[SOLVED] Movie Sites Possible Malware

ChuckR · Nov 22, 2022

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2022
Ran by Chuck (administrator) on CHUCK-PC (22-11-2022 15:30:48)
Running from D:\Sysnative Tools
Loaded Profiles: Chuck
Platform: Microsoft Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Default browser: Chrome
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\Program Files (x86)\Google\Chrome\Application\chrome.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\cmd.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(cmd.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe
(explorer.exe ->) (Google LLC -> Google LLC) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe <20>
(explorer.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(explorer.exe ->) (PARAMOUNT SOFTWARE UK LIMITED -> Paramount Software UK Ltd) C:\Program Files\Macrium\Common\ReflectMonitor.exe
(explorer.exe ->) (PARAMOUNT SOFTWARE UK LIMITED -> Paramount Software UK Ltd) C:\Program Files\Macrium\Common\ReflectUI.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe
(Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe
(NVIDIA Corporation -> Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(services.exe ->) (Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(services.exe ->) (Intel Corporation) [File not signed] C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
(services.exe ->) (Malwarebytes Inc. -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(services.exe ->) (Novawave Inc. -> Novawave Inc.) D:\System Tools\Novabench\NovabenchService.exe
(services.exe ->) (NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe <2>
(services.exe ->) (NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe <2>
(services.exe ->) (NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(services.exe ->) (PARAMOUNT SOFTWARE UK LIMITED -> Paramount Software UK Ltd) C:\Program Files\Macrium\Common\MacriumService.exe
(services.exe ->) (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd) C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ===================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
HKLM\...\Run: [Reflect UI] => C:\Program Files\Macrium\Common\ReflectUI.exe [9922800 2022-10-30] (PARAMOUNT SOFTWARE UK LIMITED -> Paramount Software UK Ltd)
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\Run: [CCleaner Smart Cleaning] => C:\Program Files\CCleaner\CCleaner64.exe [38650192 2022-11-09] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\Run: [cdloader] => C:\Users\Chuck\AppData\Roaming\mjusbsp\cdloader2.exe [58816 2018-04-05] (magicJack, L.P. -> magicJack L.P.)
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\MountPoints2: E - E:\Autorun.exe
HKLM\Software\Microsoft\Active Setup\Installed Components: [{8A69D345-D564-463c-AFF1-A69D9E530F96}] -> C:\Program Files (x86)\Google\Chrome\Application\107.0.5304.107\Installer\chrmstp.exe [2022-11-10] (Google LLC -> Google LLC)
Startup: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2014-02-19]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation -> Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass FF RunOnce.lnk [2016-01-08]
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass (Marvasol Inc) -> LastPass)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Install LastPass IE RunOnce.lnk [2016-01-08]
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\lpuninstall.exe (LastPass (Marvasol Inc) -> LastPass)
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION

==================== Scheduled Tasks (Whitelisted) ============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0429E07B-5A04-4599-AE23-8D75BE68FA72} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe [3728752 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {0BFBD582-A478-4155-8DAA-71369737467D} - System32\Tasks\{B12163EC-2A0F-4DB6-B448-3F1E1C447C92} => msiexec.exe /package "D:\DownLoads\DebugDiagx64.msi"
Task: {0C91D2F3-72FB-4433-A17C-7B3E6EC5D0E2} - System32\Tasks\SidebarExecute => C:\Program Files (x86)\Windows Sidebar\sidebar.exe [1174016 2010-11-20] (Microsoft Windows -> Microsoft Corporation)
Task: {0DFECF84-7CFC-445D-8AE9-246936167FC1} - System32\Tasks\{69549C03-FFF0-4BFC-8B8D-B37887F8ECAE} => C:\Windows\system32\pcalua.exe -a E:\disk1\setup.exe -d E:\
Task: {13A94C32-AE2A-4DD1-8BD0-EDCB06CF227B} - System32\Tasks\{9BBC9E44-985F-4751-9E09-A1136DB25F47} => C:\Windows\system32\pcalua.exe -a D:\DownLoads\AdobeAIRInstaller_3.2.0.2070.exe -d "C:\Program Files (x86)\Mozilla Firefox"
Task: {1DA860CF-5DFE-4C1B-9C56-7C13DDF0F773} - \{08797947-0A0E-0C0C-7A11-040F0B78117F} -> No File <==== ATTENTION
Task: {24646530-7148-414B-A522-7667DBDD8F25} - System32\Tasks\{D79C03CB-3094-45B4-8EE1-04C9F9F008C0} => C:\Windows\system32\pcalua.exe -a D:\DownLoads\dotnetfx35setup(1).exe -d D:\DownLoads
Task: {32385522-1924-47A1-B4FF-D9CFE91CFDE4} - System32\Tasks\{41971C23-3C99-42C5-BCBB-92728124F03D} => C:\Windows\system32\pcalua.exe -a D:\DownLoads\winsdk_web.exe -d D:\DownLoads
Task: {38685812-E4BC-4DC9-BE86-6A659B4044E4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2017-04-11] (Google Inc -> Google Inc.)
Task: {4B06C3CF-BF80-464E-8E56-82713B5C4359} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [684976 2022-11-09] (Piriform Software Ltd -> Piriform)
Task: {51D784C5-4B12-48B3-B395-B49CAA5658E2} - System32\Tasks\NvTmRepCR3_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [876912 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {52E06A5E-382C-43C9-802C-4C46121B6131} - System32\Tasks\{C0CFCFB0-8193-46C5-A156-7F247046C33B} => C:\Windows\system32\pcalua.exe -a D:\DownLoads\SH-S223L_SB04.exe
Task: {5B43C5C0-0162-47A1-B3BF-B3D844877FF0} - System32\Tasks\NvTmRepCR2_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [876912 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {5EB47497-0696-41FB-9FCC-5E7B6DBF383B} - System32\Tasks\{BD34E7F5-E78E-4B4D-BF34-27AFFD7428F0} => C:\Windows\system32\pcalua.exe -a "D:\System Tools\ProcessQuickLink 2\unins000.exe"
Task: {61F158BE-13BC-4C36-9D77-75474D232B20} - System32\Tasks\Mozilla\Firefox Background Update 308046B0AF4A39CB => C:\Program Files\Mozilla Firefox\firefox.exe --MOZ_LOG sync,prependheader,timestamp,append,maxsize:1,Dump:5 --MOZ_LOG_FILE C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\backgroundupdate.moz_log --backgroundtask backgroundupdate
Task: {6A232CB0-B3FF-46F0-9A87-1B7EAC41D8FE} - System32\Tasks\{E2B7E4FE-2714-4984-B7DC-98AF5995DB26} => C:\Windows\system32\pcalua.exe -a "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe"
Task: {73BBBC78-6381-476A-8111-CEBFAD111923} - System32\Tasks\NvTmRepCR1_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [876912 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {78CA1312-8C29-47B5-8B55-44A0680BDEA7} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [849264 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {7E7783EA-CC00-4D3D-852E-20DA977EAFF9} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe [849264 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {8DF32B52-D280-4121-BA6B-613A7B78B238} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe [876912 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {9F7D2AB7-57F6-424F-8698-94CDDE9A7A12} - System32\Tasks\{A8A659B3-0401-4CB6-B708-C17A88F05072} => C:\Windows\system32\pcalua.exe -a C:\Windows\system32\pcwrun.exe -c D:\Quicken\qw.exe
Task: {A20C5916-EA64-4DDD-A348-7A967B30D390} - System32\Tasks\Extend Health
Task: {AA35CA84-0159-480D-8323-45D76ECD2215} - System32\Tasks\NvBatteryBoostCheckOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [781680 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvBackend\NvBatteryBoostCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerBatteryBoostCheck.log
Task: {AFD3D950-259A-4034-B1D3-36845A707AA7} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1552376 2022-09-26] (Adobe Inc. -> Adobe Inc.)
Task: {B39BF604-F2EB-4A86-943E-65BD677F1B6C} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe [590704 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)
Task: {C3E55553-2031-421D-A0E2-C96955E833A3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [153752 2017-04-11] (Google Inc -> Google Inc.)
Task: {C5891914-10A3-4098-B16E-AF25CD02FA67} - System32\Tasks\{9CDADED3-9866-456D-ADC7-8C3E92D1AF87} => C:\Windows\system32\pcalua.exe -a D:\DownLoads\MicroFrameworkSDK3_0.exe -d D:\DownLoads
Task: {DEAA4E96-0111-4470-9BD0-4DCE1A359495} - System32\Tasks\CCleanerCrashReporting => C:\Program Files\CCleaner\CCleanerBugReport.exe [4669264 2022-11-09] (PIRIFORM SOFTWARE LIMITED -> Piriform Software) -> --product 90 --send dumps|report --path "C:\Program Files\CCleaner\LOG" --programpath "C:\Program Files\CCleaner" --configpath "C:\Program Files\CCleaner\Setup" --guid "07b8aa54-ba8d-4f5e-a3e2-6288a9738815" --version "6.06.10144" --silent
Task: {EE3C39B2-4D9C-4BEC-9967-E03FADBA7BAA} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [781680 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation) -> -d "C:\Program Files\NVIDIA Corporation\NvDriverUpdateCheck" -l 3 -f C:\ProgramData\NVIDIA\NvContainerDriverUpdateCheck.log
Task: {F3B06D00-3B07-457F-8AA4-3BFDF4254041} - System32\Tasks\CCleanerSkipUAC - Chuck => C:\Program Files\CCleaner\CCleaner.exe [32325456 2022-11-09] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
Task: {F4CC5EEF-081F-4B57-832F-82BD681C0F87} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe [648048 2019-04-02] (NVIDIA Corporation -> NVIDIA Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\CCleanerCrashReporting.job => C:\Program Files\CCleaner\CCleanerBugReport.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5-x64 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760 2012-07-17] (Microsoft Corporation -> Microsoft Corp.)
Winsock: Catalog5-x64 09 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [171760 2012-07-17] (Microsoft Corporation -> Microsoft Corp.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{ACC1B417-2078-4C2B-9C53-80C2DD2F3295}: [DhcpNameServer] 192.168.1.1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION

