Topic: Have I been Hacked

Heather Iles

  • Full Member
  • Posts: 36
Have I been Hacked
« on: January 17, 2017, 10:08:10 AM »
I should be grateful for your help with what is the best thing to do.

Last week I was told via a friend that her daughter has asked her to tell me that she received a funny email from me and perhaps I have been hacked.  I told her to tell her daughter that I would change my Password, but I haven't as I changed it a couple of weeks ago and usually these things go away.

A few days later I received a telephone call informing me that it was regarding my computer and did I have Windows 10.  I said yes.  He asked whether I have been getting updates and I said no.  He said that perhaps someone has got into my computer and if I gave him control of it that he would help me.  I told him that I don't deal with such things over the phone and I would contact my computer man.

A few days ago (probably Saturday) while I was in Facebook my computer locked up and I received a video message and a message on my screen informing me that they were from Microsoft and I may have been hacked and to protect their software I was not to do anything and should phone the number on the screen.   I tried to exit the message and was unable to, so I forced my Laptop to close down.  After a while I reopened my Laptop without any trouble, but it took me back to the same Facebook page and I got out of it.

My Laptop has been working OK since, but it has left me feeling insecure and concerned as I have heard tales like these before where you are made to pay a sum of money in order to regain control of the computer.

I should be grateful for your help and suggestions.

I should have thought that Scotty would have protected me.

I look forward to hearing from you.

Kind regards,

Heather

Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 19326
  • "Stronger than the past, united in our goal."
Re: Have I been Hacked
« Reply #1 on: January 17, 2017, 11:32:43 AM »
Hi, Heather.

First, you were smart to ignore both the telephone call as well as the Facebook message.  Both were scams.  Fake tech support calls from Microsoft have been going on for years.  The scammers change their name and alter the message but the bottom line is that they are fake. 

Second, it was most likely that the email your friend's daughter received was using a spoofed email address.  However, it still wouldn't hurt if you changed your password, being sure to make it a strong password and never use the same password for multiple places.

Now, let's start by checking your computer for adware.  Please download Adware Cleaner.    Please save it to your desktop!
  • Close all open programs and internet browsers.
  • Right-click AdwCleaner.exe and select "Run as Administrator".
  • Click the Scan button.
  • AdwCleaner will begin.  Be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[S#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Heather Iles
Re: Have I been Hacked
« Reply #2 on: January 17, 2017, 08:27:52 PM »
# AdwCleaner v6.042 - Logfile created 17/01/2017 at 21:57:55
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-17.2 [Local]
# Operating System : Windows 10 Pro  (X64)
# Username : heather - HEATHER-HP
# Running from : C:\Users\heather\Downloads\adwcleaner_6.042 (1).exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service Found:  EsgScanner


***** [ Folders ] *****

Folder Found:  C:\Users\heather\AppData\Local\DriverToolkit
Folder Found:  C:\Users\heather\AppData\Roaming\FileOpenerWindows
Folder Found:  C:\Program Files (x86)\DriverToolkit
Folder Found:  C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceopoaldcnmhechacafgagdkklcogkgd
Folder Found:  C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbommkhnakaddhednbjjffmcopnngpkk


***** [ Files ] *****

File Found:  C:\WINDOWS\SysNative\drivers\EsgScanner.sys
File Found:  C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ceopoaldcnmhechacafgagdkklcogkgd_0.localstorage
File Found:  C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ceopoaldcnmhechacafgagdkklcogkgd_0.localstorage-journal
File Found:  C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbommkhnakaddhednbjjffmcopnngpkk_0.localstorage
File Found:  C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbommkhnakaddhednbjjffmcopnngpkk_0.localstorage-journal


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

Task Found:  DRIVERTOOLKIT AUTORUN


***** [ Registry ] *****

Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\SlimService
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found:  HKLM\SOFTWARE\Classes\uus3url-pl
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\uus3url-pl
Key Found:  HKU\S-1-5-21-3195271789-3375330248-1554225971-1000\Software\DriverToolkit
Key Found:  HKCU\Software\DriverToolkit
Key Found:  [x64] HKCU\Software\DriverToolkit
Key Found:  [x64] HKLM\SOFTWARE\DtsEncodeTools
Key Found:  HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driverupdate.net
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.co.uk
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mysearch.avg.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\totalrecipesearch.dl.tb.ask.com
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\unicef.org.uk
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driverupdate.net
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.co.uk
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mysearch.avg.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\totalrecipesearch.dl.tb.ask.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\unicef.org.uk
Value Found:  HKLM\SOFTWARE\Classes\Unknown\shell\openas\command [windowsfileopener.Dat]
Value Found:  HKLM\SOFTWARE\Classes\Unknown\shell\opendlg\command [windowsfileopener.Dat]
Key Found:  HKCU\Software\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej
Key Found:  HKLM\SOFTWARE\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej
Key Found:  [x64] HKCU\Software\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej
Key Found:  [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - bbommkhnakaddhednbjjffmcopnngpkk
Chrome pref Found:  [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - ceopoaldcnmhechacafgagdkklcogkgd
Chrome pref Found:  [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - ljibkigjccbegnbeojkoafejpoiachej

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [5933 Bytes] - [17/01/2017 21:50:08]
C:\AdwCleaner\AdwCleaner[S1].txt - [5783 Bytes] - [17/01/2017 21:57:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5856 Bytes] ##########

Corrine
Re: Have I been Hacked
« Reply #3 on: January 17, 2017, 09:01:09 PM »
Thank you!  Please do the following now.

1.  Double-click AdwCleaner.exe to run the tool again.
Note:  Windows Vista, Windows 7/8 users right-click and select Run As Administrator.
  • Click the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
2.  Please download Junkware Removal Tool to your desktop.
  • Disable your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it.  If you are using Windows Vista or Seven, right-mouse click it and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

3.  Please download Farbar Recovery Scan Tool (FRST) and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • The first time FRST is run, it will produce two logs in the same directory the tool is run from -- FRST.txt and Addition.txt.
  • Please copy/paste both logs in your reply.
IMPORTANT:  Due to the length of the logs it will take at least two replies to get them to fit.  Post the AdwCleaner and Junkware Removal Tool logs in one reply.  Then proceed to run FRST and post the two logs.  (Note:  It may even take a third reply for both of the FRST logs to post.)



Heather Iles
Re: Have I been Hacked
« Reply #4 on: January 18, 2017, 01:48:22 PM »
Hi Corrine

Here is the next report.  Thanks for your help and it is much appreciated.

I may need instructions on how to disable my protection.  Do you mean my barking dog, as it is my only protection?

# AdwCleaner v6.042 - Logfile created 18/01/2017 at 15:37:45
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-17.2 [Local]
# Operating System : Windows 10 Pro  (X64)
# Username : heather - HEATHER-HP
# Running from : C:\Users\heather\Downloads\AdwCleaner (2).exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: EsgScanner


***** [ Folders ] *****

[-] Folder deleted: C:\Users\heather\AppData\Local\DriverToolkit
[-] Folder deleted: C:\Users\heather\AppData\Roaming\FileOpenerWindows
[-] Folder deleted: C:\Program Files (x86)\DriverToolkit
[-] Folder deleted: C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceopoaldcnmhechacafgagdkklcogkgd
[-] Folder deleted: C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbommkhnakaddhednbjjffmcopnngpkk


***** [ Files ] *****

[-] File deleted: C:\WINDOWS\SysNative\drivers\EsgScanner.sys
[-] File deleted: C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ceopoaldcnmhechacafgagdkklcogkgd_0.localstorage
[-] File deleted: C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ceopoaldcnmhechacafgagdkklcogkgd_0.localstorage-journal
[-] File deleted: C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbommkhnakaddhednbjjffmcopnngpkk_0.localstorage
[-] File deleted: C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_bbommkhnakaddhednbjjffmcopnngpkk_0.localstorage-journal


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****

[-] Task deleted: DRIVERTOOLKIT AUTORUN


***** [ Registry ] *****

[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\SlimService
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key deleted: HKLM\SOFTWARE\Classes\uus3url-pl
Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector
Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\uus3url-pl
[-] Key deleted: HKU\S-1-5-21-3195271789-3375330248-1554225971-1000\Software\DriverToolkit
Key deleted on reboot: HKCU\Software\DriverToolkit
Key deleted on reboot: [x64] HKCU\Software\DriverToolkit
[-] Key deleted: [x64] HKLM\SOFTWARE\DtsEncodeTools
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driverupdate.net
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.co.uk
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mysearch.avg.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\totalrecipesearch.dl.tb.ask.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\unicef.org.uk
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driverupdate.net
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fromdoctopdf.dl.tb.ask.com
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.co.uk
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\izito.com
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mysearch.avg.com
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\totalrecipesearch.dl.tb.ask.com
Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\unicef.org.uk
[-] Value deleted: HKLM\SOFTWARE\Classes\Unknown\shell\openas\command [windowsfileopener.Dat]
[-] Value deleted: HKLM\SOFTWARE\Classes\Unknown\shell\opendlg\command [windowsfileopener.Dat]
[-] Key deleted: HKCU\Software\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej
Key deleted on reboot: [x64] HKCU\Software\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej
[-] Key deleted: [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\ljibkigjccbegnbeojkoafejpoiachej


***** [ Web browsers ] *****

[-] [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: bbommkhnakaddhednbjjffmcopnngpkk
[-] [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ceopoaldcnmhechacafgagdkklcogkgd
[-] [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ljibkigjccbegnbeojkoafejpoiachej


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [6058 Bytes] - [18/01/2017 15:37:45]
C:\AdwCleaner\AdwCleaner[S0].txt - [5933 Bytes] - [17/01/2017 21:50:08]
C:\AdwCleaner\AdwCleaner[S1].txt - [6015 Bytes] - [17/01/2017 21:57:55]
C:\AdwCleaner\AdwCleaner[S2].txt - [6082 Bytes] - [18/01/2017 15:35:49]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [6350 Bytes] ##########
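
Added example (not part of the original thread, and not code from AdwCleaner or Malwarebytes): one way to check that every item a Scan-mode log reported is accounted for in the following Clean-mode log. The line patterns are inferred only from the two logs posted above; the function names and the one "ConstructedLeftover" entry are made up for illustration, and the parser tolerates the bullet prefixes and wrapped entries that forum rendering can introduce.

```python
import re

# Scan-mode entries look like "<Kind> Found:  <item>" (format taken from the log above).
SCAN_RE = re.compile(r"^(Service|Folder|File|Task|Key|Value|Chrome pref) Found:\s+(.+)$")
# Clean-mode entries: optional one-character marker such as "[-]", then
# "<Kind> deleted: <item>" or "<Kind> deleted on reboot: <item>".
CLEAN_RE = re.compile(
    r"^(?:\[.\]\s*)?(Service|Folder|File|Task|Key|Value) deleted( on reboot)?:\s*(.*)$")
# Clean-mode browser entries: "[-] [<profile>] [extension] Deleted: <id>".
EXT_RE = re.compile(r"\[extension\] Deleted:\s*(\S+)")
# A line that starts with a multi-character bracket ("[x64] ...", "[name.Dat]")
# is the wrapped tail of the previous entry, not a new entry.
CONT_RE = re.compile(r"\[[^\]]{2,}\]")

# Excerpt of the scan log posted in this thread, plus ONE constructed entry
# (C:\Example\ConstructedLeftover) so the comparison has something to flag.
SCAN_SAMPLE = r"""
***** [ Services ] *****
Service Found:  EsgScanner
Folder Found:  C:\Program Files (x86)\DriverToolkit
Folder Found:  C:\Example\ConstructedLeftover
Task Found:  DRIVERTOOLKIT AUTORUN
Key Found:  HKCU\Software\DriverToolkit
Key Found:  [x64] HKLM\SOFTWARE\DtsEncodeTools
Value Found:  HKLM\SOFTWARE\Classes\Unknown\shell\openas\command [windowsfileopener.Dat]
Chrome pref Found:  [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - ljibkigjccbegnbeojkoafejpoiachej
"""

# Matching excerpt of the clean log, including bulleted and wrapped lines.
CLEAN_SAMPLE = r"""
[-] Service deleted: EsgScanner
[-] Folder deleted: C:\Program Files (x86)\DriverToolkit
[-] Task deleted: DRIVERTOOLKIT AUTORUN
  • Key deleted on reboot: HKCU\Software\DriverToolkit
  • [-] Key deleted:
[x64] HKLM\SOFTWARE\DtsEncodeTools
  • [-] Value deleted: HKLM\SOFTWARE\Classes\Unknown\shell\openas\command
[windowsfileopener.Dat]
[-] [C:\Users\heather\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ljibkigjccbegnbeojkoafejpoiachej
"""


def logical_lines(text):
    """Strip forum bullets and rejoin entries that were wrapped onto a second line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if out and CONT_RE.match(line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def entry_key(kind, item):
    """Normalise an entry so scan and clean lines compare equal."""
    if kind == "Chrome pref":
        # "[<prefs file> ] - <extension id>": keep only the extension id.
        kind, item = "Extension", item.rsplit(" - ", 1)[-1]
    # Windows paths and registry keys are case-insensitive; collapse spacing too.
    return kind, " ".join(item.split()).casefold()


def parse_scan(text):
    """Return the set of (kind, item) entries a Scan-mode log reported."""
    found = set()
    for line in logical_lines(text):
        m = SCAN_RE.match(line)
        if m:
            found.add(entry_key(m.group(1), m.group(2)))
    return found


def parse_clean(text):
    """Map (kind, item) to 'deleted' or 'on reboot' for a Clean-mode log."""
    status = {}
    for line in logical_lines(text):
        m = CLEAN_RE.match(line)
        if m:
            status[entry_key(m.group(1), m.group(3))] = (
                "on reboot" if m.group(2) else "deleted")
            continue
        m = EXT_RE.search(line)
        if m:
            status[entry_key("Extension", m.group(1))] = "deleted"
    return status


def compare(scan_text, clean_text):
    """Classify every scanned item by what the clean log says happened to it."""
    found = parse_scan(scan_text)
    status = parse_clean(clean_text)
    return {
        "not_removed": sorted(found - set(status)),
        "pending_reboot": sorted(k for k in found if status.get(k) == "on reboot"),
        "removed": sorted(k for k in found if status.get(k) == "deleted"),
    }


if __name__ == "__main__":
    for bucket, items in compare(SCAN_SAMPLE, CLEAN_SAMPLE).items():
        print(bucket)
        for kind, item in items:
            print(f"  {kind}: {item}")
```

Anything listed under not_removed or pending_reboot is a reason to reboot and run a fresh scan before moving on to the next tool.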

Heather Iles
Re: Have I been Hacked
« Reply #5 on: January 18, 2017, 02:12:11 PM »
Hi Corrine

Here is Junkware Removal Report.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 10 Pro x64
Ran by heather (Administrator) on Wed 01/18/2017 at 15:53:47.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 01/18/2017 at 15:59:30.27
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Corrine
Re: Have I been Hacked
« Reply #6 on: January 18, 2017, 02:48:43 PM »
Excellent.  Now you need to run FRST and post the two (very long) logs.  You'll need the 64-Bit version.



Heather Iles
Re: Have I been Hacked
« Reply #7 on: January 18, 2017, 07:49:59 PM »
Hi Corrine

I hope I copied it all as it is in two parts.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-01-2017
Ran by heather (18-01-2017 21:01:15)
Running from C:\Users\heather\Downloads
Windows 10 Pro Version 1511 (X64) (2016-05-18 23:15:09)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3195271789-3375330248-1554225971-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3195271789-3375330248-1554225971-503 - Limited - Disabled)
Guest (S-1-5-21-3195271789-3375330248-1554225971-501 - Limited - Disabled)
heather (S-1-5-21-3195271789-3375330248-1554225971-1000 - Administrator - Enabled) => C:\Users\heather
HomeGroupUser$ (S-1-5-21-3195271789-3375330248-1554225971-1004 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.38 beta (HKLM-x32\...\7-Zip) (Version:  - )
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20053 - Adobe Systems Incorporated)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 3.3.0.151 - Adobe Systems Incorporated)
Adobe Photoshop Elements 11 (HKLM-x32\...\Adobe Photoshop Elements 11) (Version: 11.0 - Adobe Systems Incorporated)
Adobe Photoshop Lightroom 5.7 64-bit (HKLM\...\{1B77B02E-17E4-4B6D-B8A1-74B29AF3D8DD}) (Version: 5.7.0 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.6.636 - Adobe Systems, Inc.)
Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Ashampoo Slideshow Studio HD 3 v.3.0.9 (HKLM-x32\...\{91B33C97-0CE8-6ABD-1CF4-0DAF2CCF492A}_is1) (Version: 3.0.9 - Ashampoo GmbH & Co. KG)
BBC iPlayer Downloads (HKLM-x32\...\{797389EC-980E-423A-AFC1-1C351339DCB6}) (Version: 1.14.1 - BBC)
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Citrix Online Launcher (HKLM-x32\...\{DB014C85-A264-4BCA-A66F-6DD1FCF8EC36}) (Version: 1.0.335 - Citrix)
Contents (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
Corel AfterShot HDR (HKLM\...\{E871EA56-F403-4B5C-A90C-9A133F31E3AE}) (Version: 1.00.0000 - Corel Corporation)
Corel AfterShot Pro 2 - ICA x64 (Version: 2.2.2 - Corel Corporation) Hidden
Corel AfterShot Pro 2 - IPM Content x64 (Version: 2.4.0 - Corel Corporation) Hidden
Corel AfterShot Pro 2 - IPM x64 (Version: 2.4.0 - Corel Corporation) Hidden
Corel AfterShot Pro 2 x64 (Version: 2.4.0 - Corel Corporation) Hidden
Corel AfterShot Pro 2(64-bit) (HKLM\...\_{FBBE376F-E586-449C-A521-B32A2DEC841E}) (Version: 2.4.0.119 - Corel Corporation)
Corel FastFlick (HKLM-x32\...\_{10EC8494-8A92-49D8-9677-2483EB01F7F1}) (Version: 1.0.0.101 - Corel Corporation)
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
CyberLink PhotoDirector 5 (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.5724.0 - CyberLink Corp.)
CyberLink PhotoDirector 5 (Version: 5.0.5724.0 - CyberLink Corp.) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.6.6119 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DENOISE projects professional (64-Bit) (HKLM\...\DENOISE_PROJECTS_1_3_FBC348A0_is1) (Version: 1.17 - Franzis Verlag GmbH)
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
Dropbox (HKLM-x32\...\Dropbox) (Version: 17.4.33 - Dropbox, Inc.)
Dropbox Update Helper (x32 Version: 1.3.59.1 - Dropbox, Inc.) Hidden
easyHDR 3 Demo (HKLM\...\easyHDR 3 Demo) (Version: 3.7 - Bartlomiej Okonek)
Elements 11 Organizer (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
Epson Easy Photo Print 2 (HKLM-x32\...\{87C2248A-C7DD-49ED-9BCD-B312A9D0819E}) (Version: 2.1.0.0 - SEIKO EPSON CORPORATION)
EPSON L355 Series Printer Uninstall (HKLM\...\EPSON L355 Series) (Version:  - SEIKO EPSON Corporation)
Epson Print CD (HKLM-x32\...\{D16A31F9-276D-4968-A753-FFEAC56995D0}) (Version: 2.00.00 - SEIKO EPSON CORPORATION)
Epson Printer Software Downloader (HKLM-x32\...\Epson Printer Software Downloader) (Version:  - )
Epson Printer Software Downloader (x32 Version: 2.0.0 - SEIKO EPSON CORPORATION) Hidden
EPSON PX650 Series Printer Uninstall (HKLM\...\EPSON PX650 Series) (Version:  - SEIKO EPSON Corporation)
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
Epson Software Updater (HKLM-x32\...\{C7AA3D65-1F84-4590-AFAA-0777A04B6687}) (Version: 4.4.1 - SEIKO EPSON CORPORATION)
Epson Stylus Photo PX650_TX650 Manual (HKLM-x32\...\Epson Stylus Photo PX650_TX650 User’s Guide) (Version:  - )
EPSON XP-750 Series Printer Uninstall (HKLM\...\EPSON XP-750 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
ESU for Microsoft Windows 7 SP1 (HKLM-x32\...\{E1ACF120-CD69-47F0-B202-9A4B95C436D8}) (Version: 5.1.5 - Hewlett-Packard)
Evernote v. 4.5.2 (HKLM-x32\...\{8CE152BA-1D16-11E1-867D-984BE15F174E}) (Version: 4.5.2.5904 - Evernote Corp.)
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Farmscapes (x32 Version: 2.2.0.98 - WildTangent) Hidden
FastStone Image Viewer 5.6 (HKLM-x32\...\FastStone Image Viewer) (Version: 5.6 - FastStone Soft)
Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 55.0.2883.87 - Google Inc.)
Google Earth (HKLM-x32\...\{A0C18B96-AB79-46BD-8321-6FA83E6D25B9}) (Version: 7.1.7.2606 - Google)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.8231.2252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
GoToAssist Corporate (HKLM-x32\...\GoToAssist) (Version: 11.3.0.1121 - Citrix Online, a division of Citrix Systems, Inc.)
GoToMeeting 7.18.0.4962 (HKU\S-1-5-21-3195271789-3375330248-1554225971-1000\...\GoToMeeting) (Version: 7.18.0.4962 - CitrixOnline)
HDR projects 3 professional (64-Bit) (HKLM\...\HDR_PROJECTS_3_3_3BF7CE82_is1) (Version: 3.31 - Franzis Verlag GmbH)
Hoyle Card Games (x32 Version: 2.2.0.95 - WildTangent) Hidden
HP Documentation (HKLM-x32\...\{946CE249-7402-4442-BC32-A89470DC1B64}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP On Screen Display (HKLM-x32\...\{ED1BD69A-07E3-418C-91F1-D856582581BF}) (Version: 1.3.5 - Hewlett-Packard Company)
HP Power Manager (HKLM-x32\...\{7E799992-5DA0-4A1A-9443-B1836B063FEC}) (Version: 1.4.8 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{53B17A98-5BF0-40BC-AAFF-850A357975AC}) (Version: 2.7.2 - Hewlett-Packard Company)
HP Setup (HKLM-x32\...\{438363A8-F486-4C37-834C-4955773CB3D3}) (Version: 9.1.15430.4033 - Hewlett-Packard Company)
HP Software Framework (HKLM-x32\...\{DB97D0DE-0AA1-413C-8398-92C7FA3F4A67}) (Version: 4.6.13.1 - Hewlett-Packard Company)
i1Profiler (HKLM-x32\...\i1Profiler_is1) (Version: 1.5.6 - X-Rite)
ICA (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
Image Composite Editor (HKLM\...\{92AB5708-1AAA-4B1B-A8D5-45CF3AD77519}) (Version: 2.0.3 - Microsoft Corporation)
Image Resizer for Windows (64 bit) (Version: 3.0.4802.35565 - Brice Lambson) Hidden
Image Resizer for Windows (HKLM-x32\...\{69d72156-6582-4556-8637-06f40aa7f85b}) (Version: 3.0.4802.35565 - Brice Lambson)
Intel Security True Key (HKLM\...\TrueKey) (Version: 4.6.129.1 - Intel Security)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1351 - Intel Corporation)
Intel(R) OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version:  - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.0.0.1032 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{6199B534-A1B6-46ED-873B-97B0ECF8F81E}) (Version: 1.23.216.0 - Intel Corporation)
IPM_VS_Pro (x32 Version: 1.0 - Corel Corporation) Hidden
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Jewel Quest Mysteries: The Seventh Gate Collector's Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
join.me (HKU\S-1-5-21-3195271789-3375330248-1554225971-1000\...\JoinMe) (Version: 2.15.1.2637 - LogMeIn, Inc.)
join.me.launcher (x32 Version: 1.0.624.0 - LogMeIn, Inc.) Hidden
Letters from Nowhere 2 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Lightshot-5.3.0.0 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.3.0.0 - Skillbrains)
Luxor HD (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Manuals Finder (HKLM-x32\...\Manuals Finder) (Version: 1.0 - Manuals Finder)
McAfee Security Scan Plus (HKLM-x32\...\McAfee Security Scan) (Version: 3.11.266.3 - McAfee, Inc.)
Microsoft Camera Codec Pack (HKLM\...\{A6A4A258-0A48-4F76-B8F1-61F0514594DD}) (Version: 16.4.1970.0624 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 42.0 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 42.0 (x86 en-GB)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 42.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MyEpson Portal (HKLM-x32\...\MyEpson Portal) (Version:  - SEIKO EPSON Corporation)
MyEpson Portal (x32 Version: 1.0.0.12 - SEIKO EPSON CORPORATION) Hidden
Nik Collection (HKLM-x32\...\Nik Collection) (Version: 1.2.11 - Google)
Noiseware Community Edition (HKLM-x32\...\{CB3B7C24-30A1-4961-8039-94919F5ED2EE}) (Version: 2.6.0.1 - Imagenomic)
OLYMPUS Digital Camera Updater (HKLM-x32\...\{392427E9-9FA4-4CD2-99EB-FD53A12BDCDA}) (Version: 1.2.1 - Olympus Corporation)
OLYMPUS Viewer 3 (HKLM-x32\...\{144CB8BE-46E5-43AE-ADBB-CCC7AB4E0649}) (Version: 1.4.2 - OLYMPUS IMAGING CORP.)
opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
Pantone Color Manager 1.0.0 (HKLM-x32\...\Pantone Color Manager_is1) (Version:  - PANTONE)
PDF Complete Corporate Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.87 - PDF Complete, Inc)
PDF to Text (HKLM-x32\...\{F35E2F46-93AF-4F43-876A-5CB5AD5ACFE4}) (Version: 1.0.10 - PDF Technologies)
Penguins! (x32 Version: 2.2.0.98 - WildTangent) Hidden
Perfect Effects 9 (HKLM-x32\...\Perfect Effects 9 PE) (Version: 9.5.0 - on1)
Perfect Effects Free 9 (HKLM-x32\...\Perfect Effects Free 9) (Version: 9.5.0 - on1)
Photomatix Pro version 5.0 (HKLM-x32\...\PhotomatixPro5x32_is1) (Version: 5.0 - HDRsoft Ltd)
PhotoScissors 2.0 (HKLM\...\{664FCCAE-8187-4EC5-B191-758C040C999C}_is1) (Version:  - teorex)
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.98 - WildTangent) Hidden
PortraitPro 15.1 Trial (HKLM\...\PortraitPro15Trial_is1) (Version: 15.1 - Anthropics Technology Ltd.)
PSE11 STI Installer (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
QuickTime 7 (HKLM-x32\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
Ralink Bluetooth Stack64 (HKLM\...\{8A69F02D-A72B-AEE6-1CD3-6B05B9F9DD83}) (Version: 11.0.742.0 - Mediatek)
Ralink RT3290 802.11bgn Wi-Fi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 5.0.25.0 - Mediatek)
Rapport (x32 Version: 3.5.1609.107 - Trusteer) Hidden
Realtek Card Reader (HKLM-x32\...\{F0A8BF4A-972F-41E0-9800-1EFE3BF28266}) (Version: 6.2.9200.29065 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.61.612.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6937 - Realtek Semiconductor Corp.)
RollerCoaster Tycoon 3: Platinum (x32 Version: 2.2.0.98 - WildTangent) Hidden
Setup (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
Share (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
SiSoftware Sandra Lite 2015.SP2 (HKLM\...\{C3113E55-7BCB-4de3-8EBF-60E6CE6B2496}_is1) (Version: 21.40.2015.4 - SiSoftware)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.0.12.98 - Synaptics Incorporated)
The Treasures of Mystery Island: The Ghost Ship (x32 Version: 2.2.0.98 - WildTangent) Hidden
Topaz Adjust 5 (HKLM-x32\...\Topaz Adjust 5) (Version: 5.1.0 - Topaz Labs, LLC)
Topaz B&W Effects (HKLM-x32\...\Topaz BW Effects 2) (Version: 2.1.0 - Topaz Labs, LLC)
Topaz Clarity (HKLM-x32\...\Topaz Clarity) (Version: 1.0.0 - Topaz Labs, LLC)
Topaz Clean 3 (HKLM-x32\...\Topaz Clean 3) (Version: 3.1.0 - Topaz Labs, LLC)
Topaz DeJpeg 4 (HKLM-x32\...\Topaz DeJpeg 4) (Version: 4.0.2 - Topaz Labs, LLC)
Topaz DeNoise 5 (HKLM-x32\...\Topaz DeNoise 5) (Version: 5.1.0 - Topaz Labs, LLC)
Topaz Detail 3 (HKLM-x32\...\Topaz Detail 3) (Version: 3.2.0 - Topaz Labs, LLC)
Topaz Fusion Express 2 (64-bit) (HKLM-x32\...\Topaz Fusion Express 2 (64-bit)) (Version: 2.1.1 - Topaz Labs)
Topaz Fusion Express 2 (HKLM-x32\...\Topaz Fusion Express 2) (Version: 2.1.3 - Topaz Labs, LLC)
Topaz InFocus (HKLM-x32\...\Topaz InFocus) (Version: 1.0.0 - Topaz Labs, LLC)
Topaz Lens Effects (HKLM-x32\...\Topaz Lens Effects) (Version: 1.2.0 - Topaz Labs, LLC)
Topaz ReMask 4 (HKLM-x32\...\Topaz ReMask 4) (Version: 4.0.0 - Topaz Labs, LLC)
Topaz ReStyle (HKLM-x32\...\Topaz ReStyle) (Version: 1.0.0 - Topaz Labs, LLC)
Topaz Simplify 4 (HKLM-x32\...\Topaz Simplify 4) (Version: 4.1.1 - Topaz Labs, LLC)
Topaz Star Effects (HKLM-x32\...\Topaz Star Effects) (Version: 1.1.0 - Topaz Labs, LLC)
Torchlight (x32 Version: 2.2.0.98 - WildTangent) Hidden
Trusteer Endpoint Protection (HKLM-x32\...\Rapport_msi) (Version: 3.5.1609.107 - Trusteer)
Unchecky v1.0.1 (HKLM-x32\...\Unchecky) (Version: 1.0.1 - RaMMicHaeL)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.98 - WildTangent) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VSClassic (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
VSPro (x32 Version: 1.0.0.101 - Corel Corporation) Hidden
WildTangent Games App (HP Games) (x32 Version: 4.0.5.36 - WildTangent) Hidden
Windows Driver Package - OLYMPUS IMAGING CORP. Camera Communication Driver Package (09/09/2009 1.0.0.0) (HKLM\...\2C1C2F29FADF39F533CEEE67B90F07A5306A4BDB) (Version: 09/09/2009 1.0.0.0 - OLYMPUS IMAGING CORP.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinPatrol (HKLM-x32\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 33.6.2015.18 - Ruiware)
XRD i1d3 (x32 Version: 1.0.135 - X-Rite) Hidden
X-Rite Device Services Manager (HKLM-x32\...\{64285C74-388D-4147-B215-54B34AFBF0CA}) (Version: 2.3.82 - X-Rite)
Your download is ready Packages (HKU\S-1-5-21-3195271789-3375330248-1554225971-1000\...\Your download is ready Packages) (Version:  - ) <==== ATTENTION
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3195271789-3375330248-1554225971-1000_Classes\CLSID\{1AC77AE9-9EC6-405A-9F9B-C06AB3C10B71}\InprocServer32 -> C:\Program Files\Microsoft Research\Image Composite Editor\ShellExtension.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3195271789-3375330248-1554225971-1000_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)
CustomCLSID: HKU\S-1-5-21-3195271789-3375330248-1554225971-1000_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\heather\AppData\Local\Citrix\GoToMeeting\3019\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-3195271789-3375330248-1554225971-1000_Classes\CLSID\{e8c77137-e224-5791-b6e9-ff0305797a13}\InprocServer32 -> C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {01DDFB00-312A-4A83-9E28-D8CA2BBCB06B} - System32\Tasks\Microsoft\Windows\Media Center\MediaCenterRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {045CE9A0-EF5D-47F7-998A-111A3D5CCC90} - System32\Tasks\Microsoft\Windows\Media Center\PeriodicScanRetry => C:\WINDOWS\ehome\MCUpdate.exe
Task: {11BC9183-5869-4F7C-BFFA-A2CDB6FE0B87} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\WINDOWS\ehome\mcupdate.exe
Task: {14EE2BCF-0381-4215-BA83-1D9CF816AB28} - System32\Tasks\Microsoft\Windows\Media Center\RecordingRestart => C:\WINDOWS\ehome\ehrec.exe
Task: {17F80CB5-AD5F-4421-A20A-3954B455330C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {25CE9CF5-A1A2-42C6-B6B5-F6BB7FACE5FE} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {27F757CE-C31C-46F3-A826-ADE4BD8970F6} - System32\Tasks\SidebarExecute => C:\Program Files\Windows Sidebar\sidebar.exe
Task: {2D2DAC58-4815-4E66-9195-E9A7F29781AB} - System32\Tasks\DropboxUpdateTaskMachineUA => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-06-20] (Dropbox, Inc.)
Task: {2EE7CFAA-4BED-4B50-90E3-FBE89A34E487} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {32842AFA-CB7A-40F5-9734-E2D4B19B584C} - System32\Tasks\G2MUpdateTask-S-1-5-21-3195271789-3375330248-1554225971-1000 => C:\Users\heather\AppData\Local\Citrix\GoToMeeting\4962\g2mupdate.exe [2016-05-20] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {40C30C3F-7F2A-4977-AE9E-CEC6F1AC9C47} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {4883F232-0A31-44DC-AA9F-5AF9BE3BBDD4} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {54D77624-513A-4342-A963-1D569655818E} - System32\Tasks\Microsoft\Windows\Media Center\OCURDiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {577BA233-46B3-45EE-B1F6-19DB2D915446} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {585202C7-BA40-4EB0-BB61-EED5EA2D74E6} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {59E6BB05-2215-4C8C-9D81-2CE73188BC8C} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {5D6FF121-2A35-4385-8AA6-52EA20667928} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {63D7D5E1-B6B0-4915-9BC5-C5D3AD71502B} - System32\Tasks\Microsoft\Windows\Media Center\UpdateRecordPath => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {67B5E83A-99BC-4104-8391-615D6E07D5EF} - System32\Tasks\Microsoft\Windows\Media Center\DispatchRecoveryTasks => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {70196180-0C30-4E0F-953C-E071EC2F80E3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {70B814CF-7781-4F85-9DAC-10DB43C06BFF} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [2013-06-06] (Realtek Semiconductor)
Task: {712A57BD-8EDE-445E-BE06-8DCF95E21F37} - System32\Tasks\Microsoft\Windows\Media Center\PvrRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {78352750-F240-480C-98B3-259F73E00BEF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {7DDC7706-13DF-42E8-8AAD-B91D973086E9} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {7E29D993-52EE-480F-A919-0571569689AD} - System32\Tasks\CreateChoiceProcessTask => C:\Windows\System32\browserchoice.exe
Task: {7E8870DA-2336-4C0E-A821-1E3EAC4CA8F5} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\WINDOWS\ehome\ehrec.exe
Task: {7F273370-1CEB-454F-9AB7-ED15391CCC84} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {8065EDD9-D822-49A0-97D4-2CE9B912C2E4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {8A6709BE-D456-450C-A75B-16982114609E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {8ADF33BD-DF64-410C-8053-B0D9D5FBA5BA} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
Task: {8B3CE715-3D46-4B39-BB27-2945EDB1331D} - System32\Tasks\Microsoft\Windows\Media Center\OCURActivate => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {95093A67-A35A-40F4-A01A-6447EFCF0107} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {9EB8FDF8-C804-453A-BF7F-2D4F8FF1C8F0} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW1 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {A08BCA91-7B21-4FEE-9D83-88580CA2073E} - System32\Tasks\Microsoft\Windows\Media Center\ObjectStoreRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {AEB6C8B5-B44B-4E0E-A916-3EC47DE7BCDF} - System32\Tasks\Microsoft\Windows\Media Center\PvrScheduleTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {AF46F012-B6EF-454F-9B7D-3AEBE071381D} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate => C:\WINDOWS\ehome\mcupdate.exe
Task: {B4ADBAD6-1728-413B-B154-8E1E96D1CE28} - System32\Tasks\X-Rite Device Services Software Updater => C:\Program Files (x86)\X-Rite\Devices\Services\XRD Software Update.exe [2014-06-23] (X-Rite Inc.)
Task: {B556824B-418C-4739-8620-0F9555989DE9} - System32\Tasks\Microsoft\Windows\Media Center\ehDRMInit => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {B6141C2F-7FE2-4AEA-AB70-FC25CECDF7A5} - System32\Tasks\AdobeAAMUpdater-1.0-heather-HP-heather => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-09-04] (Adobe Systems Incorporated)
Task: {B68CBDD8-0079-4388-AE3F-C308E127FDE0} - System32\Tasks\Microsoft\Windows\Media Center\ConfigureInternetTimeService => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {BAB31610-3570-4B8A-AC26-F865769F85F8} - System32\Tasks\Microsoft\Windows\Media Center\ReindexSearchRoot => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {BFA60C0F-14FA-4801-B04B-6C4FE2BA622E} - System32\Tasks\Epson Printer Software Downloader => C:\Program Files (x86)\EPSON\EPAPDL\E_SAPDL2.EXE [2009-01-23] (SEIKO EPSON CORPORATION)
Task: {C6BA7041-61D9-42E6-A79E-AE3BF01CAFC7} - System32\Tasks\Microsoft\Windows\Media Center\SqlLiteRecoveryTask => C:\WINDOWS\ehome\mcupdate.exe
Task: {C8982777-8BB6-4497-AF39-0F6F7BE1E17B} - System32\Tasks\Microsoft\Windows\Media Center\RegisterSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {CC2AF13B-2B70-4B9B-AE73-29F89B3D73EA} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-28] (Google Inc.)
Task: {DAC716EC-A459-4E91-8F91-9073E84EA38C} - System32\Tasks\DropboxUpdateTaskMachineCore => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe [2016-06-20] (Dropbox, Inc.)
Task: {DD548646-50B2-42CB-A862-D54228DAA1CA} - System32\Tasks\Microsoft\Windows\Media Center\InstallPlayReady => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {E4FA5F95-1429-4F95-A566-BEB7E3FBC7B7} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {E9F80F05-4511-4563-BDBE-1FFC6C7465CD} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscovery => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {EC88D8E4-3CF9-407C-8113-CA64DE8C2E06} - System32\Tasks\Microsoft\Windows\Media Center\PBDADiscoveryW2 => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {F0C90E3C-72A7-4D38-B634-CDE0AA9D9602} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {F10A350A-23EC-4AC1-A613-4A5258EEA523} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-05-13] (Adobe Systems Incorporated)
Task: {F2D340C4-1389-4D8A-8E31-A3F31B321FEE} - System32\Tasks\Microsoft\Windows\Media Center\ActivateWindowsSearch => C:\WINDOWS\ehome\ehPrivJob.exe
Task: {F71EBE76-48D5-423A-AC2D-9A5CADECC74F} - System32\Tasks\G2MUploadTask-S-1-5-21-3195271789-3375330248-1554225971-1000 => C:\Users\heather\AppData\Local\Citrix\GoToMeeting\4962\g2mupload.exe [2016-05-20] (Citrix Online, a division of Citrix Systems, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\Epson Printer Software Downloader.job => C:\Program Files (x86)\EPSON\EPAPDL\E_SAPDL2.EXE
Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-3195271789-3375330248-1554225971-1000.job => C:\Users\heather\AppData\Local\Citrix\GoToMeeting\4962\g2mupdate.exe
Task: C:\WINDOWS\Tasks\G2MUploadTask-S-1-5-21-3195271789-3375330248-1554225971-1000.job => C:\Users\heather\AppData\Local\Citrix\GoToMeeting\4962\g2mupload.exe
Task: C:\WINDOWS\Tasks\X-Rite Device Services Software Updater.job => C:\Program Files (x86)\X-Rite\Devices\Services\XRD Software Update.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-10-30 07:18 - 2015-10-30 07:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-11-09 14:22 - 2016-10-25 09:42 - 02656952 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-11-09 14:22 - 2016-10-25 09:42 - 02656952 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-05-24 10:29 - 2016-05-24 10:29 - 00959168 _____ () C:\Users\heather\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\ClientTelemetry.dll
2016-05-19 00:01 - 2016-05-19 00:01 - 00144384 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
2016-02-13 12:54 - 2016-02-13 12:54 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-07-12 21:58 - 2016-07-01 03:48 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-11-09 14:23 - 2016-10-25 04:49 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-11-09 14:23 - 2016-10-25 04:44 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-11-09 14:23 - 2016-10-25 04:45 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-11-09 14:23 - 2016-10-25 04:48 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-12-15 14:58 - 2016-12-08 08:03 - 02412888 _____ () C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\libglesv2.dll
2016-12-15 14:58 - 2016-12-08 08:03 - 00099672 _____ () C:\Program Files (x86)\Google\Chrome\Application\55.0.2883.87\libegl.dll
2016-05-19 00:01 - 2016-05-19 00:01 - 00141312 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeBackgroundTasks.dll
2016-05-19 00:01 - 2016-05-19 00:01 - 22284800 _____ () C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkyWrap.dll
2015-06-02 14:51 - 2015-06-02 14:51 - 00545792 _____ () C:\Program Files (x86)\Trusteer\Rapport\bin\js32.dll
2016-05-25 14:33 - 2016-05-25 14:33 - 00172032 _____ () C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\IsdiInterop\8dfb5661206e8f5e3caac49ae1f2d865\IsdiInterop.ni.dll
2013-09-30 03:26 - 2011-11-30 04:00 - 00059392 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
2013-09-30 03:26 - 2012-01-10 21:42 - 01198872 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns1 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns2 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns3 [5]
AlternateDataStreams: C:\ProgramData\Nalpeiron:user.ns4 [5]
AlternateDataStreams: C:\Users\heather\Downloads\2016-07-14 05.38.35.jpg:com.dropbox.attributes [876]
AlternateDataStreams: C:\Users\heather\Downloads\2016-08-04 05.30.16.jpg:com.dropbox.attributes [878]
AlternateDataStreams: C:\Users\heather\Downloads\2016-08-23 08.05.02.jpg:com.dropbox.attributes [880]
AlternateDataStreams: C:\Users\heather\Downloads\2016-08-23 08.05.04.jpg:com.dropbox.attributes [868]
AlternateDataStreams: C:\Users\heather\Downloads\2016-08-23 09.44.48.jpg:com.dropbox.attributes [880]
AlternateDataStreams: C:\Users\heather\Downloads\2016-08-24 10.21.29.jpg:com.dropbox.attributes [874]
AlternateDataStreams: C:\Users\heather\Downloads\2016-08-24 10.21.36.jpg:com.dropbox.attributes [880]
AlternateDataStreams: C:\Users\heather\Downloads\2016-09-28 08.04.28.jpg:com.dropbox.attributes [894]
AlternateDataStreams: C:\Users\heather\Downloads\2016-09-28 08.05.41.jpg:com.dropbox.attributes [894]
AlternateDataStreams: C:\Users\heather\Downloads\2016-09-28 08.05.45.jpg:com.dropbox.attributes [894]
AlternateDataStreams: C:\Users\heather\Downloads\2016-09-28 08.06.27.jpg:com.dropbox.attributes [898]
AlternateDataStreams: C:\Users\heather\Downloads\2016-09-28 08.06.29.jpg:com.dropbox.attributes [898]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 02:34 - 2017-01-18 15:39 - 00002024 ____A C:\WINDOWS\system32\Drivers\etc\hosts

0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 api.recommendedsw.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
0.0.0.0 cdn.msdwnld.com
0.0.0.0 cdn.mypcbackup.com
0.0.0.0 cdn.ppdownload.com
0.0.0.0 cdn.riceateastcach.us
0.0.0.0 cdn.shyapotato.us
0.0.0.0 cdn.solimba.com
0.0.0.0 cdn.tuto4pc.com
0.0.0.0 cdn.appround.biz
0.0.0.0 cdn.bigspeedpro.com
0.0.0.0 cdn.bispd.com

There are 4 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3195271789-3375330248-1554225971-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\heather\AppData\Local\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: RapportMgmtService => 2
MSCONFIG\Services: SandraAgentSrv => 3
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: vToolbarUpdater18.7.0 => 2
MSCONFIG\Services: xrdd.exe => 2
MSCONFIG\startupreg: EPLTarget =>
HKLM\...\StartupApproved\StartupFolder: => "XRGamma.lnk"
HKLM\...\StartupApproved\StartupFolder: => "i1Profiler Tray.lnk"
HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run: => "AdobeAAMUpdater-1.0"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKLM\...\StartupApproved\Run32: => "APSDaemon"
HKLM\...\StartupApproved\Run32: => "Dropbox"
HKLM\...\StartupApproved\Run32: => "HP Quick Launch"
HKLM\...\StartupApproved\Run32: => "QuickTime Task"
HKLM\...\StartupApproved\Run32: => "PDF Complete"
HKLM\...\StartupApproved\Run32: => "Lightshot"
HKU\S-1-5-21-3195271789-3375330248-1554225971-1000\...\StartupApproved\Run: => "join.me.launcher"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => LPort=139
FirewallRules: [MSMQ-In-TCP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-Out-TCP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-In-UDP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [MSMQ-Out-UDP] => %systemroot%\system32\mqsvc.exe
FirewallRules: [WCF-NetTcpActivator-In-TCP-64bit] => LPort=808
FirewallRules: [UDP Query User{D5B36EE6-3737-4873-9933-78F1981D0AED}C:\windows\system32\spool\drivers\x64\3\sagent4.exe] => C:\windows\system32\spool\drivers\x64\3\sagent4.exe
FirewallRules: [TCP Query User{DE16185F-0239-4CAA-8BFC-E9F0E848785B}C:\windows\system32\spool\drivers\x64\3\sagent4.exe] => C:\windows\system32\spool\drivers\x64\3\sagent4.exe
FirewallRules: [{32472890-D9F9-4CBE-B26D-57619029104C}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EC0A4061-4E0C-4825-BBAF-982F52A06750}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EF7CD2A1-EA42-4334-94A7-20F7D8B983C5}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{B23253BD-53DF-4668-91AA-1E740A728B77}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [UDP Query User{4E2C4097-D4C2-4825-BB03-D4A33D3BDF0E}C:\program files\onone software\perfect effects 9\perfect effects 9.exe] => C:\program files\onone software\perfect effects 9\perfect effects 9.exe
FirewallRules: [TCP Query User{203E0475-67AB-4AD2-BB5F-83970432F595}C:\program files\onone software\perfect effects 9\perfect effects 9.exe] => C:\program files\onone software\perfect effects 9\perfect effects 9.exe
FirewallRules: [{53497CC5-3F0F-4EAD-B20A-68EF80E8CC32}] => C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2015.SP2\WNt600x64\RpcSandraSrv.exe
FirewallRules: [{55066700-49E9-43DA-8D80-7100B69081FD}] => C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2015.SP2\RpcAgentSrv.exe
FirewallRules: [{64EC8B0C-A64C-4797-B114-2ADCAEAE6ACB}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{EEE9AE49-9BEE-47A1-8B99-1856AD6BF721}] => C:\Windows\System32\hasplms.exe
FirewallRules: [{47BC8841-18D5-4A47-BD41-6B34AC5F8F89}] => C:\Windows\System32\hasplms.exe
FirewallRules: [{E8E8ABEE-4924-4869-A0B6-447F81370550}] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [{7D53C43C-A319-437E-88D7-D539DF79F644}] => C:\Windows\System32\hasplms.exe
FirewallRules: [{F5739B95-E294-420D-94FB-CEAEDBEB5346}] => C:\Windows\System32\hasplms.exe
FirewallRules: [{D927F983-A341-42AF-950F-2B496E848C4B}] => LPort=5454
FirewallRules: [{037C2EEF-D9D0-4F26-AA61-BDFE2E9D27BB}] => LPort=5454
FirewallRules: [{6BD69C3A-27F3-4944-AA7B-AB01AC0DFE7F}] => C:\Program Files (x86)\Pantone Color Manager\PantoneColorManager.exe
FirewallRules: [{E6C70DF5-2B96-4428-8ACC-D6A3BE870BCC}] => C:\Program Files (x86)\Pantone Color Manager\PantoneColorManager.exe
FirewallRules: [{39084639-C42E-41A8-9E30-CF4D7E5CA85D}] => C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
FirewallRules: [{248F0B08-9A56-4E97-BC5E-1195F45D1402}] => C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
FirewallRules: [{6A7ACED9-70E0-4C74-A705-0E278B1107C1}] => C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
FirewallRules: [{A06041E3-E6FC-4538-8A92-773D4C8B63D0}] => C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BlueSoleilCS.exe
FirewallRules: [{BA181E4F-3446-4616-9A50-A8CA4F628146}] => LPort=1900
FirewallRules: [{88A70933-1090-4ECA-85B6-9A70CE95599E}] => LPort=2869
FirewallRules: [{FC5D2339-64B7-4ADB-BDF2-74CB4D6E46F5}] => C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [TCP Query User{8F0E2B5D-C9A9-4A4D-A6FC-72335CCFB0EC}C:\windows\system32\spool\drivers\x64\3\sagent4.exe] => C:\windows\system32\spool\drivers\x64\3\sagent4.exe
FirewallRules: [UDP Query User{1A6F9C81-C41C-4C41-9279-406F3612A30B}C:\windows\system32\spool\drivers\x64\3\sagent4.exe] => C:\windows\system32\spool\drivers\x64\3\sagent4.exe
FirewallRules: [TCP Query User{95475E4B-4634-4C04-963D-F132C76002EF}C:\users\heather\appdata\local\temp\joicc7e.tmp\join.me.exe] => C:\users\heather\appdata\local\temp\joicc7e.tmp\join.me.exe
FirewallRules: [UDP Query User{5B37EF41-0C28-42F1-B1F1-674BDB74730E}C:\users\heather\appdata\local\temp\joicc7e.tmp\join.me.exe] => C:\users\heather\appdata\local\temp\joicc7e.tmp\join.me.exe
FirewallRules: [TCP Query User{E5C34E3B-28C7-485E-9A63-130623DFFB2C}C:\users\heather\appdata\local\join.me\join.me.exe] => C:\users\heather\appdata\local\join.me\join.me.exe
FirewallRules: [UDP Query User{0532D9D3-5373-4509-A442-7DB28C3F3883}C:\users\heather\appdata\local\join.me\join.me.exe] => C:\users\heather\appdata\local\join.me\join.me.exe
FirewallRules: [TCP Query User{C034D593-0340-48B2-B82A-7F4CBC069444}C:\program files\onone software\perfect effects free 9\perfect effects free 9.exe] => C:\program files\onone software\perfect effects free 9\perfect effects free 9.exe
FirewallRules: [UDP Query User{08AC3400-C21B-4F79-AB8E-D6CAF34C15B4}C:\program files\onone software\perfect effects free 9\perfect effects free 9.exe] => C:\program files\onone software\perfect effects free 9\perfect effects free 9.exe
FirewallRules: [{DBF301FA-E165-4576-A472-FF913C0DC394}] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{CA8A37B1-4E6F-4746-A9F5-2AD3CA8F8C1D}] => C:\Program Files (x86)\Dropbox\Client\Dropbox.exe

==================== Restore Points =========================

18-12-2016 18:13:10 Scheduled Checkpoint
09-01-2017 12:46:15 Scheduled Checkpoint
15-01-2017 14:57:32 Installed Rapport
18-01-2017 15:53:50 JRT Pre-Junkware Removal

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/18/2017 03:54:13 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/18/2017 03:39:28 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mepService.exe, version: 1.0.2.5, time stamp: 0x4e72c013
Faulting module name: mepService.exe, version: 1.0.2.5, time stamp: 0x4e72c013
Exception code: 0xc000000d
Fault offset: 0x0006c169
Faulting process id: 0xb34
Faulting application start time: 0x01d271a10295bf68
Faulting application path: C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe
Faulting module path: C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe
Report Id: d148eeb9-04a4-47c2-a038-f0c686cf760f
Faulting package full name:
Faulting package-relative application ID:

Error: (01/18/2017 03:39:11 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

Error: (01/16/2017 08:59:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 10.0.10586.672, time stamp: 0x580ee8b2
Faulting module name: ntdll.dll, version: 10.0.10586.672, time stamp: 0x580ee321
Exception code: 0xc0000409
Fault offset: 0x00000000000a9b90
Faulting process id: 0xb08
Faulting application start time: 0x01d26fd13eecece1
Faulting application path: C:\WINDOWS\Explorer.EXE
Faulting module path: C:\WINDOWS\SYSTEM32\ntdll.dll
Report Id: 61499657-13b7-4a99-af4a-1b103fb7b0bb
Faulting package full name:
Faulting package-relative application ID:

Error: (01/15/2017 07:31:03 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: The backup did not complete because of an error writing to the backup location F:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check the backup location. (0x81000006).

Error: (01/15/2017 02:59:54 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: heather-HP)
Description: Activation of app Microsoft.Messaging_8wekyb3d8bbwe!ppleae38af2e007f4358a809ac99a64a67c1 failed with error: -2147023170 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (01/15/2017 02:58:28 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/15/2017 02:53:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mepService.exe, version: 1.0.2.5, time stamp: 0x4e72c013
Faulting module name: mepService.exe, version: 1.0.2.5, time stamp: 0x4e72c013
Exception code: 0xc000000d
Fault offset: 0x0006c169
Faulting process id: 0xae4
Faulting application start time: 0x01d26f3f0af4e882
Faulting application path: C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe
Faulting module path: C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe
Report Id: b8f321ba-7cbd-420f-b01a-e606e85657c4
Faulting package full name:
Faulting package-relative application ID:

Error: (01/15/2017 02:53:01 PM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.

Error: (01/12/2017 08:28:41 AM) (Source: DbxSvc) (EventID: 320) (User: )
Description: Failed to connect to the driver: (-2147024894) The system cannot find the file specified.


System errors:
=============
Error: (01/18/2017 07:12:06 PM) (Source: Service Control Manager) (EventID: 7005) (User: )
Description: The LoadUserProfile call failed with the following error:
The configuration registry database is corrupt.

Error: (01/18/2017 07:02:47 PM) (Source: Service Control Manager) (EventID: 7005) (User: )
Description: The LoadUserProfile call failed with the following error:
The configuration registry database is corrupt.

Error: (01/18/2017 03:54:41 PM) (Source: Service Control Manager) (EventID: 7005) (User: )
Description: The LoadUserProfile call failed with the following error:
The configuration registry database is corrupt.

Error: (01/18/2017 03:43:05 PM) (Source: Service Control Manager) (EventID: 7005) (User: )
Description: The LoadUserProfile call failed with the following error:
The configuration registry database is corrupt.

Error: (01/18/2017 03:43:00 PM) (Source: Service Control Manager) (EventID: 7005) (User: )
Description: The LoadUserProfile call failed with the following error:
The configuration registry database is corrupt.

Error: (01/18/2017 03:40:35 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MyEpson Portal Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (01/18/2017 03:40:15 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (01/18/2017 03:40:15 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the FontCache3.0.0.0 service to connect.

Error: (01/18/2017 03:39:59 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Net.Msmq Listener Adapter service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (01/18/2017 03:39:59 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the NetMsmqActivator service to connect.


CodeIntegrity:
===================================
  Date: 2017-01-18 16:30:45.539
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-15 15:21:39.878
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-09 12:39:48.819
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-09 12:39:48.800
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-09 12:39:43.898
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-09 12:39:43.858
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-12-24 16:34:18.698
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-12-24 16:34:18.605
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-12-24 16:34:15.344
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-12-24 16:34:15.181
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-3110M CPU @ 2.40GHz
Percentage of memory in use: 42%
Total physical RAM: 6039.35 MB
Available physical RAM: 3490.52 MB
Total Virtual: 12183.35 MB
Available Virtual: 9871.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:679.26 GB) (Free:300.41 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Recovery) (Fixed) (Total:19.08 GB) (Free:2.06 GB) NTFS ==>[system with boot components (obtained from drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 698.6 GB) (Disk ID: 2C039501)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=679.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=19.1 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=102 MB) - (Type=0C)

==================== End of Addition.txt ============================
 [235696 2015-12-02] (McAfee, Inc.)
S2 MyEpson Portal Service; C:\Program Files (x86)\EPSON\MyEpson Portal\mepService.exe [703584 2011-09-16] (SEIKO EPSON CORPORATION)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1134584 2012-02-20] (PDF Complete Inc)
R2 PSI_SVC_2; c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe [277360 2013-09-13] (arvato digital services llc)
R2 PSI_SVC_2_x64; c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [337776 2014-04-30] (arvato digital services llc)
R2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [2387952 2016-11-22] (IBM Corp.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [245832 2013-06-06] (Realtek Semiconductor)
S4 SandraAgentSrv; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2015.SP2\RpcAgentSrv.exe [73200 2015-05-20] (SiSoftware) [File not signed]
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [253960 2016-04-27] (Synaptics Incorporated)
S2 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [922152 2016-08-25] (McAfee, Inc.)
S2 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [16248 2016-08-25] (McAfee, Inc.)
R2 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [86864 2016-08-25] (McAfee, Inc.)
R2 Unchecky; C:\Program Files (x86)\Unchecky\bin\unchecky_svc.exe [254232 2016-08-22] (RaMMicHaeL)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2016-10-25] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2016-10-25] (Microsoft Corporation)
S4 xrdd.exe; C:\Program Files (x86)\X-Rite\Devices\Services\xrdd.exe [83312 2014-06-23] (X-Rite Inc.)
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 netr28x; C:\WINDOWS\system32\DRIVERS\netr28x.sys [2554528 2015-06-12] (MediaTek Inc.)
R0 PxHlpa64; C:\WINDOWS\System32\Drivers\PxHlpa64.sys [56336 2012-08-10] (Corel Corporation)
R1 RapportCerberus_1609053; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_1609053.sys [1181672 2016-09-16] (IBM Corp.)
R1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [566248 2016-11-22] (IBM Corp.)
R0 RapportHades64; C:\WINDOWS\System32\Drivers\RapportHades64.sys [235688 2016-11-22] (IBM Corp.)
R0 RapportKE64; C:\WINDOWS\System32\Drivers\RapportKE64.sys [489704 2016-11-22] (IBM Corp.)
R1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [548008 2016-11-22] (IBM Corp.)
S3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [288840 2013-05-27] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2015-10-30] (Realtek                                            )
R3 rtbth; C:\WINDOWS\System32\drivers\rtbth.sys [1219200 2015-06-03] (Ralink Technology, Corp.)
S3 SANDRA; C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2015.SP2\WNt600x64\Sandra.sys [23112 2009-08-07] (SiSoftware)
R3 SmbDrvI; C:\WINDOWS\system32\DRIVERS\Smb_driver_Intel.sys [52904 2016-04-27] (Synaptics Incorporated)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R2 WinI2C-DDC; C:\Windows\system32\drivers\DDCDrv.sys [20832 2014-07-11] (Nicomsoft Ltd.)
R2 WinI2C-DDC; C:\Windows\SysWOW64\drivers\DDCDrv.sys [10240 2014-07-11] (Nicomsoft Ltd.) [File not signed]
R3 WirelessButtonDriver64; C:\WINDOWS\system32\DRIVERS\WirelessButtonDriver64.sys [31656 2016-04-14] (HP)
S3 dbx; system32\DRIVERS\dbx.sys [X]
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-18 20:59 - 2017-01-18 21:00 - 00028726 _____ C:\Users\heather\Downloads\FRST.txt
2017-01-18 20:59 - 2017-01-18 20:59 - 00000000 ____D C:\FRST
2017-01-18 20:58 - 2017-01-18 20:59 - 02419200 _____ (Farbar) C:\Users\heather\Downloads\FRST64.exe
2017-01-18 15:59 - 2017-01-18 15:59 - 00000556 _____ C:\Users\heather\Desktop\JRT.txt
2017-01-18 15:52 - 2017-01-18 15:53 - 01663040 _____ (Malwarebytes) C:\Users\heather\Downloads\JRT (2).exe
2017-01-18 15:52 - 2017-01-18 15:53 - 01663040 _____ (Malwarebytes) C:\Users\heather\Downloads\JRT (1).exe
2017-01-18 15:33 - 2017-01-18 15:34 - 10578984 _____ (MyTurboPC.com) C:\Users\heather\Downloads\Myturbopc_f638f8c0-ba06-434c-a58a-991b42bfc919_.exe
2017-01-18 15:31 - 2017-01-18 15:31 - 01663040 _____ (Malwarebytes) C:\Users\heather\Downloads\JRT.exe
2017-01-18 15:28 - 2017-01-18 15:32 - 03988944 _____ C:\Users\heather\Downloads\AdwCleaner (2).exe
2017-01-18 14:07 - 2017-01-18 14:07 - 02866605 _____ C:\Users\heather\Downloads\PrintingAndSharingInLightroom.pdf
2017-01-17 22:01 - 2017-01-17 22:01 - 00006015 _____ C:\Users\heather\Desktop\AdwCleaner[S1].txt
2017-01-17 21:56 - 2017-01-17 21:56 - 03988944 _____ C:\Users\heather\Downloads

Corrine
Re: Have I been Hacked
« Reply #8 on: January 18, 2017, 11:42:17 PM »
You did it (almost) right, Heather, but I warned you that the logs are long -- yours in particular since there are leftover files from the free upgrade to Windows 10 that are no longer needed.  As a result, not all of the Addition.txt log posted and none of the FRST.txt log made it.

When doing the cleanup, FRST needs to be on the desktop.  I also need to see the rest of the logs.  Please do the following.

1.  Go to C:\Users\heather\Downloads\ and move FRST to your desktop (C:\Users\Heather\Desktop\)

2.  Locate Addition.txt and double-click it to open.  In Notepad, click Edit > Find.  Copy/paste the following line in the search box:  C:\Users\heather\Desktop\AdwCleaner[S1].txt.  Select the text below that line to the end of the log and select Edit > Copy or use the keyboard shortcut Ctrl+C.  Return here and paste (Ctrl+V) that in a reply.

3.  Next, locate the FRST.txt log and double-click it to open.  This time click Edit > Select All.  Then Edit > Copy (or Ctrl+C).  Return here and create a new reply (you may need to wait a few minutes before the forum software will allow you to post).  Paste the results (Ctrl+V).  After it posts, check the reply.  You'll know the complete log has posted if you see the following:

==================== End of FRST.txt ============================

If that doesn't appear, look at the last line that posted and return to FRST.txt, locate it and copy the remainder of the log in yet another reply.

(Sorry, the forum software has restrictions on the number of characters that can be posted and, as I mentioned, the logs are very long.)

Thank you.

