Topic: Ransom: Win32/Nemreq.A ?

Pete!
Ransom: Win32/Nemreq.A ?
« on: January 30, 2017, 06:09:22 PM »
Earlier today a "Windows Defender limited Periodic scan" detected Ransom: Win32/Nemreq.A and asked me to reboot so it could be removed. I rebooted.
I then opened the History tab and "removed" it from "Quarantined items" and from "All detected items".

There don't appear to be any aftereffects, I could open a couple of randomly chosen Word .doc files without incident.

Wondering if I should have a checkup...
I rebooted again before I downloaded the tools.

SALog.txt and FRST.txt follow...
Addition.txt in next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Microsoft Windows 10 Home X64
UAC is Enabled!
Internet Explorer 11
Default Browser: Firefox
***------------Antivirus - Antispyware - Firewall-----------***
Windows Defender (Disabled - Up to Date)
Emsisoft Anti-Malware (Enabled - Up to Date)
ESET Smart Security Premium 10.0.386.0 (Enabled - Up to Date)
Emsisoft Anti-Malware (Enabled - Up to Date)
ESET Smart Security Premium 10.0.386.0 (Enabled - Up to Date)
Windows Defender (Disabled - Up to Date)
ESET Personal firewall (Enabled)
***-------Security Programs - Browsers - Miscellaneous------***
Adobe Flash Player 24 NPAPI (version 24.0.0.194)
CCleaner (version 5.25)
Firefox (version 51)
Malwarebytes Anti-Exploit (version 1.8.1.2572)
Malwarebytes Anti-Malware (version 2.2.1.1043)
Microsoft Silverlight (version 5.1)
SpywareBlaster (version 5.5)
SUPERAntiSpyware (version 6)
Thunderbird (version 45)
Windows Live Essentials (version 16.4)
WinPatrol (version 33.6)


