Cannot access Safe Mode, System Restore and (most) anti-malware progra



#1 playwiffme (Member, 61 posts)

1) Windows 7

2) Cannot access Safe Mode or System Restore

3) Cannot open Malwarebytes, ADWCleaner or RKill (The requested resource is in use)

4) CAN open and run Hit Man Pro, RogueKiller, Zemana Antimalware - they have removed and quarantined several files

5) RogueKiller has quarantined several files - see attachment RogueKiller 1 and 2

6) HitManPro has quarantined a few files - see attachment HitManPro-1

7) Zemana has been run several times and has quarantined the following files -

    A) c:\users\thomas\appdata\local\microlabs\ct.exe -

        Detection          : Adware:Win32/CTProxy.G!Neng
        Cleaning Action    : Quarantine

        Quarantined Once, has not reappeared - yet

    B) c:\users\thomas\appdata\local\ntuserlitelist

        Detection          : Adware:Win32/CTProxy.H!Neng
        Cleaning Action    : Quarantine

        Quarantined each time but keeps reappearing

    C) c:\windows\system32\drivers\ndistpr64.sys

         Quarantined Once, has not reappeared

    D) c:\windows\system32\tprdpw32.exe

         Quarantined Once, has not reappeared - yet

8) When booting, the computer asks me to choose myself or another user to open Windows

9) Rebooting takes approximately 7-10 minutes with about 3-5 minutes in the middle of the reboot showing nothing but a black screen

Attached Thumbnails

  • RogueKiller-1.JPG
  • RogueKiller-2.JPG
  • HitManPro-1.JPG

#2 RKinner (Malware Expert, MVP, 24,625 posts)

I think I've got another one of these.  It may require booting to a USB or CD to remove it.

Can you run FRST?

  • Get FRST from http://www.bleepingc...very-scan-tool/ You need to download the appropriate tool for your PC.  If you don't know if you have a 32 or 64 bit system get them both.  Only one will work and that's the right one.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Check the Addition.txt box
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • It will generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

and/or Process Explorer:

Get Process Explorer

Save it to your desktop then run it (Vista or Win7+ - right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures

Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save.  Note the file name.  Open the file on your desktop and copy and paste the text to a reply.


#3 playwiffme (Topic Starter, Member, 61 posts)

Process Explorer -

 

Process    PID    CPU    Private Bytes    Working Set    Description    Company Name    Verified Signer
acrotray.exe    5812        2,492 K    6,476 K    AcroTray    Adobe Systems Inc.    (Verified) Adobe Systems
AdobeARM.exe    6068        2,232 K    4,384 K    Adobe Reader and Acrobat Manager    Adobe Systems Incorporated    (Verified) Adobe Systems
AdobeARM.exe    4816        3,952 K    1,360 K    Adobe Reader and Acrobat Manager    Adobe Systems Incorporated    (Verified) Adobe Systems
armsvc.exe    2280        1,328 K    4,200 K    Adobe Acrobat Update Service    Adobe Systems Incorporated    (Verified) Adobe Systems
audiodg.exe    5620        16,932 K    12,564 K    Windows Audio Device Graph Isolation     Microsoft Corporation    (Verified) Microsoft Windows
clear.fiAgent.exe    4464        1,824 K    768 K    clear.fi Resident Program    CyberLink Corp.    (Verified) CyberLink
csrss.exe    652        2,868 K    7,256 K    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows
csrss.exe    544        2,836 K    5,064 K    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows
CVHSVC.EXE    4256        8,008 K    15,632 K    Microsoft Office Client Virtualization Service     Microsoft Corporation    (Verified) Microsoft Corporation
DMREngine.exe    4476        5,312 K    1,376 K    DMREngine    CyberLink    (Verified) CyberLink
ExtractDeviceIcon.exe    160        4,928 K    3,116 K    clear.fi Client    Acer Inc.    (Verified) Acer Incorporated
FRST64(1).exe    5040        24,636 K    38,344 K    Farbar Recovery Scan Tool    Farbar    (No signature was present in the subject) Farbar
GoogleCrashHandler.exe    1988        1,732 K    668 K    Google Crash Handler    Google Inc.    (Verified) Google Inc
GoogleCrashHandler64.exe    2016        2,028 K    872 K    Google Crash Handler    Google Inc.    (Verified) Google Inc
GREGsvc.exe    2620        1,124 K    3,704 K    Global Registration Service    Acer Incorporated    (Verified) Acer Incorporated
jusched.exe    5828        2,652 K    5,792 K    Java Update Scheduler    Oracle Corporation    (Verified) Oracle America
lsass.exe    704        6,688 K    14,196 K    Local Security Authority Process    Microsoft Corporation    (Verified) Microsoft Windows
lsm.exe    716        3,204 K    5,136 K    Local Session Manager Service    Microsoft Corporation    (Verified) Microsoft Windows
mDNSResponder.exe    2516        2,832 K    6,488 K    Bonjour Service    Apple Inc.    (Verified) Apple Inc.
MSCamS64.exe    2756        5,768 K    10,060 K    MsCamSvc.exe    Microsoft Corporation    (Verified) Microsoft Corporation
msiexec.exe    1800        3,576 K    8,768 K    Windows® installer    Microsoft Corporation    (Verified) Microsoft Windows
msseces.exe    5420        7,244 K    15,316 K    Microsoft Security Client User Interface    Microsoft Corporation    (Verified) Microsoft Corporation
NetworkLicenseServer.exe    1992        15,640 K    20,068 K    ABBYY network license server    ABBYY Production LLC    (Verified) ABBYY Production LLC
notepad.exe    1132        2,588 K    7,444 K    Notepad    Microsoft Corporation    (Verified) Microsoft Windows
nvSCPAPISvr.exe    3356        2,524 K    5,860 K    Stereo Vision Control Panel API Server    NVIDIA Corporation    (Verified) NVIDIA Corporation
nvvsvc.exe    932        3,528 K    8,508 K    NVIDIA Driver Helper Service, Version 267.33    NVIDIA Corporation    (Verified) NVIDIA Corporation
NvXDSync.exe    1568        8,232 K    17,072 K    NVIDIA User Experience Driver Component    NVIDIA Corporation    (Verified) NVIDIA Corporation
procexp(1).exe    4724        2,660 K    8,020 K    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
PsiService_2.exe    3020        2,156 K    4,624 K    PsiService PsiService    arvato digital services llc    (Verified) Arvato Digital Services Canada Inc
RAVCpl64.exe    5408        12,552 K    13,032 K    Realtek HD Audio Manager    Realtek Semiconductor    (Verified) Realtek Semiconductor Corp
SeaPort.EXE    2324        4,468 K    9,628 K    Microsoft SeaPort Search Enhancement Broker    Microsoft Corporation    (Verified) Microsoft Corporation
services.exe    684        7,068 K    10,772 K    Services and Controller app    Microsoft Corporation    (Verified) Microsoft Windows
sftvsa.exe    1984        1,720 K    5,156 K    Microsoft Application Virtualization Virtual Service Agent    Microsoft Corporation    (Verified) Microsoft Corporation
smss.exe    376        732 K    1,420 K    Windows Session Manager    Microsoft Corporation    (Verified) Microsoft Windows
spoolsv.exe    1408        9,012 K    14,968 K    Spooler SubSystem App    Microsoft Corporation    (Verified) Microsoft Windows
sppsvc.exe    3592        3,036 K    7,320 K    Microsoft Software Protection Platform Service    Microsoft Corporation    (Verified) Microsoft Windows
sqlbrowser.exe    2088        1,652 K    4,488 K    SQL Browser Service EXE    Microsoft Corporation    (Verified) Microsoft Corporation
sqlservr.exe    2832        56,708 K    2,964 K    SQL Server Windows NT    Microsoft Corporation    (Verified) Microsoft Corporation
sqlwriter.exe    2144        2,736 K    7,128 K    SQL Server VSS Writer - 64 Bit    Microsoft Corporation    (Verified) Microsoft Corporation
svchost.exe    2656        3,524 K    8,508 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    2560        6,624 K    12,380 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    2900        1,748 K    4,280 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    2996        1,756 K    4,272 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    4752        3,060 K    6,628 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    3384        4,852 K    8,572 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    864        5,780 K    10,880 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    1464        13,672 K    17,148 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    520        17,948 K    19,960 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    972        5,716 K    9,448 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
taskeng.exe    4344        3,184 K    7,048 K    Task Scheduler Engine    Microsoft Corporation    (Verified) Microsoft Windows
taskeng.exe    828        3,656 K    7,656 K    Task Scheduler Engine    Microsoft Corporation    (Verified) Microsoft Windows
tprdpw32.exe    1748    Suspended    408 K    132 K            
tprdpw32.exe    1764        2,876 K    8,564 K            
UpdaterService.exe    2680        1,276 K    4,088 K    Updater Service    Acer Incorporated    (Verified) Acer Incorporated
w3dbsmgr.exe    3044        87,512 K    28,036 K    Database Service Manager    Pervasive Software Inc.    (Verified) Sage Software
wininit.exe    620        2,092 K    5,096 K    Windows Start-Up Application    Microsoft Corporation    (Verified) Microsoft Windows
winlogon.exe    1564        3,860 K    8,248 K    Windows Logon Application    Microsoft Corporation    (Verified) Microsoft Windows
WLIDSVCM.EXE    3608        2,084 K    4,276 K    Microsoft® Windows Live ID Service Monitor    Microsoft Corp.    (Verified) Microsoft Corporation
WmiPrvSE.exe    5372        3,448 K    7,376 K    WMI Provider Host    Microsoft Corporation    (Verified) Microsoft Windows
wuauclt.exe    5796        2,824 K    7,572 K    Windows Update    Microsoft Corporation    (Verified) Microsoft Windows
WUDFHost.exe    1392        2,704 K    6,892 K    Windows Driver Foundation - User-mode Driver Framework Host Process    Microsoft Corporation    (Verified) Microsoft Windows
ZAM.exe    3504    < 0.01    14,356 K    16,840 K    ZAM    Copyright 2017.    (No signature was present in the subject) Copyright 2017.
sftlist.exe    3684    < 0.01    7,964 K    17,328 K    Microsoft Application Virtualization Client Service    Microsoft Corporation    (Verified) Microsoft Corporation
nvvsvc.exe    4532    < 0.01    6,976 K    13,820 K    NVIDIA Driver Helper Service, Version 267.33    NVIDIA Corporation    (Verified) NVIDIA Corporation
SplitCamService.exe    1700    < 0.01    11,656 K    7,060 K    SplitCam Service    SplitCam Co.    (Verified) OMT-LIDER
wmpnetwk.exe    5608    < 0.01    12,384 K    7,748 K    Windows Media Player Network Sharing Service    Microsoft Corporation    (Verified) Microsoft Windows
WLIDSVC.EXE    3468    < 0.01    8,136 K    17,052 K    Microsoft® Windows Live ID Service    Microsoft Corp.    (Verified) Microsoft Corporation
svchost.exe    2592    < 0.01    7,544 K    14,288 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    1072    < 0.01    9,476 K    15,336 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
acrobat_sl.exe    5872    < 0.01    2,000 K    1,068 K    Adobe Acrobat SpeedLauncher    Adobe Systems Incorporated    (Verified) Adobe Systems
reader_sl.exe    4172    < 0.01    2,116 K    1,248 K    Adobe Acrobat SpeedLauncher    Adobe Systems Incorporated    (Verified) Adobe Systems
AppleMobileDeviceService.exe    2304    < 0.01    4,592 K    11,776 K    MobileDeviceService    Apple Inc.    (Verified) Apple Inc.
taskhost.exe    728    < 0.01    11,108 K    14,040 K    Host Process for Windows Tasks    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    1252    < 0.01    18,728 K    20,292 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    1096    < 0.01    41,896 K    53,620 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
SearchIndexer.exe    4372    < 0.01    38,916 K    15,632 K    Microsoft Windows Search Indexer    Microsoft Corporation    (Verified) Microsoft Windows
explorer.exe    2504    < 0.01    70,860 K    91,996 K    Windows Explorer    Microsoft Corporation    (Verified) Microsoft Windows
firefox.exe    2156    < 0.01    169,332 K    184,240 K    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
zipwhipw.exe    2316    0.01    140,104 K    109,080 K    Java™ Platform SE binary    Oracle Corporation    (Verified) Oracle America
NisSrv.exe    4652    0.02    20,596 K    10,820 K    Microsoft Network Realtime Inspection Service    Microsoft Corporation    (Verified) Microsoft Corporation
csrss.exe    5096    0.06    12,780 K    18,496 K    Client Server Runtime Process    Microsoft Corporation    (Verified) Microsoft Windows
svchost.exe    136    0.07    221,412 K    226,580 K    Host Process for Windows Services    Microsoft Corporation    (Verified) Microsoft Windows
dwm.exe    892    0.14    31,196 K    47,828 K    Desktop Window Manager    Microsoft Corporation    (Verified) Microsoft Windows
MsMpEng.exe    484    0.16    146,780 K    171,008 K    Antimalware Service Executable    Microsoft Corporation    (Verified) Microsoft Corporation
firefox.exe    4544    0.25    126,276 K    140,428 K    Firefox    Mozilla Corporation    (Verified) Mozilla Corporation
System    4    0.30    256 K    6,212 K            
Interrupts    n/a    0.32    0 K    0 K    Hardware Interrupts and DPCs        
ZAM.exe    5716    0.37    140,176 K    153,728 K    ZAM    Copyright 2017.    (No signature was present in the subject) Copyright 2017.
procexp(1)64.exe    3372    0.61    38,848 K    58,276 K    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com    (Verified) Microsoft Corporation
System Idle Process    0    97.67    0 K    24 K            

 


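
As an added example (not code from this thread, from Sysinternals or from Farbar), here is a small parser for the listing that Process Explorer writes with File, Save As; it automates the Verified Signer check RKinner asked for by flagging every process whose signer column does not read "(Verified) ...", and it carries a constructed sample built from rows in post #3. It assumes tab-separated columns, or four spaces per tab as the forum rendered them, and that a blank CPU cell means no measurable CPU while "Suspended" is a state rather than a number.

```python
"""Triage a saved Process Explorer listing by its Verified Signer column.

Added example for this thread, not a tool from the forum or from Sysinternals.
It automates the manual check described in post #2 (Options > Verify Image
Signatures, then read the Verified Signer column) over the text that
File > Save As writes. Assumptions: eight tab-separated columns as in post #3
(a forum paste with four spaces per tab is also accepted), a blank CPU cell
means no measurable CPU, and "Suspended" in that cell is a state, not a number.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (tab-separated) mirroring rows from the listing in post #3.
SAMPLE = "\n".join([
    "Process\tPID\tCPU\tPrivate Bytes\tWorking Set\tDescription\tCompany Name\tVerified Signer",
    "csrss.exe\t652\t\t2,868 K\t7,256 K\tClient Server Runtime Process\tMicrosoft Corporation\t(Verified) Microsoft Windows",
    "FRST64(1).exe\t5040\t\t24,636 K\t38,344 K\tFarbar Recovery Scan Tool\tFarbar\t(No signature was present in the subject) Farbar",
    "tprdpw32.exe\t1748\tSuspended\t408 K\t132 K\t\t\t",
    "tprdpw32.exe\t1764\t\t2,876 K\t8,564 K\t\t\t",
    "ZAM.exe\t5716\t0.37\t140,176 K\t153,728 K\tZAM\tCopyright 2017.\t(No signature was present in the subject) Copyright 2017.",
    "Interrupts\tn/a\t0.32\t0 K\t0 K\tHardware Interrupts and DPCs\t\t",
    "System Idle Process\t0\t97.67\t0 K\t24 K\t\t\t",
])

# Kernel pseudo-processes: no image file on disk, so never a signature to verify.
PSEUDO_PROCESSES = {"System", "System Idle Process", "Interrupts"}


@dataclass
class ProcRow:
    name: str
    pid: Optional[int]       # None when the column reads "n/a"
    cpu: Optional[float]     # None when blank or "Suspended"
    suspended: bool
    private_kb: int
    working_kb: int
    description: str
    company: str
    signer: str


def _kb(field: str) -> int:
    """'2,868 K' -> 2868; a blank cell -> 0."""
    digits = field.replace(",", "").replace("K", "").strip()
    return int(digits) if digits else 0


def _cpu(field: str) -> Optional[float]:
    """'0.37' -> 0.37, '< 0.01' -> 0.0, blank or 'Suspended' -> None."""
    field = field.strip()
    if not field or field == "Suspended":
        return None
    if field.startswith("<"):
        return 0.0
    try:
        return float(field)
    except ValueError:
        return None


def parse_listing(text: str) -> List[ProcRow]:
    """Parse the saved listing; one tab (or four spaces in a forum paste) per column."""
    rows: List[ProcRow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = re.split(r"\t| {4}", line)
        if fields[:2] == ["Process", "PID"]:
            continue  # header row
        fields += [""] * (8 - len(fields))  # trailing empty cells may have been dropped
        name, pid, cpu, priv, ws, desc, company, signer = (f.strip() for f in fields[:8])
        rows.append(ProcRow(
            name=name, pid=int(pid) if pid.isdigit() else None,
            cpu=_cpu(cpu), suspended=(cpu == "Suspended"),
            private_kb=_kb(priv), working_kb=_kb(ws),
            description=desc, company=company, signer=signer,
        ))
    return rows


def unverified(rows: List[ProcRow]) -> List[Tuple[str, Optional[int], str]]:
    """(name, pid, reason) for each real process whose signer is not '(Verified) ...'.

    An unsigned image is a lead, not a verdict: in post #3 both FRST64(1).exe and
    ZAM.exe are legitimate tools with no signature, whereas tprdpw32.exe has no
    signer, no description and no company, and one instance sits suspended.
    """
    findings = []
    for r in rows:
        if r.name in PSEUDO_PROCESSES or r.signer.startswith("(Verified)"):
            continue
        if r.signer:
            # e.g. "(No signature was present in the subject) Farbar"
            reason = r.signer.split(")")[0].lstrip("(")
        elif r.description or r.company:
            reason = "no signer recorded"
        else:
            reason = "no signer, description or company recorded"
        if r.suspended:
            reason += "; process is suspended"
        findings.append((r.name, r.pid, reason))
    return findings


if __name__ == "__main__":
    for name, pid, reason in unverified(parse_listing(SAMPLE)):
        print(f"{name:<16} pid={pid!s:<5} {reason}")
```

Cross-check each flagged name against the FRST "Processes (Whitelisted)" list, where the same two tprdpw32.exe instances appear with an empty "()" company field and a System32 path.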

#4 playwiffme (Topic Starter, Member, 61 posts)

FRST has been stuck on "scanning shortcuts" for about 15 minutes...advise?



#5 playwiffme (Topic Starter, Member, 61 posts)

FRST - Notepad -

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by Thomas (administrator) on THOMAS-PC (28-03-2017 13:34:57)
Running from C:\Users\Thomas\Documents\Software Programs\Farbar Recovery Tool - 1
Loaded Profiles: Thomas (Available Profiles: Thomas)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...ial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
() C:\Windows\System32\tprdpw32.exe
() C:\Windows\System32\tprdpw32.exe
(ABBYY Production LLC) C:\Program Files (x86)\ABBYY FineReader 12\NetworkLicenseServer.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Acer Incorporated) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Microsoft Corporation) C:\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe
(arvato digital services llc) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Pervasive Software Inc.) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(SplitCam Co.) C:\Program Files (x86)\SplitCam\SplitCamService.exe
(Microsoft Corporation) C:\Program Files (x86)\MICROSOFT SQL SERVER\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Copyright 2017.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(CyberLink Corp.) C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
(CyberLink) C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DMREngine.exe
(Acer Inc.) C:\Program Files (x86)\Acer\clear.fi Client\ExtractDeviceIcon.exe
() C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DeviceStage.exe
(Oracle Corporation) C:\Program Files\Frontier Texting\java_vm\bin\zipwhipw.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrobat_sl.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\Thomas\Documents\Software Programs\Farbar Recovery Tool - 1\FRST64(1).exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11580520 2010-11-10] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14471408 2017-03-06] (Copyright 2017.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498720 2015-12-17] (Adobe Systems Inc.)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist Corporate\1121\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\Run: [Frontier Texting] => C:\Program Files\Frontier Texting\Frontier Texting.lnk [1832 2016-11-08] ()
HKU\S-1-5-21-2364491048-255812346-798213191-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\System32\Acer.scr [456224 2010-07-29] ()
HKU\S-1-5-18\...\Run: [] => [X]
HKU\S-1-5-18\...\RunOnce: [IsMyWinLockerReboot] => msiexec.exe /qn /x {voidguid}
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
BootExecute: autocheck autochk * bootdeletebootdelete

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{95C5EA71-8623-416C-AAEC-D3AA4AF7581A}: [DhcpNameServer] 192.168.254.254
Tcpip\..\Interfaces\{9612667B-16FF-47A2-8AC8-4084E6EAD0FB}: [DhcpNameServer] 192.168.254.254

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2364491048-255812346-798213191-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2364491048-255812346-798213191-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-27] (Google Inc.)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-09-22] (Eyeo GmbH)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-09-20] (Hewlett-Packard Co.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-02-12] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-27] (Google Inc.)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Bing Bar Helper -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-06-07] (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-12] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-09-20] (Hewlett-Packard Co.)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-04-27] (Google Inc.)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll [2011-06-07] (Microsoft Corporation.)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2014-05-08] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-04-27] (Google Inc.)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {E7DA7F8D-27AB-4EE9-8FC0-3FEC9ECFE758} hxxps://access.wisconsin.gov/access/DynamicWebTWAIN.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~2\mcafee\msc\mcsniepl.dll No File

FireFox:
========
FF DefaultProfile: ixg7h6xy.default-1476596056535
FF ProfilePath: C:\Users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\vf9r2hzq.default [not found]
FF ProfilePath: C:\Users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\ixg7h6xy.default-1476596056535 [2017-03-28]
FF Homepage: Mozilla\Firefox\Profiles\ixg7h6xy.default-1476596056535 -> www.msn.com/
FF Extension: (AdBlocker for YouTube™) - C:\Users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\ixg7h6xy.default-1476596056535\Extensions\[email protected] [2016-12-05]
FF Extension: (Site Deployment Checker) - C:\Users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\ixg7h6xy.default-1476596056535\features\{ec85e9e5-61a9-4f62-884b-d3976b9e3ed7}\[email protected] [2017-03-24]
FF ProfilePath: C:\Users\Thomas\AppData\Roaming\Mozilla\Firefox\Profiles\embvo3sn.Default User [2017-03-27]
FF Homepage: Mozilla\Firefox\Profiles\embvo3sn.Default User -> hxxp://www.msn.com/
FF Extension: (Site Deployment Checker) - C:\Program Files (x86)\Mozilla Firefox\browser\features\[email protected] [2017-03-28] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: (HP Smart Web Printing) - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012-06-30] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{CF13FA66-1F4F-426d-BB1B-E07A13BFF2C8}] - C:\Program Files (x86)\Aimersoft\Video Converter Ultimate\SVRFirefoxExt => not found
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: (Adobe Acrobat - Create PDF) - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2016-11-06]
FF HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\Firefox\Extensions: [{CF13FA66-1F4F-426d-BB1B-E07A13BFF2C8}] - C:\Program Files (x86)\Aimersoft\Video Converter Ultimate\SVRFirefoxExt => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_25_0_0_127.dll [2017-03-21] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2014-04-29] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_25_0_0_127.dll [2017-03-21] ()
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-12] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-12] (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll [2012-05-25] (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @Nero.com/KM -> C:\PROGRA~2\COMMON~1\Nero\BROWSE~1\NPBROW~1.DLL [2015-08-28] (Nero AG)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2011-02-24] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2011-02-24]

(NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program

Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16]

(Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program

Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16]

(Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0

-> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration

\Registered\1\NP_wtapp.dll [2012-06-30] ()
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat

11.0\Acrobat\Air\nppdf32.dll [2015-12-17] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat

Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files

(x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities

\npAdobeAAMDetect32.dll [2014-04-29] (Adobe Systems)
FF Plugin HKU\S-1-5-21-2364491048-255812346-798213191-1001:

@citrixonline.com/appdetectorplugin -> C:\Users\Thomas\AppData\Local

\Citrix\Plugins\104\npappdetector.dll [2016-01-20] (Citrix Online)

Chrome:
=======
CHR Profile: C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default [2017-03-28]
CHR Extension: (Google Slides) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-05]
CHR Extension: (Flash Video Downloader) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2017-02-26]
CHR Extension: (Google Docs) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-05]
CHR Extension: (Google Drive) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-21]
CHR Extension: (MagMouse) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\biofinbccickkakhihdmkafjniganmee [2016-10-03]
CHR Extension: (YouTube) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Search) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-26]
CHR Extension: (Adobe Acrobat) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-03-04]
CHR Extension: (Google Sheets) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-05]
CHR Extension: (Google Docs Offline) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (Google Hangouts) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\knipolnnllmklapflnccelgolnpehhpl [2017-02-11]
CHR Extension: (Video DownloadHelper) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjnegcaeklhafolokijcfjliaokphfk [2016-12-21]
CHR Extension: (Aimersoft Video Converter Ultimate) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\mapcejffhcbidcjmomhalabpcbaeimcb [2015-02-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Gmail) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-27]
CHR Extension: (Chrome Media Router) - C:\Users\Thomas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-11]
CHR HKU\S-1-5-21-2364491048-255812346-798213191-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-12-17]
CHR HKLM-x32\...\Chrome\Extension: [mapcejffhcbidcjmomhalabpcbaeimcb] - C:\Program Files (x86)\Aimersoft\Video Converter Ultimate\SVRChromePlugin.crx [2013-09-14]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2012-07-11] (SUPERAntiSpyware.com) [File not signed]
R2 ABBYY.Licensing.FineReader.Professional.12.0; C:\Program Files (x86)\ABBYY FineReader 12\NetworkLicenseServer.exe [925904 2014-01-23] (ABBYY Production LLC)
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S3 GoToAssist; C:\Program Files (x86)\Citrix\GoToAssist Corporate\1121\G2AC_Service.exe [310080 2016-01-20] (Citrix Online, a division of Citrix Systems, Inc.)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [249344 2009-09-20] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-09-20] (Hewlett-Packard Co.) [File not signed]
S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S4 KSS; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe [202296 2012-04-25] (Kaspersky Lab ZAO)
S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R2 MSSQL$UPSWSDBSERVER; C:\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S4 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [336824 2010-11-30] (arvato digital services llc)
R2 psqlWGE; C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435496 2009-04-06] (Pervasive Software Inc.)
R2 SpliCamService; C:\Program Files (x86)\SplitCam\SplitCamService.exe [321064 2016-10-19] (SplitCam Co.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [14471408 2017-03-06] (Copyright 2017.) [File not signed]
S2 Dataup; C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe [X] <==== ATTENTION
S4 SpyHunter 4 Service; C:\PROGRA~2\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [X]
S2 windowsmanagementservice; "C:\Users\Thomas\AppData\Local\microlabs\ct.exe" /svc [X] <==== ATTENTION

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 appliand; C:\Windows\System32\DRIVERS\appliand.sys [33888 2011-06-25] (Applian Technologies Inc.)
R3 appliandMP; C:\Windows\System32\DRIVERS\appliand.sys [33888 2011-06-25] (Applian Technologies Inc.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [76576 2017-03-26] () [File not signed] <==== ATTENTION
S3 ESGIGUARD; C:\Program Files (x86)\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2016-11-29] ()
S3 ESGSCANNER; C:\Windows\SysWOW64\DRIVERS\EsgScanner.sys [19984 2012-06-22] ()
R3 ManyCam; C:\Windows\System32\DRIVERS\mcvidrv.sys [49304 2014-12-29] (Visicom Media Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2017-03-26] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R3 mcaudrv_simple; C:\Windows\System32\drivers\mcaudrv_x64.sys [35992 2014-12-28] (Visicom Media Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 scvad_simple; C:\Windows\System32\drivers\SplitCamAudio.sys [23552 2016-08-02] (Windows ® Win 7 DDK provider)
R3 splitcam_hd_driver; C:\Windows\System32\DRIVERS\splitcam_hd_driver.sys [37600 2016-08-02] (Windows ® Win 7 DDK provider)
R3 WsAudio_Device; C:\Windows\System32\drivers\VirtualAudio.sys [31080 2013-03-25] (Wondershare)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2017-03-26] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2017-03-26] (Zemana Ltd.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-28 13:18 - 2017-03-28 13:18 - 02424832 _____ (Farbar) C:\Users\Thomas\Downloads\FRST64(1).exe
2017-03-28 11:57 - 2017-03-28 11:57 - 02710688 _____ (Sysinternals - www.sysinternals.com) C:\Users\Thomas\Downloads\procexp(1).exe
2017-03-28 11:03 - 2017-03-28 11:03 - 00000900 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2017-03-28 11:03 - 2017-03-28 11:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2017-03-28 11:02 - 2017-03-28 11:03 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2017-03-28 10:59 - 2017-03-28 11:01 - 243565384 _____ (Emsisoft Ltd. ) C:\Users\Thomas\Downloads\EmsisoftAntiMalwareSetup.exe
2017-03-28 09:03 - 2017-03-28 09:03 - 49405136 _____ (Microsoft Corporation) C:\Users\Thomas\Downloads\Windows-KB890830-x64-V5.46.exe
2017-03-28 08:47 - 2017-03-28 10:53 - 00000228 _____ C:\Users\Thomas\Documents\03-28-17-1.txt
2017-03-28 03:34 - 2017-03-28 03:34 - 00000000 ____D C:\VIPRERESCUE
2017-03-28 03:30 - 2017-03-28 03:33 - 315179008 _____ C:\Users\Thomas\Downloads\VIPRERescue.exe
2017-03-28 03:07 - 2017-03-28 03:07 - 00023197 _____ C:\Users\Thomas\Documents\03-28-17.txt
2017-03-28 03:03 - 2017-03-28 03:03 - 00023197 _____ C:\Windows\system32\0
2017-03-28 02:54 - 2017-03-28 02:55 - 19044562 _____ C:\Users\Thomas\Downloads\mbar-1.09.3.1001.zip
2017-03-27 17:22 - 2017-03-27 17:22 - 00001324 _____ C:\AdwCleaner[R3].txt
2017-03-27 16:36 - 2017-03-27 16:36 - 00000700 _____ C:\Users\Thomas\Documents\03-27-17.txt
2017-03-27 10:55 - 2017-03-27 10:56 - 00059427 _____ C:\Users\Thomas\Downloads\Addition.txt
2017-03-27 10:53 - 2017-03-27 10:56 - 00079814 _____ C:\Users\Thomas\Downloads\FRST.txt
2017-03-27 10:52 - 2017-03-28 13:20 - 00000000 ____D C:\FRST
2017-03-27 10:52 - 2017-03-27 10:52 - 02424832 _____ (Farbar) C:\Users\Thomas\Downloads\FRST64.exe
2017-03-27 09:53 - 2017-03-27 09:53 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill.scr
2017-03-27 09:53 - 2017-03-27 09:53 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill(4).exe
2017-03-27 09:53 - 2017-03-27 09:53 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill(3).com
2017-03-27 09:12 - 2017-03-27 09:12 - 57131432 _____ (Malwarebytes ) C:\Users\Thomas\Desktop\mb3-setup-1878.1878-3.0.6.1469-1075.exe
2017-03-27 09:11 - 2017-03-27 09:12 - 57131432 _____ (Malwarebytes ) C:\Users\Thomas\Downloads\mb3-setup-1878.1878-3.0.6.1469-1075.exe
2017-03-27 07:58 - 2017-03-27 07:58 - 04031440 _____ C:\Users\Thomas\Downloads\AdwCleaner (5).exe
2017-03-27 02:58 - 2017-03-27 02:58 - 00002407 _____ C:\Users\Thomas\Desktop\RKreport[5]_D_03272017_02d0258.txt
2017-03-27 02:58 - 2017-03-27 02:58 - 00002364 _____ C:\Users\Thomas\Desktop\RKreport[4]_S_03272017_02d0258.txt
2017-03-27 02:56 - 2017-03-27 02:56 - 00002710 _____ C:\Users\Thomas\Desktop\RKreport[3]_D_03272017_02d0256.txt
2017-03-27 02:55 - 2017-03-27 02:55 - 00002718 _____ C:\Users\Thomas\Desktop\RKreport[2]_S_03272017_02d0255.txt
2017-03-27 02:54 - 2017-03-27 02:54 - 00002681 _____ C:\Users\Thomas\Desktop\RKreport[1]_S_03272017_02d0254.txt
2017-03-27 01:52 - 2017-03-27 00:19 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Thomas\Desktop\tdsskiller(1).exe
2017-03-27 01:52 - 2017-03-26 18:22 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Desktop\rkill.exe
2017-03-27 01:51 - 2017-03-27 01:49 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Thomas\Desktop\mbar-1.09.3.1001.exe
2017-03-27 01:49 - 2017-03-27 01:49 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Thomas\Downloads\mbar-1.09.3.1001.exe
2017-03-27 00:19 - 2017-03-27 00:19 - 04747704 _____ (AO Kaspersky Lab) C:\Users\Thomas\Downloads\tdsskiller(1).exe
2017-03-26 22:54 - 2017-03-26 22:54 - 00001387 _____ C:\AdwCleaner[R2].txt
2017-03-26 22:51 - 2017-03-27 14:46 - 00000000 ____D C:\Users\Thomas\AppData\Local\CrashDumps
2017-03-26 22:47 - 2017-03-27 02:26 - 00000212 _____ C:\Windows\system32\bootdelete.lst
2017-03-26 21:02 - 2017-03-28 02:08 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2017-03-26 21:01 - 2017-03-26 22:48 - 00000000 ____D C:\ProgramData\RogueKiller
2017-03-26 21:01 - 2017-03-26 21:01 - 00000862 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2017-03-26 21:01 - 2017-03-26 21:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2017-03-26 21:01 - 2017-03-26 21:01 - 00000000 ____D C:\Program Files\RogueKiller
2017-03-26 21:00 - 2017-03-26 21:01 - 35109888 _____ (Adlice Software ) C:\Users\Thomas\Downloads\setup.exe
2017-03-26 20:59 - 2017-03-28 02:06 - 00000000 ____D C:\Users\Thomas\Desktop\RK_Quarantine
2017-03-26 19:30 - 2017-03-28 13:48 - 00143706 _____ C:\Windows\ZAM.krnl.trace
2017-03-26 19:30 - 2017-03-28 13:48 - 00065856 _____ C:\Windows\ZAM_Guard.krnl.trace
2017-03-26 19:30 - 2017-03-26 19:30 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2017-03-26 19:30 - 2017-03-26 19:30 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2017-03-26 19:30 - 2017-03-26 19:30 - 00001152 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2017-03-26 19:30 - 2017-03-26 19:30 - 00000000 ____D C:\Users\Thomas\AppData\Local\Zemana
2017-03-26 19:30 - 2017-03-26 19:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2017-03-26 19:30 - 2017-03-26 19:30 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2017-03-26 19:28 - 2017-03-26 19:29 - 05740956 _____ (Zemana Ltd. ) C:\Users\Thomas\Downloads\eXplorer(1).exe
2017-03-26 19:19 - 2017-03-26 19:19 - 02019656 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\RKill_2.8.2.0.com
2017-03-26 19:18 - 2017-03-26 19:18 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill(3).exe
2017-03-26 19:09 - 2017-03-26 19:09 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill(2).exe
2017-03-26 18:43 - 2017-03-26 18:42 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Desktop\iExplore.exe
2017-03-26 18:42 - 2017-03-26 18:42 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\iExplore.exe
2017-03-26 18:32 - 2017-03-26 18:32 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\eXplorer.exe
2017-03-26 18:29 - 2017-03-26 18:30 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill(2).com
2017-03-26 18:26 - 2017-03-26 18:26 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill(1).exe
2017-03-26 18:24 - 2017-03-26 18:24 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\Tom-fix.exe
2017-03-26 18:22 - 2017-03-26 18:22 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Thomas\Downloads\rkill.exe
2017-03-26 14:40 - 2017-03-26 14:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScissors
2017-03-26 14:40 - 2017-03-26 14:40 - 00000000 ____D C:\Program Files\PhotoScissors
2017-03-26 14:37 - 2017-03-26 14:38 - 00570549 _____ C:\Users\Thomas\Downloads\Teorex_MultiKG_v0.2_CRD.7z
2017-03-26 14:09 - 2017-03-26 14:09 - 09927190 _____ (teorex ) C:\Users\Thomas\Downloads\PhotoScissorsSetup.exe
2017-03-26 12:34 - 2017-03-26 12:34 - 10351487 _____ C:\Users\Thomas\Downloads\Teorex_PhotoScissors_3.rar
2017-03-26 12:13 - 2017-03-27 14:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\ntuserlitelist
2017-03-26 12:13 - 2017-03-27 14:23 - 00000000 ____D C:\Users\Thomas\AppData\Local\microlabs
2017-03-26 12:13 - 2017-03-26 12:13 - 00833024 ____N C:\Windows\system32\tprdpw32.exe
2017-03-26 12:13 - 2017-03-26 12:13 - 00076576 ____N C:\Windows\system32\Drivers\ndistpr64.sys
2017-03-26 12:11 - 2017-03-26 12:11 - 00000000 ____D C:\Users\Thomas\.proxycheck
2017-03-26 12:05 - 2017-03-26 12:06 - 00359669 _____ C:\Users\Thomas\Downloads\Teorex+PhotoScissors+30+Setup_zip.zip
2017-03-26 11:43 - 2017-03-26 11:43 - 00033776 _____ C:\Users\Thomas\Downloads\Teorex Photoscissors v3.torrent
2017-03-26 10:43 - 2017-03-26 10:43 - 00000000 ____D C:\Program Files (x86)\Teorex
2017-03-26 10:41 - 2017-03-26 10:42 - 23845261 _____ C:\Users\Thomas\Downloads\Teorex_PhotoScissors_3.0.rar
2017-03-25 18:23 - 2017-03-25 18:24 - 04031440 _____ C:\Users\Thomas\Downloads\AdwCleaner(3).exe
2017-03-25 18:21 - 2017-03-25 18:21 - 00001234 _____ C:\AdwCleaner[R1].txt
2017-03-24 19:03 - 2017-03-24 19:03 - 00288606 _____ C:\Users\Thomas\Downloads
2017-03-21 19:23 - 2017-03-21 19:20 - 01201256 _____ (Adobe Systems Incorporated) C:\Users\Thomas\Documents\flashplayer25_xa_install.ex

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-28 13:47 - 2009-07-14 00:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-03-28 13:47 - 2009-07-14 00:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-03-28 13:39 - 2016-11-18 10:18 - 00000000 ____D C:\Users\Thomas\AppData\LocalLow\Mozilla
2017-03-28 13:39 - 2015-03-26 12:16 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-03-28 13:38 - 2015-04-26 15:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-03-28 13:35 - 2015-04-02 17:24 - 00000000 ____D C:\Program Files\Frontier Texting
2017-03-28 13:32 - 2012-06-29 22:57 - 00000000 ____D C:\Users\Thomas\Documents\Software Programs
2017-03-28 13:32 - 2012-06-29 22:08 - 00000000 ____D C:\Users\Thomas
2017-03-28 13:31 - 2014-03-28 05:13 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4a65f48969b0.job
2017-03-28 13:30 - 2011-11-10 19:10 - 00000000 ____D C:\ProgramData\NVIDIA
2017-03-28 13:29 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-03-28 12:06 - 2016-10-15 22:56 - 00000002 _____ C:\Users\Thomas\Desktop\Rkill.txt
2017-03-28 09:57 - 2012-06-30 12:25 - 00000000 ____D C:\ProgramData\clear.fi
2017-03-28 09:14 - 2012-06-30 02:17 - 00000000 ____D C:\Windows\system32\Macromed
2017-03-27 19:56 - 2016-10-19 19:59 - 00000000 ____D C:\Users\Thomas\AppData\LocalLow\Adblock Plus for IE
2017-03-27 17:23 - 2014-01-19 00:37 - 00000000 ____D C:\AdwCleaner
2017-03-27 16:47 - 2009-07-14 01:08 - 00032574 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2017-03-27 13:29 - 2016-10-27 10:06 - 00003242 _____ C:\Windows\System32\Tasks\Hitman Pro 3.5 Boot Task
2017-03-27 13:29 - 2016-10-27 10:06 - 00001978 _____ C:\Users\Public\Desktop\Hitman Pro 3.5.lnk
2017-03-27 13:29 - 2013-01-07 03:15 - 00023112 _____ C:\Windows\system32\Drivers\hitmanpro35.sys
2017-03-27 08:00 - 2012-07-01 14:03 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\uTorrent
2017-03-27 02:26 - 2016-10-16 11:03 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2017-03-26 17:37 - 2012-08-05 21:25 - 00000000 ____D C:\ProgramData\ThumbsPlus
2017-03-26 15:20 - 2012-08-05 19:09 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\ThumbsPlus
2017-03-26 09:27 - 2013-03-24 02:41 - 00000000 ____D C:\Program Files (x86)\Replay Video Capture 6
2017-03-26 06:34 - 2012-07-06 20:26 - 00000000 ____D C:\Users\Thomas\Documents\My Streaming Media
2017-03-26 02:16 - 2014-04-30 01:28 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-03-25 20:01 - 2012-07-01 20:50 - 00000000 ____D C:\Users\Thomas\Documents\ConvertXToDVD
2017-03-25 18:48 - 2009-07-14 01:13 - 00852428 _____ C:\Windows\system32\PerfStringBackup.INI
2017-03-25 18:48 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2017-03-25 18:32 - 2016-01-15 15:26 - 00000000 ___RD C:\Users\Thomas\Google Drive
2017-03-25 14:27 - 2011-07-20 09:02 - 00000000 ___HD C:\OEM
2017-03-25 08:12 - 2012-07-04 00:19 - 00000000 ____D C:\Users\Thomas\Documents\My Stuff
2017-03-21 19:24 - 2016-05-17 23:35 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-03-21 19:24 - 2016-05-17 23:35 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-03-21 19:24 - 2014-09-02 07:08 - 00000000 ____D C:\Users\Thomas\AppData\Local\Adobe
2017-03-21 19:24 - 2011-07-20 08:43 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-03-21 12:07 - 2014-08-25 18:55 - 00005052 _____ C:\Windows\DUNZLOG.TXT
2017-03-20 23:48 - 2011-05-10 17:15 - 00000000 ____D C:\Users\Thomas\Documents\Adult
2017-03-19 04:57 - 2012-07-16 11:42 - 00000000 ____D C:\Users\Thomas\AppData\Local\ElevatedDiagnostics
2017-03-17 12:49 - 2013-01-01 03:06 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Smilebox
2017-03-16 06:16 - 2016-05-21 22:05 - 00001057 _____ C:\Users\Thomas\AppData\Roaming\vso_ts_preview.xml
2017-03-16 06:16 - 2016-05-21 22:05 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Vso
2017-03-11 15:17 - 2012-07-04 22:20 - 00000000 ____D C:\Users\Thomas\Documents\My Scans
2017-03-09 21:40 - 2012-09-03 12:07 - 00002199 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-03-09 21:40 - 2012-09-03 12:07 - 00002187 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2017-03-02 08:19 - 2014-12-27 00:32 - 00001945 _____ C:\Windows\epplauncher.mif
2017-03-02 08:19 - 2014-12-27 00:31 - 00002121 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
2017-03-02 08:19 - 2014-12-27 00:31 - 00000000 ____D C:\Program Files\Microsoft Security Client
2017-03-02 08:19 - 2014-12-27 00:31 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2017-02-26 20:38 - 2015-11-10 17:04 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-02-26 20:29 - 2016-03-19 14:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Photo Collage Creator
2017-02-26 20:29 - 2012-09-29 14:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetObjects
2017-02-26 20:27 - 2017-02-18 20:05 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SplitCam
2017-02-26 20:27 - 2016-11-29 11:15 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyHunter
2017-02-26 20:27 - 2016-10-27 10:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hitman Pro 3.5
2017-02-26 20:27 - 2016-10-18 13:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EaseUS Data Recovery Wizard
2017-02-26 20:27 - 2016-10-16 21:54 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Seagate File Recovery for Windows
2017-02-26 20:27 - 2016-10-16 20:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FILE RECOVERY for Windows
2017-02-26 20:27 - 2016-10-15 01:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCare Data Recovery Pro
2017-02-26 20:27 - 2016-09-30 06:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-02-26 20:27 - 2016-08-02 15:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XnConvert
2017-02-26 20:27 - 2016-05-22 19:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVD Flick
2017-02-26 20:27 - 2016-05-20 18:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero 2016
2017-02-26 20:27 - 2016-05-20 04:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVD Identifier
2017-02-26 20:27 - 2016-05-07 18:36 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
2017-02-26 20:27 - 2016-05-07 17:42 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
2017-02-26 20:27 - 2016-04-25 17:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ManyCam
2017-02-26 20:27 - 2016-03-30 04:14 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2017-02-26 20:27 - 2016-03-19 15:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Picasa 3
2017-02-26 20:27 - 2016-03-19 14:52 - 00000000 ____D C:\Program Files (x86)\Photo Collage Creator
2017-02-26 20:27 - 2016-03-02 10:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
2017-02-26 20:27 - 2016-01-15 15:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2017-02-26 20:27 - 2015-10-08 00:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inpaint
2017-02-26 20:27 - 2015-10-07 10:54 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Portable Programs
2017-02-26 20:27 - 2015-09-06 05:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MKVToolNix
2017-02-26 20:27 - 2015-08-29 19:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Animated GIF producer 5.0 TRIAL
2017-02-26 20:27 - 2015-08-29 09:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Web Easy Professional 10
2017-02-26 20:27 - 2015-04-02 17:25 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\.zipwhip
2017-02-26 20:27 - 2015-03-16 18:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ABBYY FineReader 12
2017-02-26 20:27 - 2015-02-19 17:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft LifeCam
2017-02-26 20:27 - 2015-02-16 23:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CorelDRAW Graphics Suite X6 (64-Bit)
2017-02-26 20:27 - 2015-02-02 20:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Barcode Generator
2017-02-26 20:27 - 2015-02-02 18:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PY Software
2017-02-26 20:27 - 2014-08-09 07:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2017-02-26 20:27 - 2014-04-30 01:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2017-02-26 20:27 - 2014-04-01 14:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HTML-Kit
2017-02-26 20:27 - 2014-02-05 21:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nikon Message Center 2
2017-02-26 20:27 - 2014-02-05 21:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ViewNX 2
2017-02-26 20:27 - 2014-02-05 21:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nikon View 6
2017-02-26 20:27 - 2013-12-23 15:50 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2017-02-26 20:27 - 2013-05-10 12:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\K-Lite Codec Pack
2017-02-26 20:27 - 2013-03-27 02:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Handbrake
2017-02-26 20:27 - 2013-03-27 01:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DVD Shrink
2017-02-26 20:27 - 2013-03-24 02:41 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Applian Technologies
2017-02-26 20:27 - 2013-03-13 03:02 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2017-02-26 20:27 - 2013-01-29 10:49 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kaspersky Security Scan
2017-02-26 20:27 - 2012-10-11 13:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Starter (English)
2017-02-26 20:27 - 2012-10-04 00:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2017-02-26 20:27 - 2012-08-05 21:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ThumbsPlus
2017-02-26 20:27 - 2012-08-05 20:37 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-02-26 20:27 - 2012-08-05 20:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2017-02-26 20:27 - 2012-07-27 23:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Machete Lite
2017-02-26 20:27 - 2012-07-15 13:46 - 00000000 ____D C:\ProgramData\Protexis64
2017-02-26 20:27 - 2012-07-08 10:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Yahoo! Messenger
2017-02-26 20:27 - 2012-07-06 20:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Applian Technologies
2017-02-26 20:27 - 2012-07-02 14:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UPS
2017-02-26 20:27 - 2012-06-30 19:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Peachtree Pro Accounting 2010
2017-02-26 20:27 - 2012-06-30 18:49 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2017-02-26 20:27 - 2012-06-29 23:14 - 00000000 ____D C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StreamTorrent 1.0
2017-02-26 20:27 - 2012-06-29 23:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinZip
2017-02-26 20:27 - 2012-06-29 22:08 - 00000000 ____D C:\Users\Thomas\AppData\Local\PowerCinema
2017-02-26 20:27 - 2011-11-10 19:27 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\clear.fi
2017-02-26 20:27 - 2011-11-10 19:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AUPEO!
2017-02-26 20:27 - 2011-11-10 19:16 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
2017-02-26 20:27 - 2011-11-10 19:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AcerSystem
2017-02-26 20:27 - 2011-07-20 08:42 - 00000000 ____D C:\ProgramData

\Microsoft\Windows\Start Menu\Programs\Norton Online Backup
2017-02-26 20:27 - 2011-07-20 08:40 - 00000000 ____D C:\ProgramData

\Microsoft\Windows\Start Menu\Programs\Nero
2017-02-26 20:27 - 2011-07-20 08:36 - 00000000 ___RD C:\ProgramData

\Microsoft\Windows\Start Menu\Programs\Windows Live
2017-02-26 20:27 - 2011-07-20 08:32 - 00000000 ___RD C:\ProgramData

\Microsoft\Windows\Start Menu\Programs\Acer
2017-02-26 20:27 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData

\Microsoft\Windows\Start Menu\Programs\Games
2017-02-26 20:27 - 2009-07-13 23:20 - 00000000 ____D C:\Windows

\registration
2017-02-26 20:23 - 2012-09-03 12:06 - 00000000 ____D C:\Program Files

(x86)\Google

==================== Files in the root of some directories =======

2014-11-13 08:30 - 2014-11-13 08:30 - 6000640 _____ () C:\Program Files (x86)\GUT5B97.tmp
2017-02-26 19:16 - 2017-02-26 19:24 - 7680000 _____ () C:\Program Files (x86)\GUT849B.tmp
2017-03-11 12:25 - 2017-03-11 12:25 - 0163840 _____ (Explorer) C:\Users\Thomas\AppData\Roaming\35-1 q.exe
2014-02-05 21:35 - 2014-02-05 21:35 - 0000268 ___RH () C:\Users\Thomas\AppData\Roaming\Bass Amp
2014-02-05 21:35 - 2014-02-05 21:35 - 0000268 ___RH () C:\Users\Thomas\AppData\Roaming\Bass Reduction
2014-02-05 21:35 - 2014-02-05 21:35 - 0000268 ___RH () C:\Users\Thomas\AppData\Roaming\BookService
2016-05-20 15:33 - 2016-05-21 20:48 - 0099384 _____ () C:\Users\Thomas\AppData\Roaming\inst.exe
2013-03-02 18:55 - 2013-03-02 18:55 - 0000082 _____ () C:\Users\Thomas\AppData\Roaming\mbam.context.scan
2016-05-18 18:14 - 2016-05-21 20:48 - 0007859 _____ () C:\Users\Thomas\AppData\Roaming\pcouffin.cat
2016-05-18 18:14 - 2016-05-21 20:48 - 0001167 _____ () C:\Users\Thomas\AppData\Roaming\pcouffin.inf
2016-05-18 18:14 - 2016-05-21 20:48 - 0000055 _____ () C:\Users\Thomas\AppData\Roaming\pcouffin.log
2016-05-18 18:14 - 2016-05-21 20:48 - 0082816 _____ (VSO Software) C:\Users\Thomas\AppData\Roaming\pcouffin.sys
2014-09-03 17:00 - 2014-09-03 17:00 - 35123384 _____ (VSO Software) C:\Users\Thomas\AppData\Roaming\vsoConvertXtoDVD5_setup.exe
2016-05-21 22:05 - 2017-03-16 06:16 - 0001057 _____ () C:\Users\Thomas\AppData\Roaming\vso_ts_preview.xml
2015-05-20 18:10 - 2017-01-09 23:07 - 0014848 _____ () C:\Users\Thomas\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-10-14 23:07 - 2016-10-14 23:09 - 0000003 _____ () C:\Users\Thomas\AppData\Local\run1.txt
2013-01-12 18:20 - 2013-01-12 18:20 - 2250054 _____ () C:\ProgramData\1.bmp
2013-01-12 18:19 - 2013-01-12 18:19 - 0444366 _____ () C:\ProgramData\1.jpg
2011-11-10 19:29 - 2011-11-10 19:31 - 0014756 _____ () C:\ProgramData\ArcadeDeluxe5.log
2014-02-05 21:35 - 2014-02-05 21:35 - 0000268 ___RH () C:\ProgramData\Breath Pad
2014-02-05 21:35 - 2014-02-05 21:35 - 0000268 ___RH () C:\ProgramData\Brother
2014-02-05 21:35 - 2014-02-05 21:35 - 0000268 ___RH () C:\ProgramData\Bubble Noise
2014-02-05 21:35 - 2014-02-05 21:35 - 0000012 ___RH () C:\ProgramData\Classical
2014-02-05 21:35 - 2014-02-05 21:35 - 0000012 ___RH () C:\ProgramData\Clips
2014-02-05 21:35 - 2014-02-05 21:35 - 0000012 ___RH () C:\ProgramData\ColorSync
2012-06-30 18:14 - 2013-10-16 14:30 - 0002719 _____ () C:\ProgramData\hpzinstall.log
2014-02-05 21:35 - 2014-02-05 21:35 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2014-02-05 21:35 - 2014-02-05 21:37 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2014-02-05 21:35 - 2014-02-05 21:38 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT

Some files in TEMP:
====================
2017-03-27 10:14 - 2016-09-09 14:23 - 1732864 _____ (Microsoft Corporation) C:\Users\Thomas\AppData\Local\Temp\dllnt_dump.dll

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-24 05:14

==================== End of FRST.txt

============================
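The file listing above is the part of an FRST log a responder reads by eye: executables sitting in a user profile, a driver under Roaming, a DLL in Temp carrying a Microsoft company string. As an added example (not FRST's own code and not part of the poster's log), here is a small Python triage pass over lines from that section. The line layout is assumed from the entries quoted above, the heuristics are my own, and the scan time is taken from the Addition.txt header in this thread (28-03-2017 13:50:44). A flag is a reason to look, not a verdict.

```python
"""Triage of FRST "Files in the root of some directories" entries.

Added example; this is not FRST's code and not the poster's. It parses the
one-line-per-object layout FRST prints (assumed from the lines quoted in the
log above) and applies a handful of heuristics of my own choosing.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed layout: <created> - <modified> - <size> <attrs> [(<company>)] <path>
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5,6}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
TS_FMT = "%Y-%m-%d %H:%M"
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str          # FRST attribute column, e.g. _____, ___RH, ____D
    company: str        # version-resource company name, "" if absent
    path: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for one FRST object line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=datetime.strptime(m["created"], TS_FMT),
        modified=datetime.strptime(m["modified"], TS_FMT),
        size=int(m["size"]),
        attrs=m["attrs"],
        company=(m["company"] or "").strip(),
        path=m["path"].strip(),
    )


def triage(entry, scan_time, recent=timedelta(days=30)):
    """Attach review flags to an Entry (heuristics are mine, not FRST's)."""
    p = entry.path.lower()
    is_file = "D" not in entry.attrs
    is_exec = is_file and p.endswith(EXEC_EXT)
    if is_exec and any(d in p for d in USER_WRITABLE):
        entry.flags.append("executable in user-writable location")
    if is_exec and not entry.company:
        entry.flags.append("no publisher string")
    if is_exec and p.endswith(".sys") and not p.startswith("c:\\windows\\"):
        entry.flags.append("driver outside C:\\Windows")
    # A copy keeps the source's modified time but gets a fresh creation time,
    # so created > modified means the file was dropped here, not written here.
    if is_file and entry.created > entry.modified:
        entry.flags.append("created after modified (copied or dropped)")
    if is_exec and scan_time - entry.created <= recent:
        entry.flags.append(f"created within {recent.days} days of scan")
    if is_exec and "microsoft" in entry.company.lower() and not p.startswith(SYSTEM_DIRS):
        entry.flags.append("Microsoft publisher string outside system dirs")
    return entry


def triage_log(text, scan_time):
    """Parse a log excerpt and return the flagged entries, most flags first."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    flagged = [e for e in (triage(e, scan_time) for e in entries) if e.flags]
    return sorted(flagged, key=lambda e: len(e.flags), reverse=True)


# Lines taken from the FRST output quoted in this thread, one entry per line.
SAMPLE = """
2014-11-13 08:30 - 2014-11-13 08:30 - 6000640 _____ () C:\\Program Files (x86)\\GUT5B97.tmp
2017-03-11 12:25 - 2017-03-11 12:25 - 0163840 _____ (Explorer) C:\\Users\\Thomas\\AppData\\Roaming\\35-1 q.exe
2014-02-05 21:35 - 2014-02-05 21:35 - 0000268 ___RH () C:\\Users\\Thomas\\AppData\\Roaming\\Bass Amp
2016-05-20 15:33 - 2016-05-21 20:48 - 0099384 _____ () C:\\Users\\Thomas\\AppData\\Roaming\\inst.exe
2016-05-18 18:14 - 2016-05-21 20:48 - 0082816 _____ (VSO Software) C:\\Users\\Thomas\\AppData\\Roaming\\pcouffin.sys
2016-10-14 23:07 - 2016-10-14 23:09 - 0000003 _____ () C:\\Users\\Thomas\\AppData\\Local\\run1.txt
2017-03-27 10:14 - 2016-09-09 14:23 - 1732864 _____ (Microsoft Corporation) C:\\Users\\Thomas\\AppData\\Local\\Temp\\dllnt_dump.dll
2017-02-26 20:27 - 2009-07-13 23:20 - 00000000 ____D C:\\Windows\\registration
"""
# Scan time from the Addition.txt header in this thread (28-03-2017 13:50:44).
SCAN_TIME = datetime(2017, 3, 28, 13, 50)

if __name__ == "__main__":
    for e in triage_log(SAMPLE, SCAN_TIME):
        print(e.path + "\n    " + "\n    ".join(e.flags))
```

Run as a script it lists dllnt_dump.dll first (four flags, including the created-after-modified mismatch that marks a dropped file), then 35-1 q.exe, inst.exe and pcouffin.sys with two flags each; the .tmp files, the data files and the directory line get none. The "created after modified" test is deliberately limited to files, since directory timestamps do not carry the same meaning.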


#6 playwiffme (Topic Starter, Member, 61 posts)

Addition - Notepad -

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Thomas (28-03-2017 13:50:44)
Running from C:\Users\Thomas\Documents\Software Programs\Farbar Recovery Tool - 1
Windows 7 Home Premium Service Pack 1 (X64) (2012-06-30 02:08:02)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2364491048-255812346-798213191-500 - Administrator - Disabled)
Guest (S-1-5-21-2364491048-255812346-798213191-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2364491048-255812346-798213191-1006 - Limited - Enabled)
Thomas (S-1-5-21-2364491048-255812346-798213191-1001 - Administrator - Enabled) => C:\Users\Thomas
UpdatusUser (S-1-5-21-2364491048-255812346-798213191-1000 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\uTorrent) (Version: 3.4.9.43388 - BitTorrent Inc.)
64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden
ABBYY FineReader 12 Professional (HKLM-x32\...\{F12000FE-0001-0000-0000-074957833700}) (Version: 12.0.501 - ABBYY Production LLC)
Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 5.00.3505 - Acer Incorporated)
Acer Games (HKLM-x32\...\WildTangent acer Master Uninstall) (Version: 1.0.2.5 - WildTangent)
Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.04.3503 - Acer Incorporated)
Acer ScreenSaver (HKLM-x32\...\Acer Screensaver) (Version: 1.1.0708.2011 - Acer Incorporated)
Acer System Information (HKLM-x32\...\{72199E33-4F2A-4B7F-8E25-95DDDD50A678}) (Version: 1.0.0 - Acer)
Active WebCam (HKLM-x32\...\Active WebCam) (Version:  - )
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{0F347A49-E36C-4639-8D2E-003AD408B8B2}) (Version: 1.5 - Eyeo GmbH)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20070 - Adobe Systems Incorporated)
Adobe Acrobat XI Pro (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-000000000006}) (Version: 11.0.14 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.7.0.19480 - Adobe Systems Incorporated)
Adobe Flash Player 25 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Flash Player 25 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Adobe Flash Player 25 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 25.0.0.127 - Adobe Systems Incorporated)
Agatha Christie - Death on the Nile (x32 Version: 2.2.0.98 - WildTangent) Hidden
Aimersoft DVD Creator(Build 3.0.0) (HKLM-x32\...\Aimersoft DVD Creator_is1) (Version:  - Aimersoft Software)
Aimersoft Helper Compact 2.5.0 (HKLM-x32\...\{405147F7-FCC5-499B-A27E-EA6BD4A80435}_is1) (Version: 2.5.0 - Aimersoft)
Aimersoft Video Converter Ultimate(Build 5.5.1.0) (HKLM-x32\...\Aimersoft Video Converter Ultimate_is1) (Version: 5.5.1.0 - Aimersoft Software)
AlignmentUtility (x32 Version: 19.00.0000 - UPS) Hidden
Animated GIF producer 5.0 TRIAL (HKLM-x32\...\Animated GIF producer 5.0 TRIAL_is1) (Version:  - AVLAN Design)
Apple Application Support (32-bit) (HKLM-x32\...\{C5815ACF-FD34-4553-8A22-C7411B7E662B}) (Version: 4.1.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{CBF12D2F-CF64-4CB7-858B-2C1F21068E5F}) (Version: 4.1.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
AviSynth 2.5 (HKLM-x32\...\AviSynth) (Version:  - )
Barcode Generator version 02.10.10 (HKLM-x32\...\{4E846FBC-F6B3-4767-A0DF-C38D8CD0E13D}_is1) (Version: 02.10.10 - Aurora3D Software)
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bing Bar (HKLM-x32\...\{C28D96C0-6A90-459E-A077-A6706F4EC0FC}) (Version: 7.0.765.0 - Microsoft Corporation)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
BufferChm (x32 Version: 130.0.331.000 - Hewlett-Packard) Hidden
Build-a-lot 4 - Power Source (x32 Version: 2.2.0.97 - WildTangent) Hidden
C5500 (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
CCC (x32 Version: 19.00.0000 - United Parcel Service, Inc.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform)
Chronicles of Albian (x32 Version: 2.2.0.95 - WildTangent) Hidden
Citrix Online Launcher (HKLM-x32\...\{48947098-A67C-46D4-90C5-9F2F6F0F96FE}) (Version: 1.0.449 - Citrix)
clear.fi (HKLM-x32\...\InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}) (Version: 1.0.1720.15 - CyberLink Corp.)
clear.fi (x32 Version: 1.0.1517_36458 - CyberLink Corp.) Hidden
clear.fi (x32 Version: 1.0.1720.15 - CyberLink Corp.) Hidden
clear.fi (x32 Version: 9.0.7713 - CyberLink Corp.) Hidden
clear.fi Client (HKLM-x32\...\{43AAE145-83CF-4C96-9A5E-756CEFCE879F}) (Version: 1.01.3500 - Acer Incorporated)
ConvertXtoDVD 4.1.19.365 (HKLM-x32\...\{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1) (Version: 4.1.19.365 - )
Corel Graphics - Windows Shell Extension (HKLM\...\_{EBDC2D0D-1E26-4EF2-BB48-C7E18F7800C6}) (Version: 16.0.0.707 - Corel Corporation)
Corel Graphics - Windows Shell Extension (Version: 16.0.707 - Corel Corporation) Hidden
Corel Graphics - Windows Shell Extension 32 Bit (Version: 16.0.707 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Capture (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Common (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Connect (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Custom Data (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Draw (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - EN (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Filters (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - FontNav (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - IPM (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - PHOTO-PAINT (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Photozoom Plugin (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Redist (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Setup Files (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - VBA (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - VideoBrowser (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - VSTA (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 - Writing Tools (x64) (Version: 16.0 - Corel Corporation) Hidden
CorelDRAW Graphics Suite X6 (64-Bit) (HKLM\...\_{BDBFAC49-8877-472F-876B-75ADB7DBC955}) (Version: 16.0.0.707 - Corel Corporation)
CorelDRAW Graphics Suite X6 (x64) (Version: 16.0 - Corel Corporation) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Crystal Reports 2008 Runtime SP1 (HKLM-x32\...\{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}) (Version: 12.1.0.882 - Business Objects)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (x32 Version: 130.0.0.0 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 130.0.465.000 - Hewlett-Packard) Hidden
DHTML Editing Component (HKLM-x32\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
DVD Flick 1.3.0.7 (HKLM-x32\...\DVD Flick_is1) (Version: 1.3.0.7 - Dennis Meuwissen)
DVD Identifier (HKLM-x32\...\DVD Identifier_is1) (Version: 5.2.0 - Kris Schoofs)
DVD Shrink 3.2 (HKLM-x32\...\DVD Shrink_is1) (Version:  - DVD Shrink)
EaseUS Data Recovery Wizard (HKLM\...\EaseUS Data Recovery Wizard_is1) (Version:  - EaseUS)
eBay Worldwide (HKLM-x32\...\{D3E5A972-9A15-427D-AE78-8181A5FD943C}) (Version: 2.2.0409 - OEM)
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 2017.2 - Emsisoft Ltd.)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Etron USB3.0 Host Controller (x32 Version: 0.103 - Etron Technology) Hidden
FILE RECOVERY for Windows (HKLM-x32\...\FILE RECOVERY for WindowsNSIS) (Version: 1.0.201 - Seagate)
Final Drive: Nitro (x32 Version: 2.2.0.95 - WildTangent) Hidden
FormsComponent (x32 Version: 19.00.0000 - UPS) Hidden
FOSS (x32 Version: 19.00.0000 - UPS) Hidden
Frontier Texting (HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\Frontier Texting) (Version: 2.5.0b3 - Zipwhip Inc.)
Galerie de photos (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 57.0.2987.98 - Google Inc.)
Google Drive (HKLM-x32\...\{07A12123-B717-496B-B471-48AF6407B433}) (Version: 1.32.4066.7445 - Google, Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
GoToAssist Corporate (HKLM-x32\...\GoToAssist) (Version: 11.3.0.1121 - Citrix Online, a division of Citrix Systems, Inc.)
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
GPBaseService2 (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HandBrake 0.9.8 (HKLM-x32\...\HandBrake) (Version: 0.9.8 - )
Hitman Pro 3.5 (HKLM\...\HitmanPro35) (Version: 3.5.9.125 - SurfRight B.V.)
Hotkey Utility (HKLM-x32\...\Hotkey Utility) (Version: 2.05.3505 - Acer Incorporated)
HP Imaging Device Functions 13.0 (HKLM\...\HP Imaging Device Functions) (Version: 13.0 - HP)
HP Photosmart C5500 All-In-One Driver Software 13.0 Rel. 4 (HKLM\...\{5F5FEF58-F4D8-488B-BDB3-6D5B22192B02}) (Version: 13.0 - HP)
HP Photosmart Essential 3.5 (HKLM\...\HP Photosmart Essential) (Version: 3.5 - HP)
HP Smart Web Printing 4.51 (HKLM\...\HP Smart Web Printing) (Version: 4.51 - HP)
HP Solution Center 13.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 13.0 - HP)
HP Update (HKLM-x32\...\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}) (Version: 5.003.001.001 - Hewlett-Packard)
HPPhotoGadget (x32 Version: 130.0.282.000 - Hewlett-Packard) Hidden
HPPhotoSmartDiscLabel_PaperLabel (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPPhotoSmartDiscLabel_PrintOnDisc (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPPhotoSmartDiscLabelContent1 (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
hpphotosmartdisclabelplugin (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPPhotosmartEssential (x32 Version: 2.04.0000 - Hewlett-Packard) Hidden
HPProductAssistant (x32 Version: 130.0.371.000 - Hewlett-Packard) Hidden
HTML-Kit 292 (HKLM-x32\...\HTMLKit_is1) (Version: 1.0 - HTMLKit.com)
iCare Data Recovery Pro (HKLM-x32\...\{F7EAB243-4D0C-47F5-A4F1-74D350E45489}_is1) (Version: 7.6 - iCare Recovery)
ICCHelp (HKLM-x32\...\{A5763105-D1D5-4862-A3FE-EC058F9AA73E}) (Version: 19.00.0000 - UPS)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3501 - Acer Incorporated)
Inpaint 5.0 (HKLM-x32\...\{2AEDC172-479F-47AE-8A48-A0524D4AED5B}_is1) (Version:  - Teorex)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Jewel Match 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Kaspersky Security Scan (HKLM-x32\...\InstallWIX_{56009CA3-423B-41F8-884A-E5B049534F15}) (Version: 12.0.1.117 - Kaspersky Lab)
Kaspersky Security Scan (x32 Version: 12.0.1.117 - Kaspersky Lab) Hidden
K-Lite Codec Pack 9.5.0 (Basic) (HKLM-x32\...\KLiteCodecPack_is1) (Version: 9.5.0 - )
Machete Lite 3.8 (HKLM-x32\...\{CBA55866-5332-4E19-867F-30F7E22E9F1E}) (Version: 3.8.33 - MacheteSoft)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
ManyCam 5.0.5 (HKLM-x32\...\ManyCam) (Version: 5.0.5 - Visicom Media Inc.)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft LifeCam (HKLM\...\{5CE7E3F5-9803-4F32-AA89-2D8848A80109}) (Version: 3.60.253.0 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.5131.5000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 (HKLM-x32\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{9ACF3FDB-C8E6-444C-8C64-13A221F7BFFD}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM-x32\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{B636C9B9-A3F2-4DCE-ADCC-72E095018385}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 - ENU (HKLM-x32\...\{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual Studio Tools for Applications 2.0 Runtime (HKLM-x32\...\{299C0434-4F4E-341F-A916-4E07AEB35E79}) (Version: 9.0.30729 - Microsoft Corporation)
MKVToolNix 8.3.0 (64bit) (HKLM-x32\...\MKVToolNix) (Version: 8.3.0 - Moritz Bunkus)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Movie Maker 6.0 for Windows 7 (64-bit) (HKLM\...\{A7395F20-2B22-4CB8-8510-B452C0F47E02}) (Version: 6.0.0 - Microsoft Corporation)
Mozilla Firefox 52.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 52.0.2 (x86 en-US)) (Version: 52.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 52.0.2.6291 - Mozilla)
Mozilla Thunderbird 24.2.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 24.2.0 (x86 en-US)) (Version: 24.2.0 - Mozilla)
MSIChecker (x32 Version: 19.00.0000 - UPS) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.98 - WildTangent) Hidden
NA1Messenger (x32 Version: 19.00.0000 - Your Company Name) Hidden
Nero 2016 (HKLM-x32\...\{4297E807-5633-466A-8AC0-5AC48D310471}) (Version: 17.0.02000 - Nero AG)
Nero DiscSpeed 10 (HKLM-x32\...\{34490F4E-48D0-492E-8249-B48BECF0537C}) (Version: 6.2.10500.2.100 - Nero AG)
Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.2.12000.21.100 - Nero AG)
Nero Info (HKLM-x32\...\{F030BFE8-8476-4C08-A553-233DE80A2BE1}) (Version: 16.0.2000 - Nero AG)
Nero Multimedia Suite 10 Essentials (HKLM-x32\...\{62BF4BD3-B1F6-4FA2-8388-CC0647ACBF86}) (Version: 10.5.10300 - Nero AG)
Nero StartSmart 10 (HKLM-x32\...\{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}) (Version: 10.2.11600.14.100 - Nero AG)
NetObjects Fusion 10.0 (HKLM-x32\...\{ECC8CC4E-2291-438F-9601-C8A6BFBA0880}) (Version: 10.0 - )
NetObjects Fusion 11.0 (HKLM-x32\...\{1BD687EB-C093-4BA5-B336-AEF08C314921}) (Version: 11.0 - )
Nikon Message Center 2 (HKLM-x32\...\{B014EE44-9197-4513-9613-71E6EB1B514E}) (Version: 2.1.0 - Nikon)
Nikon Movie Editor (HKLM-x32\...\{5CAD3393-EEC0-44CE-9F93-BCAA365B77FB}) (Version: 2.9.0 - Nikon)
Nikon View 6 (HKLM-x32\...\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}) (Version:  - )
NOOK for PC (HKLM-x32\...\BN_DesktopReader) (Version: 2.5.4.7070 - Barnesandnoble.com)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.1.17869 - Symantec Corporation)
NRF (x32 Version: 19.00.0000 - UPS) Hidden
NVIDIA Graphics Driver 267.33 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 267.33 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.1.13.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.1.13.1 - NVIDIA Corporation)
NVIDIA Stereoscopic 3D Driver (HKLM-x32\...\NVIDIAStereo) (Version: 7.17.12.6733 - NVIDIA Corporation)
Peachtree Accounting 2010 (x32 Version: 17.00.00 - Sage Software, Inc.) Hidden
Peachtree Pro Accounting 2010 (HKLM-x32\...\InstallShield_{51EF69CF-70D3-4142-993D-AA97F36484CC}) (Version: 17.00.00 - Sage Software, Inc.)
Peachtree Pro Accounting 2010 (HKLM-x32\...\Peachtree Pro Accounting) (Version:  - )
PeachTree Signature Ready Forms (x32 Version: 6.7.4 - Sage Software SB, Inc.) Hidden
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Pervasive PSQL v10.10 Workgroup (32-bit) (x32 Version: 10.12.025 - Pervasive Software) Hidden
Photo Collage Creator 3.61 (HKLM-x32\...\Photo Collage Creator_is1) (Version:  - AMS Software)
PhotoScissors 3.0 (HKLM\...\{664FCCAE-8187-4EC5-B191-758C040C999C}_is1) (Version:  - teorex)
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9.141.259 - Google, Inc.)
Picture Collage Maker Pro 4.1.2 (HKLM-x32\...\{6D308A90-6C14-4A02-9B04-CB0EF17894A9}_is1) (Version: 4.1.2 - PearlMountain Technology Co., Ltd)
Picture Control Utility x64 (HKLM\...\{11953C65-BB4E-4CA4-B0F0-2600A4B20040}) (Version: 1.5.0 - Nikon)
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
PolicyManager (x32 Version: 19.00.0000 - UPS) Hidden
Prerequisite installer (x32 Version: 17.0.0002 - Nero AG) Hidden
PS_AIO_04_C5500_Software_Min (x32 Version: 130.0.365.000 - Hewlett-Packard) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.45.516.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6242 - Realtek Semiconductor Corp.)
Reconciler (x32 Version: 19.00.0000 - UPS) Hidden
Replay Media Catcher 4 (4.3.0) (HKLM-x32\...\Replay Media Catcher 4) (Version: 4.3.0 - Applian Technologies)
Replay Video Capture 6 (HKLM-x32\...\Replay Video Capture6.0.6) (Version: 6.0.6 - Applian Technologies Inc.)
ReportServer (x32 Version: 18.00.0000 - Your Company Name) Hidden
RogueKiller version 12.10.1.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.10.1.0 - Adlice Software)
Sage Message Center (x32 Version: 2.00.0000 - Sage Software Inc.) Hidden
Scan (x32 Version: 13.0.0.0 - Hewlett-Packard) Hidden
Seagate File Recovery for Windows 2.0 (HKLM-x32\...\Seagate File Recovery for WindowsNSIS) (Version: 2.0.18656 - Seagate)
SeaTools for Windows 1.4.0.4 (HKLM-x32\...\SeaTools for Windows) (Version: 1.4.0.4 - Seagate Technology)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Skype™ 7.29 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.29.102 - Skype Technologies S.A.)
SmartWebPrinting (x32 Version: 130.0.457.000 - Hewlett-Packard) Hidden
Smilebox (HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\Smilebox) (Version: 1.1.1.1 - Smilebox, Inc.)
SolutionCenter (x32 Version: 130.0.373.000 - Hewlett-Packard) Hidden
SplitCam (HKLM-x32\...\SplitCam) (Version: 7.5.3.2 - SplitCam Co)
Stashimi Stub Installer (x32 Version: 18.001.1 - Nero AG) Hidden
Status (x32 Version: 130.0.469.000 - Hewlett-Packard) Hidden
StreamTorrent 1.0 (HKLM-x32\...\StreamTorrent 1.0) (Version:  - )
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.6.1006 - SUPERAntiSpyware.com)
SupportUtility (x32 Version: 19.00.0000 - UPS) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
System (x32 Version: 19.00.0000 - UPS) Hidden
ThumbsPlus (HKLM-x32\...\ThumbsPlus) (Version:  - Cerious Software Inc.)
ThumbsPlus (x32 Version: 8.1.0.3537 - Cerious Software Inc.) Hidden
Times Reader (HKLM-x32\...\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1) (Version: 2.055 - The New York Times Company)
Times Reader (x32 Version: 2.055 - The New York Times Company) Hidden
Toolbox (x32 Version: 130.0.648.000 - Hewlett-Packard) Hidden
Torchlight (x32 Version: 2.2.0.97 - WildTangent) Hidden
TrayApp (x32 Version: 130.0.422.000 - Hewlett-Packard) Hidden
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.5.1 - Tweaking.com)
UnifiedPrinting (x32 Version: 19.00.0000 - UPS) Hidden
UnloadSupport (x32 Version: 11.0.0 - Hewlett-Packard) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
UPS WorldShip (HKLM-x32\...\UPS WorldShip) (Version: 19.0 - UPS)
UPSDB (x32 Version: 19.00.0000 - UPS) Hidden
UPSICC (x32 Version: 19.00.0000 - UPS) Hidden
UPSlinkHTTP (x32 Version: 19.00.0000 - UPS) Hidden
UPSVC2008MM (x32 Version: 1.00.0000 - UPS) Hidden
UPSVC2013MM (x32 Version: 19.00.0000 - Your Company Name) Hidden
UPSVCMM (x32 Version: 12.00.0000 - UPS) Hidden
ViewNX 2 (HKLM\...\{635BE602-BB9C-4C59-8CC5-93F9366E8A21}) (Version: 2.9.0 - Nikon)
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
Web Easy Professional (HKLM-x32\...\{B651BFCB-C9F3-489C-A2A7-764A12E2C79B}) (Version: 10.1 - Avanquest)
WebHelp (HKLM-x32\...\{8C5BD501-AD5D-4A75-9321-076509B438FC}) (Version: 19.00.0000 - UPS)
WebReg (x32 Version: 130.0.132.017 - Hewlett-Packard) Hidden
Welcome Center (HKLM-x32\...\Acer Welcome Center) (Version: 1.02.3502 - Acer Incorporated)
WildTangent Games App (Acer Games) (x32 Version: 4.0.5.14 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinRAR 4.00 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.00.0 - win.rar GmbH)
WinX Free FLV to AVI Converter 4.1.10 (HKLM-x32\...\WinX Free FLV to AVI Converter_is1) (Version:  - Digiarty Software,Inc.)
WinZip 14.5 (HKLM-x32\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240BD}) (Version: 14.5.9095 - WinZip Computing, S.L. )
Wondershare Photo Collage Studio 4.2.12.13 (HKLM-x32\...\Wondershare Photo Collage Studio_is1) (Version: 4.2.12.13 - Wondershare Software Co.,Ltd.)
Wondershare Video Editor(Build 4.6.0) (HKLM-x32\...\Wondershare Video Editor_is1) (Version:  - Wondershare Software)
WorldShip (x32 Version: 19.00.0000 - UPS) Hidden
WSShared (x32 Version: 19.00.0000 - UPS) Hidden
XnConvert 1.73 (HKLM\...\XnConvert_is1) (Version: 1.73 - Gougelet Pierre-e)
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version:  - Yahoo! Inc.)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.72.0.176 - Zemana Ltd.)
Zuma's Revenge (x32 Version: 2.2.0.97 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2364491048-255812346-798213191-1001_Classes\CLSID\{8AE44FFE-BF0D-085D-33DC-93B2E248BF89}\InprocServer32 -> C:\Windows\system32\ole32.dll (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {16DAEEF1-75E7-4967-A0AB-639073B50045} - System32\Tasks\GoogleUpdateTaskMachineCore1cfff9880ae2cc6 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {23177269-9013-451C-8386-C179F89D9EF2} - System32\Tasks\clear.fi => C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fi.exe [2011-05-20] (Acer Incorporated)
Task: {4C49873D-9FA8-44D9-9FD3-69F404A3DB13} - System32\Tasks\Adobe ARM => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {4E052D3B-423D-4CE5-9A57-2C9CA78EF7FD} - System32\Tasks\{1390CD58-C961-4F8A-9697-BC0F2EA7DE28} => pcalua.exe -a "C:\Users\Thomas\Documents\Software Programs\NetObjects-10\NetObjectsFusion.exe" -d "C:\Users\Thomas\Documents\Software Programs\NetObjects-10"
Task: {5D52F708-8AF4-459C-87F8-2CA301D37B70} - System32\Tasks\{1FAB6466-7362-44E4-994A-ED0ECC8289FF} => pcalua.exe -a "C:\Users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\THMJSELL\NOF-Essentials.exe" -d C:\Users\Thomas\Desktop
Task: {67EFCEAA-3903-4A4D-B5AD-7373C6C4BDF8} - System32\Tasks\clear.fiAgent => C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe [2011-05-20] (CyberLink Corp.)
Task: {685739C3-A826-4DFD-9404-807244F788BB} - System32\Tasks\Hitman Pro 3.5 Boot Task => C:\Program Files\Hitman Pro 3.5\HitmanPro35_x64.exe [2011-12-14] (SurfRight B.V.)
Task: {6F64FB0E-FDD2-47D6-8BC4-ED656B932489} - System32\Tasks\{2666C777-E13A-4E21-A384-401634CFE18B} => pcalua.exe -a C:\Windows\IsUninst.exe -c -f"C:\Program Files (x86)\NetObjects\NetObjects Fusion Essentials\Uninst.isu" -c"C:\Program Files (x86)\NetObjects\NetObjects Fusion Essentials\uninst.dll"
Task: {723BB62B-9A9A-4863-A61B-663D2EE58991} - System32\Tasks\{7EC91944-1AE2-4040-A2D5-A5C2808F1330} => pcalua.exe -a E:\Setup.exe -d E:\
Task: {74670948-AC2F-402F-994D-9F6CBC2AA903} - System32\Tasks\DMREngine => C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe [2011-05-20] (CyberLink)
Task: {8B0DEE79-BA34-4030-8278-D24541977994} - System32\Tasks\{2344072B-ABA6-4FD7-883D-7937D39C1457} => pcalua.exe -a C:\UPS\WSTD\FOSS\Drivers\Eltron\Setup.exe -d C:\UPS\WSTD\FOSS\Drivers\Eltron
Task: {A9846488-A41D-4418-B486-6D294D30EC95} - System32\Tasks\GoogleUpdateTaskMachineUA1cf6a74d539a8c8 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {C2BB3B62-DF0B-48AB-A762-92DD0030BE9B} - System32\Tasks\GoogleUpdateTaskMachineCore1cf4a65f48969b0 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-29] (Google Inc.)
Task: {C41F54D2-3C66-4BDB-A255-34304978D1AB} - System32\Tasks\Adobe Flash Player PPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_25_0_0_127_pepper.exe [2017-03-18] (Adobe Systems Incorporated)
Task: {D4CAA19A-0D42-46EB-8D2F-EAE5E9F02170} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {D529A07A-6B47-4D71-A819-348965BCAF8F} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-07-23] (Piriform Ltd)
Task: {DDDA45C2-04B6-42BC-A39A-CA370EDDF848} - System32\Tasks\Adobe Reader Speed Launcher => C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe
Task: {F362E5F4-6301-4F1F-8282-95E4892457E2} - System32\Tasks\Nero\Nero Info => C:\Program Files (x86)\Common Files\Nero\Nero Info\NeroInfo.exe [2015-06-04] (Nero AG)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4a65f48969b0.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2017-03-26 12:13 - 2017-03-26 12:13 - 00833024 ____N () C:\windows\system32\tprdpw32.exe
2015-11-20 15:57 - 2015-11-20 15:57 - 00085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-11-20 15:57 - 2015-11-20 15:57 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2012-08-05 20:37 - 2011-03-02 12:40 - 00164864 _____ () C:\Program Files\WinRAR\rarext.dll
2013-09-14 20:13 - 2013-03-25 10:57 - 00721917 _____ () C:\Windows\SysWOW64\AiCM64.dll
2017-03-26 19:30 - 2017-03-26 19:30 - 00154480 _____ () C:\Program Files (x86)\Zemana AntiMalware\ZAMShellExt64.dll
2011-05-20 15:13 - 2011-05-20 15:13 - 00091432 _____ () C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DeviceStage.exe
2011-05-20 15:13 - 2011-05-20 15:13 - 00206216 _____ () C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\CLNetMediaDMA.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Thomas\Downloads\Kristin.mp3:TOC.WMV [130]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\GoToAssist => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-2364491048-255812346-798213191-1001\Software\Classes\.exe: exefile =>  <===== ATTENTION
HKU\S-1-5-21-2364491048-255812346-798213191-1001\Software\Classes\.scr: scrfile =>  <===== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-2364491048-255812346-798213191-1001\...\paypal.com -> hxxps://www.paypal.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-01-23 20:50 - 2017-03-26 20:56 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2364491048-255812346-798213191-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Thomas\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.254.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: !SASCORE => 2
MSCONFIG\Services: GamesAppService => 3
MSCONFIG\Services: IAStorDataMgrSvc => 2
MSCONFIG\Services: IDriverT => 3
MSCONFIG\Services: KSS => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: MSK80Service => 2
MSCONFIG\Services: NAUpdate => 2
MSCONFIG\Services: NOBU => 2
MSCONFIG\Services: SpyHunter 4 Service => 2
MSCONFIG\Services: UNS => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^NkvMon.exe.lnk => C:\Windows\pss\NkvMon.exe.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^UPS WorldShip Messaging Utility.lnk => C:\Windows\pss\UPS WorldShip Messaging Utility.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^UPS WorldShip PLD Reminder Utility.lnk => C:\Windows\pss\UPS WorldShip PLD Reminder Utility.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Thomas^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: Aimersoft Helper Compact.exe => C:\Program Files (x86)\Common Files\Aimersoft\Aimersoft Helper Compact\ASHelper.exe
MSCONFIG\startupreg: Bonus.SSR.FR11 => "C:\Program Files (x86)\ABBYY FineReader 11\Bonus.ScreenshotReader.exe" /autorun
MSCONFIG\startupreg: Bonus.SSR.FR12 => "C:\Program Files (x86)\ABBYY FineReader 12\Bonus.ScreenshotReader.exe" /autorun
MSCONFIG\startupreg: BrowserPlugInHelper => C:\Program Files (x86)\Aimersoft\Video Converter Ultimate\BrowserPlugInHelper.exe
MSCONFIG\startupreg: GoogleDriveSync => "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
MSCONFIG\startupreg: Hotkey Utility => C:\Program Files (x86)\Acer\Hotkey Utility\HotkeyUtility.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: KSS => "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe" /autorun
MSCONFIG\startupreg: mcpltui_exe => "C:\Program Files\Common~1\McAfee\Platform\mcuicnt.exe" /platui /runkey
MSCONFIG\startupreg: mcui_exe => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
MSCONFIG\startupreg: MSC => "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
MSCONFIG\startupreg: NA1Messenger => C:\UPS\WSTD\UPSNA1Msgr.exe
MSCONFIG\startupreg: Nikon Message Center 2 => C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
MSCONFIG\startupreg: Norton Online Backup => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
MSCONFIG\startupreg: PeachtreePrefetcher.exe => "C:\PROGRA~2\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
MSCONFIG\startupreg: SmileboxTray => "C:\Users\Thomas\AppData\Roaming\Smilebox\SmileboxTray.exe"
MSCONFIG\startupreg: uTorrent => "C:\Users\Thomas\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
MSCONFIG\startupreg: Wondershare Helper Compact.exe => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
MSCONFIG\startupreg: WSUpdater => C:\UPS\WSTD\CF\WorldShipCF.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{45C8A10F-2FF6-4D87-9665-A22AA70DAFBE}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{5A6E31E7-15DB-46D0-A20F-83457C526220}] => (Allow) C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fi.exe
FirewallRules: [{7AC4E3B6-169A-48D9-B967-70426B56DA30}] => (Allow) C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
FirewallRules: [{1E6E2D4E-065E-4520-9DC6-6F991CCA8F9A}] => (Allow) C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\CLML\CLMLSvc.exe
FirewallRules: [{366BAA21-74FF-447B-A5B0-0312692B5248}] => (Allow) C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DMREngine.exe
FirewallRules: [{C7C78C39-A8FC-450B-B43C-6BCCBCD1E393}] => (Allow) C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DMREngine.exe
FirewallRules: [{65105041-EB2C-431D-A588-EAA1687AF13B}] => (Block) C:\Program Files (x86)\Acer\clear.fi\MVP\Kernel\DMR\DMREngine.exe
FirewallRules: [{6DF34829-2052-411A-A409-DCF8515CB7E6}] => (Allow) C:\Program Files (x86)\Acer\clear.fi\Movie\TouchMovie.exe
FirewallRules: [{E49C7DC5-2AA2-4A92-BA1C-860F80B776D3}] => (Allow) C:\Program Files (x86)\Acer\clear.fi\Movie\TouchMovieService.exe
FirewallRules: [{FD1EA280-CACF-4175-8956-ED5A7B499485}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
FirewallRules: [{B4E2B11A-34CC-4826-980A-F157FB9C9EBF}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
FirewallRules: [{B88A86A5-2E99-4AAE-AB1C-872773AA7CB0}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hposid01.exe
FirewallRules: [{D189DE28-0637-49E9-8808-9F48A29FFB84}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{FE67D766-DB21-4300-B80D-73EBF3F6F511}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{1778FE0A-21FD-4A3C-9DF4-CC84403D2B76}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpoews01.exe
FirewallRules: [{599E24F9-7BAB-4775-8D32-30556677CE6A}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{27BB0359-BE57-4044-AB4D-5DF6E43E0242}] => (Allow) C:\Program Files (x86)\common files\hp\digital imaging\bin\hpqphotocrm.exe
FirewallRules: [{FB7511B2-9303-43E6-B280-9040098AA7A9}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqsudi.exe
FirewallRules: [{E6B43D01-A3E8-4DD5-A090-065E48BC3585}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqpsapp.exe
FirewallRules: [{BEBE3EA8-5B9D-41AB-B074-7D3DDE7431A7}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqpse.exe
FirewallRules: [{17DCEE9C-6EB0-4DC3-9D3D-542916B1FD28}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgplgtupl.exe
FirewallRules: [{8FCFEBB4-6277-4089-A4EB-521F4F658940}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
FirewallRules: [{5AF32E7F-B313-4DFF-B331-5FC01A08425C}] => (Allow) C:\Program Files (x86)\HP\hp software update\hpwucli.exe
FirewallRules: [{82E35F61-DFE4-4F6C-8B70-3148250200D8}] => (Allow) C:\Program Files (x86)\HP\digital imaging\smart web printing\smartwebprintexe.exe
FirewallRules: [{B47E290C-5BA9-4FA9-95E9-096114153501}] => (Allow) LPort=1583
FirewallRules: [{AD894820-7BE5-42E4-A900-4FEE755FB2A2}] => (Allow) LPort=3351
FirewallRules: [{0B6E2700-DBB1-4EEB-9BA4-BBAA97B541C7}] => (Allow) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
FirewallRules: [{52FB2E7C-C939-47C8-B866-8F708B98A8F1}] => (Allow) C:\Program Files (x86)\Pervasive Software\PSQL\bin\w3dbsmgr.exe
FirewallRules: [{D39BCF72-91E1-4BD9-A04E-8C0C4D93D335}] => (Allow) C:\Program Files (x86)\uTorrent\uTorrent.exe
FirewallRules: [{293BB0BE-8B5D-41AC-B233-BE830533AE81}] => (Allow) C:\Program Files (x86)\uTorrent\uTorrent.exe
FirewallRules: [{87431AE6-8CA2-4656-B068-74467066863F}] => (Allow) C:\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe
FirewallRules: [{5E6362D6-5FA8-4841-80E6-687C6BA6032D}] => (Allow) C:\UPS\WSTD\MSSQL.1\MSSQL\Binn\sqlservr.exe
FirewallRules: [{17CF3A75-C8A4-4791-8B6E-6DE1759CE312}] => (Allow) LPort=1434
FirewallRules: [{2D2BCF6A-1BD7-4E59-9133-3F7D009AD963}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{AEFCA8D9-F3F1-4F98-9372-3651BD85D00B}] => (Allow) C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
FirewallRules: [{5C4A0B7F-B5F2-4C7B-8542-08D570395B76}] => (Allow) C:\Users\Thomas\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{3D592120-01B1-4E2D-9A9B-DAC2E8DC99C0}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{55DF9532-74EA-4F31-AD6B-510DA628093D}] => (Allow) LPort=2869
FirewallRules: [{590C98E9-8822-466C-98B1-BAAEB4F71B06}] => (Allow) LPort=1900
FirewallRules: [{0D1A9D6D-9F5E-4105-BC28-022FBF659872}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{C20FEF1C-B44F-4550-8087-A513B61FBB11}] => (Allow) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
FirewallRules: [{38AF9D53-9A1F-4E97-B02B-BC2A8F36DC81}] => (Allow) C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
FirewallRules: [{B1B345D7-055D-42FF-B5AE-D37CB1DD63E2}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{C633F96C-705D-43E6-9F7C-B03F1E8BDCB6}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{67E4D9F7-4DD8-4A6E-B0BF-045D41A88C11}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{DA1752BB-7B99-4039-B470-E7FADB567F7A}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeCam.exe
FirewallRules: [{AE419300-E45A-44E8-8CD4-34BC4282CB2E}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{571321D2-9FDC-4219-8290-2D1496EC6CDE}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeEnC2.exe
FirewallRules: [{E88C24E9-5795-4C46-9A4D-A59E41346B27}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{785509E7-0966-49A9-B375-8AFBF2248235}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe
FirewallRules: [{B809CFE2-8646-445B-91C0-3AB7AF0F4F9F}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{48C14C6A-6AF0-4B77-8D04-01CB24570FCC}] => (Allow) C:\Program Files (x86)\Microsoft LifeCam\LifeTray.exe
FirewallRules: [{F466404D-F4B7-43BC-BE29-7F6D9E579340}] => (Allow) C:\Users\Thomas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D8DA4B46-4C86-413F-AE6C-FB0075C31146}] => (Allow) C:\Users\Thomas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{6FEC0336-AF8C-4BCA-9305-3823AA5F81D6}] => (Allow) C:\Users\Thomas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{4AFB8BA6-8B1C-445F-ACD4-72B0764EFAB4}] => (Allow) C:\Users\Thomas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BD562C63-0906-4A40-8E14-9F77EB8C1695}] => (Allow) C:\Users\Thomas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{C0B69772-23A2-4209-8C9C-547642F4AB2F}] => (Allow) C:\Users\Thomas\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{47496406-FABC-4D17-9F72-3391033C7D00}C:\program files (x86)\pervasive software\psql\bin\w3dbsmgr.exe] => (Block) C:\program files (x86)\pervasive software\psql\bin\w3dbsmgr.exe
FirewallRules: [UDP Query User{94D63014-325E-4A2E-99C0-BFA5DBAAF377}C:\program files (x86)\pervasive software\psql\bin\w3dbsmgr.exe] => (Block) C:\program files (x86)\pervasive software\psql\bin\w3dbsmgr.exe
FirewallRules: [{B36EBC99-CF4F-4468-B9F3-6481CAFA0800}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{6DA7E325-DB82-4D35-A13E-C6EC0531B70B}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{183AC061-1226-4819-A26C-354CFEAC87E1}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{DA7021D9-8A87-4B3E-9C27-794E2A343A15}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{18FC8F30-6C60-4D0F-BD86-B61C4B646CC6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{114A5DB6-5A6D-4A0F-8439-48E0E752A758}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{EE9BBE7A-3CA8-493A-9CD9-C5A40BBB0075}] => (Allow) C:\Program Files (x86)\Nero\Nero 2016\Nero Burning ROM\StartNBR.exe
FirewallRules: [{227A64CB-5D9D-4F53-9E14-E2219B21B57F}] => (Allow) C:\Program Files (x86)\Nero\KM\NMDllHost.exe
FirewallRules: [{442CD5BD-7417-46A0-B9A9-C53B7373B572}] => (Allow) C:\Program Files (x86)\Nero\Nero 2016\Nero Burning ROM\nero.exe
FirewallRules: [{5C590FFE-4D6E-4415-B9A1-A217CF204CBE}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{1DAEA779-2A80-418E-AC16-33B909C593CC}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{40F9D36A-B07E-414D-9F49-BBA4B215175D}C:\program files (x86)\mozilla firefox\firefox.exe] => (Block) C:\program files (x86)\mozilla firefox\firefox.exe

==================== Restore Points =========================

26-03-2017 12:12:08 Installed WeatherBuddy
27-03-2017 03:02:43 Manual Restore

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/28/2017 01:30:50 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/28/2017 01:25:14 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program FRST64.exe version 15.3.2017.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 14d8

Start Time: 01d2a7e79aa6328d

Termination Time: 2

Application Path: C:\Users\Thomas\Documents\Software Programs\Farbar Recovery Tool\FRST64.exe

Report Id:

Error: (03/28/2017 11:00:55 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Thomas\Downloads\esetsmartinstaller_enu (1).exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (03/28/2017 08:51:36 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/28/2017 02:55:53 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Users\Thomas\Downloads\esetsmartinstaller_enu.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.manifest.

Error: (03/28/2017 01:07:55 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.18500 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 17a8

Start Time: 01d2a780e3bce791

Termination Time: 0

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id: 6c7c98d7-1374-11e7-bc64-3860773e2656

Error: (03/28/2017 01:03:12 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/27/2017 08:33:56 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (03/27/2017 05:02:01 PM) (Source: ESENT) (EventID: 454) (User: )
Description: wuaueng.dll (4328) SUS20ClientDataStore: Database recovery/restore failed with unexpected error -1216.

Error: (03/27/2017 05:02:01 PM) (Source: ESENT) (EventID: 494) (User: )
Description: wuaueng.dll (4328) SUS20ClientDataStore: Database recovery failed with error -1216 because it encountered references to a database, 'C:\Windows\SoftwareDistribution\DataStore\DataStore.edb', which is no longer present. The database was not brought to a Clean Shutdown state before it was removed (or possibly moved or renamed). The database engine will not permit recovery to complete for this instance until the missing database is re-instated. If the database is truly no longer available and no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the "more information" link at the bottom of this message.


System errors:
=============
Error: (03/28/2017 01:35:45 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (03/28/2017 01:32:58 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/28/2017 01:29:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMService service failed to start due to the following error:
The requested resource is in use.

Error: (03/28/2017 01:29:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Dataup Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/28/2017 08:56:22 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (03/28/2017 08:53:33 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Management Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/28/2017 08:50:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The MBAMService service failed to start due to the following error:
The requested resource is in use.

Error: (03/28/2017 08:50:27 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Dataup Service service failed to start due to the following error:
The system cannot find the file specified.

Error: (03/28/2017 02:56:16 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: Unable to start a DCOM Server: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}. The error:
"170"
Happened while starting this command:
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (03/28/2017 01:07:15 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.


CodeIntegrity:
===================================
  Date: 2016-05-20 15:06:01.318
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-20 15:06:01.256
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-20 15:06:01.209
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-05-20 15:06:01.147
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i7-2600 CPU @ 3.40GHz
Percentage of memory in use: 36%
Total physical RAM: 8172.25 MB
Available physical RAM: 5191.78 MB
Total Virtual: 16342.68 MB
Available Virtual: 12886.45 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:923.45 GB) (Free:22.91 GB) NTFS
Drive d: (DATA) (Fixed) (Total:923.47 GB) (Free:923.05 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: C23FF5DB)
Partition 1: (Not Active) - (Size=16 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=923.5 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=923.5 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


  • 0

#7
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Open Process Explorer again.  Click on Process column header then find tprdpw32.exe and right click on it and SUSPEND.  
 
Download the attached fixlist.txt
 
and save it to the same location where FRST is.  (C:\Users\Thomas\Documents\Software Programs\Farbar)
 
Run FRST again and hit FIX. You will get a fixlog.txt. Please post it, but before you copy it go in to Format (in Notepad) and uncheck Word Wrap.
 
Reboot and run another FRST scan and Process Explorer log.

  • 0

#8
playwiffme

playwiffme

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts

Re: Click on Process column header then find tprdpw32.exe and right click on it and SUSPEND

 

CANNOT Suspend - says "access is denied"


  • 0

#9
playwiffme

playwiffme

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts

Therefore I DID NOT proceed to Fixlist because I felt you needed this taken care of first....


  • 0

#10
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

tprdpw32.exe is protecting the infection but go ahead and run the fixlist anyway.  Let's see what happens.


  • 0


#11
playwiffme

playwiffme

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts

UPDATE!!!

 

I've been continuing to run Zemana AntiMalware and HitManPro as both programs continue to find bits and pieces of this malware/virus.

 

Just after my last message to you, HitManPro finished another round and discovered and quarantined "tprdpw32.exe"

 

Of course HitManPro forced me to reboot, which I did and had a couple of heart stopping moments - The computer went through 3 rounds of partial reboots, while showing TWICE the dreaded blue screen with white written scripts (texts) for about 2 seconds before going back into reboot mode. It went too fast for me to read what the warning message was but thankfully on the third partial reboot I was taken into Windows.

When finally reaching Windows, something new - only MY NAME was present to select - the "other user" was no longer there. There really shouldn't be any name when booting into Windows (I don't believe) as I've never had to make this selection previously.

 

So all that being said and so I don't disrupt YOUR train of work/thought, what would you like me to do now since that tprdpw32.exe is gone?


  • 0

#12
playwiffme

playwiffme

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts

Process Explorer has verified that tprdpw32.exe is no longer present...


  • 0

#13
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP

Have you done the Fixlist yet?  If not do it now that the protector is off.

 

Then run FRST, check Addition.txt, hit SCAN and post both.


  • 0

#14
playwiffme

playwiffme

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts

FixLog - NotePad -

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Thomas (28-03-2017 16:34:43) Run:1
Running from C:\Users\Thomas\Documents\Software Programs\Farbar Recovery Tool - 1
Loaded Profiles: Thomas (Available Profiles: Thomas)
Boot Mode: Normal
==============================================

fixlist content:
*****************
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [76576 2017-03-26] () [File not signed] <==== ATTENTION
S2 Dataup; C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe[X] <==== ATTENTION
S4 SpyHunter 4 Service; C:\PROGRA~2\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE [X]
S2 windowsmanagementservice; "C:\Users\Thomas\AppData\Local\microlabs\ct.exe" /svc [X] <==== ATTENTION
2017-03-26 14:40 - 2017-03-26 14:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScissors
2017-03-26 14:40 - 2017-03-26 14:40 - 00000000 ____D C:\Program Files\PhotoScissors
2017-03-26 14:37 - 2017-03-26 14:38 - 00570549 _____ C:\Users\Thomas\Downloads\Teorex_MultiKG_v0.2_CRD.7z
2017-03-26 14:09 - 2017-03-26 14:09 - 09927190 _____ (teorex ) C:\Users\Thomas\Downloads\PhotoScissorsSetup.exe
2017-03-26 12:34 - 2017-03-26 12:34 - 10351487 _____ C:\Users\Thomas\Downloads\Teorex_PhotoScissors_3.rar
2017-03-26 12:13 - 2017-03-27 14:51 - 00000000 ____D C:\Users\Thomas\AppData\Local\ntuserlitelist
2017-03-26 12:13 - 2017-03-27 14:23 - 00000000 ____D C:\Users\Thomas\AppData\Local\microlabs
2017-03-26 12:13 - 2017-03-26 12:13 - 00833024 ____N C:\Windows\system32\tprdpw32.exe
2017-03-26 12:13 - 2017-03-26 12:13 - 00076576 ____N C:\Windows\system32\Drivers\ndistpr64.sys
2017-03-26 12:11 - 2017-03-26 12:11 - 00000000 ____D C:\Users\Thomas\.proxycheck
2017-03-26 12:05 - 2017-03-26 12:06 - 00359669 _____ C:\Users\Thomas\Downloads\Teorex+PhotoScissors+30+Setup_zip.zip
2017-03-26 11:43 - 2017-03-26 11:43 - 00033776 _____ C:\Users\Thomas\Downloads\Teorex Photoscissors v3.torrent
2017-03-26 10:43 - 2017-03-26 10:43 - 00000000 ____D C:\Program Files(x86)\Teorex
2017-03-26 10:41 - 2017-03-26 10:42 - 23845261 _____ C:\Users\Thomas\Downloads\Teorex_PhotoScissors_3.0.rar
2017-03-27 10:14 - 2016-09-09 14:23 - 1732864 _____ (Microsoft Corporation) C:\Users\Thomas\AppData\Local\Temp\dllnt_dump.dll
Task: {5D52F708-8AF4-459C-87F8-2CA301D37B70} - System32\Tasks\{1FAB6466-7362-44E4-994A-ED0ECC8289FF} => pcalua.exe -a "C:\Users\Thomas\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\THMJSELL\NOF-Essentials.exe" -d C:\Users\Thomas\Desktop
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4a65f48969b0.job=> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
2017-03-26 12:13 - 2017-03-26 12:13 - 00833024 ____N () C:\windows\system32\tprdpw32.exe
unlock: C:\windows\system32\tprdpw32.exe
unlock: C:\Users\Thomas\AppData\Local\microlabs\ct.exe
unlock: C:\Windows\system32\Drivers\ndistpr64.sys
unlock: C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe
C:\windows\system32\tprdpw32.exe
mkdir C:\Windows\system32\tprdpw32.exe
C:\Users\Thomas\AppData\Local\microlabs\ct.exe
mkdir C:\Users\Thomas\AppData\Local\microlabs\ct.exe
C:\Windows\system32\Drivers\ndistpr64.sys
mkdir C:\Windows\system32\Drivers\ndistpr64.sys
C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe
mkdir: C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
*****************

drmkpro64 => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\SpyHunter 4 Service => key removed successfully
SpyHunter 4 Service => service removed successfully
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PhotoScissors => moved successfully
C:\Program Files\PhotoScissors => moved successfully
C:\Users\Thomas\Downloads\Teorex_MultiKG_v0.2_CRD.7z => moved successfully
C:\Users\Thomas\Downloads\PhotoScissorsSetup.exe => moved successfully
C:\Users\Thomas\Downloads\Teorex_PhotoScissors_3.rar => moved successfully
C:\Users\Thomas\AppData\Local\ntuserlitelist => moved successfully
C:\Users\Thomas\AppData\Local\microlabs => moved successfully
Could not move "C:\Windows\system32\tprdpw32.exe" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\Drivers\ndistpr64.sys" => Scheduled to move on reboot.
C:\Users\Thomas\.proxycheck => moved successfully
C:\Users\Thomas\Downloads\Teorex+PhotoScissors+30+Setup_zip.zip => moved successfully
C:\Users\Thomas\Downloads\Teorex Photoscissors v3.torrent => moved successfully
"C:\Program Files(x86)\Teorex" => not found.
C:\Users\Thomas\Downloads\Teorex_PhotoScissors_3.0.rar => moved successfully
C:\Users\Thomas\AppData\Local\Temp\dllnt_dump.dll => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5D52F708-8AF4-459C-87F8-2CA301D37B70} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5D52F708-8AF4-459C-87F8-2CA301D37B70} => key removed successfully
C:\Windows\System32\Tasks\{1FAB6466-7362-44E4-994A-ED0ECC8289FF} => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1FAB6466-7362-44E4-994A-ED0ECC8289FF} => key removed successfully
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf4a65f48969b0.job=> C:\Program Files (x86)\Google\Update\GoogleUpdate.exe => not found.
Could not move "C:\windows\system32\tprdpw32.exe" => Scheduled to move on reboot.
"C:\windows\system32\tprdpw32.exe" => could not be unlocked
"C:\Users\Thomas\AppData\Local\microlabs\ct.exe" => not found.
"C:\Windows\system32\Drivers\ndistpr64.sys" => could not be unlocked
"C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe" => not found.
Could not move "C:\windows\system32\tprdpw32.exe" => Scheduled to move on reboot.
mkdir C:\Windows\system32\tprdpw32.exe => Error: No automatic fix found for this entry.
"C:\Users\Thomas\AppData\Local\microlabs\ct.exe" => not found.
mkdir C:\Users\Thomas\AppData\Local\microlabs\ct.exe => Error: No automatic fix found for this entry.
Could not move "C:\Windows\system32\Drivers\ndistpr64.sys" => Scheduled to move on reboot.
mkdir C:\Windows\system32\Drivers\ndistpr64.sys => Error: No automatic fix found for this entry.
"C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe" => not found.
mkdir: C:\Users\Thomas\AppData\Local\NTUSER~1\dataup\dataup.exe => Error: No automatic fix found for this entry.

========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========


========= End of CMD: =========


Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 28-03-2017 16:41:25)

"C:\Windows\system32\tprdpw32.exe" => Could not move
"C:\Windows\system32\Drivers\ndistpr64.sys" => Could not move
"C:\windows\system32\tprdpw32.exe" => Could not move
"C:\windows\system32\tprdpw32.exe" => Could not move
"C:\Windows\system32\Drivers\ndistpr64.sys" => Could not move

Result of scheduled keys to remove after reboot:

HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\Dataup => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\windowsmanagementservice => key could not remove, key could be protected

==== End of Fixlog 16:41:25 ====


  • 0
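
The Fixlog above is the kind of output a helper has to read line by line: the fix stopped the drmkpro64 service, but the service keys came back "could be protected", the two files in system32 could not be unlocked or moved even after the reboot, and the `mkdir` lines were not valid FRST directives at all. As an added example (Python, not code from the thread or from FRST), the script below reads a Fixlog, sorts every "target => outcome" result line into a few categories, and lists what the fix did not actually remove; the sample log is a condensed excerpt modelled on the one posted above. The category names and the tokens used to recognise outcomes are assumptions based on the wording visible in that log.

```python
"""Summarise an FRST Fixlog.txt: what was removed, what was only scheduled
for reboot, and what the fix could not touch at all.

Added example, not code from the thread or from FRST. It relies only on the
"target => outcome" shape of the result lines visible in the Fixlog above.
"""
from collections import defaultdict

# Condensed excerpt modelled on the Fixlog posted above (constructed sample:
# a few lines of the fixlist echo and of the result section).
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Thomas (28-03-2017 16:34:43) Run:1
==============================================

fixlist content:
*****************
R0 drmkpro64; C:\Windows\System32\drivers\ndistpr64.sys [76576 2017-03-26] () [File not signed] <==== ATTENTION
C:\windows\system32\tprdpw32.exe
*****************

drmkpro64 => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\drmkpro64 => key could not remove, key could be protected
HKLM\System\CurrentControlSet\Services\SpyHunter 4 Service => key removed successfully
C:\Users\Thomas\AppData\Local\microlabs => moved successfully
Could not move "C:\Windows\system32\tprdpw32.exe" => Scheduled to move on reboot.
"C:\windows\system32\tprdpw32.exe" => could not be unlocked
"C:\Users\Thomas\AppData\Local\microlabs\ct.exe" => not found.
mkdir C:\Windows\system32\tprdpw32.exe => Error: No automatic fix found for this entry.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 28-03-2017 16:41:25)

"C:\Windows\system32\tprdpw32.exe" => Could not move

==== End of Fixlog 16:41:25 ====
"""

# Registry prefix under which FRST reports service keys (lower-cased for matching).
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"


def classify(outcome):
    """Map FRST's free-text outcome to a small set of categories (assumed tokens)."""
    o = outcome.lower()
    if "successfully" in o:
        return "success"
    if "scheduled to move on reboot" in o:
        return "scheduled"      # nothing has happened yet; check the post-reboot section
    if "not found" in o:
        return "not_found"
    if "no automatic fix" in o:
        return "unrecognised"   # a directive FRST did not understand (the mkdir lines)
    if "could not" in o or "could be protected" in o:
        return "failed"
    return "other"


def normalise_target(target):
    """Strip the 'Could not move' prefix and the quotes FRST adds around paths."""
    target = target.strip()
    if target.lower().startswith("could not move "):
        target = target[len("could not move "):]
    return target.strip().strip('"')


def parse_fixlog(text):
    """Return {category: [target, ...]} for every result line in a Fixlog."""
    results = defaultdict(list)
    in_fixlist = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*****"):
            in_fixlist = not in_fixlist      # the fixlist echo is bracketed by ***** lines
            continue
        if in_fixlist or not line:
            continue
        target, sep, outcome = line.rpartition("=>")
        if not sep:
            continue                          # headers and separators carry no '=>'
        results[classify(outcome)].append(normalise_target(target))
    return dict(results)


def protected_service_keys(results):
    """Service names whose registry key the fix could not remove; such a
    service is still registered and will be started again on the next boot."""
    names = []
    for target in results.get("failed", []):
        if target.lower().startswith(SERVICES_KEY):
            names.append(target[len(SERVICES_KEY):])
    return names


def unresolved(results):
    """Targets the fix did not actually remove (failed or merely scheduled),
    deduplicated case-insensitively because Windows paths are."""
    seen = {}
    for category in ("failed", "scheduled"):
        for target in results.get(category, []):
            seen.setdefault(target.lower(), target)
    return sorted(seen.values())


if __name__ == "__main__":
    res = parse_fixlog(SAMPLE_FIXLOG)
    for category, targets in res.items():
        print(f"{category}: {len(targets)}")
    print("protected service keys:", protected_service_keys(res))
    print("still present after the fix:")
    for t in unresolved(res):
        print("  ", t)
```

Run against the full Fixlog.txt (read the file and pass its text to `parse_fixlog`) the `unresolved` list is the set of items that still need attention before the next scan, and `protected_service_keys` names the services that will come back on reboot because their registry keys survived.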

#15
playwiffme

playwiffme

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts

When the computer rebooted from the fixlog this is the message received when windows opened...

 

Windows has recovered from an unexpected shutdown...

Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.1.7601.2.1.0.768.3
  Locale ID:    1033

Additional information about the problem:
  BCCode:    1000007e
  BCP1:    FFFFFFFFC0000005
  BCP2:    FFFFF88000E12130
  BCP3:    FFFFF880037BD5E8
  BCP4:    FFFFF880037BCE40
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    768_1

Files that help describe the problem:
  C:\Windows\Minidump\032817-34398-01.dmp
  C:\Users\Thomas\AppData\Local\Temp\WER-121649-0.sysdata.xml

Read our privacy statement online:
  http://go.microsoft....88&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
  C:\Windows\system32\en-US\erofflps.txt
 


  • 0
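
The "Windows has recovered from an unexpected shutdown" dialog in the post above carries the bugcheck code and its four parameters in raw hex, which is enough to name the stop code and the exception before anyone opens the minidump. As an added example (Python, not from the thread), the script below parses that dialog text and decodes it; the sample block is copied from the report in the post, and the bugcheck and NTSTATUS names are Microsoft's documented ones. It only identifies the exception type and the address that raised it; which driver that address belongs to has to come from the listed .dmp file, and nothing here says what caused this particular crash.

```python
"""Decode the problem signature Windows 7 shows in "Windows has recovered
from an unexpected shutdown" after a blue screen.

Added example, not code from the thread. Bugcheck and NTSTATUS names are the
documented Microsoft ones; the parameter meanings are those documented for
the 0x7E / 0x8E "exception not handled" bugchecks.
"""

# Copied from the report posted above (same values, same layout).
SAMPLE_REPORT = r"""
Problem signature:
  Problem Event Name:    BlueScreen
  OS Version:    6.1.7601.2.1.0.768.3
  Locale ID:    1033

Additional information about the problem:
  BCCode:    1000007e
  BCP1:    FFFFFFFFC0000005
  BCP2:    FFFFF88000E12130
  BCP3:    FFFFF880037BD5E8
  BCP4:    FFFFF880037BCE40
  OS Version:    6_1_7601
  Service Pack:    1_0
  Product:    768_1

Files that help describe the problem:
  C:\Windows\Minidump\032817-34398-01.dmp
  C:\Users\Thomas\AppData\Local\Temp\WER-121649-0.sysdata.xml
"""

# A few common stop codes. WER reports 0x7E and 0x8E with a 0x10000000 flag
# set, and Microsoft documents those variants with an "_M" suffix.
BUGCHECKS = {
    0x0000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x0000008E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x0000007B: "INACCESSIBLE_BOOT_DEVICE",
}
VARIANT_FLAG = 0x10000000
EXCEPTION_FAMILY = (0x7E, 0x8E)

NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0x80000003: "STATUS_BREAKPOINT",
}


def parse_report(text):
    """Return the 'Key: value' fields as a dict, plus the listed files under 'files'."""
    fields, files = {}, []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                       # section header line
            in_files = line.lower().startswith("files that help")
            continue
        if in_files:                                 # bare paths, no key
            files.append(line)
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    fields["files"] = files
    return fields


def decode_bluescreen(fields):
    """Turn the raw BCCode/BCP fields into something a responder can act on."""
    code = int(fields["BCCode"], 16)
    base = code & ~VARIANT_FLAG
    params = [int(fields[f"BCP{i}"], 16) for i in range(1, 5)]
    name = BUGCHECKS.get(base, "unknown")
    if base in EXCEPTION_FAMILY and code & VARIANT_FLAG:
        name += "_M"
    info = {
        "bugcheck_code": code,
        "bugcheck": name,
        "params": params,
        "minidumps": [f for f in fields["files"] if f.lower().endswith(".dmp")],
    }
    if base in EXCEPTION_FAMILY:
        # For these stop codes BCP1 is the NTSTATUS of the exception and BCP2
        # the address that raised it. WER prints the 32-bit status
        # sign-extended to 64 bits, hence the mask.
        status = params[0] & 0xFFFFFFFF
        info["exception_code"] = status
        info["exception"] = NTSTATUS.get(status, "unknown")
        info["faulting_address"] = params[1]
    return info


if __name__ == "__main__":
    d = decode_bluescreen(parse_report(SAMPLE_REPORT))
    print(f"{d['bugcheck']} (0x{d['bugcheck_code']:08x})")
    if "exception" in d:
        print(f"exception {d['exception']} at 0x{d['faulting_address']:016x}")
    print("dump to open in WinDbg:", *d["minidumps"])
```

The decoded result for the posted values is an unhandled kernel-mode access violation; the next step in practice is to load the listed minidump in WinDbg and let `!analyze -v` attribute the faulting address to a module.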