FireFox:
========
FF DefaultProfile: u7cjq9be.default-1630423938134
FF ProfilePath: C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\u7cjq9be.default-1630423938134 [2022-11-22]
FF Homepage: Mozilla\Firefox\Profiles\u7cjq9be.default-1630423938134 -> hxxps://my.yahoo.com/
FF Session Restore: Mozilla\Firefox\Profiles\u7cjq9be.default-1630423938134 -> is enabled.
FF Extension: (LastPass: Free Password Manager) - C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\u7cjq9be.default-1630423938134\Extensions\support@lastpass.com.xpi [2022-11-19]
FF Extension: (uBlock Origin) - C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\u7cjq9be.default-1630423938134\Extensions\uBlock0@raymondhill.net.xpi [2022-09-21]
FF Extension: (Malwarebytes Browser Guard) - C:\Users\Chuck\AppData\Roaming\Mozilla\Firefox\Profiles\u7cjq9be.default-1630423938134\Extensions\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi [2022-08-16]
FF Plugin: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-08] (LastPass (Marvasol Inc) -> LastPass)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @lastpass.com/NPLastPass -> C:\Program Files (x86)\LastPass\nplastpass64.dll [2016-01-08] (LastPass (Marvasol Inc) -> LastPass)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2022-11-14] (Adobe Inc. -> Adobe Systems Inc.)

Chrome:
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default [2022-11-22]
CHR Notifications: Default -> hxxps://askbobrankin.com; hxxps://mg.mail.yahoo.com; hxxps://news.yahoo.com; hxxps://www.askwoody.com; hxxps://www.facebook.com; hxxps://www.phone.instantcheckmate.com; hxxps://www.sendspace.com; hxxps://www.yahoo.com; hxxps://www.youtube.com
CHR HomePage: Default -> hxxp://my.yahoo.com/
CHR StartupUrls: Default -> "hxxps://my.yahoo.com/#"
CHR NewTab: Default -> Active:"chrome-extension://jonikckfpolfcdcgdficelkfffkloemh/n.html"
CHR Extension: (uBlock Origin) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2022-11-20]
CHR Extension: (Google Docs Offline) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2022-11-01]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2022-11-22]
CHR Extension: (Tabs to the Front) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\hiembaoomcehoiehhdldabfgnmphappc [2017-06-18]
CHR Extension: (Malwarebytes Browser Guard) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\ihcjicgdanjaechkgeegckofjjedodee [2022-11-17]
CHR Extension: (Blank New Tab Page) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonikckfpolfcdcgdficelkfffkloemh [2017-04-27]
CHR Extension: (Application Launcher For Drive (by Google)) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2021-01-23]
CHR Extension: (Plugins) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmcblfncjaclajmegihojiekebofjcen [2021-11-24]
CHR Extension: (Popup my Bookmarks) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\mppflflkbbafeopeoeigkbbdjdbeifni [2020-11-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2021-01-29]
CHR Profile: C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\System Profile [2022-11-21]
CHR HKU\S-1-5-21-4060470119-733395135-3709892937-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd]
CHR HKU\S-1-5-21-4060470119-733395135-3709892937-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj]
CHR HKLM-x32\...\Chrome\Extension: [ihcjicgdanjaechkgeegckofjjedodee]