***----------------Analysis Complete-------------------------***

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 29-01-2017
Ran by pete (administrator) on DELL (30-01-2017 14:55:42)
Running from C:\Users\pete\Desktop
Loaded Profiles: pete (Available Profiles: pete & Guest)
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET Smart Security Premium\ekrn.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
() C:\Program Files (x86)\HDD Health\HDDHealthService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\HP\Common\HPSupportSolutionsFrameworkService.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(SanDisk) C:\Program Files (x86)\SanDisk\SSD Dashboard\SanDiskSSDDashboardService.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Microsoft Corporation) C:\Windows\System32\snmp.exe
(Wistron Corporation) C:\Program Files\DELLOSD\VolumeCtlSrv.exe
(Atheros) C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(ESET) C:\Program Files\ESET\ESET Smart Security Premium\egui.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\smartscreen.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
(Ruiware) C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell Backup and Recovery\SftService.exe
(Dell Inc.) C:\Program Files\Dell\DellDataVault\DellDataVault.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2start.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.693_none_42ff55c9655f38bf\TiWorker.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8512760 2015-08-03] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1411320 2015-08-03] (Realtek Semiconductor)
HKLM\...\Run: [CnxtCoInstallerDefer] => C:\Program Files\CONEXANT\PREINSTALL\SETUP52BF5C7B0\SETUP64.EXE [1574528 2011-02-14] (Conexant Systems, Inc.)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [163800 2016-07-30] (IvoSoft)
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [8140696 2017-01-24] (Emsisoft Ltd)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2650576 2016-12-14] (Malwarebytes Corporation)
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\Run: [WinPatrol Background Change Monitor] => C:\Program Files (x86)\Ruiware\WinPatrol\WinPatrol.exe [1231240 2016-11-13] (Ruiware)
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2017-01-09] (SUPERAntiSpyware)
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [9288408 2016-12-06] (Piriform Ltd)
ShellIconOverlayIdentifiers: [DBRShellOverlayBackupFile] -> {831CEBDD-6BAF-4432-BE76-9E0989C14AEF} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [DBRShellOverlayModifiedBackupFile] -> {275E4FD7-21EF-45CF-A836-832E5D2CC1B3} => C:\Program Files (x86)\Dell Backup and Recovery\Components\Shell\DBROverlayIconNotBackuped.dll [2015-12-07] (SoftThinks SAS)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Billminder.lnk [2016-06-02]
ShortcutTarget: Billminder.lnk -> C:\Program Files (x86)\Quicken\billmind.exe (Intuit)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\HP Digital Imaging Monitor.lnk [2014-01-04]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Microsoft Find Fast.lnk [2013-12-25]
ShortcutTarget: Microsoft Find Fast.lnk -> C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\MRU-Blaster Silent Clean.lnk [2016-05-18]
ShortcutTarget: MRU-Blaster Silent Clean.lnk -> C:\Program Files (x86)\MRU-Blaster\mrublaster.exe ()
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Quicken Scheduled Updates.lnk [2016-06-02]
ShortcutTarget: Quicken Scheduled Updates.lnk -> C:\Program Files (x86)\Quicken\bagent.exe (Intuit Inc.)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Quicken Startup.lnk [2016-06-02]
ShortcutTarget: Quicken Startup.lnk -> C:\Program Files (x86)\Quicken\QWDLLS.EXE (Intuit)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Billminder.lnk [2016-06-02]
ShortcutTarget: Billminder.lnk -> C:\Program Files (x86)\Quicken\billmind.exe (Intuit)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\HP Digital Imaging Monitor.lnk [2014-01-04]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Microsoft Find Fast.lnk [2013-12-25]
ShortcutTarget: Microsoft Find Fast.lnk -> C:\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE ()
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\MRU-Blaster Silent Clean.lnk [2016-05-18]
ShortcutTarget: MRU-Blaster Silent Clean.lnk -> C:\Program Files (x86)\MRU-Blaster\mrublaster.exe ()
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Quicken Scheduled Updates.lnk [2016-06-02]
ShortcutTarget: Quicken Scheduled Updates.lnk -> C:\Program Files (x86)\Quicken\bagent.exe (Intuit Inc.)
Startup: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Startup\Quicken Startup.lnk [2016-06-02]
ShortcutTarget: Quicken Startup.lnk -> C:\Program Files (x86)\Quicken\QWDLLS.EXE (Intuit)
GroupPolicy: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{61f8113e-0f86-4440-be01-624156da2f71}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{c7f830c1-2c56-4a4d-8112-10a7fe0c5f37}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://areacode.six03.net
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001 -> DefaultScope {AF0E5B00-3CC0-417F-A24C-5C78FDA540F2} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001 -> {AF0E5B00-3CC0-417F-A24C-5C78FDA540F2} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll [2012-09-14] (Qualcomm Atheros Commnucations)
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2016-07-30] (IvoSoft)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll [2015-09-22] (Eyeo GmbH)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
BHO-x32: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2016-07-30] (IvoSoft)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll [2015-09-22] (Eyeo GmbH)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2016-07-30] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2016-07-30] (IvoSoft)
DPF: HKLM-x32 {FA13A9FA-CA9B-11D2-9780-00104B242EA3} file:///D:/games/WebDriverFullInstall.exe
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll [2015-08-05] (Belarc, Inc.)
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  No File

Edge:
======
Edge HomeButtonPage: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001 -> hxxp://areacode.six03.net/
Edge Extension: (Adblock Plus) -> 10_EyeoGmbHAdblockPlus_d55gg7py3s0m0 => C:\Program Files\WindowsApps\EyeoGmbH.AdblockPlus_0.9.6.0_neutral__d55gg7py3s0m0 [2016-08-02]

FireFox:
========
FF ProfilePath: C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default [2017-01-30]
FF NewTab: Mozilla\Firefox\Profiles\y9wjajgv.default -> about:newtab
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\y9wjajgv.default -> Google
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\y9wjajgv.default -> Google
FF SearchEngineOrder.1: Mozilla\Firefox\Profiles\y9wjajgv.default -> Secure Search
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\y9wjajgv.default -> Secure Search
FF Homepage: Mozilla\Firefox\Profiles\y9wjajgv.default -> hxxp://willrun.4beer.today/
FF Extension: (CanvasBlocker) - C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\Extensions\CanvasBlocker@kkapsner.de.xpi [2016-12-13]
FF Extension: (Classic Theme Restorer) - C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2016-12-13]
FF Extension: (NoScript) - C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2017-01-25]
FF Extension: (BugMeNot Plugin) - C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\Extensions\{987311C6-B504-4aa2-90BF-60CC49808D42}.xpi [2016-04-27]
FF Extension: (WOT) - C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2015-12-09]
FF Extension: (Adblock Plus) - C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-12-13]
FF Extension: (BetterPrivacy) - C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\Extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}.xpi [2016-12-13]
FF SearchPlugin: C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default\searchplugins\McSiteAdvisor.xml [2016-03-08]
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_24_0_0_194.dll [2017-01-10] ()
FF Plugin: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2016-01-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\npPDFXCviewNPPlugin.dll [2016-01-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-10] ()
FF Plugin-x32: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2016-01-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @mozilla.zeniko.ch/SumatraPDF_Browser_Plugin -> C:\Program Files (x86)\SumatraPDF\npPdfViewer.dll [2013-10-01] (Simon Bünzli)
FF Plugin-x32: @tracker-software.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2016-01-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin HKU\S-1-5-21-2229908789-3868270222-3131126828-1001: @docu-track.com/PDF-XChange Viewer Plugin,version=1.0,application/pdf -> C:\Program Files\Tracker Software\PDF Viewer\Win32\npPDFXCviewNPPlugin.dll [2016-01-11] (Tracker Software Products (Canada) Ltd.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npPDFXCviewNPPlugin.dll [2014-02-17] (Tracker Software Products (Canada) Ltd.)

