[SOLVED] PUM.Optional.NoDrives

JohnDrew (Active member; joined Nov 18, 2018; 36 posts; location: UK)
Good afternoon.

Firstly let me say I am not computer literate so please excuse any misunderstandings I may cause.

Each time I scan with Malwarebytes I have a hit which is identified as PUM.Optional.NoDrives. This occurs even after it has been removed to Quarantine many times.
The report by Malwarebytes identifies the location as:
HKU\S-1-5-21-4109210211-571196965-2683950656-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NODRIVES
But I have been unable to locate it using RegEdit; I have looked in SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER, but I am unsure what it may be recorded as there and have changed nothing. I have copied the report from Malwarebytes to Notepad if this may be of help.

Please can anyone tell me if this is a false positive or, if not, how to get rid of it once and for all.

With thanks in anticipation.

Thanks for your reply. I shall look, but the last two starts have been blue screen with a startup repair, so I'm really unsure of what is going on.

I downloaded the tool and double clicked; it went straight to the scanning screen with no option to run as administrator or select the disclaimer. I don't understand "Copy/paste checkup.txt from SecurityCheck to your reply". What checkup, and how do I do it?

Farbar output:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 10.02.2019 01
Ran by John (administrator) on JOHN-PC (11-02-2019 20:03:51)
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available Profiles: John & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Cybereason) C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.11.895\SSScheduler.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\epson\Creativity Suite\Event Manager\EEventManager.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Acronis) C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe
(Cybereason) C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe
(Node.js) C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
(McAfee, Inc.) C:\Program Files\McAfee\WebAdvisor\servicehost.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(McAfee, Inc.) C:\Program Files\McAfee\WebAdvisor\uihost.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NvContainer\nvcontainer.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(LULU Software) C:\Program Files (x86)\Soda PDF 2012\ConversionService.exe
(Acronis) C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Mozilla Corporation) C:\Users\John\AppData\Local\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
(Microsoft Corporation) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(McAfee, Inc.) C:\Program Files\McAfee\WebAdvisor\browserhost.exe
(Piriform Software Ltd) C:\Program Files\CCleaner\CCleaner64.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11613288 2010-11-19] (Realtek Semiconductor Corp -> Realtek Semiconductor)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
HKLM\...\Run: [AdobeGCInvoker-1.0] => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe [2675176 2018-12-13] (Adobe Systems Incorporated -> Adobe Systems, Incorporated)
HKLM\...\Run: [Acronis Scheduler2 Service] => C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe [403144 2012-06-28] (Acronis, Inc -> Acronis)
HKLM-x32\...\Run: [TrueImageMonitor.exe] => C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe [5955360 2012-06-28] (Acronis, Inc -> Acronis)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe [43608 2010-09-07] (JMicron Technology Corp. -> )
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\EPSON\Creativity Suite\Event Manager\EEventManager.exe [102400 2006-10-12] (SEIKO EPSON CORPORATION) [File not signed]
HKLM-x32\...\Run: [DivXMediaServer] => C:\Program Files (x86)\DivX\DivX Media Server\DivXMediaServer.exe [1058512 2018-12-18] (DivX, LLC. -> DivX, LLC)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [6788032 2018-04-20] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [653648 2018-06-27] (Oracle America, Inc. -> Oracle Corporation)
HKLM-x32\...\Run: [AcronisTimounterMonitor] => C:\Program Files (x86)\Acronis\TrueImageHome\TimounterMonitor.exe [1171336 2012-06-28] (Acronis, Inc -> Acronis)
HKU\S-1-5-21-4109210211-571196965-2683950656-1001\...\Policies\Explorer: [NoDrives] 1
HKU\S-1-5-21-4109210211-571196965-2683950656-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\scrnsave.scr [11264 2009-07-14] (Microsoft Windows -> Microsoft Corporation)
HKLM\...\Drivers32-x32: [vidc.DIVX] => C:\Windows\SysWOW64\DivX.dll [720384 2010-02-19] (DivX, Inc.)
HKLM\...\Drivers32-x32: [vidc.yv12] => C:\Windows\SysWOW64\DivX.dll [720384 2010-02-19] (DivX, Inc.)
HKLM\Software\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{2D46B6DC-2207-486B-B523-A557E6D54B47}] -> C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components: [{73FA19D0-2D75-11D2-995D-00C04F98BBC9}] ->
HKLM\Software\...\Authentication\Credential Providers: [{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}] -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDCREDPROV.DLL [2012-07-17] (Microsoft Corporation -> Microsoft Corp.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk [2018-12-16]
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files\McAfee Security Scan\3.11.895\SSScheduler.exe (McAfee, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk [2012-02-05]
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{40E5A727-9C1C-43A7-A17B-0803743976E4}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> DefaultScope {7E5BE403-0B12-4870-8DD5-94CBD25DEE5D} URL = hxxps://uk.search.yahoo.com/search?fr=mcafee&type=C010GB91044D20120202&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> {407199A3-6A17-4DBD-BFF8-489606105D5A} URL = hxxps://uk.search.yahoo.com/search?fr=mcafee&type=C010GB0D20120202&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> {7E5BE403-0B12-4870-8DD5-94CBD25DEE5D} URL = hxxps://uk.search.yahoo.com/search?fr=mcafee&type=C010GB91044D20120202&p={searchTerms}
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> {8C9300A8-5A66-4537-9AA7-775347DE8ABC} URL = hxxps://uk.search.yahoo.com/search?fr=mcafee&type=C010GB0D20120202&p={searchTerms}
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corporation -> Microsoft Corp.)
BHO: McAfee WebAdvisor -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files\McAfee\WebAdvisor\x64\IEPlugin.dll [2018-08-04] (McAfee, Inc. -> McAfee, Inc.)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre-10.0.2\bin\jp2ssv.dll [2018-07-25] (Oracle America, Inc. -> Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corporation -> Microsoft Corp.)
BHO-x32: McAfee WebAdvisor -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll [2018-08-04] (McAfee, Inc. -> McAfee, Inc.)
BHO-x32: Soda PDF 2012 Helper -> {ebe8b562-cba0-40d8-b920-af7cfe0c9d94} -> C:\Program Files (x86)\Soda PDF 2012\PDFIEHelper.dll [2012-04-17] (LULU software -> LULU Software)
Toolbar: HKLM-x32 - Soda PDF 2012 Toolbar - {a8c9d542-fd91-4834-a2e8-adb9ae692b8b} - C:\Program Files (x86)\Soda PDF 2012\PDFIEPlugin.dll [2012-04-17] (LULU software -> LULU Software)
Toolbar: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File

FireFox:
========
FF ProfilePath: C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\Profiles\cas16ady.default [not found] <==== ATTENTION
FF DefaultProfile: 9bm28xhk.default
FF ProfilePath: C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116 [2019-02-11]
FF Homepage: Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116 -> hxxps://www.google.co.uk/
FF Extension: (Adblock Plus Pop-up Addon) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\adblockpopups@jessehakanen.net.xpi [2016-04-27] [Legacy]
FF Extension: (Soda PDF Online Services) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\bbc76ea6dda56049318f865d3e38117a@lulusoftware.com.xpi [2016-09-01] [Legacy]
FF Extension: (Classic Theme Restorer) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2018-07-17] [Legacy]
FF Extension: (Nectar Browser Add-on) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\nectarffext@aimia.com.xpi [2018-06-27]
FF Extension: (Print Edit WE) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\printedit-we@DW-dev.xpi [2019-02-06]
FF Extension: (Print Edit) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\printedit@DW-dev.xpi [2018-02-12] [Legacy]
FF Extension: (RememberPass) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\rememberpass@teesoft.info.xpi [2016-04-28] [Legacy]
FF Extension: (S3.Translator) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\s3google@translator.xpi [2018-10-10]
FF Extension: (Saved Passwords Button) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\savedpasswords@adamfranco.com.xpi [2016-04-27] [Legacy]
FF Extension: (Show/Hide passwords) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\shpassword@shpassword.fr.xpi [2017-12-13]
FF Extension: (Smart Refresh Button) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\smart-refresh@taha.my.xpi [2016-04-29] [Legacy]
FF Extension: (NoScript) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2019-02-06] [Legacy]
FF Extension: (Adblock Plus - free ad blocker) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2019-01-23]
FF Extension: (McAfee Security Scan Plus) - C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2016-09-01] [Legacy]
FF SearchPlugin: C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\searchplugins\firefox-add-ons.xml [2015-09-14]
FF SearchPlugin: C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\lcf7fyzj.default-1442237503116\searchplugins\oxforddictionary.xml [2015-09-14]
FF ProfilePath: C:\Users\John\AppData\Roaming\CLIQZ\Profiles\9bm28xhk.default [2017-05-15]
FF Extension: (No Name) - C:\Program Files (x86)\CLIQZ\browser\features\https-everywhere@cliqz.com.xpi [not found]
FF Extension: (Skype) - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-01-06] [Legacy]
FF HKLM\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\WebAdvisor\e10ssaffplg.xpi
FF Extension: (McAfee® WebAdvisor) - C:\Program Files\McAfee\WebAdvisor\e10ssaffplg.xpi [2019-02-04]
FF HKLM-x32\...\Firefox\Extensions: [FFSodaPDFConverter2012@sodapdf.com] - C:\Program Files (x86)\Soda PDF 2012\FFSodaExt2012
FF Extension: (Soda PDF 2012 Converter For Firefox) - C:\Program Files (x86)\Soda PDF 2012\FFSodaExt2012 [2012-06-08] [Legacy] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{4ED1F68A-5463-4931-9384-8FFF5ED91D92}] - C:\Program Files\McAfee\WebAdvisor\e10ssaffplg.xpi
FF HKU\S-1-5-21-4109210211-571196965-2683950656-1001\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_32_0_0_114.dll [2019-01-13] ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2018-07-03] (Tracker Software Products (Canada) Ltd.)
FF Plugin: @java.com/DTPlugin,version=13.0.2.0 -> C:\Program Files\Java\jre-10.0.2\bin\dtplugin\npDeployJava1.dll [2018-07-25] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=13.0.2.0 -> C:\Program Files\Java\jre-10.0.2\bin\plugin2\npjp2.dll [2018-07-25] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] ( Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2018-07-03] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_32_0_0_114.dll [2019-01-13] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1234204.dll [2018-06-06] (Adobe Systems, Inc.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll [2017-11-21] (DivX, LLC)
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2018-07-03] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-03-30] (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\npctrl.dll [2018-10-23] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2017-01-20] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2017-01-20] (NVIDIA Corporation)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2018-07-03] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2018-12-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-4109210211-571196965-2683950656-1001: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2018-07-03] (Tracker Software Products (Canada) Ltd.)
StartMenuInternet: FIREFOX.EXE - C:\Users\John\AppData\Local\Mozilla Firefox\firefox.exe

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [bopakagnckmlgajfccecajhnimjiiedh] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AGMService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGMService.exe [2917864 2018-12-13] (Adobe Systems Incorporated -> Adobe Systems, Incorporated)
R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2709480 2018-12-13] (Adobe Systems Incorporated -> Adobe Systems, Incorporated)
R2 CybereasonRansomFree; C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFreeServiceHost.exe [13824 2017-11-20] (Cybereason) [File not signed]
S3 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [6347056 2018-09-19] (Malwarebytes Corporation -> Malwarebytes)
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [665824 2018-08-04] (McAfee, Inc. -> McAfee, Inc.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.11.895\McCHSvc.exe [405392 2018-12-11] (McAfee, Inc. -> McAfee, Inc.)
R2 mfevtp; C:\Windows\system32\mfevtps.exe [250672 2015-04-18] (McAfee, Inc. -> McAfee, Inc.)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
R2 NvContainerLocalSystem; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [519240 2018-01-24] (NVIDIA Corporation -> NVIDIA Corporation)
S3 NvContainerNetworkService; C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe [519240 2018-01-24] (NVIDIA Corporation -> NVIDIA Corporation)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3892256 2018-04-20] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [3943664 2018-04-20] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [233712 2018-02-06] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
S3 Soda PDF 2012 Helper Service; C:\Program Files (x86)\Soda PDF 2012\HelperService.exe [705880 2012-04-17] (LULU software -> LULU Software)
R2 Soda PDF 2012 Service; C:\Program Files (x86)\Soda PDF 2012\ConversionService.exe [723288 2012-04-17] (LULU software -> LULU Software)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Windows -> Microsoft Corporation)
R2 NVDisplay.ContainerLocalSystem; "C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe" -s NVDisplay.ContainerLocalSystem -f "C:\ProgramData\NVIDIA\NVDisplay.ContainerLocalSystem.log" -l 3 -d "C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem" -r -p 30000
R2 NvTelemetryContainer; "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\NvTelemetryContainer.exe" -s NvTelemetryContainer -f "C:\ProgramData\NVIDIA\NvTelemetryContainer.log" -l 3 -d "C:\Program Files (x86)\NVIDIA Corporation\NvTelemetry\plugins" -r

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ahcix64; C:\Windows\system32\drivers\ahcix64.sys [226312 2009-07-01] (Promise Technology -> Advanced Micro Devices, Inc)
R0 ahcix64s; C:\Windows\System32\drivers\ahcix64s.sys [226616 2009-07-07] (Advanced Micro Devices, Inc. -> Advanced Micro Devices, Inc)
R0 amd_sata; C:\Windows\System32\drivers\amd_sata.sys [77952 2010-11-11] (Advanced Micro Devices, Inc. -> Advanced Micro Devices)
R0 amd_xata; C:\Windows\System32\drivers\amd_xata.sys [37504 2010-11-11] (Advanced Micro Devices, Inc. -> Advanced Micro Devices)
R3 asmthub3; C:\Windows\System32\DRIVERS\asmthub3.sys [126952 2011-02-24] (MCCI Internal Testing Software -> ASMedia Technology Inc)
R3 asmtxhci; C:\Windows\System32\DRIVERS\asmtxhci.sys [389608 2011-02-24] (MCCI Internal Testing Software -> ASMedia Technology Inc)
R0 AtiPcie; C:\Windows\System32\drivers\AtiPcie.sys [16440 2009-05-05] (Advanced Micro Devices, Inc. -> Advanced Micro Devices Inc.)
S3 Cardex; C:\Windows\SysWOW64\drivers\TBPANELX64.SYS [15648 2007-03-16] (PALIT MICROSYSTEMS,INC. -> Windows (R) Server 2003 DDK provider)
R1 HWiNFO32; C:\Windows\system32\drivers\HWiNFO64A.SYS [27552 2017-05-17] (Martin Malik - REALiX -> REALiX(tm))
S3 MBAMSwissArmy; C:\Windows\System32\Drivers\mbamswissarmy.sys [260480 2019-02-03] (Malwarebytes Corporation -> Malwarebytes)
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [864072 2015-04-18] (McAfee, Inc. -> McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [106120 2015-04-18] (McAfee, Inc. -> McAfee, Inc.)
R3 mfesapsn; C:\Program Files\McAfee\WebAdvisor\mfesapsn.sys [111976 2018-08-04] (McAfee, Inc. -> McAfee, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation -> Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation -> Microsoft Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [30280 2018-01-24] (NVIDIA Corporation -> NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [59240 2018-01-24] (NVIDIA Corporation -> NVIDIA Corporation)
R3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [57792 2017-12-16] (NVIDIA Corporation -> NVIDIA Corporation)
S1 PCLEPCI; C:\Windows\SysWOW64\drivers\pclepci.sys [14165 2004-07-16] (Pinnacle Systems GmbH) [File not signed]
R1 RegHiveRecovery; C:\Windows\system32\drivers\RegHiveRecovery.sys [48304 2014-02-20] (Microsoft Corporation -> Microsoft Corporation)
S3 RTLE8023x64; C:\Windows\System32\DRIVERS\Rtenic64.sys [335464 2011-01-14] (Realtek Semiconductor Corp -> Realtek Semiconductor Corporation )
R2 speedfan; C:\Windows\SysWOW64\speedfan.sys [28664 2012-12-29] (SOKNO S.R.L. -> Almico Software)
S3 TBPanel; no ImagePath
U5 UnlockerDriver5; C:\Program Files\Unlocker\UnlockerDriver5.sys [12352 2010-07-01] (Empty Loop -> )
R3 usbfilter; C:\Windows\System32\DRIVERS\usbfilter.sys [47232 2010-12-16] (Advanced Micro Devices, Inc. -> Advanced Micro Devices)
S3 WIMMount; C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\wimmount.sys [40552 2013-08-22] (Microsoft Corporation -> Microsoft Corporation)
S3 SIWIO; \??\C:\Windows\TEMP\SiwIo.sys [X]
S3 uxddrv; \??\C:\pcspro\fscommand\uxddrv64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One month (created) ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2019-02-11 20:03 - 2019-02-11 20:06 - 000026437 _ C:\Users\John\Desktop\FRST.txt
2019-02-11 20:02 - 2019-02-11 20:02 - 002434048 _ (Farbar) C:\Users\John\Desktop\FRST64.exe
2019-02-11 19:55 - 2019-02-11 19:55 - 000517511 ____N C:\Users\Ac5yn\trafficeducate.xlsx
2019-02-11 19:55 - 2019-02-11 19:55 - 000513561 ____N C:\Users\Vwna\extraordinary_cover.xlsx
2019-02-11 19:55 - 2019-02-11 19:55 - 000232592 ____N C:\Users\Vwna\personality-cuts-subject-enforcement.mdb
2019-02-11 19:55 - 2019-02-11 19:55 - 000202198 ____N C:\Users\Ac5yn\mutual.mouth.tennessee.ordinary.mdb
2019-02-11 19:55 - 2019-02-11 19:55 - 000077711 ____N C:\Users\Vwna\transmit_author_affect_contribution.xls
2019-02-11 19:55 - 2019-02-11 19:55 - 000070613 ____N C:\Users\Ac5yn\thunder-paul-combat-meanwhile.xls
2019-02-11 19:55 - 2019-02-11 19:55 - 000055952 ____N C:\Users\Ac5yn\raiseyoung.pem
2019-02-11 19:55 - 2019-02-11 19:55 - 000052510 ____N C:\Users\Vwna\bridges.spontaneous.roughly.pem
2019-02-11 19:55 - 2019-02-11 19:55 - 000042338 ____N C:\Users\Vwna\gained.lean.roof.heredity.txt
2019-02-11 19:55 - 2019-02-11 19:55 - 000026836 ____N C:\Users\Ac5yn\submarines follow write satisfactory.txt
2019-02-11 19:55 - 2019-02-11 19:55 - 000014047 ____N C:\Users\Ac5yn\ringclothedefinite.sql
2019-02-11 19:55 - 2019-02-11 19:55 - 000013646 ____N C:\Users\Vwna\retirement-wagner-graduate.sql
2019-02-11 19:55 - 2019-02-11 19:55 - 000000000 __SHD C:\Users\John\Desktop\0K, this directory is for Ransomware detection (just leave it here)
2019-02-11 19:55 - 2019-02-11 19:55 - 000000000 ___HD C:\Users\Vwna
2019-02-11 19:55 - 2019-02-11 19:55 - 000000000 ___HD C:\Users\John\Documents\Xresources148
2019-02-11 19:55 - 2019-02-11 19:55 - 000000000 ___HD C:\Users\John\Documents\Abstores141
2019-02-11 19:55 - 2019-02-11 19:55 - 000000000 ___HD C:\Users\Ac5yn
2019-02-11 19:55 - 2019-02-11 19:55 - 000000000 ____D C:\Xversions131
2019-02-11 19:55 - 2019-02-11 19:55 - 000000000 ____D C:\abprogram56
2019-02-11 19:54 - 2019-02-11 19:54 - 000393840 _ C:\Windows\Minidump\021119-14227-01.dmp
2019-02-11 14:36 - 2019-02-11 14:36 - 000001367 _ C:\Users\John\Desktop\Scan.txt
2019-02-11 13:45 - 2019-02-11 19:54 - 529493595 _ C:\Windows\MEMORY.DMP
2019-02-11 12:34 - 2019-02-11 12:34 - 000000141 _ C:\Users\John\Desktop\PUM.txt
2019-02-10 13:56 - 2019-02-10 13:57 - 007151634 _____ C:\Users\John\Desktop\Easy Guide to Erase PUM.Optional.NoDrives from PC - Easy Virus Kiling.pdf
2019-02-08 11:18 - 2019-02-08 11:22 - 000000178 _____ C:\Users\John\Desktop\Eon.txt
2019-02-03 10:19 - 2019-02-03 10:19 - 000260480 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamswissarmy.sys
2019-02-02 14:35 - 2019-02-02 14:35 - 002958923 _____ C:\Users\John\Desktop\Memory.pdf
2019-01-27 11:41 - 2015-05-29 07:43 - 000307352 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2019-01-19 15:45 - 2019-01-11 00:49 - 000154856 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2019-01-19 15:45 - 2019-01-11 00:49 - 000095464 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2019-01-19 15:45 - 2019-01-11 00:47 - 000135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2019-01-19 15:45 - 2019-01-11 00:47 - 000028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2019-01-19 15:45 - 2019-01-11 00:47 - 000028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2019-01-19 15:45 - 2019-01-11 00:46 - 001472512 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2019-01-19 15:45 - 2019-01-11 00:34 - 000096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2019-01-19 15:45 - 2019-01-11 00:34 - 000022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2019-01-19 15:45 - 2019-01-11 00:15 - 000030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2019-01-19 15:45 - 2018-12-28 19:59 - 002072576 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2019-01-19 15:45 - 2018-12-28 19:59 - 000876032 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2019-01-19 15:45 - 2018-12-28 19:59 - 000516608 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll
2019-01-19 15:45 - 2018-12-28 19:59 - 000026112 _____ (Microsoft Corporation) C:\Windows\system32\oleres.dll
2019-01-19 15:45 - 2018-12-28 19:59 - 000008704 _____ (Microsoft Corporation) C:\Windows\system32\comcat.dll
2019-01-19 15:45 - 2018-12-28 19:48 - 001425920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2019-01-19 15:45 - 2018-12-28 19:48 - 000582144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2019-01-19 15:45 - 2018-12-28 19:48 - 000026112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleres.dll
2019-01-19 15:45 - 2018-12-28 19:32 - 000007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comcat.dll
2019-01-19 15:45 - 2018-12-04 16:07 - 000194048 _____ (Microsoft Corporation) C:\Windows\system32\itircl.dll
2019-01-19 15:45 - 2018-12-04 16:07 - 000170496 _____ (Microsoft Corporation) C:\Windows\system32\itss.dll
2019-01-19 15:45 - 2018-12-04 15:55 - 000158720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itircl.dll
2019-01-19 15:45 - 2018-12-04 15:55 - 000142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\itss.dll
2019-01-19 15:45 - 2018-12-02 16:06 - 000687616 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000998480 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000918408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000066000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000063936 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000021968 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000020944 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000019408 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000018880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000017872 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000017856 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000017360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000017352 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000016336 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000015824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000015808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000015296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000014312 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000014272 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000013768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000013760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000013760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000013264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012752 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012736 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012240 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012240 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012232 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000012024 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011752 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011728 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-2-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011512 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l2-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-timezone-l1-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l2-1-0.dll
2019-01-19 15:45 - 2018-10-12 13:05 - 000011200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-2-0.dll

==================== One month (modified) ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2019-02-12 03:53 - 2018-12-16 10:11 - 000000000 ____D C:\ProgramData\McAfee Security Scan
2019-02-12 03:53 - 2013-12-10 19:57 - 000000000 ____D C:\Users\UpdatusUser.John-PC
2019-02-12 03:53 - 2012-04-07 10:16 - 000000000 ____D C:\Users\UpdatusUser
2019-02-12 03:53 - 2012-02-05 13:19 - 000000000 ____D C:\Users\Administrator.John-PC
2019-02-12 03:53 - 2009-07-14 03:20 - 000000000 ____D C:\Windows\registration
2019-02-12 03:53 - 2009-07-14 03:20 - 000000000 ____D C:\Windows\inf
2019-02-11 21:44 - 2013-03-02 09:58 - 000000000 ____D C:\ProgramData\Licenses
2019-02-11 21:44 - 2013-02-09 15:09 - 000000000 ____D C:\Users\John\Desktop\SmartDeblur photos
2019-02-11 21:44 - 2012-11-18 15:37 - 000000000 ____D C:\Users\John\Desktop\Misc Docs
2019-02-11 21:44 - 2012-01-30 16:10 - 000000000 ____D C:\ProgramData\Spybot - Search & Destroy
2019-02-11 21:44 - 2009-07-14 03:20 - 000000000 ____D C:\Windows\SysWOW64\GroupPolicy
2019-02-11 20:05 - 2009-07-14 04:45 - 000031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2019-02-11 20:05 - 2009-07-14 04:45 - 000031904 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2019-02-11 20:03 - 2018-11-20 16:31 - 000000000 ____D C:\FRST
2019-02-11 19:56 - 2013-07-04 14:18 - 000000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2019-02-11 19:56 - 2012-01-24 10:58 - 000000000 ____D C:\ProgramData\NVIDIA
2019-02-11 19:54 - 2012-05-12 16:22 - 000000000 ____D C:\Windows\Minidump
2019-02-11 19:54 - 2012-01-27 14:40 - 000000000 ____D C:\Users\John
2019-02-11 19:54 - 2009-07-14 05:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2019-02-11 13:57 - 2012-02-03 20:24 - 000000000 ____D C:\Windows\SysWOW64\Macromed
2019-02-11 11:54 - 2016-02-29 11:48 - 000000000 ____D C:\Users\John\AppData\Roaming\MoneyManagerEx
2019-02-11 11:53 - 2012-01-30 14:12 - 000000000 ____D C:\Users\John\Documents\Accounts
2019-02-10 16:23 - 2016-01-26 10:15 - 000000010 _____ C:\Users\John\AppData\Local\sponge.last.runtime.cache
2019-02-10 10:55 - 2012-01-30 16:05 - 000000000 ____D C:\ProgramData\TEMP
2019-02-09 15:00 - 2012-02-05 12:16 - 000035686 _____ C:\Users\John\AppData\Roaming\wklnhst.dat
2019-02-08 14:09 - 2017-10-25 09:23 - 000004128 _____ C:\Windows\System32\Tasks\CCleaner Update
2019-02-08 11:16 - 2012-02-03 12:16 - 000040924 __RSH C:\ProgramData\ntuser.pol
2019-02-07 14:43 - 2016-09-06 13:12 - 000000000 ____D C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2019-02-07 10:28 - 2012-05-07 10:27 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2019-02-07 10:28 - 2012-01-30 14:25 - 000000000 ____D C:\Program Files\CCleaner
2019-02-06 14:06 - 2016-12-13 21:07 - 000000000 ____D C:\Users\John\AppData\Local\Mozilla Firefox
2019-02-06 14:06 - 2015-12-23 14:38 - 000001234 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2019-02-06 13:55 - 2016-12-13 21:08 - 000000000 ____D C:\Users\John\AppData\LocalLow\Mozilla
2019-02-03 10:19 - 2012-02-13 11:22 - 000000000 ____D C:\Program Files (x86)\SpywareBlaster
2019-02-01 14:30 - 2012-02-20 15:56 - 000000000 ____D C:\Users\John\Documents\Ccleaner Registry Backups
2019-01-27 12:04 - 2012-11-09 10:50 - 002114802 _____ C:\Users\John\AppData\Local\census.cache
2019-01-27 12:04 - 2012-11-09 10:50 - 000136545 _____ C:\Users\John\AppData\Local\ars.cache
2019-01-27 10:27 - 2009-07-14 02:34 - 000455054 ____R C:\Windows\system32\Drivers\etc\hosts.20190203-102054.backup
2019-01-26 15:21 - 2012-06-29 13:08 - 000000082 _____ C:\Windows\MPLAYER.INI
2019-01-26 15:21 - 2009-07-14 02:34 - 000000434 _____ C:\Windows\win.ini
2019-01-26 13:53 - 2009-07-14 02:34 - 000455054 ____R C:\Windows\system32\Drivers\etc\hosts.20190127-102718.backup
2019-01-20 11:01 - 2009-07-14 02:34 - 000455054 ____R C:\Windows\system32\Drivers\etc\hosts.20190126-135311.backup
2019-01-17 11:23 - 2012-05-09 13:26 - 000000000 ____D C:\Program Files\Microsoft Silverlight
2019-01-17 11:23 - 2012-05-09 13:26 - 000000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2019-01-17 11:19 - 2012-01-27 15:38 - 000767492 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2019-01-17 11:19 - 2009-07-14 05:13 - 000767492 _____ C:\Windows\system32\PerfStringBackup.INI
2019-01-17 11:14 - 2012-05-09 13:26 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2019-01-17 11:08 - 2014-09-01 12:47 - 000000000 ____D C:\ProgramData\Oracle
2019-01-13 11:04 - 2018-05-13 09:47 - 000004458 _____ C:\Windows\System32\Tasks\Adobe Flash Player NPAPI Notifier
2019-01-13 11:04 - 2014-09-01 15:54 - 000000000 ____D C:\Users\John\AppData\Local\Adobe
2019-01-13 11:04 - 2012-04-03 08:42 - 000842240 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2019-01-13 11:04 - 2012-04-03 08:42 - 000000000 ____D C:\Windows\system32\Macromed
2019-01-13 11:04 - 2012-02-13 11:38 - 000175104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2019-01-13 11:03 - 2009-07-14 02:34 - 000455054 ____R C:\Windows\system32\Drivers\etc\hosts.20190120-110151.backup
2019-01-12 12:09 - 2015-06-05 13:55 - 000001062 _____ C:\Users\Public\Desktop\PDF-Viewer.lnk
2019-01-12 11:26 - 2009-07-14 02:34 - 000455054 ____R C:\Windows\system32\Drivers\etc\hosts.20190113-110316.backup

==================== Files in the root of some directories =======

2015-05-29 10:26 - 2015-05-29 10:26 - 000000089 _____ () C:\Users\John\IP_Log_Data.js
2015-01-03 12:07 - 2017-09-06 15:04 - 000009034 _____ () C:\Users\John\AppData\Roaming\.freeciv-client-rc-2.4
2015-05-29 10:21 - 2017-05-17 14:51 - 000000772 _____ () C:\Users\John\AppData\Roaming\Network Meter_Settings.ini
2015-05-29 10:30 - 2017-05-17 14:52 - 000000019 _____ () C:\Users\John\AppData\Roaming\Network Meter_Usage.ini
2012-02-05 12:16 - 2019-02-09 15:00 - 000035686 _____ () C:\Users\John\AppData\Roaming\wklnhst.dat
2012-11-09 10:50 - 2019-01-27 12:04 - 000136545 _____ () C:\Users\John\AppData\Local\ars.cache
2012-11-09 10:50 - 2019-01-27 12:04 - 002114802 _____ () C:\Users\John\AppData\Local\census.cache
2013-08-23 16:33 - 2013-08-23 16:33 - 000003584 _____ () C:\Users\John\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-11-09 10:43 - 2012-11-09 10:43 - 000000036 _____ () C:\Users\John\AppData\Local\housecall.guid.cache
2018-11-26 13:56 - 2018-11-26 13:56 - 000000000 _____ () C:\Users\John\AppData\Local\oobelibMkey.log
2012-02-10 10:24 - 2018-07-04 15:29 - 000007598 _____ () C:\Users\John\AppData\Local\resmon.resmoncfg
2016-01-26 10:15 - 2019-02-10 16:23 - 000000010 _____ () C:\Users\John\AppData\Local\sponge.last.runtime.cache
2017-11-15 13:42 - 2017-11-15 13:42 - 000000000 _____ () C:\Users\John\AppData\Local\{4B77A666-D5F0-48E3-BA05-84538B4E567B}

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\dllhost.exe => File is digitally signed
C:\Windows\SysWOW64\dllhost.exe => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2019-01-08 15:48

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 10.02.2019 01
Ran by John (11-02-2019 20:07:04)
Running from C:\Users\John\Desktop
Windows 7 Professional Service Pack 1 (X64) (2012-01-27 14:40:00)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-4109210211-571196965-2683950656-500 - Administrator - Disabled) => C:\Users\Administrator.John-PC
Guest (S-1-5-21-4109210211-571196965-2683950656-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4109210211-571196965-2683950656-1006 - Limited - Enabled)
John (S-1-5-21-4109210211-571196965-2683950656-1001 - Administrator - Enabled) => C:\Users\John

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Spybot - Search and Destroy (Disabled - Out of date) {4C1D9672-63FE-5C90-371E-8FDA591C5B75}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 18.06 (x64) (HKLM\...\7-Zip) (Version: 18.06 - Igor Pavlov)
ABBYY FineReader 6.0 Sprint (HKLM-x32\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1395.4512 - ABBYY Software House)
Acronis True Image Home 2012 (HKLM-x32\...\{DE9DDE76-B62E-49E9-B41F-510F83D7706D}) (Version: 15.0.7133 - Acronis) Hidden
Acronis True Image Home 2012 (HKLM-x32\...\{DE9DDE76-B62E-49E9-B41F-510F83D7706D}Visible) (Version: 15.0.7133 - Acronis)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 19.010.20069 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 32.0.0.89 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 32 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 32.0.0.114 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.3 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.3.4.204 - Adobe Systems, Inc.)
Ansel (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Ansel) (Version: 378.49 - NVIDIA Corporation) Hidden
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Ashampoo Burning Studio 9.21 (HKLM-x32\...\Ashampoo Burning Studio 9_is1) (Version: 9.2.1 - ashampoo GmbH & Co. KG)
Ashampoo Home Designer Pro v.1.0.1 (HKLM-x32\...\{4D1A0101-17A2-4fca-9119-4734EDBDA12D}_is1) (Version: 1.0.1 - Creative Amadeo GmbH)
Ashampoo Photo Commander 8.0.0 (HKLM-x32\...\Ashampoo Photo Commander 8_is1) (Version: 8.0.0 - ashampoo GmbH & Co. KG)
Ashampoo Photo Commander 9 v.9.4.2 (HKLM-x32\...\Ashampoo Photo Commander 9_is1) (Version: 9.4.2 - Ashampoo GmbH & Co. KG)
Ashampoo Photo Optimizer 3.10 (HKLM-x32\...\Ashampoo Photo Optimizer 3_is1) (Version: 3.1.0 - ashampoo GmbH & Co. KG)
Ashampoo Slideshow Studio 2012 v.1.0.2 (HKLM-x32\...\Ashampoo Slideshow Studio 2012_is1) (Version: 1.0.2 - Ashampoo GmbH & Co. KG)
Asmedia ASM104x USB 3.0 Host Controller Driver (HKLM-x32\...\{E4FB0B39-C991-4EE7-95DD-1A1A7857D33D}) (Version: 1.10.0.0 - Asmedia Technology)
Assessments on Client (HKLM-x32\...\{C1C83898-5A60-AE9D-A3AB-7534375CA453}) (Version: 8.100.26629 - Microsoft) Hidden
ATI Catalyst Install Manager (HKLM\...\{AB7F4312-8037-4EBF-9D0F-5513CDFD534C}) (Version: 3.0.812.0 - ATI Technologies, Inc.)
Bing Desktop (HKLM-x32\...\{7D095455-D971-4D4C-9EFD-9AF6A6584F3A}) (Version: 1.1.165.0 - Microsoft Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 5.52 - Piriform)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CPUID CPU-Z 1.83 (HKLM\...\CPUID CPU-Z_is1) (Version: 1.83 - CPUID, Inc.)
CrystalDiskInfo 7.5.1 (HKLM-x32\...\CrystalDiskInfo_is1) (Version: 7.5.1 - Crystal Dew World)
Cybereason RansomFree 2.4.2.0 (HKLM-x32\...\{2A15E1FB-A1F5-4F11-B033-D8DB1E37C1E9}) (Version: 2.4.2.0 - Cybereason Inc.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
Data Lifeguard Diagnostic for Windows 1.31 (HKLM-x32\...\{519C4DB6-B53B-4F5C-8297-89B2BE949FA5}_is1) (Version: - Western Digital Corporation)
DirectX for Managed Code Update (Summer 2004) (HKLM-x32\...\{E9E34215-82EF-4909-BE2F-F581F0DC9062}) (Version: 9.02.2904 - Microsoft) Hidden
DisplayDriverAnalyzer (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_DisplayDriverAnalyzer) (Version: 390.77 - NVIDIA Corporation) Hidden
DivX Setup (HKLM\...\DivX Setup) (Version: 10.8.7.0 - DivX, LLC)
DVD Shrink 3.2 (HKLM-x32\...\DVD Shrink_is1) (Version: - DVD Shrink)
EPSON Attach To Email (HKLM-x32\...\{20C45B32-5AB6-46A4-94EF-58950CAF05E5}) (Version: 1.01.0000 - SEIKO EPSON) Hidden
EPSON Attach To Email (HKLM-x32\...\InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}) (Version: 1.01.0000 - SEIKO EPSON)
EPSON Copy Utility 3 (HKLM-x32\...\{67EDD823-135A-4D59-87BD-950616D6E857}) (Version: 3.3.0.0 - )
Epson Copy Utility 4 (HKLM-x32\...\{06A7E8AB-2856-4490-BAA9-F338ABE7695A}) (Version: 4.01.0001 - Seiko Epson Corporation)
EPSON CopyFactory (HKLM-x32\...\{52B4C42B-A110-4236-95C8-AA4B137C16AC}) (Version: 4.7.0.0 - Seiko Epson Corporation)
EPSON Event Manager (HKLM-x32\...\{48F22622-1CC2-4A83-9C1E-644DD96F832D}) (Version: 1.80.00 - )
EPSON File Manager (HKLM-x32\...\{2EB81825-E9EE-44F4-8F51-1240C3898DC6}) (Version: 1.3.0.0 - )
EPSON PERFECTION V500 PHOTO Manual (HKLM-x32\...\EPSON PERFECTION V500 PHOTO User’s Guide) (Version: - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version: - Seiko Epson Corporation)
EPSON Scan Assistant (HKLM-x32\...\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}) (Version: 1.11.00 - )
Epson Software Updater (HKLM-x32\...\{B55DB65D-EF6E-4E04-89D5-B03603BF681B}) (Version: 4.4.5 - SEIKO EPSON CORPORATION)
EPUB File Reader (HKLM-x32\...\{818C5857-5C74-4CAC-9F43-E5597086852D}_is1) (Version: - )
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version: - )
Family Tree Maker 2006 (HKLM-x32\...\{F2F4C144-7D1A-47C4-9D53-395A57B0CD64}) (Version: - )
FileHippo App Manager (HKLM-x32\...\FileHippo.com) (Version: - FileHippo.com)
Freeciv 2.4.4 (SDL client) (HKLM-x32\...\Freeciv-2.4.4-sdl) (Version: - )
Google Earth (HKLM-x32\...\{1A295C25-6E02-49FB-826B-F0D2C56FFA4E}) (Version: 7.1.4.1529 - Google)
HijackThis 2.0.2 (HKLM-x32\...\HijackThis) (Version: 2.0.2 - TrendMicro)
HWiNFO64 Version 5.50 (HKLM\...\HWiNFO64_is1) (Version: 5.50 - Martin Malík - REALiX)
Java 10.0.2 (64-bit) (HKLM\...\{EECB2736-D013-5AC5-9917-7656712F6931}) (Version: 10.0.2.0 - Oracle Corporation)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.62.0 - JMicron Technology Corp.)
Junk Mail filter update (HKLM-x32\...\{0BE9E708-5DC0-4963-9CFD-0AA519090E79}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Kits Configuration Installer (HKLM-x32\...\{B74E65FD-CC47-41C5-4B89-791A3F61942D}) (Version: 8.100.25984 - Microsoft) Hidden
Malwarebytes version 3.6.1.2711 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.6.1.2711 - Malwarebytes)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.11.895.1 - McAfee, Inc.)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.8.21000 - McAfee, Inc.)
Microsoft .NET Framework 4.7.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.7.03062 - Microsoft Corporation)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft AutoRoute 2005 (HKLM-x32\...\{67E4EE98-59F4-4220-89A6-A20AF5BEC689}) (Version: 12.00.07.1200 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-4109210211-571196965-2683950656-1001\...\OneDriveSetup.exe) (Version: 17.0.4035.0328 - Microsoft Corporation)
Microsoft Photo Premium 10 (HKLM-x32\...\PictureItPrem_v10) (Version: 10.0.0707 - Microsoft Corporation)
Microsoft PowerPoint Viewer (HKLM-x32\...\{95140000-00AF-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50918.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.23026 (HKLM-x32\...\{e46eca4f-393b-40df-9f49-076faf788d83}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.23026 (HKLM-x32\...\{74d0e5db-b326-4dae-a6b2-445b9de1836e}) (Version: 14.0.23026.0 - Microsoft Corporation)
Microsoft Word 2002 (HKLM-x32\...\{911B0409-6000-11D3-8CFE-0050048383C9}) (Version: 10.0.6626.0 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}) (Version: 08.04.0623 - Microsoft Corporation)
Microsoft Works 2005 Setup Launcher (HKLM-x32\...\Works2005Setup) (Version: - )
Microsoft Works Suite Add-in for Microsoft Word (HKLM-x32\...\{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}) (Version: 8.0.0.0000 - Microsoft Corporation)
Microsoft_VC100_CRT_x64 (HKLM\...\{17106CA8-E65A-4D02-95BE-79AF8C698935}) (Version: 1.0.0 - Microsoft)
MoneyManagerEX 1.2.7 (HKLM\...\{2C48DC11-E113-4912-8AFC-366D1918101E}_is1) (Version: 1.2.7 - Money Manager EX)
Movie Maker (HKLM-x32\...\{38F03569-A636-4CF3-BDDE-032C8C251304}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Movie Maker (HKLM-x32\...\{DD67BE4B-7E62-4215-AFA3-F123A800A389}) (Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 56.0.1 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 56.0.1 (x86 en-GB)) (Version: 56.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 56.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyKeyFinder (HKLM-x32\...\MyKeyFinder_is1) (Version: 2012 - Abelssoft)
NVIDIA 3D Vision Controller Driver 369.04 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 369.04 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 378.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 378.49 - NVIDIA Corporation)
NVIDIA GeForce Experience 3.12.0.84 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 3.12.0.84 - NVIDIA Corporation)
NVIDIA Graphics Driver 378.49 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 378.49 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.21 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.17.0524 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.17.0524 - NVIDIA Corporation)
Oolite 1.84.0.6817-160719-1041323 (HKLM-x32\...\Oolite) (Version: - )
OpenOffice 4.1.2 Language Pack (English (United Kingdom)) (HKLM-x32\...\{F07DA5BB-8A1E-4F3E-B6B0-A4CBFF33E9C7}) (Version: 4.12.9782 - Apache Software Foundation)
OpenOffice 4.1.6 (HKLM-x32\...\{16E4FF6B-31E8-4037-B627-D87CF872E32B}) (Version: 4.16.9790 - Apache Software Foundation)
PDFTK Builder 3.5.3 (HKLM-x32\...\PDFTK Builder_is1) (Version: - )
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.322.9 - Tracker Software Products Ltd)
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6251 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.93 (HKLM-x32\...\Revo Uninstaller) (Version: 1.93 - VS Revo Group)
SIW version 2011.10.29 (HKLM-x32\...\{AB67580-257C-45FF-B8F4-C8C30682091A}_is1) (Version: 2011.10.29 - Topala Software Solutions)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Soda PDF 2012 (HKLM-x32\...\{686D24DF-5FB5-4F9F-A520-D642D0F37C65}) (Version: 2.1.2.4147 - LULU Software)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version: - )
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.7.64.0 - Safer-Networking Ltd.)
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
SSC Service Utility v4.30 (HKLM-x32\...\SSC Service Utility_is1) (Version: - SSC Localization Group)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TechPowerUp GPU-Z (HKLM-x32\...\TechPowerUp GPU-Z) (Version: - TechPowerUp)
Toolkit Documentation (HKLM-x32\...\{6C870B12-6FF2-68FC-8C3B-DD177BBF3F92}) (Version: 8.100.26629 - Microsoft) Hidden
Unlocker (HKLM\...\{5993C960-4E90-4A00-A2F3-D0C4020A6992}) (Version: 1.9.2 - ajua Custom Installers)
VC80CRTRedist - 8.0.50727.6195 (HKLM-x32\...\{933B4015-4618-4716-A828-5289FC03165F}) (Version: 1.2.0 - DivX, Inc) Hidden
Vtune 7.21 (HKLM-x32\...\MySSID_is1) (Version: - )
Vulkan Run Time Libraries 1.0.3.0 (HKLM\...\VulkanRT1.0.3.0) (Version: 1.0.3.0 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.37.0 (HKLM\...\VulkanRT1.0.37.0) (Version: 1.0.37.0 - LunarG, Inc.)
WD Drive Utilities (HKLM-x32\...\{2db219ff-e483-403b-9374-aea609abaf1d}) (Version: 1.4.3.13 - Western Digital Technologies, Inc.) Hidden
WD Drive Utilities (HKLM-x32\...\{546D15D7-D6AF-422B-B4E5-05AF20BA8573}) (Version: 1.4.3.13 - Western Digital Technologies, Inc.) Hidden
Windows Assessment and Deployment Kit for Windows 8.1 (HKLM-x32\...\{9277b0c4-2ca8-431b-b4e2-98daf4005ec0}) (Version: 8.100.26629 - Microsoft Corporation)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
Windows XP Mode (HKLM\...\{1374CC63-B520-4f3f-98E8-E9020BF01CFF}) (Version: 1.3.7600.16423 - Microsoft Corporation)
WMI Tools (HKLM-x32\...\{25A13826-8E4A-4FBF-AD2B-776447FE9646}) (Version: 1.50.1131.0001 - Microsoft Corporation)
Works Upgrade (HKLM-x32\...\{DE1AF137-C455-494A-A817-EFE44BCCFDEE}) (Version: 8.0.0.0000 - Microsoft Corporation) Hidden
WPT Redistributables (HKLM-x32\...\{64F3FB9A-9250-B2D6-00B4-50BE0358AEE8}) (Version: 8.100.26629 - Microsoft) Hidden
WPTx64 (HKLM-x32\...\{BFF81CB5-E8C7-4184-FBB4-74ADFBC6CCCB}) (Version: 8.100.26629 - Microsoft) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4109210211-571196965-2683950656-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\John\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4109210211-571196965-2683950656-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\John\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4109210211-571196965-2683950656-1001_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\John\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4109210211-571196965-2683950656-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\John\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll (Microsoft Corporation -> Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4109210211-571196965-2683950656-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\John\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\FileSyncApi64.dll (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-12-30] (Igor Pavlov)
ContextMenuHandlers1: [DivXShellExtensionItem] -> {48A8A3B0-57E8-4F2B-A49D-19E02B92377B} => C:\Program Files (x86)\Common Files\DivX Shared\DivXShellExtension64.dll [2018-10-09] (DivX, LLC -> DivX, LLC)
ContextMenuHandlers1: [DivXShellExtensionItem64] -> {6B49A276-0DBA-43F4-BC96-A841AD11B40B} => C:\Program Files (x86)\Common Files\DivX Shared\DivXShellExtension64.dll [2018-10-09] (DivX, LLC -> DivX, LLC)
ContextMenuHandlers1: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers1: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2018-03-23] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
ContextMenuHandlers1: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2018-03-23] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
ContextMenuHandlers1-x32: [SodaPDFExtension] -> {5477fca3-91ce-419b-82df-bc8b5f9dc6b7} => C:\Program Files (x86)\Soda PDF 2012\ContextMenuExt.dll [2012-04-17] (LULU software -> LULU Software)
ContextMenuHandlers1-x32: [VersionsPageShellExt] -> {9E42900A-85F9-4E67-9778-575FBBA0A81C} => C:\Program Files (x86)\Acronis\TrueImageHome\x64\versions_page.dll [2012-06-28] (Acronis, Inc -> Acronis)
ContextMenuHandlers2: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-09-19] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers4: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-12-30] (Igor Pavlov)
ContextMenuHandlers4: [EPP] -> {09A47860-11B0-4DA5-AFA5-26D86198A780} => c:\Program Files\Microsoft Security Client\shellext.dll [2016-11-14] (Microsoft Corporation -> Microsoft Corporation)
ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2017-01-20] (NVIDIA Corporation -> NVIDIA Corporation)
ContextMenuHandlers5-x32: [VtuneShlExt] -> {DF9B9092-B8A0-4505-9B00-CC64A0409C2F} => C:\Program Files (x86)\Vtune\TBPanelExt.dll [2007-01-31] ()
ContextMenuHandlers6: [7-Zip] -> {23170F69-40C1-278A-1000-000100020000} => C:\Program Files\7-Zip\7-zip.dll [2018-12-30] (Igor Pavlov)
ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll [2018-09-19] (Malwarebytes Corporation -> Malwarebytes)
ContextMenuHandlers6: [SDECon32] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2018-03-23] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
ContextMenuHandlers6: [SDECon64] -> {44176360-2BBF-4EC1-93CE-384B8681A0BC} => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDECon64.dll [2018-03-23] (Safer-Networking Ltd. -> Safer-Networking Ltd.)
ContextMenuHandlers6: [VersionsPageShellExt] -> {9E42900A-85F9-4E67-9778-575FBBA0A81C} => C:\Program Files (x86)\Acronis\TrueImageHome\x64\versions_page.dll [2012-06-28] (Acronis, Inc -> Acronis)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {04DBC878-C3D4-40C4-8168-ED456F2C1A2A} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe (Safer-Networking Ltd. -> Safer-Networking Ltd.)
Task: {053A5FEC-AD64-4C2B-8DEF-74448BF3E18E} - System32\Tasks\{7DF2A145-3792-4F6D-9094-5ACD3F063E26} => C:\Program Files (x86)\SpywareBlaster\spywareblaster.exe (BrightFort LLC -> )
Task: {07604005-3D08-4989-A44E-6D4AC3EF5475} - System32\Tasks\JavaUpdateSched => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe (Oracle America, Inc. -> Oracle Corporation)
Task: {1EE578D2-1557-4AB9-9FDB-1AA044A50FA5} - System32\Tasks\{5196F98B-212B-44A3-933C-9B8E324B627B} => "c:\program files (x86)\mozilla firefox\firefox.exe" hxxp://ui.skype.com/ui/0/7.3.0.101/en/go/help.faq.installer?source=lightinstaller&LastError=1618
Task: {25EF6E7A-CD84-4BB7-9AA0-0806156CD1F2} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems, Incorporated -> Adobe Systems Incorporated)
Task: {2754C02C-42B1-402E-B031-15B086CA549E} - System32\Tasks\Cybereason RansomFree Keepalive => C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe (Cybereason) [File not signed]
Task: {29E5300A-9507-46ED-A828-E67A569481F8} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => C:\Program Files\Microsoft Security Client\\MpCmdRun.exe (Microsoft Corporation -> Microsoft Corporation)
Task: {319F692C-C52E-4FBE-AEC7-FFBF8504E442} - System32\Tasks\{0B914A12-0C35-408C-A308-B2E8BB53E61D} => C:\Program Files (x86)\Acronis\Ransomware Protection\ARPTray.exe
Task: {3F6E7306-BCD3-4FA7-93DB-C16F077D40DD} - System32\Tasks\NvDriverUpdateCheckDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {45D84743-78AD-4B1B-ADCC-6F7C346BD259} - System32\Tasks\NvProfileUpdaterOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {461B9F1F-8287-4C38-8A87-C9B21B13784F} - System32\Tasks\{7EFAAAF1-C305-4441-B706-BF87A3429B48} => C:\Windows\system32\pcalua.exe -a "D:\MS Updates & Programs for W7\MS Word Compatibility Pack\Hotfix for MS Word Agent\MSagent.exe" -d "D:\MS Updates & Programs for W7\MS Word Compatibility Pack\Hotfix for MS Word Agent"
Task: {4DBC0B55-7537-4297-BC9A-DDD9EA8F6D5C} - System32\Tasks\{A288061F-6F66-45DE-AA99-1AF6CEAEFD78} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u71-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {5316AC41-5791-4A9E-BF13-F2BE6EDB50A2} - System32\Tasks\NvProfileUpdaterDaily_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files\NVIDIA Corporation\Update Core\NvProfileUpdater64.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {58AD8AFF-691D-4A66-A70D-81C41A12DDB7} - System32\Tasks\NvTmMon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmMon.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {593B1EAB-8DE2-4610-A364-D3E89B5398CD} - System32\Tasks\NVIDIA GeForce Experience SelfUpdate_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {5D3F10FF-904F-43E2-A85E-C7BB85917E4B} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe (Apple Inc. -> Apple Inc.)
Task: {661A4B46-4BB0-47F1-A144-B7DD13D3079B} - System32\Tasks\{1AED8F28-DFDB-4F66-8383-C6DA051696C9} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u73-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {78953973-B058-4942-A05C-301B4A3DC62E} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe (Safer-Networking Ltd. -> Safer-Networking Ltd.)
Task: {7EFA0A7A-5141-4AE9-BDE1-F8F336A68B35} - System32\Tasks\NvTmRepOnLogon_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {81B95B17-FACB-4DDF-9D77-1843052E9AFF} - System32\Tasks\{5D1702F8-C475-463B-A523-F89C07A6F61A} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u66-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {82CF9D36-D531-4E98-B201-2EEEDBE170F6} - System32\Tasks\{A7DEFE8E-8F2B-4C0E-A76E-1975D2A633DD} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u111-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {84985E17-00CD-44CB-878C-8E60F985701E} - System32\Tasks\Adobe Flash Player NPAPI Notifier => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_32_0_0_114_Plugin.exe (Adobe Systems Incorporated -> Adobe Systems Incorporated)
Task: {8E0554E8-9571-457B-BE9E-6F4B4F5F74EA} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe (Piriform Software Ltd -> Piriform Software Ltd)
Task: {96B95A6A-FFE8-4E52-9434-4F913FF5331F} - System32\Tasks\{3E28D8FB-A21D-4125-AB26-8EB6B8D49E28} => C:\Windows\system32\pcalua.exe -a C:\Users\John\Desktop\saSetup3.2.0.152_p4.exe -d C:\Users\John\Desktop
Task: {986D8727-609E-4D89-A657-9DF263D4149C} - System32\Tasks\TrackerAutoUpdate => C:\Program Files\Tracker Software\Update\TrackerUpdate.exe (Tracker Software Products (Canada) Ltd. -> Tracker Software Products (Canada) Ltd.)
Task: {B02AE4F2-2A1E-4A13-B926-369A21DBBA28} - System32\Tasks\{76F59026-B04B-430D-8064-AE432E532CF2} => C:\Windows\system32\pcalua.exe -a C:\HiJackThis\HiJackThis.exe -d C:\HiJackThis
Task: {B58D84A6-BDC6-4A54-89D0-1073F70F0B69} - System32\Tasks\{7461C74A-1F41-493A-B8A6-EEC0B27174C2} => C:\Windows\system32\pcalua.exe -a C:\Users\John\Desktop\AdobeAIRInstaller.exe -d C:\Users\John\Desktop
Task: {BC365AE4-CC02-42E7-BAD5-F86CB60AF098} - System32\Tasks\{21788A33-AD15-473C-9120-16CF0D3392DB} => C:\Windows\system32\pcalua.exe -a C:\Users\John\Desktop\jxpiinstall.exe -d C:\Users\John\Desktop
Task: {BF676745-4806-40FA-BC44-50D6033BAB0D} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe (Safer-Networking Ltd. -> Safer-Networking Ltd.)
Task: {C5C32CB8-9EEF-4E5C-8A0B-4E9B16D7DB2E} - System32\Tasks\NvTmRep_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvTmRep.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {CD1458EA-1834-484D-8782-DA808F94407D} - System32\Tasks\Cybereason RansomFree Autostart => C:\Program Files (x86)\Cybereason\RansomFree\CybereasonRansomFree.exe (Cybereason) [File not signed]
Task: {DDC16853-809B-4881-8919-D42CE2E4C278} - System32\Tasks\{6BA6849D-CB13-4C8C-87D8-02BD83AC8A86} => C:\Program Files (x86)\Acronis\Ransomware Protection\ARPTray.exe
Task: {EEC963A4-113D-4B41-ADDD-75E1139E89AE} - System32\Tasks\AdobeGCInvoker-1.0-John-PC-John => C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility.exe (Adobe Systems Incorporated -> Adobe Systems, Incorporated)
Task: {F06CC6F7-4DA7-47ED-98F6-AE4131516522} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
Task: {F1799F64-2F6F-4713-BC36-2D3F15991913} - System32\Tasks\NvNodeLauncher_{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8} => C:\Program Files (x86)\NVIDIA Corporation\NvNode\nvnodejslauncher.exe (NVIDIA Corporation -> NVIDIA Corporation)
Task: {FDF479ED-0641-4ADA-BE7E-3D75CDDB1535} - System32\Tasks\DivXUpdate => C:\Program Files (x86)\Common Files\DivX Shared\DivX Update\DivXUpdate.exe (DivX, LLC -> DivX, LLC)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\TrackerAutoUpdate.job => C:\Program Files\Tracker Software\Update\TrackerUpdate.exe-CheckUpdate(Tracker Software Products (Canada) Ltd.Kee

==================== Shortcuts & WMI ========================

(The entries could be listed to be restored or removed.)

WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
WMI:subscription\CommandLineEventConsumer->BVTConsumer::[CommandLineTemplate => cscript KernCap.vbs][WorkingDirectory => C:\\tools\\kernrate]

==================== Loaded Modules (Whitelisted) ==============

2018-01-19 10:57 - 2018-01-24 00:19 - 000544240 _ () C:\Program Files\NVIDIA Corporation\Display.NvContainer\plugins\LocalSystem\DisplayDriverAnalyzer\_DisplayDriverCrashAnalyzer64.dll
2017-08-26 12:46 - 2017-01-20 15:13 - 000134712 _ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2016-12-13 21:20 - 2018-01-24 00:19 - 001267272 _ () C:\Program Files\NVIDIA Corporation\NvContainer\libprotobuf.dll
2012-06-28 21:07 - 2012-06-28 21:07 - 012985824 _ () C:\Program Files (x86)\Acronis\TrueImageHome\Common\ti_managers.dll
2016-12-13 21:20 - 2018-01-24 00:19 - 001040456 _ () C:\Program Files (x86)\NVIDIA Corporation\NvContainer\libprotobuf.dll
2012-06-28 15:58 - 2012-06-28 15:58 - 000435584 _ () C:\Program Files (x86)\Acronis\TrueImageHome\Common\ulxmlrpcpp.dll
2014-03-31 20:35 - 2014-03-31 20:35 - 000270016 _ () C:\Program Files (x86)\Windows Live\Writer\en\WindowsLive.Writer.Localization.resources.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfetdi2k.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

There are 7945 more sites.

There are 12762 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 02:34 - 2019-02-03 10:20 - 000455054 ____R C:\Windows\system32\drivers\etc\hosts

There are 15615 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKLM\System\CurrentControlSet\Control\Session Manager\Environment\\Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\ProgramData\Oracle\Java\javapath;C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Program Files (x86)\Common Files\Acronis\SnapAPI\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Live\Shared;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files (x86)\NVIDIA Corporation\PhysX\Common;C:\Program Files (x86)\QuickTime\QTSystem\;%systemroot%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Acronis\TrueImageHome\
HKU\S-1-5-21-4109210211-571196965-2683950656-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\John\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

If an entry is included in the fixlist, it will be removed.

MSCONFIG\startupreg: Acronis Scheduler2 Service => "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: C: =>
MSCONFIG\startupreg: Dropbox => "C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" /systemstartup
MSCONFIG\startupreg: RealProtect => "C:\Program Files\McAfee\Real Protect\RealProtect.exe" --run

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [VirtualPC-In-UDP-1] => (Allow) %SystemRoot%\System32\vpc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [VirtualPC-In-UDP-2] => (Allow) %SystemRoot%\System32\vpc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [VirtualPC-In-TCP-1] => (Allow) %SystemRoot%\System32\vpc.exe (Microsoft Windows -> Microsoft Corporation)
FirewallRules: [{92C13FC1-0D9F-416F-A78F-8537C3749667}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe (Apple Inc. -> Apple Inc.)
FirewallRules: [{1A93BD63-CE97-430A-89AF-45A3913D9BA5}] => (Allow) C:\Users\John\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{1F7C1B01-B2F2-4847-8FCC-8D9C700E0D61}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{15FDC4F1-F3EA-4E03-A5F8-5F5CDE89E116}] => (Allow) LPort=2869
FirewallRules: [{F261F28F-0D38-4C02-B675-22C833C621B2}] => (Allow) LPort=1900
FirewallRules: [{297DD96A-03F6-49AF-84E6-3BA5B4A0DEAD}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation -> Microsoft Corporation)
FirewallRules: [{66CD0D7A-3537-44A2-B5DC-E204A6E1B0D1}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{35440E0B-4463-4F43-BBD0-48D536FDCE2D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [TCP Query User{53F4D688-562E-4313-9443-9972A261DAB7}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [UDP Query User{470D3782-D333-42B1-8DA4-F7F0503CBC17}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [TCP Query User{FD97BC3B-28E5-4740-8356-698119ADC76D}C:\program files\moneymanagerex\bin\mmex.exe] => (Allow) C:\program files\moneymanagerex\bin\mmex.exe (MoneyManagerEX)
FirewallRules: [UDP Query User{3C957582-3F01-49EC-A7D3-E05B6828E34F}C:\program files\moneymanagerex\bin\mmex.exe] => (Allow) C:\program files\moneymanagerex\bin\mmex.exe (MoneyManagerEX)
FirewallRules: [{2D6EEEC8-706F-4EC7-AFBD-241BBFC14ACE}] => (Block) C:\program files\moneymanagerex\bin\mmex.exe (MoneyManagerEX)
FirewallRules: [{33432F53-A2B7-43AD-98CB-062378F7C4CD}] => (Block) C:\program files\moneymanagerex\bin\mmex.exe (MoneyManagerEX)
FirewallRules: [{3D526032-CA82-4351-B825-83BD281287EF}] => (Allow) C:\Users\John\AppData\Local\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{5BFAF5DD-CD58-4045-BF94-461F7D050A2B}] => (Allow) C:\Users\John\AppData\Local\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{62CC9747-C666-47AB-BCC3-B871CCCABD70}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{AEA5739F-50CD-494A-A353-64D19F09EB62}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{9ADCCCBD-775E-4067-8CB0-08C861A25963}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{BBC07158-730A-4481-843D-223E449593AB}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{5680F208-F98F-4CD6-A697-FA43841611BA}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{8C84391B-6F01-4878-93EA-B2EF8A60E605}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [TCP Query User{58EAD6A0-9B4D-4626-A497-CC4136D43654}C:\users\john\appdata\local\mozilla firefox\firefox.exe] => (Block) C:\users\john\appdata\local\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [UDP Query User{A6FEBD27-6D10-4DD1-93AA-4C356951FC0B}C:\users\john\appdata\local\mozilla firefox\firefox.exe] => (Block) C:\users\john\appdata\local\mozilla firefox\firefox.exe (Mozilla Corporation -> Mozilla Corporation)
FirewallRules: [{8A6840CB-8F7A-4A66-968D-3CE48F888B20}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{C1767A4B-367A-41C0-BE8E-1CB527714CEF}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{59C21297-A2AA-4E01-8B6F-908295BD1AE0}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{9DE0D8B1-6180-4E86-939C-F43ACFFF3352}] => (Allow) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{A15A0D28-2244-4DBC-A50F-69309C16ADB2}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{79239BB8-015A-4D98-B8A6-C82E7E77FD0D}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe (NVIDIA Corporation -> NVIDIA Corporation)
FirewallRules: [{236C8672-6B76-486C-B497-2890D4739ED8}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [{F17D304B-DA7E-4966-9582-F8ED8BCF819E}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [{E769AD26-7CE2-4876-8506-82C0906E3824}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
FirewallRules: [{92A958A5-3822-4B06-9148-F8D3DDAC5C7E}] => (Allow) C:\Program Files\CCleaner\CCUpdate.exe (Piriform Software Ltd -> Piriform Software Ltd)
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

==================== Restore Points =========================

24-01-2019 11:42:49 Microsoft Antimalware Checkpoint
26-01-2019 11:24:47 Windows Update
29-01-2019 13:56:57 Windows Update
01-02-2019 14:10:42 Windows Update
04-02-2019 15:16:44 Windows Update
05-02-2019 19:31:15 Windows Update
08-02-2019 20:00:00 Windows Update
11-02-2019 13:58:40 Windows Update

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/11/2019 07:57:22 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/11/2019 03:29:03 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/11/2019 01:47:50 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/11/2019 11:51:51 AM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/11/2019 10:01:06 AM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/10/2019 05:50:35 PM) (Source: Microsoft-Windows-WMI) (EventID: 10) (User: NT AUTHORITY)
Description: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

Error: (02/10/2019 05:22:34 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program esetonlinescanner_enu.exe version 2.0.22.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1360

Start Time: 01d4c139df401357

Termination Time: 573

Application Path: C:\esetonlinescanner_enu.exe

Report Id:

Error: (02/10/2019 05:16:59 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 56.0.1.6484 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 770

Start Time: 01d4c15b32901167

Termination Time: 4042

Application Path: C:\Users\John\AppData\Local\Mozilla Firefox\firefox.exe

Report Id:


System errors:
=============
Error: (02/11/2019 07:57:26 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PCLEPCI

Error: (02/11/2019 07:54:27 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: The computer has rebooted from a bugcheck. The bugcheck was: 0x00000124 (0x0000000000000000, 0xfffffa8003e30028, 0x00000000b665c000, 0x0000000000000135). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 021119-14227-01.

Error: (02/11/2019 07:54:27 PM) (Source: Microsoft Antimalware) (EventID: 2004) (User: )
Description: Microsoft Antimalware has encountered an error trying to load signatures and will attempt reverting back to a known-good set of signatures.

Signatures Attempted: Current

Error Code: 0x80070002

Error description: The system cannot find the file specified.

Signature version: 0.0.0.0;0.0.0.0

Engine version: 0.0.0.0

Error: (02/11/2019 07:54:13 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\drivers\pclepci.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/11/2019 03:29:12 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
PCLEPCI

Error: (02/11/2019 03:28:44 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (02/11/2019 03:28:44 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (02/11/2019 03:26:57 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\SysWow64\drivers\pclepci.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.


CodeIntegrity:
===================================

Date: 2015-04-25 16:46:50.781
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2015-04-25 16:46:50.681
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-10-11 16:19:41.478
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-10-11 16:19:41.447
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-10-11 16:18:27.254
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-10-11 16:18:27.223
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-02-13 10:10:30.550
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2012-02-13 10:10:30.534
Description:
Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\Temp\SiwIo.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: AMD Phenom(tm) II X4 960T Processor
Percentage of memory in use: 92%
Total physical RAM: 3033.37 MB
Available physical RAM: 221.02 MB
Total Virtual: 6064.88 MB
Available Virtual: 2145.3 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:488.18 GB) (Free:219.89 GB) NTFS
Drive d: (Storage) (Fixed) (Total:443.23 GB) (Free:373.05 GB) NTFS

\\?\Volume{fc6ffd2c-48f3-11e1-890a-806e6f6e6963}\ (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: A5904070)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=488.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=443.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================
 
Hi, JohnDrew.

Thank you very much for pointing out the part of the instructions regarding checkup.txt. The instructions were edited some time ago to remove it but I managed to miss that line in the posting instructions -- which I have now taken care of thanks to your observation!

1. Adobe Flash Player for IE: Although IE is not your primary browser, it is still advisable to keep Flash Player updated. The latest version for IE is at Flash Player for Internet Explorer - ActiveX. Note that it is scheduled to be updated tomorrow along with Adobe Acrobat Reader DC and, of course, Microsoft security updates.

2. Adobe Shockwave Player: I have yet to need Shockwave Player on this 2008 computer. You may wish to consider uninstalling it -- one less program to update. :)

3. HijackThis 2.0.2 has not been supported for many years. I suggest that you uninstall it from your computer.

4. Oracle Java: Unfortunately, Java is required for OpenOffice. The current version for 64-bit is 11.0.2, which includes critical security updates. The update is available from here: https://www.oracle.com/technetwork/java/javase/downloads/index.html

5. Mozilla Firefox: Particularly since it is your primary browser and extremely out of date, I strongly advise updating it ASAP from version 56.0.1 to the latest release, 65.0. To get the update now, select "Help" from the Firefox menu, then pick "About Firefox."

6. Regarding the "NoDrives=0" entry, it is listed in the FRST log but before addressing it, please see the Malwarebytes description at PUM.Optional.NoDrives. If you made changes in the past as described there, it is fine. However, if that isn't the case please provide a copy of the Malwarebytes log and we'll proceed from there.

7. Please do the following to run FRST:

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy".
Code:
Start::
CreateRestorePoint:
CloseProcesses:
Toolbar: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF ProfilePath: C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\Profiles\cas16ady.default [not found] <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 TBPanel; no ImagePath
S3 SIWIO; \??\C:\Windows\TEMP\SiwIo.sys [X]
S3 uxddrv; \??\C:\pcspro\fscommand\uxddrv64.sys [X]
Task: {81B95B17-FACB-4DDF-9D77-1843052E9AFF} - System32\Tasks\{5D1702F8-C475-463B-A523-F89C07A6F61A} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u66-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {82CF9D36-D531-4E98-B201-2EEEDBE170F6} - System32\Tasks\{A7DEFE8E-8F2B-4C0E-A76E-1975D2A633DD} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u111-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
C:\ProgramData\TEMP:5C321E34 [125]
EmptyTemp:
End::
  • Please right-click on FRST/FRST64 to run as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST/FRST64.exe
  • Please post the log in your next reply.
 
Hello Corrine,

Many thanks for your extremely quick and clear advice and instructions.

Firstly I must admit to keeping an early version of Firefox because I use the Saved Passwords Button as I am terrible with passwords and forget them often and need to find them - this facility allows this and I have been unable to find a replacement that works on the newer Firefox. If you have any suggestions I shall be very pleased to hear of them.

I have updated Java and Flash Player as recommended and removed Adobe Shockwave Player and HiJackThis.

I have run the script (results below) but as yet not done a full Malwarebytes scan with the changes in your link - the scan results I mentioned in my first post are also below.

Is there anything else I should do?



Fix result of Farbar Recovery Scan Tool (x64) Version: 10.02.2019 01
Ran by John (12-02-2019 10:33:37) Run:2
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available Profiles: John & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*
CreateRestorePoint:
CloseProcesses:
Toolbar: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} - No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
FF ProfilePath: C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\Profiles\cas16ady.default [not found] <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 TBPanel; no ImagePath
S3 SIWIO; \??\C:\Windows\TEMP\SiwIo.sys [X]
S3 uxddrv; \??\C:\pcspro\fscommand\uxddrv64.sys [X]
Task: {81B95B17-FACB-4DDF-9D77-1843052E9AFF} - System32\Tasks\{5D1702F8-C475-463B-A523-F89C07A6F61A} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u66-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {82CF9D36-D531-4E98-B201-2EEEDBE170F6} - System32\Tasks\{A7DEFE8E-8F2B-4C0E-A76E-1975D2A633DD} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u111-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
C:\ProgramData\TEMP:5C321E34 [125]
EmptyTemp:

*

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-4109210211-571196965-2683950656-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4BAAC1B8-0800-42C9-8FA6-08B211F356B8}" => removed successfully
HKLM\Software\Classes\CLSID\{4BAAC1B8-0800-42C9-8FA6-08B211F356B8} => not found
HKLM\Software\Classes\PROTOCOLS\Handler\dssrequest => removed successfully
HKLM\Software\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => not found
HKLM\Software\Classes\PROTOCOLS\Handler\sacore => removed successfully
HKLM\Software\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => not found
C:\Users\John\AppData\Roaming\Mozilla\Firefox\Profiles\Profiles\cas16ady.default => path removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => removed successfully
HKLM\System\CurrentControlSet\Services\TBPanel => removed successfully
TBPanel => service removed successfully
HKLM\System\CurrentControlSet\Services\SIWIO => removed successfully
SIWIO => service removed successfully
HKLM\System\CurrentControlSet\Services\uxddrv => removed successfully
uxddrv => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{81B95B17-FACB-4DDF-9D77-1843052E9AFF}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{81B95B17-FACB-4DDF-9D77-1843052E9AFF}" => removed successfully
C:\Windows\System32\Tasks\{5D1702F8-C475-463B-A523-F89C07A6F61A} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{5D1702F8-C475-463B-A523-F89C07A6F61A}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{82CF9D36-D531-4E98-B201-2EEEDBE170F6}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{82CF9D36-D531-4E98-B201-2EEEDBE170F6}" => removed successfully
C:\Windows\System32\Tasks\{A7DEFE8E-8F2B-4C0E-A76E-1975D2A633DD} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A7DEFE8E-8F2B-4C0E-A76E-1975D2A633DD}" => removed successfully
"C:\ProgramData\TEMP:5C321E34 [125]" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12173944 B
Java, Flash, Steam htmlcache => 1291 B
Windows/system/drivers => 38395659 B
Edge => 0 B
Chrome => 0 B
Firefox => 419892531 B
Opera => 1704960 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 87718 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128412 B
systemprofile32 => 129297 B
LocalService => 66228 B
NetworkService => 37437896 B
UpdatusUser => 37874 B
John => 239218572 B
UpdatusUser => 0 B
UpdatusUser.John-PC => 37874 B
Administrator.John-PC => 90134 B

RecycleBin => 259718550 B
EmptyTemp: => 970.4 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 10:38:45 ====

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/11/19
Scan Time: 2:14 PM
Log File: 551960f2-2e07-11e9-9384-c8600002382d.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.527
Update Package Version: 1.0.9210
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: John-PC\John

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 339591
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 8 min, 53 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 1
PUM.Optional.NoDrives, HKU\S-1-5-21-4109210211-571196965-2683950656-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NODRIVES, Replaced, [13169], [293339],1.0.9210

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 
Sorry Corrine I should have said, I run Malwarebytes Free as a backup to Microsoft Security Essentials which is my main anti-virus. So I am unable to use some of the settings for it in your link. I just did another scan and found PUM.Optional.NoDrives in the results. Is all well or do I still have a problem?
 
Hi, JohnDrew.

There are a number of password managers available. This article is specifically directed to Firefox: Best Password Managers for Firefox of 2019.

What the NoDrives entry means is that the hidden drives are still accessible via the "Run box" but they are not visible in the Windows Explorer. To have FRST remove the key and a bit of additional cleanup, please do the following:

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy".
Code:
Start::
CreateRestorePoint:
CloseProcesses:
DeleteKey: HKU\S-1-5-21-4109210211-571196965-2683950656-1001\...\Policies\Explorer: [NoDrives] 1
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Extension: (No Name) - C:\Program Files (x86)\CLIQZ\browser\features\https-everywhere@cliqz.com.xpi [not found]
Task: {4DBC0B55-7537-4297-BC9A-DDD9EA8F6D5C} - System32\Tasks\{A288061F-6F66-45DE-AA99-1AF6CEAEFD78} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u71-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {661A4B46-4BB0-47F1-A144-B7DD13D3079B} - System32\Tasks\{1AED8F28-DFDB-4F66-8383-C6DA051696C9} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u73-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
EmptyTemp:
End::
  • Please right-click on FRST/FRST64 to run as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST/FRST64.exe
  • Please post the log in your next reply.
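The post above explains what the NoDrives policy does (drives hidden from Windows Explorer but still reachable from the Run box) and has FRST delete the value. The following PowerShell script is an added example, not code from this thread, from FRST or from Malwarebytes, and is written from the defender's side: it reads the NoDrives value from both the user and machine policy keys and decodes it. The decoding rests on an assumption not stated in the thread but documented by Microsoft: NoDrives is a REG_DWORD bitmask in which bit 0 hides A:, bit 1 hides B:, and so on up to bit 25 for Z:. The backup file path and the function names are my own choices.

```powershell
# Added example (not from the forum thread, FRST or Malwarebytes): inspect and decode
# the Explorer "NoDrives" policy value, and remove it with a reversible backup.
# Assumption (Microsoft documentation, not stated in the thread): NoDrives is a
# REG_DWORD bitmask; bit 0 hides A:, bit 1 hides B:, ..., bit 25 hides Z:.

function ConvertFrom-NoDrivesMask {
    param([Parameter(Mandatory)][uint32]$Mask)
    # Walk the 26 drive-letter bits; a set bit means Explorer hides that letter.
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if (($Mask -band (1 -shl $bit)) -ne 0) {
            $letters += ([string][char](65 + $bit)) + ':'
        }
    }
    return $letters
}

function Get-NoDrivesPolicy {
    param(
        # HKCU is the logged-on user's hive, i.e. the HKU\S-1-5-21-... path in the
        # Malwarebytes log; HKLM is the machine-wide policy location.
        [string[]]$Paths = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        )
    )
    foreach ($path in $Paths) {
        $value = $null
        if (Test-Path -Path $path) {
            $item = Get-ItemProperty -Path $path -Name 'NoDrives' -ErrorAction SilentlyContinue
            # Registry DWORDs come back as Int32; mask to keep large values positive.
            if ($null -ne $item) { $value = [uint32]($item.NoDrives -band 0xFFFFFFFF) }
        }
        $hidden = @()
        if ($null -ne $value) { $hidden = ConvertFrom-NoDrivesMask -Mask $value }
        [pscustomobject]@{
            Path         = $path
            Present      = ($null -ne $value)
            RawValue     = $value
            HiddenDrives = ($hidden -join ' ')
        }
    }
}

function Remove-NoDrivesPolicy {
    # Same effect as the FRST DeleteKey: line for NoDrives, but exports the key
    # first so the change can be undone by importing the .reg file.
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $item = Get-ItemProperty -Path $Path -Name 'NoDrives' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # nothing to remove
    $backup = Join-Path $env:TEMP 'NoDrives-backup.reg'   # constructed backup path
    $regPath = $Path -replace '^HKCU:', 'HKCU' -replace '^HKLM:', 'HKLM'
    & reg.exe export $regPath $backup /y | Out-Null
    Remove-ItemProperty -Path $Path -Name 'NoDrives'
    return $backup
}

# Usage: report both hives, then decode two constructed sample masks.
Get-NoDrivesPolicy | Format-Table -AutoSize
ConvertFrom-NoDrivesMask -Mask 0x4         # only C: hidden
ConvertFrom-NoDrivesMask -Mask 0x3FFFFFF   # every letter A: to Z: hidden
```

Explorer reads this policy when it starts, so a change shows up after logging off and on again or restarting Explorer. Running Get-NoDrivesPolicy before and after a restart is a cheap way to see whether the value is being recreated, which is the behaviour described in this thread, rather than simply left behind.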
 
Good morning Corrine.

Once again many thanks for your helpful reply. I shall use your link and see if any of the managers help my poor memory.

Perhaps if we had studied computing at school 60 years ago I would have a little better idea of what made the things tick inside these boxes!! :)

I did a full scan with Microsoft Security Essentials yesterday (it took forever!) but showed no hits.

Before I run your script, I use an external drive for my backups and wondered if it could prevent this from being seen? Also the script in the thread is longer than that in the email I received which should I use?
 
Hi, JohnDrew.

Unfortunately there weren't computing classes in school 60 years ago. :)

The very point of the NoDrives key is that other drives are not visible in Windows Explorer. Thus, it rather sounds as though you edited the registry to create the NoDrives value to hide the external drive for your backups and perhaps forgot having done so when it showed up in the Malwarebytes scan. If that is the case and you wish to keep the setting and only access other drives via the Run command, do NOT run the above FRST script. As to the script being longer, I edited it after posting to add a few general cleanup entries.

Please let me know how you wish to proceed. Do you want to retain the NoDrives value and keep the external drive hidden from Windows Explorer?
 
Hello Corrine,

I promise faithfully that I have never changed anything in the Registry - I was advised that it was totally taboo and I could look but not touch. Not from school but from a book. :)

In Windows Explorer I usually see my C: & D: drives (my hard drive is partitioned) and the E: (DVD RW). When I connect my external drive it will eventually show up as it comes up to speed. There is normally nothing else showing. However I have noticed that now I have an additional drive A: which has a large red cross on it; it is identified as "Disconnected Network Drive" - could this be the partition that Windows 7 makes on installation? Whether this drive has appeared after running Malwarebytes and quarantining PUM.Optional.NoDrives I am unsure. I shall have a look when I next restart the PC as it seems to be then the PUM comes back. If I repeat the scan during a session, having removed it, I get no hits.

I certainly would like to be able to see my external drive when I power it up so it looks very much as if I need to ignore the Malwarebytes warning when it arises although I am confused as to why it has only started showing up in the past few months - possibly late last year.

As an aside I have looked at your link for password managers and the Add-ons list but not been able to find one that will show me both my Username and Password for the site I'm looking at. I need access because there are some sites which will not provide the Password in any case for security and as I said my memory ... :( Thanks for trying anyway.
 
Hi, JohnDrew.

Let's hold off making any changes for right now while I take another look at your logs. As to Firefox, with previous versions as well as the current version, you can go to Tools > Privacy & Security and check the box for Firefox to remember logins and passwords for websites and set a master password which you will, of course, need to remember.
 
Hi, John Drew.

It seems that my multi-tasking got the best of me. The previous instructions wouldn't have found what I was looking for because I hadn't provided the correct path so the results from FRST would have been "not found". As to the "Disconnected Network Drive", that would be the System Reserved Partition that stores boot information for Windows. I suggest leaving that alone. It is normal to show as disconnected and shows the same on my PCs as well.

Since you are certain that you did not make the registry edit, I'd like you to proceed with the script below to run FRST. Then, if you find you don't want the change, you can use System Restore to reverse it:

Please do the following to run FRST:

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy".
Code:
Start::
CreateRestorePoint:
CloseProcesses:
DeleteKey: HKU\S-1-5-21-4109210211-571196965-2683950656-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDrives
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Extension: (No Name) - C:\Program Files (x86)\CLIQZ\browser\features\https-everywhere@cliqz.com.xpi [not found]
Task: {4DBC0B55-7537-4297-BC9A-DDD9EA8F6D5C} - System32\Tasks\{A288061F-6F66-45DE-AA99-1AF6CEAEFD78} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u71-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {661A4B46-4BB0-47F1-A144-B7DD13D3079B} - System32\Tasks\{1AED8F28-DFDB-4F66-8383-C6DA051696C9} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u73-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
EmptyTemp:
End::
  • Please right-click on FRST/FRST64 to run as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST/FRST64.exe
  • Please post the log in your next reply.
 
Hello Corrine,

Many thanks for your replies and further help.

It seems my explanation on Passwords has been far from clear; I'll try again. I do use Firefox to save passwords, but, unlike this site, some will only allow the username to be input automatically by Firefox and I then need to retrieve the password (using the Saved Password Button) and copy/paste it in to get access.

I have run the script but have no idea what it has done. Did you want me to run Malwarebytes again to remove the PUM and see what results or what?

Fixlog below:

Fix result of Farbar Recovery Scan Tool (x64) Version: 13.02.2019
Ran by John (14-02-2019 14:41:52) Run:3
Running from C:\Users\John\Desktop
Loaded Profiles: John (Available Profiles: John & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*
CreateRestorePoint:
CloseProcesses:
DeleteKey: HKU\S-1-5-21-4109210211-571196965-2683950656-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDrives
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKU\S-1-5-21-4109210211-571196965-2683950656-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Extension: (No Name) - C:\Program Files (x86)\CLIQZ\browser\features\https-everywhere@cliqz.com.xpi [not found]
Task: {4DBC0B55-7537-4297-BC9A-DDD9EA8F6D5C} - System32\Tasks\{A288061F-6F66-45DE-AA99-1AF6CEAEFD78} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u71-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
Task: {661A4B46-4BB0-47F1-A144-B7DD13D3079B} - System32\Tasks\{1AED8F28-DFDB-4F66-8383-C6DA051696C9} => C:\Windows\system32\pcalua.exe -a C:\Users\John\AppData\Local\Temp\jre-8u73-windows-au.exe -d C:\Windows\SysWOW64 -c /installmethod=jau FAMILYUPGRADE=1 <==== ATTENTION
EmptyTemp:

*

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-4109210211-571196965-2683950656-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoDrives => not found
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Windows\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
HKU\S-1-5-21-4109210211-571196965-2683950656-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => removed successfully
HKLM\Software\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => not found
C:\Program Files (x86)\CLIQZ\browser\features\https-everywhere@cliqz.com.xpi => path removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4DBC0B55-7537-4297-BC9A-DDD9EA8F6D5C}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4DBC0B55-7537-4297-BC9A-DDD9EA8F6D5C}" => removed successfully
C:\Windows\System32\Tasks\{A288061F-6F66-45DE-AA99-1AF6CEAEFD78} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A288061F-6F66-45DE-AA99-1AF6CEAEFD78}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{661A4B46-4BB0-47F1-A144-B7DD13D3079B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{661A4B46-4BB0-47F1-A144-B7DD13D3079B}" => removed successfully
C:\Windows\System32\Tasks\{1AED8F28-DFDB-4F66-8383-C6DA051696C9} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1AED8F28-DFDB-4F66-8383-C6DA051696C9}" => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 6378163 B
Java, Flash, Steam htmlcache => 291 B
Windows/system/drivers => 132298 B
Edge => 0 B
Chrome => 0 B
Firefox => 117213227 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 5738 B
UpdatusUser => 0 B
John => 46029467 B
UpdatusUser => 0 B
UpdatusUser.John-PC => 0 B
Administrator.John-PC => 0 B

RecycleBin => 30895063 B
EmptyTemp: => 199.4 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:44:33 ====
 
Hi, JohnDrew.

For sites that do not remember the password, although inconvenient for you, what you are doing is the only way I am aware of.

Yes, go ahead and scan with Malwarebytes, posting the log here as a reply.
 
Good morning Corrine,

Looks as if I have been doing the only possible thing with Firefox after all. Good to have it confirmed though. :)

I have just scanned with Malwarebytes again and it found the PUM again. Did you expect this?

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/15/19
Scan Time: 10:38 AM
Log File: d906e6e3-310d-11e9-9718-c8600002382d.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.527
Update Package Version: 1.0.9278
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: John-PC\John

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 333749
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 11 min, 19 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 1
PUM.Optional.NoDrives, HKU\S-1-5-21-4109210211-571196965-2683950656-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|NODRIVES, Replaced, [13176], [293339],1.0.9278

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
 
Looks as if I have been doing the only possible thing with Firefox after all. Good to have it confirmed though. :)
Hi,

I have a suggestion that might work for you if I am understanding your needs correctly! :)

In Firefox 57 and above, there is a new built-in Password Manager. It's not as easily accessible by default (it's under Options -> Privacy and Security -> Saved Logins), but if you create a new bookmark with the following URL:

Code:
chrome://passwordmgr/content/passwordManager.xul

That bookmark will take you to the new password manager. This screen lists all the passwords saved by FF, and you can right click on a row to copy the password. You can alternatively click the "Show Passwords" button on the bottom right to see all the passwords.


This might work for you.
 
Hello Techno Venus,


Many thanks for your suggestion. Being a coward, I first tried your suggestion in my "old" version of Firefox and it appeared to work OK. I then upgraded to v65 and tried it there and, although it is a bit clunky compared to the old Saved Passwords button, it is usable. This allows me to take on Corrine's recommendation to upgrade, which should further improve my security (?). All I need now is for the "wheel" to be re-invented and clear out the disabled Add-ons and the world will be a better place. :)

Many thanks again.
 
Hi, JohnDrew.

Mystery solved! Thanks to a friend who had seen this elsewhere, I learned that Cybereason RansomFree, which you have installed on your PC, is the source of the detection by Malwarebytes. In this case the modification is a result of legitimate software rather than malware. To have Malwarebytes Anti-Malware ignore the detection, do the following:
  • Launch Malwarebytes Anti-Malware and click the SETTINGS tab.
  • On the left hand side, click Detection and Protection.
  • Look for the 'Non-Malware Detections' portion and change the PUP and PUM settings to Warn user about detections.
  • Run a Threat Scan with Malwarebytes Anti-Malware. When the scan completes, uncheck the boxes next to the detection.
  • Click the Next button.
  • Click Ignore always. After this, Malwarebytes Anti-Malware will no longer detect the item.
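
For anyone who wants to see what this detection actually refers to rather than just suppress it, the following is an added example (not code from the thread, from Malwarebytes or from Cybereason): a read-only PowerShell check that looks for the Explorer NoDrives value in the machine policy key and in every loaded user hive under HKEY_USERS (the HKU\S-1-5-21-... path in the Malwarebytes report), and decodes it. NoDrives is a REG_DWORD bitmask in which bit 0 stands for A:, bit 1 for B:, and so on up to bit 25 for Z:; a set bit hides that drive letter in Explorer. The function names and output fields are my own; nothing here modifies the registry.

```powershell
# Added example (not from the thread, Malwarebytes or Cybereason): inspect the Explorer
# "NoDrives" policy that Malwarebytes reports as PUM.Optional.NoDrives.
# NoDrives is a REG_DWORD bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
# A set bit hides that drive letter from Explorer's views and file dialogs.

function ConvertFrom-NoDrivesMask {
    param([Parameter(Mandatory = $true)][uint32]$Mask)
    # Walk bits 0..25 and translate each set bit into its drive letter.
    # [math]::Pow is used instead of -shl so the script also runs on PowerShell 2.0.
    $letters = @()
    for ($bit = 0; $bit -le 25; $bit++) {
        $flag = [uint32][math]::Pow(2, $bit)
        if (($Mask -band $flag) -ne 0) {
            $letters += ([string][char](65 + $bit)) + ':'
        }
    }
    return $letters
}

function Get-NoDrivesPolicy {
    param(
        # Policies\Explorer key to inspect; defaults to the current user's hive.
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    # Get-ItemProperty raises a non-terminating error when the key or the value is absent,
    # so a $null result means "no NoDrives policy here", which is the normal clean state
    # (and explains why the value may not be visible in RegEdit right after a quarantine).
    $props = Get-ItemProperty -Path $KeyPath -Name 'NoDrives' -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return New-Object -TypeName PSObject -Property @{
            KeyPath = $KeyPath; Present = $false; Value = $null; HiddenDrives = @()
        }
    }
    # REG_DWORD arrives as a signed Int32; mask it to 32 bits before treating it as unsigned.
    $mask = [uint32]([int64]$props.NoDrives -band 0xFFFFFFFF)
    New-Object -TypeName PSObject -Property @{
        KeyPath      = $KeyPath
        Present      = $true
        Value        = ('0x{0:X8}' -f $mask)
        HiddenDrives = @(ConvertFrom-NoDrivesMask -Mask $mask)
    }
}

function Get-NoDrivesPolicyAllUsers {
    # The Malwarebytes report names the value under HKU\<SID>\..., so check every loaded
    # user hive under HKEY_USERS as well as the machine-wide policy key.
    $keys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer')
    $sids = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($sid in $sids) {
        $keys += "Registry::HKEY_USERS\$($sid.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    }
    foreach ($key in $keys) { Get-NoDrivesPolicy -KeyPath $key }
}

# Usage: list every NoDrives policy present on this machine and the drive letters it hides.
Get-NoDrivesPolicyAllUsers | Where-Object { $_.Present } | Format-List KeyPath, Value, HiddenDrives
```

Run it from an elevated PowerShell prompt so that other users' hives under HKEY_USERS are readable. If the value is present while RansomFree is installed and disappears after a Malwarebytes quarantine, only to return on the next scan, that matches the legitimate-software explanation above; a NoDrives value that appears on a machine with no such product installed is worth investigating before it is excluded.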
 
Hello Corrine,

I installed Cybereason RansomFree to make myself a little safer and it bit me!! Ouch!!

I have run Malwarebytes (after starting the task without restoring the PUM from this morning's scan!!) and now I have it listed as an Excluded item and all appears well as I get no hit on it. :)

Do I need to take any action on the Script I ran last (see Yesterday at 3:01 PM) or is this OK to leave alone?

Many thanks for your help and advice. I have (hopefully) a more up to date set of software than I started with and have learned some lessons along the way. They do say that a day is not wasted if you learn one thing that is new to you and I feel my last few days have been a vertical learning curve. :)
 
Hi, JohnDrew.

As it turns out, we both learned something during this process so it is a win-win all the way!

No, there is no need to take any action following the previous script.

Please do the following to uninstall FRST:
  • Right-click on FRST/FRST64, and select Rename.
  • Rename it to Uninstall.exe and press Enter on your keyboard.
  • Double-click on Uninstall.exe. Your computer will restart, and allow it to do so. FRST will now uninstall.
 