==================== Services (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeARMservice; C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [173040 2022-09-26] (Adobe Inc. -> Adobe Inc.)
R2 CCleanerPerformanceOptimizerService; C:\Program Files\CCleaner\CCleanerPerformanceOptimizerService.exe [1003344 2022-11-09] (PIRIFORM SOFTWARE LIMITED -> Piriform Software Ltd)
R2 ICCS; C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe [160256 2011-08-30] (Intel Corporation) [File not signed]
R2 MacriumService; C:\Program Files\Macrium\Common\MacriumService.exe [11072008 2022-10-30] (PARAMOUNT SOFTWARE UK LIMITED -> Paramount Software UK Ltd)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe [8842536 2022-10-21] (Malwarebytes Inc. -> Malwarebytes)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
R2 NovabenchService; D:\System Tools\Novabench\NovabenchService.exe [1229808 2020-08-30] (Novawave Inc. -> Novawave Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Windows -> Microsoft Corporation)

===================== Drivers (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13368 2009-04-06] (ASUSTeK Computer Inc. -> )
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [158640 2022-06-22] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2014-12-07] (Martin Malik - REALiX -> REALiX(tm))
S3 JLTECH0227; C:\Windows\System32\Drivers\jl2005c.sys [80240 2010-05-18] (JEILIN TECHNOLOGIES CORPORATION -> Windows (R) Codename Longhorn DDK provider)
R2 MBAMChameleon; C:\Windows\System32\Drivers\MbamChameleon.sys [223176 2022-11-19] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMFarflt; C:\Windows\System32\DRIVERS\farflt.sys [193992 2022-11-22] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\DRIVERS\mbam.sys [75216 2022-11-22] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [239544 2022-07-05] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R3 MBAMWebProtection; C:\Windows\System32\DRIVERS\mwac.sys [149432 2022-11-22] (Microsoft Windows Hardware Compatibility Publisher -> Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation -> Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-05-14] (ASUSTeK Computer Inc. -> )
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation -> Microsoft Corporation)
R3 NovabenchDriver; D:\System Tools\Novabench\NovabenchDriver.sys [27488 2018-05-27] (Novawave Inc. -> )
R3 nusb3hub; C:\Windows\System32\DRIVERS\nusb3hub.sys [77824 2010-01-22] (Microsoft Windows Hardware Compatibility Publisher -> NEC Electronics Corporation)
R3 nusb3xhc; C:\Windows\System32\DRIVERS\nusb3xhc.sys [180224 2010-01-22] (Microsoft Windows Hardware Compatibility Publisher -> NEC Electronics Corporation)
R3 NVHDA; C:\Windows\System32\drivers\nvhda64v.sys [129960 2021-05-15] (Microsoft Windows Hardware Compatibility Publisher -> NVIDIA Corporation)
R3 nvlddmkm; C:\Windows\System32\DRIVERS\nvlddmkm.sys [38196648 2021-05-13] (Microsoft Windows Hardware Compatibility Publisher -> NVIDIA Corporation)
R2 speedfan; C:\Windows\SysWOW64\speedfan.sys [28664 2012-12-29] (SOKNO S.R.L. -> Almico Software)
R3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [398112 2012-01-25] (Marvell Semiconductor -> Marvell)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One month (created) (Whitelisted) =========

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-11-22 15:30 - 2022-11-22 15:31 - 000000000 ____D C:\FRST
2022-11-22 06:14 - 2022-11-22 06:14 - 000193992 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2022-11-22 06:14 - 2022-11-22 06:14 - 000149432 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2022-11-22 06:14 - 2022-11-22 06:14 - 000075216 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2022-11-19 20:10 - 2022-11-19 20:10 - 000223176 _____ (Malwarebytes) C:\Windows\system32\Drivers\MbamChameleon.sys
2022-11-19 17:12 - 2022-11-19 17:12 - 000002157 _____ C:\Users\Chuck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefox Private Browsing.lnk
2022-10-26 07:07 - 2022-10-26 07:07 - 000000930 _____ C:\Users\Public\Desktop\Firefox.lnk

==================== One month (modified) ==================

(If an entry is included in the fixlist, the file/folder will be moved.)

2022-11-22 15:29 - 2022-07-15 19:32 - 000000000 ____D C:\Program Files\Mozilla Firefox
2022-11-22 15:29 - 2016-11-16 09:15 - 000000000 ____D C:\Users\Chuck\AppData\LocalLow\Mozilla
2022-11-22 15:29 - 2012-04-12 15:28 - 000000000 ____D C:\Program Files (x86)\Google
2022-11-22 12:25 - 2016-10-14 14:00 - 000000000 ____D C:\ProgramData\NVIDIA
2022-11-22 08:11 - 2020-09-17 13:54 - 000000000 ____D C:\Program Files\CCleaner
2022-11-22 06:32 - 2009-07-13 20:45 - 000026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2022-11-22 06:32 - 2009-07-13 20:45 - 000026352 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2022-11-22 06:16 - 2009-07-13 21:13 - 000832608 _____ C:\Windows\system32\PerfStringBackup.INI
2022-11-22 06:16 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\inf
2022-11-22 06:14 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\system32\inetsrv
2022-11-22 06:12 - 2009-07-13 21:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2022-11-21 20:24 - 2022-09-21 19:24 - 000000760 _____ C:\Windows\Tasks\CCleanerCrashReporting.job
2022-11-20 06:30 - 2016-10-22 08:47 - 000000000 ____D C:\Users\Chuck\AppData\Local\CrashDumps
2022-11-20 06:23 - 2012-04-24 08:00 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2022-11-19 17:13 - 2022-05-24 07:32 - 000000000 ____D C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38
2022-11-19 17:12 - 2022-05-24 07:32 - 000000000 ____D C:\Windows\system32\Tasks\Mozilla
2022-11-19 17:12 - 2015-12-16 09:00 - 000006610 _____ C:\Windows\wininit.ini
2022-11-19 08:10 - 2022-09-11 19:18 - 000000000 ____D C:\Users\Chuck\AppData\Roaming\com.adobe.dunamis
2022-11-19 07:58 - 2009-07-13 21:08 - 000032548 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2022-11-18 12:04 - 2022-10-13 14:33 - 000002113 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader.lnk
2022-11-18 08:11 - 2022-09-21 19:24 - 000003352 _____ C:\Windows\system32\Tasks\CCleanerCrashReporting
2022-11-18 08:11 - 2020-09-17 13:54 - 000003870 _____ C:\Windows\system32\Tasks\CCleaner Update
2022-11-10 20:07 - 2017-04-11 08:51 - 000002278 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2022-11-09 08:14 - 2013-07-23 06:48 - 000000000 ____D C:\Windows\system32\MRT
2022-11-09 08:11 - 2012-01-03 16:51 - 146960040 ____C (Microsoft Corporation) C:\Windows\system32\MRT.exe
2022-10-28 19:10 - 2012-04-22 12:32 - 000000000 ____D C:\Users\Chuck\AppData\Roaming\mjusbsp
2022-10-28 15:42 - 2012-12-28 18:01 - 000000991 _____ C:\Users\Chuck\Desktop\magicJack.lnk
2022-10-28 15:42 - 2012-12-28 18:01 - 000000977 _____ C:\Users\Chuck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\magicJack.lnk
2022-10-28 15:25 - 2009-07-13 19:20 - 000000000 __RHD C:\Users\Public\Libraries
2022-10-28 07:51 - 2015-11-14 17:41 - 000000782 _____ C:\Users\Chuck\Desktop\Router Settings.txt
2022-10-27 14:15 - 2009-07-13 19:20 - 000000000 ____D C:\Windows\system32\NDF
2022-10-26 07:07 - 2011-12-31 13:50 - 000000942 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk
2022-10-23 19:08 - 2022-10-13 14:33 - 000002101 _____ C:\Users\Public\Desktop\Acrobat Reader.lnk