Chrome:
=======
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?fr=mcafee&type=C211US1134D20160210&p={searchTerms}
CHR DefaultSearchKeyword: Default -> McAfee
CHR Profile: C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default [2017-01-29]
CHR Extension: (Google Slides) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-24]
CHR Extension: (Docs) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-24]
CHR Extension: (Google Drive) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-24]
CHR Extension: (YouTube) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-24]
CHR Extension: (Google Sheets) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-24]
CHR Extension: (SiteAdvisor) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho [2016-04-24]
CHR Extension: (Google Docs Offline) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-24]
CHR Extension: (Chrome Web Store Payments) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-24]
CHR Extension: (Gmail) - C:\Users\pete\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-24]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [9461280 2017-01-24] (Emsisoft Ltd)
R2 AcfXAudioService; C:\WINDOWS\SysWOW64\ACFXAU64.dll [436736 2011-02-14] (Conexant Systems, Inc.)
R2 DellDataVault; C:\Program Files\Dell\DellDataVault\DellDataVault.exe [2574168 2015-09-11] (Dell Inc.)
R2 DellDataVaultWiz; C:\Program Files\Dell\DellDataVault\DellDataVaultWiz.exe [201560 2015-09-11] (Dell Inc.)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security Premium\ekrn.exe [2836296 2016-12-14] (ESET)
R2 HDDHealth; C:\Program Files (x86)\HDD Health\HDDHealthService.exe [17760 2013-03-08] () [File not signed]
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2011-08-18] (Hewlett-Packard Co.) [File not signed]
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89840 2015-03-28] (Hewlett-Packard Company)
R2 igfxCUIService1.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [319096 2016-01-13] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-09-17] (Intel Corporation)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [155088 2016-12-14] (Malwarebytes Corporation)
R2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [253776 2013-03-26] (CyberLink)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [312056 2015-08-03] (Realtek Semiconductor)
R2 SanDisk SSD Dashboard Service; C:\Program Files (x86)\SanDisk\SSD Dashboard\SanDiskSSDDashboardService.exe [373760 2016-10-10] (SanDisk) [File not signed]
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
R2 SftService; C:\Program Files (x86)\Dell Backup and Recovery\sftservice.exe [2065808 2016-01-04] (SoftThinks SAS)
R2 SNMP; C:\WINDOWS\System32\snmp.exe [53248 2016-10-14] (Microsoft Corporation)
R2 SNMP; C:\WINDOWS\SysWOW64\snmp.exe [47104 2016-10-14] (Microsoft Corporation)
S3 SupportAssistAgent; C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe [21160 2015-09-30] (Dell Inc.)
R2 VolumeCtlSrv; C:\Program Files\DELLOSD\VolumeCtlSrv.exe [221696 2012-07-20] (Wistron Corporation) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)
R2 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-26] (Atheros) [File not signed]
S2 0245531483186370mcinstcleanup; C:\WINDOWS\TEMP\024553~1.EXE -cleanup -nolog [X]

