local\Temp\tmp111D.exe
2006-05-24 12:10 - 2006-05-24 12:10 - 0455600 ____R (Macrovision Corporation) C:\Users\USE\AppData\Local\Temp\_is5AE.exe
2006-05-24 12:10 - 2006-05-24 12:10 - 0455600 ____R (Macrovision Corporation) C:\Users\USE\AppData\Local\Temp\_is71E5.exe
2006-05-24 12:10 - 2006-05-24 12:10 - 0455600 ____R (Macrovision Corporation) C:\Users\USE\AppData\Local\Temp\_isB885.exe

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-22 20:32

==================== End of FRST.txt ============================


 


Sorry for the late reply. Here, let's run a first FRST fix, followed by a sweep with JRT and AdwCleaner.

Malicious Programs Warning!

I noticed that you have malicious programs installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.

  • Catalina Savings Printer


If you have an issue when uninstalling a program, please let me know.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

Junkware Removal Tool (JRT)

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;

Your next reply(ies) should include:

  • Confirmation that you uninstalled the program listed above;
  • Copy/pasted content of FRST's fixlog.txt;
  • Copy/pasted content of JRT.txt;
  • Copy/pasted content of AdwCleaner's clean log;

fixlist.txt


I deleted the Catalina program without any problems.  When I tried to open the fixlist.txt from the desktop (right click), it didn't give the option to run as Admin.  I then logged out and then logged back in as Kip (admin), thinking I could just run the file and it would be as admin.  It took a little while to load the desktop and there were a couple small windows that opened in left hand corner of desktop screen.  Then I got an error message saying something along the lines of system recovery.  I don't know what that was all about.  I am wondering if I can just run without being admin or what my next step should be.  Thank you.


You need to run FRST.txt as Admin, not the fixlist.txt. Download the attached fixlist.txt in my previous post, save it on your desktop (where FRST.txt should be located), then right-click on FRST.exe, select Run as Administrator and in FRST click on the Fix button.


Deleted Catalina Savings Printer.

Fix result of Farbar Recovery Scan Tool (x86) Version: 15-03-2017
Ran by Kip (27-03-2017 10:45:08) Run:1
Running from C:\Users\USE\Downloads
Loaded Profiles: USE & Kip (Available Profiles: USE & Kip)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
EmptyTemp:
*****************

Processes closed successfully.
Restore point was successfully created.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 5384962 B
Java, Flash, Steam htmlcache => 960 B
Windows/system/drivers => 211487135 B
Edge => 0 B
Chrome => 0 B
Firefox => 21096590 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 40356192 B
LocalService => 5080442 B
NetworkService => 1847384 B
USE => 1790909380 B
Kip => 102701925 B

RecycleBin => 9951 B
EmptyTemp: => 2 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 10:48:42 ====

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows Vista (TM) Home Premium x86
Ran by Kip (Limited) on Mon 03/27/2017 at 10:58:22.69
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 21

Successfully deleted: C:\ProgramData\Start Menu\Programs\coupons (Folder)
Successfully deleted: C:\Users\Kip\AppData\Roaming\Mozilla\Firefox\Profiles\zhp05awu.default\user.js (File)
Successfully deleted: C:\Windows\System32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\Windows\System32\Tasks\PCDoctorBackgroundMonitorTask (Task)
Successfully deleted: C:\Program Files\coupons (Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1GT7BGLU (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\49IOMVPT (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\60IU61MM (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\92IRHUH7 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KCKZ659 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKLQ9OTB (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5QQQL2O (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Kip\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUBZ0OCF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1GT7BGLU (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\49IOMVPT (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\60IU61MM (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\92IRHUH7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KCKZ659 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AKLQ9OTB (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5QQQL2O (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XUBZ0OCF (Temporary Internet Files Folder)

Registry: 4

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{688B6F2A-6679-4CEB-A689-3D7DC9DD441E} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{56bc31de-97ab-4563-8599-ad5d4e9800f9} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f8ac5ce3-4b50-49d6-b632-faea1734fd29} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{A58686ED-FC46-44C3-95C6-4A812AB776F1} (Registry Value)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 03/27/2017 at 11:10:07.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I messed up the AdwCleaner and ran it twice. The second time, my Kaspersky was not allowing changes (errors were popping up), I'm assuming it wouldn't make more changes since AdwCleaner has just done changes)??? I had to open AdwCleaner to find the logfiles. Here are the files I found:

# AdwCleaner v6.044 - Logfile created 27/03/2017 at 11:15:46
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-27.1 [Server]
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (X86)
# Username : Kip - USE-PC
# Running from : C:\Users\USE\Downloads\AdwCleaner (1).exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found: HKU\S-1-5-21-569404164-3270716429-1740154810-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.1.6
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.6

***** [ Web browsers ] *****

Firefox pref Found: [C:\Users\USE\AppData\Roaming\Mozilla\Firefox\Profiles\yzncpxei.default\prefs.js] - "weboftrust.search.ask.display" - "Ask.com Web Search"
Firefox pref Found: [C:\Users\USE\AppData\Roaming\Mozilla\Firefox\Profiles\yzncpxei.default\prefs.js] - "weboftrust.search.avg.url" - "^hxxp(s)?\\:\\/\\/isearch\\.avg\\.com\\/search\\?"
No malicious Chromium based browser items found.

*************************

\AdwCleaner\AdwCleaner[S0].txt - [2010 Bytes] - [27/03/2017 11:15:46]

########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [2081 Bytes] ##########

# AdwCleaner v6.044 - Logfile created 27/03/2017 at 11:15:46
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-27.1 [Server]
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (X86)
# Username : Kip - USE-PC
# Running from : C:\Users\USE\Downloads\AdwCleaner (1).exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found: HKU\S-1-5-21-569404164-3270716429-1740154810-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.1.6
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.6

***** [ Web browsers ] *****

Firefox pref Found: [C:\Users\USE\AppData\Roaming\Mozilla\Firefox\Profiles\yzncpxei.default\prefs.js] - "weboftrust.search.ask.display" - "Ask.com Web Search"
Firefox pref Found: [C:\Users\USE\AppData\Roaming\Mozilla\Firefox\Profiles\yzncpxei.default\prefs.js] - "weboftrust.search.avg.url" - "^hxxp(s)?\\:\\/\\/isearch\\.avg\\.com\\/search\\?"
No malicious Chromium based browser items found.

*************************

\AdwCleaner\AdwCleaner[S0].txt - [2010 Bytes] - [27/03/2017 11:15:46]

########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [2081 Bytes] ##########

# AdwCleaner v6.044 - Logfile created 27/03/2017 at 11:20:44
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-27.1 [Server]
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (X86)
# Username : Kip - USE-PC
# Running from : C:\Users\USE\Downloads\AdwCleaner (1).exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKU\S-1-5-21-569404164-3270716429-1740154810-1000\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.1.6
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.6

***** [ Web browsers ] *****

[-] Firefox preferences cleaned: "weboftrust.search.ask.display" - "Ask.com Web Search"
[-] Firefox preferences cleaned: "weboftrust.search.avg.url" - "^hxxp(s)?\\:\\/\\/isearch\\.avg\\.com\\/search\\?"

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

\AdwCleaner\AdwCleaner[C0].txt - [1743 Bytes] - [27/03/2017 11:20:44]
\AdwCleaner\AdwCleaner[S0].txt - [2158 Bytes] - [27/03/2017 11:15:46]

########## EOF - \AdwCleaner\AdwCleaner[C0].txt - [1885 Bytes] ##########

Thanks.
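A way to cross-check the AdwCleaner scan (S0) and clean (C0) logs posted above, given here as an added example that is not part of the original posts and is not Malwarebytes' code: it reports any item the scan listed that the clean log does not show as removed. The log excerpts are copied from the post with one entry per line; the function names, and the assumption that entries follow the `... Found:` and `[-] ... deleted:` / `cleaned:` shapes seen in these two logs, belong to this example.

```python
import re

# Excerpts from the S0 (scan) and C0 (clean) logs in the post above.
SCAN_LOG = r"""
***** [ Scheduled Tasks ] *****
No malicious task found.
***** [ Registry ] *****
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Found: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.6
***** [ Web browsers ] *****
Firefox pref Found: [C:\Users\USE\AppData\Roaming\Mozilla\Firefox\Profiles\yzncpxei.default\prefs.js] - "weboftrust.search.ask.display" - "Ask.com Web Search"
"""
CLEAN_LOG = r"""
***** [ Registry ] *****
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.6
***** [ Web browsers ] *****
[-] Firefox preferences cleaned: "weboftrust.search.ask.display" - "Ask.com Web Search"
"""

# Assumed line shapes, taken from the two logs above only.
FOUND = re.compile(r"^.+? Found:\s*(.+)$")
REMOVED = re.compile(r"^\[-\]\s*.+? (?:deleted|cleaned):\s*(.+)$")
QUOTED = re.compile(r'"([^"]+)"')

def identities(log, pattern):
    """Return the normalised item named on each line that matches pattern."""
    items = set()
    for line in log.splitlines():
        match = pattern.match(line.strip())
        if not match:
            continue  # section headers and "No malicious ... found." lines
        rest = match.group(1).strip()
        quoted = QUOTED.search(rest)
        # Browser prefs are identified by the quoted pref name: the scan log
        # prefixes it with the prefs.js path, the clean log does not.
        # Registry paths are case-insensitive, so compare them lower-cased.
        items.add(quoted.group(1) if quoted else rest.lower())
    return items

def leftovers(scan_log, clean_log):
    """Items the scan reported that the clean log does not list as removed."""
    return sorted(identities(scan_log, FOUND) - identities(clean_log, REMOVED))

if __name__ == "__main__":
    remaining = leftovers(SCAN_LOG, CLEAN_LOG)
    print(remaining if remaining else "every scanned item was removed")
```

An empty result only means the two logs agree with each other; a follow-up scan is still what shows whether anything remains on the machine.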


I even checked to make sure they weren't word wrapped. When I go to update MBAM, it says "unable to access update server", but I think it may have updated. My version says 2017.3.27.05. I am starting to run the scan... I think it took a long time to run last time. I appreciate your help.


This is my report. I am running MBAM again.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/27/2017
Scan Time: 12:09:21 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.03.27.05
Rootkit Database: v2017.03.11.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Kip

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317325
Time Elapsed: 43 min, 56 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.IoloSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{918D30D3-AD9B-43A8-9EF7-463075DC93CD}_is1, Quarantined, [14eda9264f594beb4643d2d7837dca36],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


MBAM did not find anything this time. Does that mean my machine is clean? If so, is there any way I can get my Firefox to start working again? It's very important that I at least be able to access my bookmarks, if possible. I realize the history is probably gone now with the steps you had me take. My adult son has a very serious condition that I have many pages bookmarked about and really would like to be able to go back to for reference. Thank you so much if this is a possibility.