==================== Files in the root of some directories ========

2013-06-28 05:37 - 2016-01-08 06:59 - 021382680 _____ (LastPass) C:\Program Files (x86)\Common Files\lpuninstall.exe
2017-09-06 08:01 - 2017-09-06 08:01 - 000033193 _____ () C:\Users\Chuck\AppData\Roaming\UserTile.png
2014-03-18 15:30 - 2014-03-18 15:30 - 000000046 _____ () C:\Users\Chuck\AppData\Roaming\WB.CFG
2012-01-08 18:27 - 2022-08-12 20:26 - 000000173 _____ () C:\Users\Chuck\AppData\Local\msmathematics.qat.Chuck
2012-04-29 16:19 - 2022-09-01 09:18 - 000007655 _____ () C:\Users\Chuck\AppData\Local\resmon.resmoncfg

==================== SigCheck ============================

(There is no automatic fix for files that do not pass verification.)

LastRegBack: 2022-11-20 16:10
==================== End of FRST.txt ========================

ChuckR · Nov 22, 2022

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-11-2022
Ran by Chuck (22-11-2022 15:32:24)
Running from D:\Sysnative Tools
Microsoft Windows 7 Professional Service Pack 1 (X64) (2011-12-30 03:35:35)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

(If an entry is included in the fixlist, it will be removed.)

Administrator (S-1-5-21-4060470119-733395135-3709892937-500 - Administrator - Enabled) => C:\Users\Administrator
Chuck (S-1-5-21-4060470119-733395135-3709892937-1001 - Administrator - Enabled) => C:\Users\Chuck
Guest (S-1-5-21-4060470119-733395135-3709892937-501 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 21.07 (HKLM-x32\...\7-Zip) (Version: 21.07 - Igor Pavlov)
7-Zip 22.01 (x64) (HKLM\...\7-Zip) (Version: 22.01 - Igor Pavlov)
AC3Filter 2.6.0b (HKLM-x32\...\AC3Filter_is1) (Version: 2.6.0b - Alexander Vigovsky)
Adobe Acrobat Reader (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 22.003.20282 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\{EFC4BB62-CD01-4F63-9165-FC5DEB350469}) (Version: 11.9.900.152 - Adobe Systems Incorporated)
Adobe Refresh Manager (HKLM-x32\...\{AC76BA86-0804-1033-1959-018244601032}) (Version: 1.8.0 - Adobe Systems Incorporated) Hidden
AMD Wireless Display v3.0 (HKLM\...\{D7C275A6-3266-0FBC-2D84-17A6AC226F01}) (Version: 1.0.0.14 - Advanced Micro Devices, Inc.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 6.06 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 107.0.5304.107 - Google LLC)
Google Drive (HKLM-x32\...\{A8DC81F2-D365-4248-892A-FA3B5951F731}) (Version: 2.34.9392.7803 - Google, Inc.)
Intel Processor Diagnostic Tool 64bit (HKLM\...\{A3135913-E080-45FD-9301-5995B1BAF1C5}) (Version: 4.1.0.24 - Intel Corporation)
iSEEK AnswerWorks English Runtime (HKLM-x32\...\{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}) (Version: 010.000.0101 - Vantage Linguistics)
LastPass (uninstall only) (HKLM-x32\...\LastPass) (Version: - LastPass)
Macrium Reflect Free Edition (HKLM\...\{E00F3578-4849-40C8-91DE-58F02AF087A8}) (Version: 8.0.6392 - Paramount Software (UK) Ltd.) Hidden
Macrium Reflect Free Edition (HKLM\...\MacriumReflect) (Version: 8.0 - Paramount Software (UK) Ltd.)
magicJack (HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\magicJack) (Version: 4.18.9462.6668 - magicJack L.P.)
Malwarebytes version 4.5.16.217 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 4.5.16.217 - Malwarebytes)
Microsoft .NET Framework 4.8 (HKLM\...\{16735AF7-1D8D-3681-94A5-C578A61EC832}) (Version: 4.8.03761 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.8 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.8.03761 - Microsoft Corporation)
Microsoft Help Viewer 1.1 (HKLM\...\{E5748D30-7E6D-3A8E-BFE6-C1D02C6DDABB}) (Version: 1.1.40219 - Microsoft Corporation) Hidden
Microsoft Mathematics (64-bit) (HKLM\...\{E57B7E0A-8BE5-42E2-BE60-C07ED680A063}) (Version: 4.0 - Microsoft Corporation)
Microsoft Mathematics Add-in (32-bit) (HKLM-x32\...\{E2C98732-F973-4985-A9C5-DC06178E16EE}) (Version: 2.0.040811.01 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{664655D8-B9BB-455D-8A58-7EAF7B0B2862}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}) (Version: - Microsoft) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office Excel MUI (English) 2007 (HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2007 (HKLM\...\{90120000-002A-0000-1000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2007 (HKLM-x32\...\{90120000-00A1-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (HKLM-x32\...\{90120000-001F-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (HKLM-x32\...\{90120000-001F-040C-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (HKLM-x32\...\{90120000-001F-0C0A-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (HKLM-x32\...\{90120000-002C-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}) (Version: - Microsoft) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}) (Version: - Microsoft) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}) (Version: - Microsoft) Hidden
Microsoft Office Shared 64-bit MUI (English) 2007 (HKLM\...\{90120000-002A-0409-1000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (HKLM\...\{90120000-0116-0409-1000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (HKLM-x32\...\{90120000-0115-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Security Client (HKLM\...\{2AA3C13E-0531-41B8-AE48-AE28C940A809}) (Version: 4.10.0209.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (HKLM-x32\...\{B175520C-86A2-35A7-8619-86DC379688B9}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (HKLM-x32\...\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}) (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (HKLM\...\{929FBD26-9020-399B-9A7A-751D61F0B942}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (HKLM\...\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (HKLM-x32\...\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (HKLM-x32\...\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}) (Version: 12.0.21005 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2017 Redistributable (x64) - 14.13.26020 (HKLM-x32\...\{7474cd6e-76cc-4257-837e-5b9261e526af}) (Version: 14.13.26020.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.13.26020 (HKLM-x32\...\{5c045b7f-e561-4794-91f8-c6cda0893107}) (Version: 14.13.26020.0 - Microsoft Corporation)
Microsoft Visual C++ 2017 x64 Additional Runtime - 14.13.26020 (HKLM\...\{C5ECDB9A-D9B0-3107-BA85-1269998A5B3E}) (Version: 14.13.26020 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2017 x64 Minimum Runtime - 14.13.26020 (HKLM\...\{221D6DB4-46E2-333C-B09B-5F49351D0980}) (Version: 14.13.26020 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.13.26020 (HKLM-x32\...\{895D5198-C5DB-375E-86AB-133F4DAA9FE2}) (Version: 14.13.26020 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.13.26020 (HKLM-x32\...\{8F271F6C-6E7B-3D0A-951B-6E7B694D78BD}) (Version: 14.13.26020 - Microsoft Corporation) Hidden
Microsoft Visual Studio Team Foundation Server 11 Beta Team Explorer Language Pack - ENU (HKLM-x32\...\{0E6433BF-7522-303A-B241-1E0AA09E226E}) (Version: 11.0.50214 - Microsoft Corporation) Hidden
Microsoft Windows Performance Toolkit (HKLM\...\{E7F9E526-2324-437B-A609-E8C5309465CB}) (Version: 4.8.0 - Microsoft Corporation)
Mozilla Firefox (x64 en-US) (HKLM\...\Mozilla Firefox 106.0.3 (x64 en-US)) (Version: 106.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 106.0.2 - Mozilla)
MSVCRT_amd64 (HKLM-x32\...\{D0B44725-3666-492D-BEF6-587A14BD9BD9}) (Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2721691) (HKLM-x32\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
NEC Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\{D7BF9739-8A68-4335-BBEE-37752AD9E86B}) (Version: 1.0.19.0 - NEC Electronics Corporation) Hidden
NEC Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}) (Version: 1.0.19.0 - NEC Electronics Corporation)
NirSoft Wireless Network Watcher (HKLM-x32\...\NirSoft Wireless Network Watcher) (Version: - )
Novabench (HKLM\...\{32D01ECE-310C-4220-B2E9-AC4B1B34BAC7}) (Version: 4.0.9 - Novawave Inc.)
NVIDIA GeForce Experience 3.18.0.102 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.18.0.102 - NVIDIA Corporation)
NVIDIA Graphics Driver 466.47 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 466.47 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.38.60 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.38.60 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.21.0713 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.21.0713 - NVIDIA Corporation)
Quicken (HKLM-x32\...\{62D93E3E-2F8E-42BD-9343-896F4F0031D3}) (Version: 27.1.43.20 - Quicken)
Quicken 2011 (HKLM-x32\...\{5FE545A1-D215-4216-9189-E7B39C9D1CC1}) (Version: 20.1.8.6 - Intuit)
Quicken 2014 (HKLM-x32\...\{0877F595-254F-45F4-991D-3F72E86B17CE}) (Version: 23.1.9.3 - Intuit)
Quicken 2017 (HKLM-x32\...\{E5AE4F66-CDA1-432A-A69E-C685D454ABDA}) (Version: 26.1.19.8 - Quicken)
Speccy (HKLM\...\Speccy) (Version: 1.32 - Piriform)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version: - )
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Windows Media Player Firefox Plugin (HKLM-x32\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)

