Posted November 15, 2017 by FPCH Staff

My nephew Craig (a great guy) brought his computer to me because he was having problems with it. Turns out the hard drive was failing. I was able to image the drive and restore it on a new hard drive. While doing so, I ran an MBAM scan. MBAM found Rootkit.Fileless.MT Gen and quarantined it. I then installed Emsisoft AntiMalware - it found only adware. He was using AVG Free and Spybot S&D. Check out that host file. Can you please check to see if there's anything that needs to be addressed?

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-11-2017 03
Ran by Craig DiPiano (administrator) on CRAIGDIPIANO-HP (14-11-2017 19:27:09)
Running from C:\Users\Craig DiPiano\Desktop
Loaded Profiles: Craig DiPiano (Available Profiles: Craig DiPiano & Guest & DefaultAppPool)
Platform: Windows 10 Home Version 1607 14393.693 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(ArcSoft Inc.) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\SeagateManager\Sync\FreeAgentService.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
() C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
() C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkypeHost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
() C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
(SAC) C:\ProgramData\ClickFreeTformer\reminder\SacReminder.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
() C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2start.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DeviceAgent.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Service.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Seagate Technology LLC) C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wuapihost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [smartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [568888 2010-01-18] ()
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2776528 2016-12-14] (Malwarebytes)
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [8849832 2017-11-13] (Emsisoft Ltd)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Microsoft Default Manager] => "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
HKLM-x32\...\Run: [Philips Device Listener] => C:\Program Files (x86)\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe [380416 2012-03-19] ()
HKLM-x32\...\Run: [NortonOnlineBackupReminder] => "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED
HKLM-x32\...\Run: [MaxMenuMgr] => C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe [197928 2009-12-18] (Seagate LLC)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-05-26] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [976320 2009-12-03] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [CarboniteSetupLite] => C:\Program Files (x86)\Carbonite\CarbonitePreinstaller.exe [318096 2009-08-04] (Carbonite, Inc.)
HKLM-x32\...\Run: [ArcSoft Connection Service] => C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-04-23] (Apple Inc.)
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
HKLM-x32\...\Run: [sDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM-x32\...\Run: [DBAgent] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1562304 2017-07-21] (Seagate Technology LLC)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [sanDiskSecureAccess_Manager.exe] => C:\Users\Craig DiPiano\AppData\Roaming\SanDisk\SanDiskSecureAccess_Manager.exe [30705792 2012-07-10] (Gemalto N.V.)
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2010-01-22] (Hewlett-Packard Company)
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1712184 2010-02-09] ()
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [CCleaner Monitoring] => C:\Program Files (x86)\CCleaner\CCleaner64.exe [9288408 2016-12-06] (Piriform Ltd)
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [spybotPostWindows10UpgradeReInstall] => C:\Program Files\Common Files\AV\Spybot - Search and Destroy\Test.exe [1011200 2015-07-28] (Safer-Networking Ltd.)
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [spybot-S&D Cleaning] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [5915776 2016-03-21] (Safer-Networking Ltd.)
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [142568 2017-07-21] (Seagate Technology LLC)
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\Run: [sacReminder] => C:\ProgramData\ClickfreeTformer\reminder\SacReminder.exe [825152 2009-09-04] (SAC)
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\MountPoints2: {37773de6-c7c4-11e7-9dbd-78e7d1c8ebc7} - "F:\StartClickFreeBackup.exe"
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\MountPoints2: {9e2ec690-8457-11e7-9db9-78e7d1c8ebc7} - "L:\VZW_Software_upgrade_assistant.exe"
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...A8F59079A8D5}\localserver32:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk [2012-07-01]
ShortcutTarget: Adobe Gamma Loader.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NETGEAR WNA3100 Genie.lnk [2015-06-19]
ShortcutTarget: NETGEAR WNA3100 Genie.lnk -> C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk [2010-05-09]
ShortcutTarget: PictureMover.lnk -> C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company)
Startup: C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson scanner Registration.lnk [2013-02-02]
ShortcutTarget: Epson scanner Registration.lnk -> E:\Common\EpsonReg\v33\EpsonReg.exe (No File)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{2e716942-8032-463e-baf2-25dd3e2304d1}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{32f97b89-1668-40b9-8cc8-91ba1b275eb3}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
SearchScopes: HKLM -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM -> {ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL =
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} URL =
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
Toolbar: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
DPF: HKLM-x32 {1851174C-97BD-4217-A0CC-E908F60D5B7A} hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FireFox:
========
FF ProfilePath: C:\Users\Craig DiPiano\AppData\Roaming\Philips-Songbird\Profiles\1zpoz04t.default [2014-12-11]
FF Extension: (Philips Branding) - C:\Users\Craig DiPiano\AppData\Roaming\Philips-Songbird\Profiles\1zpoz04t.default\Extensions\philips-branding@philips.com [2011-08-27] [not signed]
FF Extension: (QuickTime Playback) - C:\Users\Craig DiPiano\AppData\Roaming\Philips-Songbird\Profiles\1zpoz04t.default\Extensions\quicktime@songbirdnest.com [2011-02-07] [not signed]
FF Extension: (Windows Media Playback) - C:\Users\Craig DiPiano\AppData\Roaming\Philips-Songbird\Profiles\1zpoz04t.default\Extensions\windowsmedia@songbirdnest.com [2011-02-07] [not signed]
FF Extension: (AAC Decoding Support) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\ewaacdec@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (Artwork Extras) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\albumart@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (CD Rip Support) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\cd-rip@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (File association) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\fileassociation@philips.com [2014-07-28] [not signed]
FF Extension: (gonzo) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\gonzo@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (Gracenote Metadata Lookup Provider) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\gracenote@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (H.264 Video Decoding Support) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\ewh264dec@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (mashTape) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\mashTape@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (MP3 Encoding Support) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\ewmp3enc@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (MPEG-4 Video Decoding Support) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\ewmpeg4dec@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (MSC Device Support) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\msc@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (MTP Device Support) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\mtp@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (Philips addon manager) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-addon-manager@philips.com [2014-07-28] [not signed]
FF Extension: (Philips auto msc-mtp switch) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-msc-mtp-switch@philips.com [2014-07-28] [not signed]
FF Extension: (Philips Branding) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-branding@philips.com [2014-07-28] [not signed]
FF Extension: (Philips GoGear Device Manager) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\gogear@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (Philips Skin) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-skin@philips.com [2014-07-28] [not signed]
FF Extension: (Philips UI) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-ui@philips.com [2014-07-28] [not signed]
FF Extension: (Purple Rain) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\purplerain@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (Concerts) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\concerts@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (LikeMusic) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-likemusic@philips.com [2014-07-28] [not signed]
FF Extension: (MinimizeToTray Plus for Philips Songbird) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-minimizetotray@philips.com [2014-07-28] [not signed]
FF Extension: (Philips Promotions) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\philips-promotions@philips.com [2014-07-28] [not signed]
FF Extension: (rhapsody) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\rhapsody@songbirdnest.com [2014-07-28] [not signed]
FF Extension: (Media Sharing) - C:\Program Files (x86)\Philips\Philips Songbird\extensions\sharing@songbirdnest.com [2014-07-28] [not signed]
FF SearchPlugin: C:\Users\Craig DiPiano\AppData\Roaming\Philips-Songbird\Profiles\1zpoz04t.default\searchplugins\62fa0614-5d53-4857-a24a-46d24ee810a3.xml [2011-02-07]
FF SearchPlugin: C:\Users\Craig DiPiano\AppData\Roaming\Philips-Songbird\Profiles\1zpoz04t.default\searchplugins\7c448e2e-7f1f-4329-965e-4fb614062ebf.xml [2014-07-28]
FF ProfilePath: C:\Users\Craig DiPiano\AppData\Roaming\Mozilla\Firefox\Profiles\5akk4lm7.default [2017-11-14]
FF user.js: detected! => C:\Users\Craig DiPiano\AppData\Roaming\Mozilla\Firefox\Profiles\5akk4lm7.default\user.js [2014-01-19]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\5akk4lm7.default -> Google
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\5akk4lm7.default -> Google
FF Homepage: Mozilla\Firefox\Profiles\5akk4lm7.default -> hxxp://www.google.com/
FF Extension: (Add Google Search To New Tab Page) - C:\Users\Craig DiPiano\AppData\Roaming\Mozilla\Firefox\Profiles\5akk4lm7.default\Extensions\newtabgoogle@graememcc.co.uk.xpi [2016-10-02]
FF Extension: (Video Downloader) - C:\Users\Craig DiPiano\AppData\Roaming\Mozilla\Firefox\Profiles\5akk4lm7.default\Extensions\pbekeglhko@pbekeglhko.org.xpi [2013-03-27] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension => not found
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2 => not found
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2014-08-26]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_27_0_0_183.dll [2017-10-25] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_27_0_0_183.dll [2017-10-25] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-21] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_33 -> C:\Windows\SysWOW64\npdeployJava1.dll [2012-07-23] (Sun Microsystems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [2017-04-29] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=1.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2794434498-725242176-3457425843-1001: sony.com/MediaGoDetector -> C:\Program Files (x86)\Sony\Media Go\npMediaGoDetector.dll [2014-03-24] (Sony Network Entertainment International LLC)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)

Chrome:
=======
CHR HomePage: Default -> javascript:location.href=%27mailto:?SUBJECT=%27+document.title+%27&BODY=%27+escape(location.href);
CHR Profile: C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default [2017-11-14]
CHR Extension: (Slides) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-13]
CHR Extension: (Docs) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-13]
CHR Extension: (Google Drive) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-05-04]
CHR Extension: (YouTube) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-05-04]
CHR Extension: (Google Docs Offline) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-05-04]
CHR Extension: (Keywords Everywhere - Keyword Tool) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbapdpeemoojbophdfndmlgdhppljgmp [2017-11-13]
CHR Extension: (Save to Facebook) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfikkaogpplgnfjmbjdpalkhclendgd [2017-08-13]
CHR Extension: (Google Keep Chrome Extension) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpcaedmchfhocbbapmcbpinfpgnhiddi [2017-06-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-21]
CHR Extension: (Send from Gmail (by Google)) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\pgphcomnlaojlmmcjmiddhdapjpbgeoc [2017-05-06]
CHR Extension: (Gmail) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-05-04]
CHR Extension: (Chrome Media Router) - C:\Users\Craig DiPiano\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-09-27]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [9173552 2017-11-13] (Emsisoft Ltd)
S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
R2 HP Health Check Service; C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe [121344 2010-03-24] (Hewlett-Packard) [File not signed]
S2 IHA_MessageCenter; C:\Program Files (x86)\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [363128 2015-01-27] (Verizon) [File not signed]
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-01-22] (Hewlett-Packard Company) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-12-14] (Malwarebytes)
S4 McciCMService; C:\Program Files (x86)\Common Files\Motive\McciCMService.exe [319488 2010-03-17] (Alcatel-Lucent) [File not signed]
S3 PACSPTISVR-Sound_Organizer; C:\Program Files (x86)\Sony\Sound Organizer\Sony.Earth\PACSPTISVR.exe [157024 2010-11-19] (Sony Corporation)
S2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [4088608 2016-09-21] (Safer-Networking Ltd.) [File not signed]
S2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [235984 2016-11-24] (Safer-Networking Ltd.) [File not signed]
R2 Seagate Dashboard Services; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16120 2017-07-21] (Seagate Technology LLC)
S2 Seagate MobileBackup Service; C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\MobileService.exe [143560 2017-07-21] (Seagate Technology LLC)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 WSWNA3100; C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe [316120 2014-08-18] ()

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 61883; C:\WINDOWS\System32\drivers\61883.sys [61952 2016-07-16] (Microsoft Corporation)
S3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [146856 2013-06-04] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [21928 2013-06-04] (Windows ® Win 7 DDK provider)
R1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
R3 GEARAspiWDM; C:\Windows\SysWOW64\DRIVERS\GEARAspiWDM.sys [15664 2012-04-04] (GEAR Software Inc.)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [251832 2017-11-14] (Malwarebytes)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 NPF; C:\WINDOWS\System32\DRIVERS\npf.sys [47632 2010-02-03] (CACE Technologies, Inc.)
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [23536 2010-01-19] (PC-Doctor, Inc.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek )
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
U3 idsvc; no ImagePath
S3 MREMP50; \??\C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [X]
S3 MRESP50; \??\C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-11-14 19:27 - 2017-11-14 19:27 - 000026894 _____ C:\Users\Craig DiPiano\Desktop\FRST.txt
2017-11-14 19:27 - 2017-11-14 19:27 - 000000000 ____D C:\FRST
2017-11-14 19:26 - 2017-11-14 19:26 - 002392576 _____ (Farbar) C:\Users\Craig DiPiano\Desktop\FRST64.exe
2017-11-14 19:07 - 2017-11-14 19:15 - 000000000 ____D C:\AdwCleaner
2017-11-14 18:52 - 2017-11-14 19:00 - 000000000 ____D C:\ProgramData\Emsisoft
2017-11-14 18:51 - 2017-11-14 18:51 - 000000939 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2017-11-14 18:51 - 2017-11-14 18:51 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2017-11-14 18:50 - 2017-11-14 19:22 - 000000000 ____D C:\Program Files\Emsisoft Anti-Malware
2017-11-14 18:39 - 2017-11-14 18:41 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\AvgSetupLog
2017-11-14 18:29 - 2017-11-14 18:49 - 291547704 _____ (Emsisoft Ltd. ) C:\Users\Craig DiPiano\Downloads\EmsisoftAntiMalwareSetup.exe
2017-11-14 18:26 - 2017-11-14 19:02 - 000004562 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2017-11-14 18:26 - 2017-11-14 18:26 - 000002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-11-14 18:18 - 2017-11-14 18:18 - 000001291 _____ C:\Users\Craig DiPiano\Desktop\MBAM scan.txt
2017-11-13 12:46 - 2017-11-13 13:22 - 000000000 _____ C:\Recovery.txt
2017-11-12 11:19 - 2017-11-12 14:50 - 000000000 ____D C:\ProgramData\ClickFreeTformer
2017-11-12 11:19 - 2017-11-12 11:19 - 000000000 ____D C:\ProgramData\ClickfreeIPTformer
2017-11-09 18:06 - 2017-11-09 18:06 - 005164530 _____ C:\Users\Craig DiPiano\Downloads\Painting Trees in Acrylic - Reference Images.pdf
2017-11-09 18:05 - 2017-11-09 18:06 - 000203037 _____ C:\Users\Craig DiPiano\Downloads\Painting Trees in Acrylic - Materials (1).pdf
2017-11-05 15:06 - 2017-11-05 15:06 - 000002200 _____ C:\Users\Craig DiPiano\AppData\Local\recently-used.xbel
2017-11-04 11:30 - 2017-10-24 17:53 - 000454674 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20171104-123031.backup
2017-10-29 12:42 - 2017-10-29 12:42 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\webkit
2017-10-29 12:33 - 2017-11-05 15:06 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\gtk-2.0
2017-10-29 12:32 - 2017-10-29 12:32 - 000000000 ____D C:\Users\Craig DiPiano\.thumbnails
2017-10-29 12:27 - 2017-11-05 15:13 - 000000000 ____D C:\Users\Craig DiPiano\.gimp-2.8
2017-10-29 12:27 - 2017-10-29 12:27 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\gegl-0.2
2017-10-29 12:27 - 2017-10-29 12:27 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\fontconfig
2017-10-29 12:26 - 2017-10-29 12:26 - 000000941 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
2017-10-29 12:25 - 2017-10-29 12:26 - 000000000 ____D C:\Program Files\GIMP 2
2017-10-29 12:24 - 2017-10-29 12:25 - 089579672 _____ (The GIMP Team ) C:\Users\Craig DiPiano\Downloads\gimp-2.8.22-setup.exe
2017-10-24 17:53 - 2017-10-22 11:03 - 000454674 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20171024-185315.backup
2017-10-22 11:03 - 2017-10-13 17:09 - 000454674 ____R C:\WINDOWS\system32\Drivers\etc\hosts.20171022-120320.backup
2017-10-21 11:38 - 2017-10-21 11:38 - 000000925 _____ C:\Users\Craig DiPiano\Downloads\events.ics
2017-10-20 16:53 - 2017-10-20 16:53 - 000003890 _____ C:\WINDOWS\System32\Tasks\Craig DiPiano1 Merge
2017-10-20 16:53 - 2017-10-20 16:53 - 000003862 _____ C:\WINDOWS\System32\Tasks\Craig DiPiano1
2017-10-17 18:16 - 2017-10-17 18:16 - 000003638 _____ C:\WINDOWS\System32\Tasks\Craig DiPiano DBAgent 2 0
2017-10-17 18:16 - 2017-10-17 18:16 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\Nero
2017-10-17 18:15 - 2017-10-17 18:15 - 000003644 _____ C:\WINDOWS\System32\Tasks\Seagate_Install_Launch
2017-10-17 18:14 - 2017-10-17 18:14 - 000002180 _____ C:\Users\Public\Desktop\Seagate Dashboard.lnk
2017-10-17 18:14 - 2017-10-17 18:14 - 000000000 ____D C:\ProgramData\Nero
2017-10-17 18:14 - 2017-10-17 18:14 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Seagate Dashboard
2017-10-17 18:13 - 2017-10-17 18:13 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\Seagate
2017-10-17 18:08 - 2017-10-17 18:10 - 156799280 _____ (Seagate) C:\Users\Craig DiPiano\Downloads\Seagate_Dashboard_Installer.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)
2017-11-14 19:25 - 2016-11-24 05:43 - 001427924 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-11-14 19:21 - 2016-12-31 04:40 - 000251832 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-11-14 19:19 - 2016-11-24 06:18 - 000000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-11-14 19:19 - 2016-07-16 01:04 - 001310720 _____ C:\WINDOWS\system32\config\BBI
2017-11-14 19:15 - 2015-10-30 02:24 - 000000000 ____D C:\WINDOWS\system32\Tasks_Migrated
2017-11-14 19:15 - 2012-04-18 19:18 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\Yahoo!
2017-11-14 19:15 - 2012-04-18 19:18 - 000000000 ____D C:\Users\Craig DiPiano\AppData\LocalLow\Yahoo!
2017-11-14 19:15 - 2012-04-18 19:18 - 000000000 ____D C:\Program Files (x86)\Yahoo!
2017-11-14 18:58 - 2010-06-20 17:45 - 000000000 ____D C:\ProgramData\Adobe
2017-11-14 18:43 - 2016-11-11 04:08 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\AVG
2017-11-14 18:43 - 2016-11-11 03:39 - 000000000 ____D C:\ProgramData\Avg
2017-11-14 18:43 - 2010-06-20 17:45 - 000000000 ____D C:\Program Files\Google
2017-11-14 18:43 - 2010-06-20 17:45 - 000000000 ____D C:\Program Files (x86)\Google
2017-11-14 18:43 - 2010-06-20 13:19 - 000000000 ____D C:\Program Files (x86)\AVG
2017-11-14 18:27 - 2010-06-20 17:45 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\Adobe
2017-11-14 18:27 - 2010-06-20 13:09 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\Adobe
2017-11-14 18:26 - 2010-06-20 17:45 - 000000000 ____D C:\Program Files (x86)\Adobe
2017-11-14 18:22 - 2016-07-16 06:45 - 000000000 ____D C:\WINDOWS\INF
2017-11-14 18:19 - 2010-06-20 17:57 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\Google
2017-11-14 18:19 - 2010-06-20 17:45 - 000000000 ____D C:\ProgramData\Google
2017-11-14 18:06 - 2016-11-24 05:34 - 000000000 ____D C:\WINDOWS\system32\SleepStudy
2017-11-14 17:50 - 2017-05-04 15:33 - 000000000 _____ C:\WINDOWS\SysWOW64\last.dump
2017-11-11 13:44 - 2016-11-24 05:44 - 000000000 ____D C:\Users\Craig DiPiano
2017-11-06 20:18 - 2017-07-27 16:07 - 000003392 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-2794434498-725242176-3457425843-1001
2017-11-06 20:18 - 2016-05-20 17:23 - 000002436 _____ C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-11-06 20:18 - 2016-05-20 17:23 - 000000000 ___RD C:\Users\Craig DiPiano\OneDrive
2017-11-04 19:48 - 2013-02-02 10:01 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\ArcSoft
2017-10-25 16:35 - 2016-07-16 06:47 - 000000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-10-25 16:35 - 2016-07-16 06:47 - 000000000 ____D C:\WINDOWS\system32\Macromed
2017-10-22 14:52 - 2012-07-20 11:06 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\SanDisk
2017-10-22 14:50 - 2010-08-05 19:50 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\vlc
2017-10-22 12:34 - 2011-02-04 16:32 - 000000000 ____D C:\Users\Craig DiPiano\Documents\FINANCES
2017-10-22 12:32 - 2012-06-16 10:46 - 000000000 ____D C:\Users\Craig DiPiano\Documents\Auto
2017-10-17 18:14 - 2010-06-20 17:38 - 000000000 ____D C:\Program Files (x86)\Seagate
2017-10-17 17:24 - 2017-07-25 17:11 - 000000000 ____D C:\Users\Craig DiPiano\Documents\Sketches_Scanned

==================== Files in the root of some directories =======

2010-07-12 17:48 - 2010-10-17 10:11 - 000033134 _____ () C:\Users\Craig DiPiano\AppData\Roaming\UserTile.png
2010-06-27 19:18 - 2017-08-03 17:02 - 000002500 _____ () C:\Users\Craig DiPiano\AppData\Roaming\wklnhst.dat
2017-01-24 17:27 - 2017-09-24 12:35 - 000016960 ____T (Un4seen Developments) C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\1eaadjc.dll
2017-01-24 17:27 - 2017-09-24 12:35 - 000018724 ____T () C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\bass.dll
2017-01-24 17:27 - 2017-09-24 12:35 - 000014392 ____T (Un4seen Developments) C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\kfgresk.dll
2017-01-24 17:27 - 2017-09-24 12:35 - 000014456 ____T () C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\mjcriu.dll
2017-01-24 17:27 - 2017-09-24 12:35 - 000010816 ____T (Un4seen Developments) C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\peaadje.dll
2017-01-24 17:27 - 2017-09-24 12:35 - 000028760 ____T ((: JOBnik! :) [Arthur Aminov, ISRAEL]) C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\qwadjb.dll
2017-01-24 17:27 - 2017-09-24 12:35 - 000015424 ____T (Un4seen Developments) C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\rsaadjd.dll
2017-01-24 17:27 - 2017-09-24 12:35 - 000098872 ____T (Un4seen Developments) C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\~DFK51ab8d40.tmp
2010-07-20 18:35 - 2017-09-24 12:34 - 000082432 _____ () C:\Users\Craig DiPiano\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2017-11-05 15:06 - 2017-11-05 15:06 - 000002200 _____ () C:\Users\Craig DiPiano\AppData\Local\recently-used.xbel
2012-05-24 17:11 - 2012-05-24 17:11 - 000000017 _____ () C:\Users\Craig DiPiano\AppData\Local\resmon.resmoncfg
2011-07-23 18:58 - 2011-07-23 18:58 - 000000000 _____ () C:\Users\Craig DiPiano\AppData\Local\{A5A7E4C1-9043-4FD1-8D28-C74B15880741}
2012-02-27 10:42 - 2013-02-24 12:24 - 000000629 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Files to move or delete:
====================
C:\Users\Craig DiPiano\lametritonus_en.dll
C:\Users\Craig DiPiano\lame_enc_en.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed C:\WINDOWS\system32\wininit.exe => File is digitally signed C:\WINDOWS\explorer.exe => File is digitally signed C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed C:\WINDOWS\system32\svchost.exe => File is digitally signed C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed C:\WINDOWS\system32\services.exe => File is digitally signed C:\WINDOWS\system32\User32.dll => File is digitally signed C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed C:\WINDOWS\system32\userinit.exe => File is digitally signed C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed C:\WINDOWS\system32\rpcss.dll => File is digitally signed C:\WINDOWS\system32\dnsapi.dll => File is digitally signed C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2017-11-06 16:49 ==================== End of FRST.txt ============================ Additional scan result of Farbar Recovery Scan Tool (x64) Version: 12-11-2017 03 Ran by Craig DiPiano (14-11-2017 19:28:40) Running from C:\Users\Craig DiPiano\Desktop Windows 10 Home Version 1607 14393.693 (X64) (2016-11-24 11:28:49) Boot Mode: Normal ========================================================== ==================== Accounts: ============================= Administrator (S-1-5-21-2794434498-725242176-3457425843-500 - Administrator - Disabled) Craig DiPiano (S-1-5-21-2794434498-725242176-3457425843-1001 - Administrator - Enabled) => C:\Users\Craig DiPiano DefaultAccount (S-1-5-21-2794434498-725242176-3457425843-503 - Limited - Disabled) Guest (S-1-5-21-2794434498-725242176-3457425843-501 - Limited - Disabled) => C:\Users\Guest HomeGroupUser$ (S-1-5-21-2794434498-725242176-3457425843-1002 - Limited - Enabled) ==================== Security Center ======================== (If an entry is included in the fixlist, it will be removed.) 
AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D} AS: Spybot - Search and Destroy (Disabled - Up to date) {A16C3F68-9280-E053-1818-342707FECF4D} AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620} AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} ==================== Installed Programs ====================== (Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.) ABBYY FineReader 9.0 Sprint (HKLM-x32\...\{F9000000-0018-0000-0000-074957833700}) (Version: 9.01.513.58212 - ABBYY) Hidden ABBYY FineReader 9.0 Sprint (HKLM-x32\...\ABBYY FineReader 9.0 Sprint) (Version: 9.01.513.58212 - ABBYY) Acrobat.com (HKLM-x32\...\{F8131A35-47FD-27AD-116D-0E79AF5DE5EE}) (Version: 2.1.0 - Adobe Systems Incorporated) Hidden Acrobat.com (HKLM-x32\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.1.0.0 - Adobe Systems Incorporated) ActiveCheck component for HP Active Support Library (HKLM-x32\...\{254C37AA-6B72-4300-84F6-98A82419187E}) (Version: 3.0.0.3 - Hewlett-Packard) Hidden Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20056 - Adobe Systems Incorporated) Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.0.2.12610 - Adobe Systems Inc.) Adobe Flash Player 27 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 27.0.0.183 - Adobe Systems Incorporated) Adobe Photoshop CS (HKLM-x32\...\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}) (Version: CS - Adobe Systems, Inc.) AMD USB Filter Driver (HKLM-x32\...\{5BDA2F58-1F21-4D10-9910-92B01EBCC958}) (Version: 1.0.14.91 - Advanced Micro Devices, Inc.) 
Any Video Converter 3.4.0 (HKLM-x32\...\Any Video Converter_is1) (Version: - Any-Video-Converter.com) Apple Application Support (HKLM-x32\...\{D9DAD0FF-495A-472B-9F10-BAE430A26682}) (Version: 3.0.3 - Apple Inc.) Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.) Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.) ArcSoft MediaImpression 2 (HKLM-x32\...\{FB46F473-333E-4A06-A777-31C54188593E}) (Version: 2.0.14.672 - ArcSoft) ArcSoft Scan-n-Stitch Deluxe (HKLM-x32\...\{FF8455A9-21E8-457D-AC64-510A705D53B3}) (Version: 1.1.2.27 - ArcSoft) ATI Catalyst Install Manager (HKLM\...\{E50A5077-1654-BEAE-986B-7B7133DA7C48}) (Version: 3.0.762.0 - ATI Technologies, Inc.) Audacity 2.0 (HKLM-x32\...\Audacity_is1) (Version: - Audacity Team) Bejeweled 2 Deluxe (HKLM-x32\...\WT082192) (Version: 2.2.0.82 - WildTangent) Hidden Bing Bar (HKLM-x32\...\{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}) (Version: 7.0.609.0 - Microsoft Corporation) Bing Rewards Client Installer (HKLM-x32\...\{61EDBE71-5D3E-4AB7-AD95-E53FEAF68C17}) (Version: 16.0.345.0 - Microsoft Corporation) Hidden Blackhawk Striker 2 (HKLM-x32\...\WT082122) (Version: 2.2.0.82 - WildTangent) Hidden Blasterball 3 (HKLM-x32\...\WT082124) (Version: 2.2.0.82 - WildTangent) Hidden Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.) Build-a-lot 2 (HKLM-x32\...\WT082438) (Version: 2.2.0.82 - WildTangent) Hidden Cake Mania (HKLM-x32\...\WT083477) (Version: 2.2.0.82 - WildTangent) Hidden CamStudio (HKLM-x32\...\CamStudio) (Version: - ) Carbonite Online Backup Setup (HKLM-x32\...\Carbonite Setup Lite) (Version: 3.8.0 - Carbonite Inc.) 
ccc-core-static (HKLM-x32\...\{AF4A82A7-F453-CE12-A942-E55FAC234387}) (Version: 2010.0202.2335.42270 - ATI) Hidden CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform) Chuzzle Deluxe (HKLM-x32\...\WT082200) (Version: 2.2.0.82 - WildTangent) Hidden CinemaNow Media Manager (HKLM-x32\...\{6C122441-1861-4CD7-B1C5-A163A6984E12}) (Version: 1.9.1.105 - CinemaNow, Inc.) ClickCharts Diagram Flowchart Software (HKLM-x32\...\ClickCharts) (Version: 1.55 - NCH Software) Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) CyberLink DVD Suite Deluxe (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 7.0.2712 - CyberLink Corp.) D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden Diner Dash 2 Restaurant Rescue (HKLM-x32\...\WT082396) (Version: 2.2.0.82 - WildTangent) Hidden Dora's Carnival Adventure (HKLM-x32\...\WT082133) (Version: 2.2.0.82 - WildTangent) Hidden DVD Menu Pack for HP MediaSmart Video (HKLM-x32\...\{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}) (Version: 4.0.3715 - Hewlett-Packard) Hidden DVD Menu Pack for HP MediaSmart Video (HKLM-x32\...\InstallShield_{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}) (Version: 4.0.3715 - Hewlett-Packard) DVD Shrink 3.2 (HKLM-x32\...\DVD Shrink_is1) (Version: - DVD Shrink) DVD Shrink Packages (HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\DVD Shrink Packages) (Version: - ) Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 2017.10 - Emsisoft Ltd.) 
Epson Copy Utility 3.5 (HKLM-x32\...\{AA72FB28-73B4-49E5-B6B4-E78F44BBD0AD}) (Version: 3.5.0.0 - ) Epson Event Manager (HKLM-x32\...\{03B8AA32-F23C-4178-B8E6-09ECD07EAA47}) (Version: 2.40.0001 - SEIKO EPSON CORPORATION) EPSON Perfection V33/V330 Photo Scanner Driver Update (HKLM-x32\...\{3B03E732-6150-4D0A-849F-C6F4141EA78C}) (Version: - ) EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version: - Seiko Epson Corporation) Escape Rosecliff Island (HKLM-x32\...\WT083484) (Version: 2.2.0.82 - WildTangent) Hidden Express Points Presentation Software (HKLM-x32\...\ExpressPoints) (Version: 1.13 - NCH Software) EZ Vinyl/Tape Converter 10 by Ion Audio (HKLM-x32\...\EZ Vinyl/Tape Converter by Ion Audio_is1) (Version: - Ion Audio LLC) Faerie Solitaire (HKLM-x32\...\WT082442) (Version: 2.2.0.82 - WildTangent) Hidden FATE (HKLM-x32\...\WT082141) (Version: 2.2.0.82 - WildTangent) Hidden ffdshow (HKLM-x32\...\ffdshow_is1) (Version: 1.0 - ) FFmpeg v0.6.2 for Audacity (HKLM-x32\...\FFmpeg for Audacity_is1) (Version: - ) Free Mp3 Wma Converter V 1.91 (HKLM-x32\...\Free Mp3 Wma Converter_is1) (Version: 1.91.0.0 - Koyote Soft) GIMP 2.8.22 (HKLM\...\GIMP-2_is1) (Version: 2.8.22 - The GIMP Team) Google Chrome (HKLM-x32\...\Google Chrome) (Version: 61.0.3163.100 - Google Inc.) Google Earth Plug-in (HKLM-x32\...\{57BB4801-61C8-4E74-9672-2160728A461E}) (Version: 7.1.5.1557 - Google) Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.33.5 - Google Inc.) Hidden Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden H&R Block Deluxe + Efile + State 2013 (HKLM-x32\...\{EDE796DE-0A72-464D-9D21-F04BC41A092B}) (Version: 13.05.6401 - HRB Technology, LLC.) H&R Block Deluxe + Efile + State 2015 (HKLM-x32\...\{E7BFC29A-9459-4534-9E35-BF1D66A18BAA}) (Version: 15.05.7401 - HRB Technology, LLC.) 
H&R Block Pennsylvania 2013 (HKLM-x32\...\{7F62C83B-2474-498A-8F5C-E5C452DF2D15}) (Version: 1.13.4501 - HRB Technology, LLC.) HandBrake 0.9.9.1 (HKLM-x32\...\HandBrake) (Version: 0.9.9.1 - ) Hardware Diagnostic Tools (HKLM\...\PC-Doctor for Windows) (Version: 6.0.5418.39 - PC-Doctor, Inc.) HP Advisor (HKLM-x32\...\{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}) (Version: 3.4.10262.3295 - Hewlett-Packard) HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.0.80 - WildTangent) HP MediaSmart CinemaNow 2.0 (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard) HP MediaSmart DVD (HKLM-x32\...\InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}) (Version: 4.0.3902 - Hewlett-Packard) HP MediaSmart Music (HKLM-x32\...\InstallShield_{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}) (Version: 4.0.3910 - Hewlett-Packard) HP MediaSmart Photo (HKLM-x32\...\InstallShield_{6DAF8CDC-9B04-413B-A0F2-BCC13CF8A5BF}) (Version: 4.0.3911 - Hewlett-Packard) HP MediaSmart SmartMenu (HKLM\...\{5B08AF35-B699-4A44-BB89-3E51E70611E8}) (Version: 3.1.1.12 - Hewlett-Packard) HP MediaSmart Video (HKLM-x32\...\InstallShield_{D12E3E7F-1B13-4933-A915-16C7DD37A095}) (Version: 4.0.3911 - Hewlett-Packard) HP MediaSmart/TouchSmart Netflix (HKLM-x32\...\{35021DFB-F9CA-402A-89A2-47F91E506465}) (Version: 1.0.2.0 - Hewlett-Packard) HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard) HP Setup (HKLM-x32\...\{F5C7FD70-2C0A-401E-95E9-916363567DDA}) (Version: 1.2.4048.3310 - Hewlett-Packard) HP Support Assistant (HKLM-x32\...\{B60DCA15-56A3-4D2D-8747-22CF7D7B588B}) (Version: 4.4.6.3 - Hewlett-Packard) HP Support Information (HKLM-x32\...\{B9A03B7B-E0FF-4FB3-BA83-762E58A1B0AA}) (Version: 10.1.0002 - Hewlett-Packard) HP Update (HKLM-x32\...\{DE77FE3F-A33D-499A-87AD-5FC406617B40}) (Version: 5.002.003.003 - Hewlett-Packard) HPAsset component for HP Active Support Library (HKLM-x32\...\{669D4A35-146B-4314-89F1-1AC3D7B88367}) 
(Version: 3.0.0.3 - Hewlett-Packard) Hidden IHA_MessageCenter (HKLM-x32\...\{80813829-BE27-4799-8BC7-2F75A7B6CB50}) (Version: 1.1.0 - Verizon) InterActual Player (HKLM-x32\...\InterActual Player) (Version: - ) iSEEK AnswerWorks English Runtime (HKLM-x32\...\{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}) (Version: 010.000.0101 - Vantage Linguistics) iTunes (HKLM\...\{5A68A656-979F-4168-8795-E2E368AA4DC2}) (Version: 11.2.2.3 - Apple Inc.) Jewel Quest 3 (HKLM-x32\...\WT082443) (Version: 2.2.0.82 - WildTangent) Hidden Jewel Quest Solitaire 2 (HKLM-x32\...\WT082468) (Version: 2.2.0.82 - WildTangent) Hidden Junk Mail filter update (HKLM-x32\...\{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden Keyword Strategy Studio Pro v2010.010311 (HKLM-x32\...\Keyword Strategy Studio Pro_is1) (Version: - Softnik Technologies) LabelPrint (HKLM-x32\...\{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2610 - CyberLink Corp.) Hidden LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2610 - CyberLink Corp.) 
LAME v3.98.3 for Audacity (HKLM-x32\...\LAME for Audacity_is1) (Version: - ) LightScribe Applications (HKLM-x32\...\{16F5ADDD-6EFD-411A-9013-8DD2C629FE53}) (Version: 1.18.27.10 - LightScribe) LightScribe System Software (HKLM-x32\...\{FA8BFB25-BF48-4F8B-8859-B30810745190}) (Version: 1.18.11.1 - LightScribe) Malwarebytes version 3.0.5.1299 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.5.1299 - Malwarebytes) Media Go (HKLM-x32\...\{F66C4A41-C3A8-4523-AB6C-BAA1DB38305C}) (Version: 2.7.357 - Sony) Media Go Network Downloader (HKLM-x32\...\{5562F05F-908C-4F15-9B3C-98D5FD32DCAB}) (Version: 1.5.19.0 - Sony) Media Go Video Playback Engine 2.4.128.12060 (HKLM-x32\...\{7C5AEEE1-6D7C-8922-4548-7BF9096077EC}) (Version: 2.4.128.12060 - Sony) Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft) Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation) Microsoft Office Home and Student 60 day trial (HKLM-x32\...\OfficeTrial) (Version: - ) Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft Office Standard 2007 (HKLM-x32\...\STANDARD) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft OneDrive (HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\OneDriveSetup.exe) (Version: 17.3.7076.1026 - Microsoft Corporation) Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation) Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation) Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation) 
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation) Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation) Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation) 
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation) Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation) Microsoft Works (HKLM-x32\...\{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}) (Version: 9.7.0621 - Microsoft Corporation) Movie Theme Pack for HP MediaSmart Video (HKLM-x32\...\{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 4.0.3715 - Hewlett-Packard) Hidden Movie Theme Pack for HP MediaSmart Video (HKLM-x32\...\InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 4.0.3715 - Hewlett-Packard) Mozilla Firefox 47.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0.2 (x86 en-US)) (Version: 47.0.2 - Mozilla) Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.2.6148 - Mozilla) Mp3 My Mp3 3.1 (HKLM-x32\...\{F92A74E1-D56E-4B83-A8C3-5DB85759A3FA}) (Version: 3.1 - Digital Liquid Ltd) Hidden Mp3 My Mp3 3.1 (HKLM-x32\...\Mp3 My Mp3 3.1) (Version: 3.1 - Digital Liquid Ltd) MP3MyMP3 4.2 (HKLM-x32\...\MP3MyMP3_is1) (Version: - Bruce McArthur) MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation) muvee Reveal Seagate Edition (HKLM-x32\...\{78E9A751-5616-233F-1249-16AC5758C646}) (Version: 7.0.41.11017 - muvee Technologies Pte Ltd) Mystery P.I. 
- The New York Fortune (HKLM-x32\...\WT082456) (Version: 2.2.0.82 - WildTangent) Hidden NETGEAR WNA3100 wireless USB 2.0 adapter (HKLM-x32\...\{C2425F91-1F7B-4037-9A05-9F290184798D}) (Version: 2.2.0.4 - NETGEAR) Norton Online Backup (HKLM-x32\...\{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}) (Version: 2.0.0.34 - Symantec) NWZ-E380 WALKMAN Guide (HKLM-x32\...\{D98ED583-338D-4425-B2EF-A4C7FB93CE88}) (Version: 2.2.0.05230 - Sony Corporation) OLYMPUS Digital Camera Updater (HKLM-x32\...\{D18925CE-5AF9-4394-8EF7-1081FFE7E98B}) (Version: 1.2.0 - OLYMPUS IMAGING CORP.) Penguins! (HKLM-x32\...\WT082168) (Version: 2.2.0.82 - WildTangent) Hidden Philips Songbird (HKLM-x32\...\Philips Songbird) (Version: 6.1.2265 (2265) - Koninklijke Philips Electronics N.V.) PhotoNow! (HKLM-x32\...\{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.6904 - CyberLink Corp.) Hidden PhotoNow! (HKLM-x32\...\InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.6904 - CyberLink Corp.) PictureMover (HKLM-x32\...\{1896E712-2B3D-45eb-BCE9-542742A51032}) (Version: 3.3.1.19 - Hewlett-Packard Company) Plants vs. Zombies (HKLM-x32\...\WT082170) (Version: 2.2.0.82 - WildTangent) Hidden PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation) Poker Superstars III (HKLM-x32\...\WT082171) (Version: 2.2.0.82 - WildTangent) Hidden Polar Bowler (HKLM-x32\...\WT082172) (Version: 2.2.0.82 - WildTangent) Hidden Polar Golfer (HKLM-x32\...\WT082173) (Version: 2.2.0.82 - WildTangent) Hidden Power2Go (HKLM-x32\...\{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.3810 - CyberLink Corp.) Hidden Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.3810 - CyberLink Corp.) PowerDirector (HKLM-x32\...\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.2704 - CyberLink Corp.) Hidden PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.2704 - CyberLink Corp.) 
Prism Video File Converter (HKLM-x32\...\Prism) (Version: 2.25 - NCH Software) Python 2.7.1 (64-bit) (HKLM\...\{32939827-d8e5-470a-b126-870db3c69fd0}) (Version: 2.7.1150 - Python Software Foundation) Quicken 2012 (HKLM-x32\...\{0A1E0BDA-5E8F-436d-8BE5-7E97C5CB899D}) (Version: 21.1.7.18 - Intuit) Quicken 2013 (HKLM-x32\...\{034DD4BB-F0D6-4ECF-B064-8E39E3EF7076}) (Version: 22.1.12.7 - Intuit) Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6662 - Realtek Semiconductor Corp.) Recovery Manager (HKLM-x32\...\{44B2A0AB-412E-4F8C-B058-D1E8AECCDFF5}) (Version: 5.5.2719 - CyberLink Corp.) Hidden Riva FLV Encoder 2.0 (HKLM-x32\...\Riva FLV Encoder 2.0_is1) (Version: 2.00.0005 - Rothenberger & Partner) SanDiskSecureAccess_Manager.exe (HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\@@__UNKNOWN__@@SanDiskSecureAccess_Manager.exe) (Version: 1.1.19755 - Gemalto N.V.) Seagate Dashboard (HKLM-x32\...\{EA266F00-A8E7-43A0-8DED-FBFE3F076934}) (Version: 4.8.5.0 - Seagate) Seagate Manager Installer (HKLM-x32\...\{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}) (Version: 2.01.0700 - Seagate) Hidden Seagate Manager Installer (HKLM-x32\...\InstallShield_{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}) (Version: 2.01.0700 - Seagate) Sound Organizer (HKLM-x32\...\{95B9D945-C782-44F8-AD12-F9FE48EE7C94}) (Version: 1.1.0.12070 - Sony Corporation) Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited) Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.) 
Switch Sound File Converter (HKLM-x32\...\Switch) (Version: 5.12 - NCH Software) TextTwist 2 (HKLM-x32\...\WT083491) (Version: 2.2.0.82 - WildTangent) Hidden TurboTax 2011 (HKLM-x32\...\TurboTax 2011) (Version: - Intuit, Inc) TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc) Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0012-0000-0000-0000000FF1CE}_STANDARD_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) VideoPad Video Editor (HKLM-x32\...\VideoPad) (Version: 4.48 - NCH Software) Virtual Families (HKLM-x32\...\WT082188) (Version: 2.2.0.82 - WildTangent) Hidden Virtual Villagers - The Secret City (HKLM-x32\...\WT082241) (Version: 2.2.0.82 - WildTangent) Hidden Visual C++ 8.0 Runtime Setup Package (x64) (HKLM-x32\...\{2FDBBCEA-62DB-45F4-B6E5-0E1FB2A1F29D}) (Version: 9.0.0.623 - AVG Technologies CZ, s.r.o.) Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies) Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies) Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies) Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.) VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN) Vz In Home Agent (HKLM-x32\...\{6916E491-8BBF-4E8A-AFAD-D01307C059E5}) (Version: 8.02.23 - Verizon) Wav to Mp3 (HKLM-x32\...\{729E66B3-1B80-4F2F-8D19-342A89631E0A}_is1) (Version: - ) Wheel of Fortune 2 (HKLM-x32\...\WT082189) (Version: 2.2.0.82 - WildTangent) Hidden Windows Driver Package - Google, Inc. (WinUSB) AndroidUsbDeviceClass (08/11/2009 2.0.0010.00002) (HKLM\...\B81055EA372C9E3EA5000B4BD9585D992D51F1DE) (Version: 08/11/2009 2.0.0010.00002 - Google, Inc.) 
Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0) (HKLM\...\2C1C2F29FADF39F533CEEE67B90F07A5306A4BDB) (Version: 09/09/2009 1.0.0.0 - OLYMPUS IMAGING CORP.) Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation) Windows Movie Maker 2.6 (HKLM-x32\...\{B3DAF54F-DB25-4586-9EF1-96D24BB14088}) (Version: 2.6.4038.0 - Microsoft Corporation) Zuma's Revenge (HKLM-x32\...\WT082463) (Version: 2.2.0.82 - WildTangent) Hidden ==================== Custom CLSID (Whitelisted): ========================== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) CustomCLSID: HKU\S-1-5-21-2794434498-725242176-3457425843-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File ContextMenuHandlers2-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU.DLL [2015-10-21] (Emsisoft Ltd) ContextMenuHandlers2-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd) ContextMenuHandlers3-x32: [Emsisoft Shell Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU.DLL [2015-10-21] (Emsisoft Ltd) ContextMenuHandlers3-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd) ContextMenuHandlers3-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2016-12-14] (Malwarebytes) ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File ContextMenuHandlers6-x32: [Emsisoft Shell 
Extension] -> {AB77609F-2178-4E6F-9C4B-44AC179D937A} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU.DLL [2015-10-21] (Emsisoft Ltd) ContextMenuHandlers6-x32: [Emsisoft Shell Extension x64] -> {E3F21FC7-6D65-48E7-B62B-E9ED8200C764} => C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\A2CONTMENU64.DLL [2015-10-21] (Emsisoft Ltd) ContextMenuHandlers6-x32: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2016-12-14] (Malwarebytes) ==================== Scheduled Tasks (Whitelisted) ============= (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) Task: {00E7E66A-146A-4D91-AE0E-8E041E5EEEFC} - System32\Tasks\DVDAgent => c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe Task: {0614E216-9586-4DC9-9417-9663E71FFA81} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe Task: {09DD22EA-249F-4834-94E9-2F324E944E0D} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe Task: {0E8551ED-005D-40C6-90E3-80D5843F8DBB} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe Task: {128FDC75-746D-4480-869A-A87D6AEBB636} - System32\Tasks\CCleanerSkipUAC => C:\Program Files (x86)\CCleaner\CCleaner.exe [2016-12-06] (Piriform Ltd) Task: {1294C8DE-F2BA-4269-871D-756095C3B09E} - System32\Tasks\ServicePlan => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-02-24] () Task: {198BA291-FB1B-4265-A118-6FE6B55EBBE7} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe Task: {1BB38B11-01D4-4FC3-9105-370BB8C11A21} - System32\Tasks\CLMLSvc => c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Music\Kernel\CLML\CLMLSvc.exe Task: {27C411B7-E322-486B-938E-48EF225CFC07} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe Task: 
{2F0B2903-9F5B-4E96-8394-51698C1980DD} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe Task: {356D20A1-53E6-435D-A1F2-FDCAA78D276B} - System32\Tasks\Craig DiPiano1 Merge => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\NBCore.exe [2017-07-21] (Seagate Technology LLC) Task: {3691FF85-D708-409B-BE7A-284ADA2BCFB2} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe Task: {392AAB2B-15F7-48B1-B07E-0BE480D834F6} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe Task: {3FDDFACE-600F-41C0-A521-C7119F1B6508} - System32\Tasks\OneDrive Standalone Update Task => C:\Users\Craig DiPiano\AppData\Local\Microsoft\OneDrive\17.3.6517.0809\OneDriveStandaloneUpdater.exe Task: {4174D0B1-D662-4442-BE05-E74FDA7AB687} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe Task: {4F146EF9-1584-4BF8-A020-3A9E37525BCE} - System32\Tasks\Craig DiPiano DBAgent 2 0 => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\DBAgent.exe [2017-07-21] (Seagate Technology LLC) Task: {5A2CC048-721F-46A1-AC35-80DD405DFAEF} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-10-25] (Adobe Systems Incorporated) Task: {5DCCE427-23A6-4FC9-ACF2-657BA1A698C9} - System32\Tasks\Craig DiPiano1 => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\NBCore.exe [2017-07-21] (Seagate Technology LLC) Task: {5F522CEB-EAA3-4E97-96FF-BF8425DF56F6} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File Task: {71415035-9F51-485A-BF58-AE3A62E8BB0D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.) 
Task: {75E207A5-0575-446A-974A-D178024369F1} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe Task: {77CDE8FA-743E-4BC5-8128-8886F7D50B1D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File Task: {7864E796-9F78-4F98-95A9-80E968BB9BEB} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe [2016-03-21] (Safer-Networking Ltd.) Task: {7B0DFFF0-6088-41CF-A75A-878BA845C91F} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe Task: {7B414C1E-650B-461C-A36D-14FB655627C0} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.) Task: {841465EF-77FE-40EF-8138-287423A1BD12} - System32\Tasks\{F030C5F5-3535-40C8-82A9-4FBBB3FA519D} => C:\Windows\system32\pcalua.exe -a "C:\Users\Craig DiPiano\Videos\Riva_FLV_Encoder.exe" -d "C:\Users\Craig DiPiano\Videos" Task: {8451AEC7-438A-47ED-AAF8-43DA021933CF} - System32\Tasks\iMeshNAG => C:\Users\CRAIGD~1\AppData\Local\Temp\iMesh_setup.exe Task: {8465E2C1-36AD-4EA3-8ECA-5C561635B621} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe Task: {88B0061E-71BD-4E62-B1BA-8AD9866A077C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File Task: {8CEC57CE-9D89-4DAC-B4A6-7A110184F37A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File Task: {9D68AD1A-3850-45B6-BC03-009D74EB709E} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe Task: {A1D35F98-7D4F-4EC2-9239-00601DC46FCE} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe Task: {A2637C3B-1E40-44BD-AB8C-4383AC6C1F7C} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File Task: 
{A489B528-91C6-4184-A0AF-723508AC6495} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe Task: {A4E1A579-D414-4C8E-AD66-03A0538F4503} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.) Task: {A7F13F2E-7E40-4342-A3EF-A78884CC1813} - \Microsoft\Windows\Setup\gwx\rundetector -> No File Task: {A894259E-D7D0-41BB-AED3-1D8F66401E39} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe Task: {AA665A59-A688-419E-B83D-465C6651FBB7} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File Task: {AC825DFB-BBC0-430E-9DBA-4A946ACA8B53} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File Task: {B081616E-0B12-4425-9E08-A245118C7CCE} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File Task: {B0FAD8D3-529C-4402-94D7-4D44F8DB6D78} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File Task: {B10439E1-E185-4DB2-807B-DD6AC98B530E} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe Task: {B564AB98-F1CF-4EF4-B044-F7492A523700} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File Task: {B92A5C1F-2083-497F-B44F-60F380623673} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe Task: {BA287D0E-8F40-4EF9-BAA0-1EACC7B4B577} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe Task: {BB119898-E216-4E4D-93DB-E693B6921D84} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File Task: {C4D5D3CC-58F8-43D2-AC4F-FA91F4439F57} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe Task: {C53DD36B-A1E7-4C6E-A433-B17773342A7E} - System32\Tasks\PCDRScheduledMaintenance => C:\Program Files\PC-Doctor for Windows\pcdrcui.exe [2010-02-01] (PC-Doctor, Inc.) 
Task: {CE4316C6-3AE3-4120-ACFF-FB8A88428B1A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File Task: {D13884A6-4010-4AC9-99F8-7BA15C9287F8} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2017-02-02] (Adobe Systems Incorporated) Task: {D2766357-4D1A-4D75-A2FB-E426DC50D624} - System32\Tasks\SidebarExecute => C:\Program Files\Windows Sidebar\sidebar.exe Task: {D34FC6E8-B440-4E73-A3B7-7D93D9CF0DC2} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File Task: {DC292CBE-591A-4837-B7BD-C5A523F33642} - System32\Tasks\Seagate_Install_Launch => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Dashboard.exe [2017-07-21] (Seagate Technology LLC) Task: {E8FA7856-F1C0-48C9-88EE-4613503C97E8} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe Task: {EDC1CEBF-721A-43DF-97F4-6333C572872D} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2016-03-21] (Safer-Networking Ltd.) Task: {F809B3DB-23B7-4759-B88C-17638039582F} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe Task: {FC168DBD-8327-4CC8-BEBE-28B294DC8806} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) Task: C:\WINDOWS\Tasks\iMeshNAG.job => C:\Users\CRAIGD~1\AppData\Local\Temp\iMesh_setup.exe Task: C:\WINDOWS\Tasks\PCDRScheduledMaintenance.job => C:\Program Files\PC-Doctor for Windows\pcdrcui.exe5-fh scripts\monthly.xml ==================== Shortcuts & WMI ======================== (The entries could be listed to be restored or removed.) 
Shortcut: C:\Users\Craig DiPiano\Favorites\NCH Software Download Site.lnk -> hxxp://www.nch.com.au/index.htm Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Account.lnk -> hxxp://www22.verizon.com/ForYourHome/MyAccount/Protected/Account/MyAccountProfile.asp Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Message Center.lnk -> hxxp://webmail.verizon.com Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\My Verizon.lnk -> hxxp://www22.verizon.com/Foryourhome/MyAccount/Unprotected/UserManagement/Login/Login.asp Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Shop Verizon.lnk -> hxxp://my.verizon.com/shop/portlets/shop/ShopVas.js Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Support.lnk -> hxxp://www22.verizon.com/residentialhelp Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Verizon Links\About Verizon.lnk -> hxxp://wapp.verizon.com/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=ho_cor Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Verizon Links\Safety & Security.lnk -> hxxp://surround.verizon.com/Shop/Utilities/InternetSecuritySuite.asp Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Verizon Links\Search.lnk -> hxxp://my.verizon.com/central/bookmark?action=advancedwebsearc Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Verizon Links\Support.lnk -> hxxp://www22.verizon.com/residentialhelp Shortcut: C:\Users\Craig DiPiano\Favorites\My Verizon\Verizon Links\Welcome Page.lnk -> hxxp://wapp.verizon.com/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0unattached&bm=wc_welcom ==================== Loaded Modules (Whitelisted) ============== 2016-07-16 06:42 - 2016-07-16 06:42 - 000231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll 2016-12-14 16:35 - 2016-12-09 05:29 - 002681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll 2015-06-09 20:20 - 2014-08-18 16:50 - 000316120 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvc.exe 2016-12-31 04:40 - 2017-04-20 02:42 - 002271520 _____ () C:\PROGRAM 
FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll 2016-11-24 08:07 - 2016-11-24 08:07 - 000134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll 2017-01-11 16:21 - 2016-12-21 02:09 - 000474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll 2017-01-11 16:21 - 2016-12-21 01:54 - 009760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll 2017-01-11 16:21 - 2016-12-21 01:48 - 001401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll 2017-01-11 16:21 - 2016-12-21 01:48 - 000757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll 2017-01-11 16:21 - 2016-12-21 01:48 - 001033216 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Actions.dll 2017-01-11 16:21 - 2016-12-21 01:48 - 002424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll 2017-01-11 16:21 - 2016-12-21 01:53 - 004853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll 2016-12-14 15:50 - 2016-12-14 15:51 - 000072192 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkypeHost.exe 2016-12-14 15:50 - 2016-12-14 15:51 - 000179712 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkypeBackgroundTasks.dll 2016-12-14 15:50 - 2016-12-14 15:51 - 042130432 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\SkyWrap.dll 2016-12-14 15:50 - 2016-12-14 15:51 - 002216448 _____ () C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.10.145.0_x64__kzf8qxf38zg5c\roottools.dll 2010-01-18 12:21 - 2010-01-18 12:21 - 000568888 _____ () C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe 2010-02-09 21:01 - 2010-02-09 21:01 - 001712184 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe 2015-06-09 20:20 - 2014-08-18 
16:49 - 008274648 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WNA3100.exe 2017-09-26 15:40 - 2017-09-21 02:29 - 004022616 _____ () C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.100\libglesv2.dll 2017-09-26 15:40 - 2017-09-21 02:29 - 000100184 _____ () C:\Program Files (x86)\Google\Chrome\Application\61.0.3163.100\libegl.dll 2015-06-09 20:20 - 2015-02-26 19:19 - 000380928 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WifiLib.dll 2015-06-09 20:20 - 2014-07-22 09:18 - 000278528 _____ () C:\Program Files (x86)\NETGEAR\WNA3100\WifiSvcLib.dll 2016-11-28 16:35 - 2014-05-13 12:04 - 000109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl 2016-11-28 16:35 - 2014-05-13 12:04 - 000167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl 2016-11-28 16:35 - 2014-05-13 12:04 - 000416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl ==================== Alternate Data Streams (Whitelisted) ========= (If an entry is included in the fixlist, only the ADS will be removed.) ==================== Safe Mode (Whitelisted) =================== (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service" ==================== Association (Whitelisted) =============== (If an entry is included in the fixlist, the registry item will be restored to default or removed.) ==================== Internet Explorer trusted/restricted =============== (If an entry is included in the fixlist, it will be removed from the registry.) 
IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com There are 7936 more sites. 
IE trusted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\google.com -> hxxps://www.google.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\007guard.com -> install.007guard.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\008i.com -> 008i.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\008k.com -> www.008k.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\00hq.com -> www.00hq.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\010402.com -> 010402.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\0scan.com -> www.0scan.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1-2005-search.com -> www.1-2005-search.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1-domains-registrations.com -> www.1-domains-registrations.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1000gratisproben.com -> www.1000gratisproben.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1001namen.com -> www.1001namen.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\100888290cs.com -> mir.100888290cs.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\100sexlinks.com -> www.100sexlinks.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\10sek.com -> www.10sek.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\12-26.net -> user1.12-26.net IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\12-27.net -> user1.12-27.net IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123fporn.info -> www.123fporn.info IE restricted site: 
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123haustiereundmehr.com -> www.123haustiereundmehr.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123moviedownload.com -> www.123moviedownload.com IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123simsen.com -> www.123simsen.com There are 7937 more sites. ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2009-07-13 21:34 - 2017-11-04 11:30 - 000454674 ____R C:\WINDOWS\system32\Drivers\etc\hosts 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 127.0.0.1 www.0scan.com 127.0.0.1 0scan.com 127.0.0.1 1000gratisproben.com 127.0.0.1 www.1000gratisproben.com 127.0.0.1 1001namen.com 127.0.0.1 www.1001namen.com 127.0.0.1 100888290cs.com 127.0.0.1 www.100888290cs.com 127.0.0.1 www.100sexlinks.com 127.0.0.1 100sexlinks.com 127.0.0.1 10sek.com 127.0.0.1 www.10sek.com 127.0.0.1 www.1-2005-search.com 127.0.0.1 1-2005-search.com 127.0.0.1 www.123fporn.info 127.0.0.1 123fporn.info 127.0.0.1 123haustiereundmehr.com 127.0.0.1 www.123haustiereundmehr.com 127.0.0.1 123moviedownload.com 127.0.0.1 www.123moviedownload.com There are 15603 more lines. ==================== Other Areas ============================ (Currently there is no automatic fix for this section.) 
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Craig DiPiano\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe\LocalState\PhotosAppBackground\{41c40453-4351-48d4-a54d-4ee28bcbd18e}.jpg DNS Servers: 192.168.0.1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer => (SmartScreenEnabled: RequireAdmin) ==================== MSCONFIG/TASK MANAGER disabled items == HKLM\...\StartupApproved\StartupFolder: => "Adobe Gamma Loader.lnk" HKLM\...\StartupApproved\Run: => "Malwarebytes TrayApp" HKLM\...\StartupApproved\Run: => "WindowsDefender" HKLM\...\StartupApproved\Run32: => "Adobe Reader Speed Launcher" HKLM\...\StartupApproved\Run32: => "Adobe ARM" HKLM\...\StartupApproved\Run32: => "APSDaemon" HKLM\...\StartupApproved\Run32: => "ArcSoft Connection Service" HKLM\...\StartupApproved\Run32: => "CarboniteSetupLite" HKLM\...\StartupApproved\Run32: => "Microsoft Default Manager" HKLM\...\StartupApproved\Run32: => "EEventManager" HKLM\...\StartupApproved\Run32: => "MaxMenuMgr" HKLM\...\StartupApproved\Run32: => "iTunesHelper" HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched" HKLM\...\StartupApproved\Run32: => "Philips Device Listener" HKLM\...\StartupApproved\Run32: => "VerizonServicepoint.exe" HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\StartupApproved\StartupFolder: => "Epson scanner Registration.lnk" HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\StartupApproved\Run: => "Amazon Music" HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\StartupApproved\Run: => "CCleaner Monitoring" HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\StartupApproved\Run: => "LightScribe Control Panel" HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\StartupApproved\Run: => "OneDrive" HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\StartupApproved\Run: => 
"SanDiskSecureAccess_Manager.exe" HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\StartupApproved\Run: => "Spybot-S&D Cleaning" ==================== FirewallRules (Whitelisted) =============== (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.) FirewallRules: [{84F0FFF7-3488-4ABC-9164-87540A4450AD}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe FirewallRules: [{E21A872A-C4F0-414F-A48E-43B01FEA01D3}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe FirewallRules: [{F4DF446F-8109-42A7-8A3C-5CEA123C3B17}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartMusic.exe FirewallRules: [{040FE419-F64E-4E34-9618-964CAC54E6A4}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartPhoto.exe FirewallRules: [{F55682A5-BB17-4610-8261-3BA16FF2AE55}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPTouchSmartVideo.exe FirewallRules: [{C6A48249-3893-4B45-8CA0-A2E6FEA1C7B5}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\TSMAgent.exe FirewallRules: [{C5933230-372D-40B1-BCF8-605DC672CD67}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\Kernel\CLML\CLMLSvc.exe FirewallRules: [{F4C1E844-CDF5-4F9D-9548-E5BF12D82D71}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\Media\DVD\HPDVDSmart.exe FirewallRules: [{B9483F56-D54B-4EB7-BD5F-52813A76590A}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDirector\PDR.EXE FirewallRules: [{42412653-06AB-4834-9BA3-E41793587266}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\CinemaNow\CinemaNow.exe FirewallRules: [{610413EF-3EE6-4079-AEE5-7208123F2080}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\CinemaNow\CinemaNow.exe FirewallRules: [{C517426F-ED19-40EE-9BCB-517227F2B515}] => (Allow) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe FirewallRules: [{0851FF14-6F85-4097-A4CD-30DAB60DDE90}] => (Allow) C:\Program Files 
(x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe FirewallRules: [{A758F163-F159-4EBD-9E94-CBD795225D78}] => (Allow) c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Music\HPTouchSmartMusic.exe FirewallRules: [TCP Query User{C7894759-182D-4A84-A0E7-AE37A01B828C}C:\program files (x86)\google\google earth\plugin\geplugin.exe] => (Allow) C:\program files (x86)\google\google earth\plugin\geplugin.exe FirewallRules: [uDP Query User{7818AB9B-32A9-4D78-BF6C-D11C5E1DB339}C:\program files (x86)\google\google earth\plugin\geplugin.exe] => (Allow) C:\program files (x86)\google\google earth\plugin\geplugin.exe FirewallRules: [{F1534492-FFC7-44FA-A3FD-3002899CDCE1}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe FirewallRules: [{1ECD3752-A781-41B9-906B-2CEC23495D8B}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe FirewallRules: [{44EA520B-6459-44DE-BB91-052225AFB5C8}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgdiagex.exe FirewallRules: [{61A8A447-6D0A-4A34-8F44-46F35231DC42}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgdiagex.exe FirewallRules: [{82F48685-F443-43F4-A62F-46F02843C857}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgnsa.exe FirewallRules: [{4650292E-F11B-41AF-BAF0-928FA75891DD}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgnsa.exe FirewallRules: [{D2AE60FD-EE99-475C-BC88-9818B4AE6F21}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgemca.exe FirewallRules: [{D6420937-ED58-486A-B363-7D432BF18108}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgemca.exe FirewallRules: [TCP Query User{12B30242-047A-4C84-BC53-664CFD9A1F49}J:\techwizard.exe] => (Allow) J:\techwizard.exe FirewallRules: [uDP Query User{3EA45341-C127-4672-A71C-6D3692CCBEEE}J:\techwizard.exe] => (Allow) J:\techwizard.exe FirewallRules: [{0CEDAE81-58B5-4D30-9708-43A709EA40E6}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe FirewallRules: [{79EDC441-6588-490A-9992-B539F12EFDEE}] => (Allow) LPort=2869 FirewallRules: 
[{7169B85C-CF6F-47CD-A940-2C9068FF12C4}] => (Allow) LPort=1900 FirewallRules: [{CD2009EE-4A3A-42C5-A467-38E94FA40718}] => (Allow) C:\Program Files (x86)\Verizon\VSP\ServicepointService.exe FirewallRules: [{F952453A-F885-47C8-8385-7D9CE94B75D8}] => (Allow) C:\Program Files (x86)\Verizon\VSP\ServicepointService.exe FirewallRules: [{424B25CA-A9BE-4111-9EC7-6B916BA059A6}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe FirewallRules: [{1D41B792-B8C3-4BEC-AF53-618D22E102B9}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe FirewallRules: [{B4AB2586-BAEF-4C9C-9772-A26C7533716F}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe FirewallRules: [{DB969FDF-B805-4825-8380-132D25BEB736}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe FirewallRules: [{BB4480CA-BB40-4E94-8CFE-36D8F181FB93}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe FirewallRules: [{25B86D4D-4AE6-4C0E-BA65-4CA8630BCC78}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe FirewallRules: [{B60FED6B-8345-403D-9E6D-00848A6042E7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe FirewallRules: [{A453C1B3-7472-49C8-B09E-7DB7EF0DACE7}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe FirewallRules: [{C5E07347-C24A-4F3B-818A-E7D4117417E9}] => (Allow) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe FirewallRules: [{4FE7B64C-9666-4CE9-A0B1-B845FB4227E1}] => (Allow) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe FirewallRules: [{8ABF4E99-0728-4DD7-9049-E35EC71CB8F1}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe FirewallRules: [{6FDD09DF-2AA8-4C27-912D-F884522B89D2}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe FirewallRules: [{75BD3109-6053-4A0B-BDFD-E6D0AB05EEA5}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe FirewallRules: [{C8128898-BF1C-4574-A6E3-C37BF0AB1BA4}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service 
v4\IntuitUpdateService.exe FirewallRules: [{F44A61A3-387E-4081-AC7B-5888ADD5C6EA}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe FirewallRules: [{D52E6CEA-CB0B-4FBD-877F-3FBDA503636E}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe FirewallRules: [{1F42BD20-8EE8-4B19-B2D9-87898CA8E8A6}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe FirewallRules: [{095C1336-5773-43A5-A65D-357BF0B618B7}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe FirewallRules: [{FCEE68FC-A2DE-415D-8D57-F62A9E9991E7}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe FirewallRules: [{5CF5B394-5F4A-4A96-9E62-05C1E63BE4E1}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe FirewallRules: [{BEB6D0F4-69C3-4A83-9AF0-54A1AEE83814}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe FirewallRules: [{F8883C2F-171C-4FFD-9422-E58486D41221}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe FirewallRules: [{3B25487C-EB7E-4C60-98FC-3324F9848BE1}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe FirewallRules: [{888E4841-F389-4EE7-9635-0716BC22B379}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{BF6B0E1F-6C90-457C-AAFC-1F36582990D2}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe FirewallRules: [{2A3F78FA-F6C8-4D87-8BD8-BBD0BD8FADD4}] => (Allow) LPort=50001 FirewallRules: [{CCF8AC7A-0119-42D7-A67E-1A6CA0656801}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe FirewallRules: [{5F082340-5123-462D-869B-D518AB85D892}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe FirewallRules: [TCP Query User{481D3776-A41E-4B93-A4A7-31D3B769372C}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe FirewallRules: [uDP Query 
User{6A379BD4-5D5A-4799-890C-9CEC27931A5D}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe FirewallRules: [{CDB978FF-B6CA-47C4-AF0A-0E6CC45F1F8F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe FirewallRules: [{EE4A9AEE-8BDC-46FC-8558-DAB0420E6360}] => (Allow) LPort=8888 FirewallRules: [TCP Query User{5955BE02-79FB-471D-A0F7-5A6763BAA940}C:\program files (x86)\seagate\seagate dashboard 2.0\dashboard.exe] => (Allow) C:\program files (x86)\seagate\seagate dashboard 2.0\dashboard.exe FirewallRules: [uDP Query User{FD258FF1-7BE7-484A-95DD-DB430030D361}C:\program files (x86)\seagate\seagate dashboard 2.0\dashboard.exe] => (Allow) C:\program files (x86)\seagate\seagate dashboard 2.0\dashboard.exe StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service ==================== Restore Points ========================= Check "winmgmt" service or repair WMI. ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (11/14/2017 07:30:49 PM) (Source: ESENT) (EventID: 454) (User: ) Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -551. 
Error: (11/14/2017 07:30:49 PM) (Source: ESENT) (EventID: 517) (User: ) Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery failed with error -551 because it encountered references to a database, 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message. Error: (11/14/2017 07:28:48 PM) (Source: ESENT) (EventID: 454) (User: ) Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -551. Error: (11/14/2017 07:28:48 PM) (Source: ESENT) (EventID: 517) (User: ) Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery failed with error -551 because it encountered references to a database, 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message. Error: (11/14/2017 07:26:48 PM) (Source: ESENT) (EventID: 454) (User: ) Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -551. 
Error: (11/14/2017 07:26:48 PM) (Source: ESENT) (EventID: 517) (User: )
Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery failed with error -551 because it encountered references to a database, 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message.

Error: (11/14/2017 07:24:48 PM) (Source: ESENT) (EventID: 454) (User: )
Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -551.

Error: (11/14/2017 07:24:48 PM) (Source: ESENT) (EventID: 517) (User: )
Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery failed with error -551 because it encountered references to a database, 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message.

Error: (11/14/2017 07:22:48 PM) (Source: ESENT) (EventID: 454) (User: )
Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -551.

Error: (11/14/2017 07:22:48 PM) (Source: ESENT) (EventID: 517) (User: )
Description: wuaueng.dll (364) SUS20ClientDataStore: Database recovery failed with error -551 because it encountered references to a database, 'C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb', which does not match the current set of logs. The database engine will not permit recovery to complete for this instance until the mismatching database is re-instated. If the database is truly no longer available or no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message.


System errors:
=============
Error: (11/14/2017 07:30:49 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Update service terminated with the following error: %%3355443751

Error: (11/14/2017 07:30:48 PM) (Source: DCOM) (EventID: 10010) (User: CRAIGDIPIANO-HP)
Description: The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Error: (11/14/2017 07:28:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Update service terminated with the following error: %%3355443751

Error: (11/14/2017 07:28:48 PM) (Source: DCOM) (EventID: 10010) (User: CRAIGDIPIANO-HP)
Description: The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Error: (11/14/2017 07:26:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Update service terminated with the following error: %%3355443751

Error: (11/14/2017 07:26:48 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Error: (11/14/2017 07:24:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Update service terminated with the following error: %%3355443751

Error: (11/14/2017 07:24:48 PM) (Source: DCOM) (EventID: 10010) (User: CRAIGDIPIANO-HP)
Description: The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Error: (11/14/2017 07:22:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Windows Update service terminated with the following error: %%3355443751

Error: (11/14/2017 07:22:05 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.


CodeIntegrity:
===================================
Date: 2017-11-14 19:27:41.700
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2017-11-14 19:27:41.696
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2017-11-14 19:27:41.650
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2017-11-14 19:27:41.646
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2017-11-14 19:22:36.293
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MpCmdRun.exe) attempted to load \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2017-11-14 19:22:06.270
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\NisSrv.exe) attempted to load \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2017-11-14 19:21:53.562
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MpCmdRun.exe) attempted to load \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2017-11-14 19:21:49.349
Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2017-11-14 19:20:46.829
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2017-11-14 19:20:46.776
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: AMD Athlon II X4 630 Processor
Percentage of memory in use: 42%
Total physical RAM: 5879.89 MB
Available physical RAM: 3383.18 MB
Total Virtual: 8695.89 MB
Available Virtual: 6107.8 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:919.32 GB) (Free:678.87 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:11.46 GB) (Free:1.38 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.3 GB) (Disk ID: C8002F2A)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=919.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)
Partition 4: (Not Active) - (Size=11.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Attachments: Addition.txt, FRST.txt, MBAM scan.txt, AdwCleaner[C0].txt
November 15, 2017

Hi Tony,

"He was using AVG Free and Spybot S&D. Check out that host file."

I know, it's terrible. I see that AVG has been removed... we'll clean up the leftovers (there's quite a lot; AVG has an awful uninstaller).

To be honest, we stopped recommending Spybot quite a while ago... the detection rates are just not good enough any more. I really do suggest that you remove SpyBot from the system. EAM and MalwareBytes will do a good job.

A couple of things about the MalwareBytes scan...

"Version: 3.0.5.1299"

This version is about 11 months out of date. Although the definitions update, the software doesn't always. The current version is 3.3.1. I recommend that you remove MalwareBytes and download a fresh copy.

"-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled"

I recommend running another MalwareBytes scan with the Rootkit option selected (just to make sure..): Settings >> Protection >> Under Scan Options, turn on Scan for Rootkits.

-----------------

Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.

NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Re-run FRST/FRST64 (whichever is installed) and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.

Attachment: fixlist.txt
November 15, 2017 Author FPCH Staff

Thank you. Here's the log. Now on to the MBAM program update.

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-11-2017
Ran by Craig DiPiano (15-11-2017 14:58:57) Run:1
Running from C:\Users\Craig DiPiano\Desktop
Loaded Profiles: Craig DiPiano (Available Profiles: Craig DiPiano & Guest & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...A8F59079A8D5}\localserver32:
Startup: C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson scanner Registration.lnk [2013-02-02]
ShortcutTarget: Epson scanner Registration.lnk -> E:\Common\EpsonReg\v33\EpsonReg.exe (No File)
SearchScopes: HKLM -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL =
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} URL =
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
Toolbar: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF HKLM-x32\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension => not found
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2 => not found
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2014-08-26]
U3 idsvc; no ImagePath
S3 MREMP50; \??\C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [X]
S3 MRESP50; \??\C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [X]
2017-11-14 18:39 - 2017-11-14 18:41 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\AvgSetupLog
2017-11-14 18:43 - 2016-11-11 04:08 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\AVG
2017-11-14 18:43 - 2016-11-11 03:39 - 000000000 ____D C:\ProgramData\Avg
2017-11-14 18:43 - 2010-06-20 13:19 - 000000000 ____D C:\Program Files (x86)\AVG
C:\Users\Craig DiPiano\lametritonus_en.dll
C:\Users\Craig DiPiano\lame_enc_en.dll
2011-07-23 18:58 - 2011-07-23 18:58 - 000000000 _____ () C:\Users\Craig DiPiano\AppData\Local\{A5A7E4C1-9043-4FD1-8D28-C74B15880741}
CustomCLSID: HKU\S-1-5-21-2794434498-725242176-3457425843-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
Task: {5F522CEB-EAA3-4E97-96FF-BF8425DF56F6} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File
Task: {77CDE8FA-743E-4BC5-8128-8886F7D50B1D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File
Task: {8451AEC7-438A-47ED-AAF8-43DA021933CF} - System32\Tasks\iMeshNAG => C:\Users\CRAIGD~1\AppData\Local\Temp\iMesh_setup.exe
Task: {88B0061E-71BD-4E62-B1BA-8AD9866A077C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File
Task: {8CEC57CE-9D89-4DAC-B4A6-7A110184F37A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File
Task: {A2637C3B-1E40-44BD-AB8C-4383AC6C1F7C} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File
Task: {A7F13F2E-7E40-4342-A3EF-A78884CC1813} - \Microsoft\Windows\Setup\gwx\rundetector -> No File
Task: {AA665A59-A688-419E-B83D-465C6651FBB7} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File
Task: {AC825DFB-BBC0-430E-9DBA-4A946ACA8B53} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File
Task: {B081616E-0B12-4425-9E08-A245118C7CCE} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File
Task: {B0FAD8D3-529C-4402-94D7-4D44F8DB6D78} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File
Task: {B564AB98-F1CF-4EF4-B044-F7492A523700} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File
Task: {BB119898-E216-4E4D-93DB-E693B6921D84} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File
Task: {CE4316C6-3AE3-4120-ACFF-FB8A88428B1A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File
Task: {D34FC6E8-B440-4E73-A3B7-7D93D9CF0DC2} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File
Task: C:\WINDOWS\Tasks\iMeshNAG.job => C:\Users\CRAIGD~1\AppData\Local\Temp\iMesh_setup.exe
FirewallRules: [{84F0FFF7-3488-4ABC-9164-87540A4450AD}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{E21A872A-C4F0-414F-A48E-43B01FEA01D3}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{F1534492-FFC7-44FA-A3FD-3002899CDCE1}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{1ECD3752-A781-41B9-906B-2CEC23495D8B}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{44EA520B-6459-44DE-BB91-052225AFB5C8}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgdiagex.exe
FirewallRules: [{61A8A447-6D0A-4A34-8F44-46F35231DC42}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgdiagex.exe
FirewallRules: [{82F48685-F443-43F4-A62F-46F02843C857}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
FirewallRules: [{4650292E-F11B-41AF-BAF0-928FA75891DD}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
FirewallRules: [{D2AE60FD-EE99-475C-BC88-9818B4AE6F21}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgemca.exe
FirewallRules: [{D6420937-ED58-486A-B363-7D432BF18108}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgemca.exe
FirewallRules: [{424B25CA-A9BE-4111-9EC7-6B916BA059A6}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{1D41B792-B8C3-4BEC-AF53-618D22E102B9}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{B4AB2586-BAEF-4C9C-9772-A26C7533716F}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{DB969FDF-B805-4825-8380-132D25BEB736}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{8ABF4E99-0728-4DD7-9049-E35EC71CB8F1}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{6FDD09DF-2AA8-4C27-912D-F884522B89D2}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{5CF5B394-5F4A-4A96-9E62-05C1E63BE4E1}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{BEB6D0F4-69C3-4A83-9AF0-54A1AEE83814}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{F8883C2F-171C-4FFD-9422-E58486D41221}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{3B25487C-EB7E-4C60-98FC-3324F9848BE1}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{CCF8AC7A-0119-42D7-A67E-1A6CA0656801}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{5F082340-5123-462D-869B-D518AB85D892}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AvgUi => value removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key removed successfully
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => key removed successfully
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key removed successfully
C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson scanner Registration.lnk => moved successfully
E:\Common\EpsonReg\v33\EpsonReg.exe => not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key removed successfully
HKLM\Software\Classes\CLSID\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key removed successfully
HKLM\Software\Classes\CLSID\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} => key removed successfully
HKLM\Software\Classes\CLSID\{ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
HKLM\Software\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
HKLM\Software\Wow6432Node\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key removed successfully
November 15, 2017 Author FPCH Staff

I was surprised that it took only 12 minutes, 30 seconds. I'm used to MBAM scans taking about 45 minutes.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/15/17
Scan Time: 3:03 PM
Log File: 08d2a52c-ca40-11e7-b0a4-78e7d1c8ebc7.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.212
Update Package Version: 1.0.3265
License: Trial

-System Information-
OS: Windows 10 (Build 14393.693)
CPU: x64
File System: NTFS
User: CRAIGDIPIANO-HP\Craig DiPiano

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 474207
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 12 min, 32 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)
November 15, 2017

Hi Tony,

The fixlog.txt seems to have been cut off. Could you re-post it for me? Thanks.
November 15, 2017

"I was surprised that it took only 12 minutes, 30 seconds."

That's one of the things with the latest versions... they have made the scans a lot quicker.

That report looks good now.
November 15, 2017 Author FPCH Staff

Here it is again, but it's the same. I see where it cut off in the closing processes area. That's what is in the text file. I'll run the FRST fix again.
November 15, 2017 Author FPCH Staff
I ran the FRST fix again. I think I know what happened the first time. Emsisoft AntiMalware doesn't like FRST. EAM popped up a few times when I ran FRST. You have to watch it and Allow FRST to continue. I should have disabled protection while FRST ran.

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-11-2017
Ran by Craig DiPiano (15-11-2017 15:32:42) Run:2
Running from C:\Users\Craig DiPiano\Desktop
Loaded Profiles: Craig DiPiano & Guest & DefaultAppPool (Available Profiles: Craig DiPiano & Guest & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe" /lps=fmw
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...A8F59079A8D5}\localserver32:
Startup: C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson scanner Registration.lnk [2013-02-02]
ShortcutTarget: Epson scanner Registration.lnk -> E:\Common\EpsonReg\v33\EpsonReg.exe (No File)
SearchScopes: HKLM -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {5F7433B8-9CB1-45E8-95A9-65BB044ACC20} URL =
SearchScopes: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> {ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} URL =
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll => No File
BHO-x32: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll => No File
Toolbar: HKU\S-1-5-21-2794434498-725242176-3457425843-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll No File
FF HKLM-x32\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension => not found
FF HKLM-x32\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2 => not found
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2014-08-26]
U3 idsvc; no ImagePath
S3 MREMP50; \??\C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [X]
S3 MRESP50; \??\C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [X]
2017-11-14 18:39 - 2017-11-14 18:41 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Local\AvgSetupLog
2017-11-14 18:43 - 2016-11-11 04:08 - 000000000 ____D C:\Users\Craig DiPiano\AppData\Roaming\AVG
2017-11-14 18:43 - 2016-11-11 03:39 - 000000000 ____D C:\ProgramData\Avg
2017-11-14 18:43 - 2010-06-20 13:19 - 000000000 ____D C:\Program Files (x86)\AVG
C:\Users\Craig DiPiano\lametritonus_en.dll
C:\Users\Craig DiPiano\lame_enc_en.dll
2011-07-23 18:58 - 2011-07-23 18:58 - 000000000 _____ () C:\Users\Craig DiPiano\AppData\Local\{A5A7E4C1-9043-4FD1-8D28-C74B15880741}
CustomCLSID: HKU\S-1-5-21-2794434498-725242176-3457425843-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> no filepath
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
Task: {5F522CEB-EAA3-4E97-96FF-BF8425DF56F6} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File
Task: {77CDE8FA-743E-4BC5-8128-8886F7D50B1D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File
Task: {8451AEC7-438A-47ED-AAF8-43DA021933CF} - System32\Tasks\iMeshNAG => C:\Users\CRAIGD~1\AppData\Local\Temp\iMesh_setup.exe
Task: {88B0061E-71BD-4E62-B1BA-8AD9866A077C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File
Task: {8CEC57CE-9D89-4DAC-B4A6-7A110184F37A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File
Task: {A2637C3B-1E40-44BD-AB8C-4383AC6C1F7C} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File
Task: {A7F13F2E-7E40-4342-A3EF-A78884CC1813} - \Microsoft\Windows\Setup\gwx\rundetector -> No File
Task: {AA665A59-A688-419E-B83D-465C6651FBB7} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File
Task: {AC825DFB-BBC0-430E-9DBA-4A946ACA8B53} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File
Task: {B081616E-0B12-4425-9E08-A245118C7CCE} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File
Task: {B0FAD8D3-529C-4402-94D7-4D44F8DB6D78} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File
Task: {B564AB98-F1CF-4EF4-B044-F7492A523700} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File
Task: {BB119898-E216-4E4D-93DB-E693B6921D84} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File
Task: {CE4316C6-3AE3-4120-ACFF-FB8A88428B1A} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File
Task: {D34FC6E8-B440-4E73-A3B7-7D93D9CF0DC2} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File
Task: C:\WINDOWS\Tasks\iMeshNAG.job => C:\Users\CRAIGD~1\AppData\Local\Temp\iMesh_setup.exe
FirewallRules: [{84F0FFF7-3488-4ABC-9164-87540A4450AD}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{E21A872A-C4F0-414F-A48E-43B01FEA01D3}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{F1534492-FFC7-44FA-A3FD-3002899CDCE1}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{1ECD3752-A781-41B9-906B-2CEC23495D8B}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{44EA520B-6459-44DE-BB91-052225AFB5C8}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgdiagex.exe
FirewallRules: [{61A8A447-6D0A-4A34-8F44-46F35231DC42}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgdiagex.exe
FirewallRules: [{82F48685-F443-43F4-A62F-46F02843C857}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
FirewallRules: [{4650292E-F11B-41AF-BAF0-928FA75891DD}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
FirewallRules: [{D2AE60FD-EE99-475C-BC88-9818B4AE6F21}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgemca.exe
FirewallRules: [{D6420937-ED58-486A-B363-7D432BF18108}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgemca.exe
FirewallRules: [{424B25CA-A9BE-4111-9EC7-6B916BA059A6}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{1D41B792-B8C3-4BEC-AF53-618D22E102B9}] => (Allow) C:\Program Files (x86)\AVG\AVG10\avgmfapx.exe
FirewallRules: [{B4AB2586-BAEF-4C9C-9772-A26C7533716F}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{DB969FDF-B805-4825-8380-132D25BEB736}] => (Allow) C:\Program Files (x86)\AVG\AVG2012\avgmfapx.exe
FirewallRules: [{8ABF4E99-0728-4DD7-9049-E35EC71CB8F1}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{6FDD09DF-2AA8-4C27-912D-F884522B89D2}] => (Allow) C:\Program Files (x86)\AVG\AVG2013\avgmfapx.exe
FirewallRules: [{5CF5B394-5F4A-4A96-9E62-05C1E63BE4E1}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{BEB6D0F4-69C3-4A83-9AF0-54A1AEE83814}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
FirewallRules: [{F8883C2F-171C-4FFD-9422-E58486D41221}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{3B25487C-EB7E-4C60-98FC-3324F9848BE1}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{CCF8AC7A-0119-42D7-A67E-1A6CA0656801}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{5F082340-5123-462D-869B-D518AB85D892}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\AvgUi => value not found.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SDWinLogon => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key not found.
C:\Users\Craig DiPiano\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Epson scanner Registration.lnk => not found.
E:\Common\EpsonReg\v33\EpsonReg.exe => not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKLM\Software\Classes\CLSID\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKLM\Software\Wow6432Node\Classes\CLSID\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKLM\Software\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKLM\Software\Classes\CLSID\{5F7433B8-9CB1-45E8-95A9-65BB044ACC20} => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} => key not found.
HKLM\Software\Classes\CLSID\{ACF86F11-B2C2-421B-94B3-B7EAFAC8BB2A} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKLM\Software\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => key not found.
HKLM\Software\Wow6432Node\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKLM\Software\Wow6432Node\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => key not found.
HKU\S-1-5-21-2794434498-725242176-3457425843-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value removed successfully
HKLM\Software\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
HKLM\Software\Classes\PROTOCOLS\Handler\linkscanner => key removed successfully
HKLM\Software\Classes\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e} => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\avg@toolbar => value removed successfully
C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml => moved successfully
HKLM\System\CurrentControlSet\Services\idsvc => key removed successfully
idsvc => service removed successfully
HKLM\System\CurrentControlSet\Services\MREMP50 => key removed successfully
MREMP50 => service removed successfully
HKLM\System\CurrentControlSet\Services\MRESP50 => key removed successfully
MRESP50 => service removed successfully
C:\Users\Craig DiPiano\AppData\Local\AvgSetupLog => moved successfully
C:\Users\Craig DiPiano\AppData\Roaming\AVG => moved successfully
C:\ProgramData\Avg => moved successfully
C:\Program Files (x86)\AVG => moved successfully
C:\Users\Craig DiPiano\lametritonus_en.dll => moved successfully
C:\Users\Craig DiPiano\lame_enc_en.dll => moved successfully
C:\Users\Craig DiPiano\AppData\Local\{A5A7E4C1-9043-4FD1-8D28-C74B15880741} => moved successfully
HKU\S-1-5-21-2794434498-725242176-3457425843-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => key removed successfully
HKLM\Software\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found.
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\Gadgets => key removed successfully
HKLM\Software\Classes\CLSID\{6B9228DA-9C15-419e-856C-19E768A13BDC} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5F522CEB-EAA3-4E97-96FF-BF8425DF56F6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5F522CEB-EAA3-4E97-96FF-BF8425DF56F6} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{77CDE8FA-743E-4BC5-8128-8886F7D50B1D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{77CDE8FA-743E-4BC5-8128-8886F7D50B1D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{8451AEC7-438A-47ED-AAF8-43DA021933CF} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8451AEC7-438A-47ED-AAF8-43DA021933CF} => key removed successfully
C:\WINDOWS\System32\Tasks\iMeshNAG => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\iMeshNAG => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{88B0061E-71BD-4E62-B1BA-8AD9866A077C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{88B0061E-71BD-4E62-B1BA-8AD9866A077C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8CEC57CE-9D89-4DAC-B4A6-7A110184F37A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8CEC57CE-9D89-4DAC-B4A6-7A110184F37A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A2637C3B-1E40-44BD-AB8C-4383AC6C1F7C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2637C3B-1E40-44BD-AB8C-4383AC6C1F7C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A7F13F2E-7E40-4342-A3EF-A78884CC1813} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7F13F2E-7E40-4342-A3EF-A78884CC1813} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\rundetector => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{AA665A59-A688-419E-B83D-465C6651FBB7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AA665A59-A688-419E-B83D-465C6651FBB7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AC825DFB-BBC0-430E-9DBA-4A946ACA8B53} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AC825DFB-BBC0-430E-9DBA-4A946ACA8B53} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B081616E-0B12-4425-9E08-A245118C7CCE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B081616E-0B12-4425-9E08-A245118C7CCE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B0FAD8D3-529C-4402-94D7-4D44F8DB6D78} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0FAD8D3-529C-4402-94D7-4D44F8DB6D78} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B564AB98-F1CF-4EF4-B044-F7492A523700} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B564AB98-F1CF-4EF4-B044-F7492A523700} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BB119898-E216-4E4D-93DB-E693B6921D84} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BB119898-E216-4E4D-93DB-E693B6921D84} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CE4316C6-3AE3-4120-ACFF-FB8A88428B1A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CE4316C6-3AE3-4120-ACFF-FB8A88428B1A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D34FC6E8-B440-4E73-A3B7-7D93D9CF0DC2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D34FC6E8-B440-4E73-A3B7-7D93D9CF0DC2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
C:\WINDOWS\Tasks\iMeshNAG.job => moved successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{84F0FFF7-3488-4ABC-9164-87540A4450AD} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E21A872A-C4F0-414F-A48E-43B01FEA01D3} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F1534492-FFC7-44FA-A3FD-3002899CDCE1} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1ECD3752-A781-41B9-906B-2CEC23495D8B} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{44EA520B-6459-44DE-BB91-052225AFB5C8} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{61A8A447-6D0A-4A34-8F44-46F35231DC42} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{82F48685-F443-43F4-A62F-46F02843C857} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4650292E-F11B-41AF-BAF0-928FA75891DD} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D2AE60FD-EE99-475C-BC88-9818B4AE6F21} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D6420937-ED58-486A-B363-7D432BF18108} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{424B25CA-A9BE-4111-9EC7-6B916BA059A6} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1D41B792-B8C3-4BEC-AF53-618D22E102B9} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B4AB2586-BAEF-4C9C-9772-A26C7533716F} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{DB969FDF-B805-4825-8380-132D25BEB736} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8ABF4E99-0728-4DD7-9049-E35EC71CB8F1} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6FDD09DF-2AA8-4C27-912D-F884522B89D2} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5CF5B394-5F4A-4A96-9E62-05C1E63BE4E1} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BEB6D0F4-69C3-4A83-9AF0-54A1AEE83814} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F8883C2F-171C-4FFD-9422-E58486D41221} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{3B25487C-EB7E-4C60-98FC-3324F9848BE1} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CCF8AC7A-0119-42D7-A67E-1A6CA0656801} => value could not remove.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5F082340-5123-462D-869B-D518AB85D892} => value could not remove.

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 71534141 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 141807 B
Edge => 320154 B
Chrome => 488912446 B
Firefox => 86503083 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 16674 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 74386 B
NetworkService => 970732 B
Craig DiPiano => 51220078 B
Guest => 186758 B
DefaultAppPool => 33058 B
RecycleBin => 0 B
EmptyTemp: => 667.5 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:35:02 ====
November 15, 2017
Thanks for that Tony, fix ran fine that time.

"Emsisoft AntiMalware doesn't like FRST. EAM popped up a few times when I ran FRST. You have to watch it and Allow FRST to continue."

I'll have to look into that. Is the system running OK in general?
November 15, 2017 Author FPCH Staff
Thanks Starbuck. It's running GREAT! I'm pretty sure FRST didn't finish initially because I missed a popup from EAM alerting me to suspicious behavior caused by FRST. It probably shut down FRST.

One question: What about Spybot S&D immunization which populates the hosts file? Is there any value to that these days?
November 15, 2017

"What about Spybot S&D immunization which populates the hosts file? Is there any value to that these days?"

All you would probably benefit from would be the 'hosts' file. You'd get no benefit from the IE trusted/restricted entries as these only apply to IE... and I see the default browser is Chrome.

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7936 more sites.

IE trusted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\google.com -> hxxps://www.google.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-2794434498-725242176-3457425843-1001\...\123simsen.com -> www.123simsen.com

There are 7937 more sites.

Entirely up to you if you think this is worth it.
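An added example, not part of the thread or of Spybot's or FRST's own code, that shows where the two halves of an "immunization" actually live and lets you count what is on a given machine. Spybot-style immunization writes (1) hosts-file lines pointing unwanted names at localhost and (2) Internet Explorer ZoneMap entries, which are registry keys named after the domain with a DWORD per URL scheme (zone 4 = Restricted sites, zone 2 = Trusted sites); the FRST output above lists those ZoneMap entries for both HKU\.DEFAULT and the user's SID hive. The script assumes the standard Windows locations for the hosts file and the ZoneMap, and an elevated PowerShell session so HKEY_USERS\.DEFAULT is readable; it only reads, it changes nothing.

```powershell
# Added example (not from the thread): audit hosts-file and IE ZoneMap entries left by
# Spybot S&D immunization. Assumes standard Windows paths; run elevated so that
# Registry::HKEY_USERS\.DEFAULT can be read. Read-only.

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($line in Get-Content -Path $Path -ErrorAction Stop) {
        $text = ($line -split '#', 2)[0].Trim()          # drop comments and blank lines
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'
        [pscustomobject]@{
            Address = $fields[0]
            Names   = @($fields | Select-Object -Skip 1)  # one address may carry several names
        }
    }
}

function Get-IEZoneMapEntries {
    # $Root is a PowerShell registry path: 'HKCU:' or 'Registry::HKEY_USERS\.DEFAULT'
    param([string]$Root = 'HKCU:')
    $base = "$Root\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    if (-not (Test-Path -Path $base)) { return }
    foreach ($key in Get-ChildItem -Path $base -Recurse) {
        # A key path of Domains\007guard.com\install describes the host install.007guard.com,
        # so the path components are reversed to rebuild the host name.
        $rel   = ($key.Name -split '\\Domains\\', 2)[1]
        $parts = $rel -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            $scheme = $valueName
            if ($scheme -eq '') { $scheme = '(default)' }
            [pscustomobject]@{
                Host   = $hostName
                Scheme = $scheme                       # '*', 'http', 'https', ...
                Zone   = [int]$key.GetValue($valueName) # 1 intranet, 2 trusted, 3 internet, 4 restricted
            }
        }
    }
}

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Hosts file: how many active lines, and how many of them sinkhole a name to localhost.
$hostsEntries = @(Get-HostsEntries)
$sinkholed    = @($hostsEntries | Where-Object { $_.Address -in @('127.0.0.1', '0.0.0.0', '::1') })
'hosts file: {0} active entries, {1} of them pointed at localhost' -f $hostsEntries.Count, $sinkholed.Count

# ZoneMap: per hive, how many entries sit in each IE security zone.
foreach ($root in 'HKCU:', 'Registry::HKEY_USERS\.DEFAULT') {
    $entries = @(Get-IEZoneMapEntries -Root $root)
    if ($entries.Count -eq 0) { '{0}: no ZoneMap entries' -f $root; continue }
    foreach ($group in ($entries | Group-Object -Property Zone | Sort-Object -Property Name)) {
        $zone  = [int]$group.Name
        $label = if ($zoneNames.ContainsKey($zone)) { $zoneNames[$zone] } else { "zone $zone" }
        '{0}: {1} {2} entries' -f $root, $group.Count, $label
    }
}
```

Two caveats worth keeping in mind when deciding whether the immunization is worth re-applying. The ZoneMap entries are consulted only by Internet Explorer and by applications that embed its engine, which is why they do nothing for a machine whose default browser is Chrome. The hosts-file entries are honoured by every program that uses the system resolver, but they only stop resolution of the exact names listed; a connection made by IP address, or to a name not in the list, is unaffected. Note also that the FRST "Hosts:" directive in the fix above replaced the existing file with a clean default ("hosts => moved successfully" / "Hosts restored successfully"), so any hosts-based immunization present before the fix is now gone and would have to be re-applied if wanted.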
November 15, 2017 Author FPCH Staff
Thanks, I'll tell Craig. I think I'll just let it continue with EAM and MBAM trial. That seems to work well.
November 19, 2017
Hi Tony, I mentioned the FRST/EAM problem to Farbar. He thinks that because the 'CloseProcesses:' directive was used, it was EAM self-protecting. If we hadn't used the directive to close the processes, it may not have happened.
November 19, 2017 Author FPCH Staff
EAM protecting itself ... gotta love it.

I ran this script with FRST:

CloseProcesses:
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:

EAM popped up twice and I had to allow FRST to continue. I then ran the script without "CloseProcesses:" - EAM didn't pop up.
November 19, 2017
Hi Tony,

"then ran the script without "CloseProcesses:" - EAM didn't pop up."

Thanks for that, so that proves the theory then. You actually saved me a job... I was going to test that theory on one of my systems this evening. Nice to know that EAM protects itself like that.
November 19, 2017 Author FPCH Staff
Maybe not so fast. I ran the script again with the "CloseProcesses:" directive because I wanted to take a screen shot of the EAM pop-up notification. EAM didn't complain - no pop-up. I tried it a third time. Again, there was no pop-up notification from EAM. I did check this time to make sure EAM was running when I ran the script. Maybe EAM learned.
November 19, 2017 Author FPCH Staff
Thinking back, I probably clicked on EAM's "Always Allow" button. That's why the pop-up didn't occur on subsequent runs.
November 19, 2017
That would bear out what an Emsisoft employee told me earlier:

"There is no reason to disable EAM protection while using FRST; just click "allow always" if it ever pops up. We try to keep on top of whitelisting FRST, but because it's not signed, we can't automatically trust the certificate (it doesn't exist) - so have to do it by hand every time there's a revision."