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 acfva; C:\WINDOWS\system32\DRIVERS\ACFVA64.sys [122624 2011-02-14] (Conexant Systems Inc.)
R1 CLVirtualDrive; C:\WINDOWS\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-08-29] (CyberLink)
R3 DDDriver; C:\WINDOWS\system32\drivers\DDDriver64Dcsa.sys [23760 2015-02-26] (Dell Computer Corporation)
R3 DellProf; C:\WINDOWS\system32\drivers\DellProf.sys [24240 2015-09-11] (Dell Computer Corporation)
S3 dgcfltr; C:\WINDOWS\system32\DRIVERS\ACFDCP64.sys [34944 2011-02-14] (Conexant Systems, Inc.)
S3 dot4; C:\WINDOWS\system32\DRIVERS\Dot4.sys [151968 2012-09-25] (Windows (R) Win 7 DDK provider)
S3 Dot4Print; C:\WINDOWS\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows (R) Win 7 DDK provider)
R1 eamonm; C:\WINDOWS\System32\DRIVERS\eamonm.sys [132272 2016-12-05] (ESET)
R0 edevmon; C:\WINDOWS\System32\DRIVERS\edevmon.sys [106768 2016-12-05] (ESET)
S0 eelam; C:\WINDOWS\System32\DRIVERS\eelam.sys [15488 2016-12-09] (ESET)
R1 ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [180544 2016-12-05] (ESET)
R2 ekbdflt; C:\WINDOWS\system32\DRIVERS\ekbdflt.sys [49672 2016-12-05] (ESET)
R1 epfw; C:\WINDOWS\system32\DRIVERS\epfw.sys [77616 2016-12-05] (ESET)
R1 epfwwfp; C:\WINDOWS\system32\DRIVERS\epfwwfp.sys [96856 2016-12-05] (ESET)
R1 epp; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [77408 2016-12-14] ()
R3 ITECIRfilter; C:\WINDOWS\system32\DRIVERS\ITECIRfilter.sys [27856 2015-06-03] (ITE Tech. Inc. )
R2 mdmxsdk; C:\WINDOWS\system32\DRIVERS\ACFSDK64.sys [17024 2011-02-14] (Conexant)
S3 MODEMCSA; C:\WINDOWS\system32\drivers\MODEMCSA.sys [26624 2016-07-16] (Microsoft Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 pcdrndisprot; C:\WINDOWS\system32\DRIVERS\pcdrndisprot.sys [37936 2013-02-14] (Windows (R) Win 7 DDK provider)
S1 pqadtgqv; C:\WINDOWS\system32\drivers\pqadtgqv.sys [55168 2017-01-30] (Microsoft Corporation)
R3 PQAWRwa; C:\Program Files\DELLOSD\PQAWDrv.sys [12384 2008-03-01] () [File not signed]
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [589824 2016-07-16] (Realtek                                            )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 WdBoot; C:\WINDOWS\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\WINDOWS\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
R2 XAudio; C:\WINDOWS\system32\DRIVERS\ACFXAU64.sys [10240 2011-02-14] (Conexant Systems, Inc.)
S3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-30 14:55 - 2017-01-30 14:56 - 00053572 _____ C:\Users\pete\Desktop\FRST.txt
2017-01-30 14:54 - 2017-01-30 14:55 - 00000000 ____D C:\FRST
2017-01-30 14:52 - 2017-01-30 14:53 - 02420736 _____ (Farbar) C:\Users\pete\Desktop\FRST64.exe
2017-01-30 14:52 - 2017-01-30 14:52 - 00899072 _____ C:\Users\pete\Desktop\RGSA.exe
2017-01-30 14:51 - 2017-01-30 14:51 - 00055168 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pqadtgqv.sys
2017-01-30 14:47 - 2017-01-30 14:47 - 00000486 _____ C:\Users\pete\Documents\Ransom Win32 NemreqA.txt
2017-01-27 10:09 - 2017-01-27 10:09 - 01750366 _____ C:\Users\pete\Desktop\DEED.pdf
2017-01-27 09:26 - 2017-01-27 09:26 - 00103678 _____ C:\Users\pete\Desktop\Claim Acknowledgment 01.27.17.pdf
2017-01-26 12:57 - 2017-01-26 12:57 - 06942621 _____ C:\Users\pete\Desktop\Rec'd fr RML 01-26-2016.pdf
2017-01-26 12:53 - 2017-01-26 12:55 - 06942621 _____ C:\Users\pete\Desktop\Rec'd 01-26-2016.pdf
2017-01-26 12:36 - 2017-01-26 15:10 - 08591079 _____ C:\Users\pete\Desktop\TitleInsurance.pdf
2017-01-26 11:20 - 2017-01-26 11:20 - 00102237 _____ C:\Users\pete\Desktop\RML Update of P&M Fee Program.pdf
2017-01-25 07:57 - 2016-12-21 02:08 - 00142848 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
2017-01-25 07:57 - 2016-12-20 23:44 - 00120320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe
2017-01-24 18:51 - 2017-01-25 07:43 - 00000000 ____D C:\ProgramData\Emsisoft