==================== Custom CLSID (Whitelisted): ==============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

ShellIconOverlayIdentifiers: [ GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2018-04-23] (Google Inc -> Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2018-04-23] (Google Inc -> Google)
ShellIconOverlayIdentifiers: [ GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2018-04-23] (Google Inc -> Google)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2022-07-15] (Igor Pavlov) [File not signed]
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files (x86)\Google\Drive\contextmenu64.dll [2018-04-23] (Google Inc -> Google)
ContextMenuHandlers1: [ReflectShellExt] -> {DEBB9B79-B3DD-47F4-9E5C-EA6975BAB611} => D:\System Tools\Macrium\Reflect\RContextMenu.dll [2022-10-30] (PARAMOUNT SOFTWARE UK LIMITED -> Paramount Software UK Ltd)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers2: [ReflectShellExt] -> {DEBB9B79-B3DD-47F4-9E5C-EA6975BAB611} => D:\System Tools\Macrium\Reflect\RContextMenu.dll [2022-10-30] (PARAMOUNT SOFTWARE UK LIMITED -> Paramount Software UK Ltd)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-05-10] (Malwarebytes Inc. -> Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2022-07-15] (Igor Pavlov) [File not signed]
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => C:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers4: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files (x86)\Google\Drive\contextmenu64.dll [2018-04-23] (Google Inc -> Google)
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => -> No File
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2021-05-12] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2022-07-15] (Igor Pavlov) [File not signed]
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2022-05-10] (Malwarebytes Inc. -> Malwarebytes)

==================== Codecs (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Drivers32: [msacm.ac3filter] => C:\Windows\system32\ac3filter64.acm [2231296 2013-04-05] () [File not signed]
HKLM\...\Drivers32: [msacm.ac3filter] => C:\Windows\SysWOW64\ac3filter.acm [1679360 2013-04-05] () [File not signed]

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

ShortcutWithArgument: C:\Users\Chuck\Desktop\YouTube.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe (Google LLC) -> --profile-directory=Default --app-id=agimnkijcaahngcdmfeangaknmldooml
ShortcutWithArgument: C:\Users\Chuck\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome_proxy.exe (Google LLC) -> --profile-directory=Default --app-id=agimnkijcaahngcdmfeangaknmldooml
ShortcutWithArgument: C:\Users\Chuck\AppData\Roaming\Microsoft\Internet Explorer OLD\Quick Launch\User Pinned\ImplicitAppShortcuts\d249d9ddd424b688\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC) -> --profile-directory=Default

==================== Loaded Modules (Whitelisted) =============

2022-08-27 07:37 - 2022-07-15 06:00 - 000094720 _____ (Igor Pavlov) [File not signed] C:\Program Files\7-Zip\7-zip.dll

==================== Alternate Data Streams (Whitelisted) ========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]

==================== Safe Mode (Whitelisted) ==================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\camsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dps => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lfsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semgrsvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\shellhwdetection => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TokenBroker => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"

==================== Association (Whitelisted) =================

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKU\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.reg\UserChoice => regfile

==================== Internet Explorer (Version 11) (Whitelisted) ==========

HKU\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/#
HKU\S-1-5-21-4060470119-733395135-3709892937-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://myaccount.cox.net/internettools/home.cox?cid=83042&
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2021-07-18] (LastPass (Marvasol Inc) -> LastPass)
BHO-x32: LastPass Vault -> {95D9ECF5-2A4D-4550-BE49-70D42F71296E} -> C:\Program Files (x86)\LastPass\LPToolbar.dll [2021-07-18] (LastPass (Marvasol Inc) -> LastPass)
Toolbar: HKLM - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll [2021-07-18] (LastPass (Marvasol Inc) -> LastPass)
Toolbar: HKLM-x32 - LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll [2021-07-18] (LastPass (Marvasol Inc) -> LastPass)
DPF: HKLM {CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_05-windows-i586.cab
DPF: HKLM {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab
DPF: HKLM {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: HKLM {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_11-windows-i586.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\bankofamerica.com -> hxxps://safe.bankofamerica.com
IE trusted site: HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\cox.com -> hxxps://ww2.cox.com
IE trusted site: HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\cox.net -> hxxps://idm.east.cox.net
IE trusted site: HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\yahoo.com -> hxxps://my.yahoo.com

==================== Hosts content: =========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2019-05-27 08:27 - 000000855 _____ C:\Windows\system32\drivers\etc\hosts
127.0.0.1 localhost

==================== Other Areas ===========================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path -> C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\NVIDIA Corporation\NVIDIA NvDLISR
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Chuck\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\S-1-5-21-4060470119-733395135-3709892937-500\Control Panel\Desktop\\Wallpaper -> C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

==================== FirewallRules (Whitelisted) ================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) C:\Windows\system32\sppsvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SPPSVC-In-TCP] => (Allow) C:\Windows\system32\sppsvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{E273F5FF-33EB-4F3E-95BA-E9067A42202F}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{330B0006-DAE6-4B40-9793-6ABAE572AC8A}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [TCP Query User{7547D9BE-DFB2-46F2-B7CE-1CFC00E09BBB}C:\users\chuck\appdata\roaming\mjusbsp\magicjack.exe] => (Allow) C:\users\chuck\appdata\roaming\mjusbsp\magicjack.exe (magicJack, L.P. -> magicJack L.P.)
FirewallRules: [UDP Query User{33DE519A-93D5-4AD7-8169-13B5C770E543}C:\users\chuck\appdata\roaming\mjusbsp\magicjack.exe] => (Allow) C:\users\chuck\appdata\roaming\mjusbsp\magicjack.exe (magicJack, L.P. -> magicJack L.P.)
FirewallRules: [{206F2248-4053-4CC4-8209-11C46D2D1B63}] => (Allow) C:\Program Files (x86)\Quicken\qw.exe (Quicken Inc. -> Quicken Inc.)
FirewallRules: [{7EC12F65-7437-4A22-A6B5-C54E7E589990}] => (Allow) C:\Program Files (x86)\Quicken\qw.exe (Quicken Inc. -> Quicken Inc.)
FirewallRules: [{5FB5F696-4537-4991-ADB3-7F70B4F2A0A0}] => (Allow) C:\Program Files (x86)\Quicken\qw.exe (Quicken Inc. -> Quicken Inc.)
FirewallRules: [{B58FA877-8988-453F-9625-6DA8AE2094BD}] => (Allow) C:\Program Files (x86)\Quicken\qw.exe (Quicken Inc. -> Quicken Inc.)
FirewallRules: [{E5DC1327-6084-42FA-8B9B-818FA3A3D634}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{C398FB24-6511-4404-8A6C-FFB963828153}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{8BB009BF-59E5-41FC-BBB0-DFD9FFFA311B}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{3D7011C1-6589-4D6D-ADD4-59655B362561}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{0343BBEE-B93B-49CD-B142-B51A0C92440E}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{502510E8-8557-42BF-A7AE-3006D7C36F6B}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [TCP Query User{2EB5E8E7-CC97-4C8A-A292-0B0D5C0C6B26}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [UDP Query User{B5F49198-65C8-4FC9-A4B5-34D296F2187F}C:\windows\system32\mmc.exe] => (Block) C:\windows\system32\mmc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [TCP Query User{3018510B-7639-402D-9EB6-15593E5955EE}C:\windows\syswow64\rundll32.exe] => (Allow) C:\windows\syswow64\rundll32.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [UDP Query User{72A79A2F-BD72-4840-87C5-5EC004BD2DC3}C:\windows\syswow64\rundll32.exe] => (Allow) C:\windows\syswow64\rundll32.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [TCP Query User{9894703E-32BB-4DFF-AE9E-32E07EFE6B77}C:\program files (x86)\quicken\qwsubprocess.exe] => (Block) C:\program files (x86)\quicken\qwsubprocess.exe (Quicken Inc. -> Quicken Inc.)
FirewallRules: [UDP Query User{D77618AE-E65E-42C3-B27B-265E23BB87CB}C:\program files (x86)\quicken\qwsubprocess.exe] => (Block) C:\program files (x86)\quicken\qwsubprocess.exe (Quicken Inc. -> Quicken Inc.)
FirewallRules: [{13EC86B3-34A7-4E07-B227-44E93830FF09}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google LLC -> Google LLC)

==================== Restore Points =========================

16-11-2022 08:10:38 Windows Update
19-11-2022 14:57:31 Windows Update

==================== Faulty Device Manager Devices ============

Name: Microsoft Teredo Tunneling Adapter #2
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

==================== Event log errors: ========================

Application errors:
==================
Error: (11/17/2022 09:56:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MbamBgNativeMsg.exe, version: 4.0.0.108, time stamp: 0x63481cdd
Faulting module name: ntdll.dll, version: 6.1.7601.24499, time stamp: 0x5d0115b0
Exception code: 0xc0000005
Fault offset: 0x000000000002d196
Faulting process id: 0x1530
Faulting application start time: 0x01d8faadcb70915e
Faulting application path: C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MbamBgNativeMsg.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 20943185-66a1-11ed-b5e0-485b39430625

Error: (11/09/2022 09:25:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MbamBgNativeMsg.exe, version: 4.0.0.108, time stamp: 0x63481cdd
Faulting module name: ntdll.dll, version: 6.1.7601.24499, time stamp: 0x5d0115b0
Exception code: 0xc0000005
Fault offset: 0x000000000002d196
Faulting process id: 0x14a8
Faulting application start time: 0x01d8f4c4c43e9a43
Faulting application path: C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MbamBgNativeMsg.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 08740f6c-60b8-11ed-b43f-485b39430625

Error: (10/28/2022 07:06:57 AM) (Source: Firefox Default Browser Agent) (EventID: 12007) (User: )
Description: Event-ID 12007

Error: (10/28/2022 07:06:57 AM) (Source: Firefox Default Browser Agent) (EventID: 0) (User: )
Description: Event-ID 0

Error: (10/27/2022 02:35:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MbamBgNativeMsg.exe, version: 4.0.0.108, time stamp: 0x63481cdd
Faulting module name: ntdll.dll, version: 6.1.7601.24499, time stamp: 0x5d0115b0
Exception code: 0xc0000005
Fault offset: 0x000000000002d196
Faulting process id: 0x160c
Faulting application start time: 0x01d8ea54256d09b4
Faulting application path: C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\MbamBgNativeMsg.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: b1024999-5647-11ed-8eea-485b39430625

Error: (10/08/2022 06:53:12 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/08/2022 06:53:12 AM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/08/2022 06:53:12 AM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

System errors:
=============
Error: (11/22/2022 03:35:17 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {BB6DF56B-CACE-11DC-9992-0019B93A3A84} did not register with DCOM within the required timeout.

Error: (11/22/2022 03:29:48 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Mozilla Maintenance Service service terminated with the following error:
Incorrect function.

Error: (11/22/2022 01:08:39 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.

Error: (11/22/2022 01:08:39 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (11/22/2022 08:29:51 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.

Error: (11/22/2022 08:29:51 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Error: (11/22/2022 06:27:13 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.

Error: (11/22/2022 06:27:12 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 70.

Windows Defender:
================
Date: 2014-11-19 16:08:04.250
Description:
Windows Defender scan has been stopped before completion.
Scan Type:AntiSpyware
Scan Parameters:Full Scan
Event[0]:

Date: 2015-03-21 12:39:32.889
Description:
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:Current
Error Code:0x80070002
Error description:The system cannot find the file specified.
Signature version:0.0.0.0
Engine version:0.0.0.0

Date: 2015-03-21 12:39:32.889
Description:
Windows Defender has encountered an error trying to update signatures.
New Signature Version:
Previous Signature Version:
Update Source:Signature Update Folder
Signature Type:AntiSpyware
Update Type

elta
Current Engine Version:
Previous Engine Version:
Error code:0x80070002
Error description:The system cannot find the file specified.

Date: 2014-02-28 08:43:36.022
Description:
Windows Defender has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.
Signatures Attempted:Current
Error Code:0x80070002
Error description:The system cannot find the file specified.
Signature version:0.0.0.0
Engine version:0.0.0.0

==================== Memory info ===========================

BIOS: American Megatrends Inc. 0502 11/16/2010
Motherboard: ASUSTeK Computer INC. P6X58D-E
Processor: Intel(R) Core(TM) i7 CPU 930 @ 2.80GHz
Percentage of memory in use: 45%
Total physical RAM: 12279.12 MB
Available physical RAM: 6748.72 MB
Total Virtual: 26604.38 MB
Available Virtual: 18665.02 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:119.14 GB) (Free:45.94 GB) (Model: KINGSTON SNVP325S2128GB ATA Device) NTFS
Drive d: (Local Disk ) (Fixed) (Total:465.76 GB) (Free:407.56 GB) (Model: WDC WD5001AALS-00L3B2 ATA Device) NTFS
Drive f: (HP) (Fixed) (Total:298.09 GB) (Free:51.18 GB) (Model: SAMSUNG HD320KJ ATA Device) NTFS
Drive h: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.03 GB) (Model: KINGSTON SNVP325S2128GB ATA Device) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ====================

==========================================================
Disk: 0 (MBR Code: Windows 7/8/10) (Size: 119.2 GB) (Disk ID: 245B1879)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=119.1 GB) - (Type=07 NTFS)

==========================================================
Disk: 1 (MBR Code: Windows 7/8/10) (Size: 465.8 GB) (Disk ID: 2AE525A7)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

==========================================================
Disk: 2 (Size: 298.1 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=298.1 GB) - (Type=07 NTFS)

==================== End of Addition.txt =======================

Gary R · Nov 23, 2022

No signs of an active infection in your FRST logs.

Few things that need attention ....

First ...

Please uninstall the following Chrome extension ...

CHR HKU\S-1-5-21-4060470119-733395135-3709892937-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd]

https://www.timeatlas.com/uninstall-chrome-extensions/

(You may have to use the manual option listed in the above link)

Next ...

Start FRST.
Hit your Windows Key + R to open a Run window
Type Notepad then click OK
This will open an empty Notepad document
Copy/Paste the following into it (Don't include Code: ) .....

Code:

HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\MountPoints2: E - E:\Autorun.exe
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} =>  -> No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Folder:C:\Users\Chuck\AppData\Roaming\mjusbsp
CMD: ipconfig /flushdns
EmptyTemp:

Save it as fixlist.txt to the same location as FRST (must be in this location)
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
Now press the Fix button once and wait.
FRST will process fixlist.txt
When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
Please post me the log

Finally ...... Windows 7 is no longer supported by Microsoft, so any exploits that are not already patched will never be patched, that means your computer can never be secure. Doesn't matter what AV, AS or other ptotective programs you install, any unpatched exploits will forever be exploitable.

ChuckR · Nov 23, 2022

I went to Google Settings Extensions and your referenced Extension is not listed. I do have
Blank Page, LastPass, Browser Guard, Tabs to Front, Popup my Bookmarks and Ublock Origin
active. There are others listed that are not active that I will select Remove for.
I searched for your extension as (CHR HKU) with no luck. I then tried ([fcfenmboojpjinhpgggodefccipikbpd] with no luck.

After breakfast, I will copy your code. I initially ran FRST64. I will rename the results of that run.
Where will the FIX button be?
I looked into C:/USERS/Chuck/Appdata/Roaming WOW this has so many programs I don't recognize or don't use.

Gary R · Nov 23, 2022

There should be a folder .... fcfenmboojpjinhpgggodefccipikbpd .... in .... C:\Users\username\AppData\Local\Google\Chrome\User Data\Default (where "username" is replaced by the name of the account you log in under).

Delete that folder to remove that extension.

Don't worry if you can't find it, we can always run a search for it with FRST once you've run the Fix I posted in my last post.

The FIX button is the furthest right of the 4 blue buttons under the Search box in the FRST interface.

ChuckR · Nov 23, 2022

I looked up fcfenmboojpjinhpgggodefccipikbpd in C:\Users\Chuck\AppData\Local\Google\Chrome\User Data\Default with no luck.
I then did a search in C:\Users\Chuck with no luck.
Any other ideas?
How should I run FRST64 against the fixlist.txt? Or does clicking on fixlist.txt bring up the RUN button?
Sorry for the confusion.

ChuckR · Nov 23, 2022

The memory started working. I ran FRST64 and chose Fix. Quick run and then it Restarted the computer. Here is the fixlog

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-11-2022
Ran by Chuck (23-11-2022 09:34:03) Run:1
Running from D:\Sysnative Tools
Loaded Profiles: Chuck & Administrator & DefaultAppPool
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\MountPoints2: E - E:\Autorun.exe
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => -> No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Folder:C:\Users\Chuck\AppData\Roaming\mjusbsp
CMD: ipconfig /flushdns
EmptyTemp:
*****************

HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"="0" => value restored successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate => removed successfully
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ACE => removed successfully
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000} => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
"HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
"HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully

========================= Folder:C:\Users\Chuck\AppData\Roaming\mjusbsp ========================

not found.

====== End of Folder: ======

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 19128174 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
Windows/system/drivers => 701200 B
Edge => 0 B
Chrome => 417130406 B
Firefox => 22388244 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 4291090 B
Chuck => 27302274 B
Administrator => 30874737 B
DefaultAppPool => 30874737 B

RecycleBin => 0 B
EmptyTemp: => 527.1 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 09:34:10 ====

Gary R · Nov 23, 2022

OK, let's see if FRST can find the missing Chrome extension.

Double click Frst64.exe to launch it.
FRST will start to run.
- When the tool opens click Yes to the disclaimer.
- Copy/Paste or Type the following line into the Search: box.
SearchAll:fcfenmboojpjinhpgggodefccipikbpd

Click to expand...
- Press the Search Files button.
- When finished searching a log will open on your Desktop ... Search.txt
- Please post it in your next reply.

ChuckR · Nov 23, 2022

Farbar Recovery Scan Tool (x64) Version: 18-11-2022
Ran by Chuck (23-11-2022 10:39:49)
Running from D:\Sysnative Tools
Boot Mode: Normal

================== Search Files: "SearchAll:fcfenmboojpjinhpgggodefccipikbpd" =============

File:
========

folder:
========

Registry:
========
[HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd]
[HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Microsoft\DefaultPack]
"GCEXTN_DHP_DSE"="fcfenmboojpjinhpgggodefccipikbpd"

====== End of Search ======

Gary R · Nov 23, 2022

Start FRST.
Hit your Windows Key + R to open a Run window
Type Notepad then click OK
This will open an empty Notepad document
Copy/Paste the following into it (Don't include Code: ) .....

Code:

DeleteKey:HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
DeleteValue:HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Microsoft\DefaultPack | GCEXTN_DHP_DSE
Reboot:

Save it as fixlist.txt to the same location as FRST (must be in this location)
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
Now press the Fix button once and wait.
FRST will process fixlist.txt
When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
Please post me the log

ChuckR · Nov 23, 2022

Have we addressed the initial issue which were junk ads. The scan included
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
This is the only reference to adware in all the scan/fix we have done so far. I find nothing in the Control Panel under Programs and Features
related to ADWARE or applications that make sense.

Gary R · Nov 23, 2022

No Adware programs installed that I can see. Not all hidden install entries are malicious, and there are many legitimate hidden entries that will show in the Installed programs list that FRST creates.

ChuckR · Nov 23, 2022

Do think we are ready to try h ttps: // f movies.to / home ??????? AGAIN.

Gary R · Nov 23, 2022

Have you run the fix I posted in post #30 yet ???? If so, please post the log created.

Personally, I'd say if you got problems when accessing a site once, then I'd be reluctant to visit that site again .......... especially with an unsupported OS like W7.

If you want to check whether a site is "safe" to visit, try inputting its URL to .... VirusTotal .... where it will be scanned and checked by a number of different AVs, and a report produced.

Corday · Nov 23, 2022

I'm not posting to help only to inform. The site is not safe and contains pirated material.

ChuckR · Nov 23, 2022

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-11-2022
Ran by Chuck (23-11-2022 09:34:03) Run:1
Running from D:\Sysnative Tools
Loaded Profiles: Chuck & Administrator & DefaultAppPool
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\...\MountPoints2: E - E:\Autorun.exe
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
ContextMenuHandlers5: [ACE] -> {5E2121EE-0300-11D4-8D3B-444553540000} => -> No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Folder:C:\Users\Chuck\AppData\Roaming\mjusbsp
CMD: ipconfig /flushdns
EmptyTemp:
*****************

HKLM\SOFTWARE\Microsoft\Windows Defender\\"DisableAntiSpyware"="0" => value restored successfully
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate => removed successfully
HKU\S-1-5-21-4060470119-733395135-3709892937-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\system32\GroupPolicy\User => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => removed successfully
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ACE => removed successfully
HKLM\Software\Classes\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000} => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
"HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
"HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully

========================= Folder:C:\Users\Chuck\AppData\Roaming\mjusbsp ========================

not found.

====== End of Folder: ======

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

FlushDNS => completed
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 19128174 B
Java, Discord, Steam htmlcache, WinHttpAutoProxySvc/winhttp *.cache => 0 B
Windows/system/drivers => 701200 B
Edge => 0 B
Chrome => 417130406 B
Firefox => 22388244 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 4291090 B
Chuck => 27302274 B
Administrator => 30874737 B
DefaultAppPool => 30874737 B

RecycleBin => 0 B
EmptyTemp: => 527.1 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 09:34:10 ====

Gary R · Nov 24, 2022

That's not the log from the fix in post #30 in this topic, that's from the fix I posted in post #23

What I need to see is whether the two registry entries for the Chrome extension ... fcfenmboojpjinhpgggodefccipikbpd ... have been successfully removed or not, which is what the fix in post #30 was scripted to do.

ChuckR · Nov 24, 2022

Fix result of Farbar Recovery Scan Tool (x64) Version: 18-11-2022
Ran by Chuck (24-11-2022 06:44:27) Run:2
Running from D:\Sysnative Tools
Loaded Profiles: Chuck
Boot Mode: Normal
==============================================

fixlist content:
*****************
DeleteKey:HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
DeleteValue:HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Microsoft\DefaultPack | GCEXTN_DHP_DSE
Reboot:
*****************

HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd => removed successfully
"HKEY_USERS\S-1-5-21-4060470119-733395135-3709892937-1001\Software\Microsoft\DefaultPack\\GCEXTN_DHP_DSE" => removed successfully

The system needed a reboot.

==== End of Fixlog 06:44:27 ====

The strange thing is that after the Reboot there is NO fixlist.txt file.

Gary R · Nov 24, 2022

ChuckR said:
The strange thing is that after the Reboot there is NO fixlist.txt file.

Nothing strange about that. When FRST successfully processes a fixlist, it automatically removes that file.

I think you may be confusing fixlist.txt with fixlog.txt

The first is a list of instructions given to FRST, which as I said is deleted on completion, the second is the results generated by FRST from processing the fixlist.

The fixlog you're just posted shows those two Registry entries we wanted to remove were successfully removed.

As far as I can see, your machine is clean.

If you wish, we can run an online AV scan, but honestly I wouldn't expect it to find much (if anything).

ChuckR · Nov 24, 2022

Earlier someone mentioned VIRUSTOTAL. Would you suggest joining that site when I seldom download a new application?
Thank you for all the help and support.
Is it okay to try and run //fmovies.to/home or will I just mess up the GOOD Work you have done.
Have a great Thanksgiving.

[SOLVED] Movie Sites Possible Malware

Well-known member

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Well-known member

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Moderator

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Well-known member

Forum Moderator, Security Analyst, Windows Update Trainee

Well-known member