2017-01-24 18:38 - 2017-01-30 14:50 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2017-01-24 13:05 - 2017-01-24 13:05 - 00000000 ____D C:\Users\pete\AppData\Roaming\www.shadowexplorer.com
2017-01-24 13:05 - 2017-01-24 13:05 - 00000000 ____D C:\Program Files (x86)\ShadowExplorer
2017-01-24 13:03 - 2017-01-24 13:03 - 00000000 ____D C:\Users\pete\Downloads\ShadowExplorer
2017-01-23 13:47 - 2017-01-23 13:47 - 01223507 _____ C:\Users\pete\Documents\AccidentReport .pdf
2017-01-22 13:27 - 2017-01-24 14:50 - 00001857 _____ C:\Users\pete\Documents\Passwords 2017.txt
2017-01-18 14:27 - 2017-01-20 09:46 - 00000000 ____D C:\Program Files\Common Files\McAfee
2017-01-18 14:27 - 2017-01-18 14:29 - 00000000 ____D C:\ProgramData\McAfee
2017-01-16 14:23 - 2017-01-16 14:23 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2017-01-16 09:15 - 2017-01-16 11:33 - 00000000 ____D C:\Users\pete\Documents\Profile1
2017-01-15 11:22 - 2017-01-15 11:22 - 00000000 ____D C:\ProgramData\WinPatrol
2017-01-10 15:13 - 2016-12-21 03:08 - 00245600 _____ (Microsoft Corporation) C:\WINDOWS\system32\offlinesam.dll
2017-01-10 15:13 - 2016-12-21 03:08 - 00136032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ImplatSetup.dll
2017-01-10 15:13 - 2016-12-21 03:04 - 07816032 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2017-01-10 15:13 - 2016-12-21 02:49 - 00328008 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Storage.ApplicationData.dll
2017-01-10 15:13 - 2016-12-21 02:46 - 00624048 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2017-01-10 15:13 - 2016-12-21 02:43 - 04130440 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
2017-01-10 15:13 - 2016-12-21 02:43 - 01454504 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetsrc.dll
2017-01-10 15:13 - 2016-12-21 02:43 - 01071736 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
2017-01-10 15:13 - 2016-12-21 02:43 - 00092512 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll
2017-01-10 15:13 - 2016-12-21 02:42 - 22224480 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2017-01-10 15:13 - 2016-12-21 02:42 - 01988560 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmp4srcsnk.dll
2017-01-10 15:13 - 2016-12-21 02:42 - 01702392 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfasfsrcsnk.dll
2017-01-10 15:13 - 2016-12-21 02:42 - 01300600 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfmpeg2srcsnk.dll
2017-01-10 15:13 - 2016-12-21 02:42 - 00241504 _____ (Microsoft Corporation) C:\WINDOWS\system32\CloudExperienceHost.dll
2017-01-10 15:13 - 2016-12-21 02:41 - 01600632 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2017-01-10 15:13 - 2016-12-21 02:37 - 00455520 _____ (Microsoft Corporation) C:\WINDOWS\system32\securekernel.exe
2017-01-10 15:13 - 2016-12-21 02:15 - 22563840 _____ (Microsoft Corporation) C:\WINDOWS\system32\edgehtml.dll
2017-01-10 15:13 - 2016-12-21 02:14 - 00043008 _____ (Microsoft Corporation) C:\WINDOWS\system32\LaunchWinApp.exe
2017-01-10 15:13 - 2016-12-21 02:09 - 00368640 _____ (Microsoft Corporation) C:\WINDOWS\system32\OneBackupHandler.dll
2017-01-10 15:13 - 2016-12-21 02:09 - 00363520 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.BioFeedback.dll
2017-01-10 15:13 - 2016-12-21 02:08 - 01292288 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSVPXENC.dll
2017-01-10 15:13 - 2016-12-21 02:08 - 00418304 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.BlockedShutdown.dll
2017-01-10 15:13 - 2016-12-21 02:08 - 00360448 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpencom.dll
2017-01-10 15:13 - 2016-12-21 02:08 - 00289792 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeveloperOptionsSettingsHandlers.dll
2017-01-10 15:13 - 2016-12-21 02:08 - 00211968 _____ (Microsoft Corporation) C:\WINDOWS\system32\InstallAgent.exe
2017-01-10 15:13 - 2016-12-21 02:07 - 00748544 _____ (Microsoft Corporation) C:\WINDOWS\system32\StoreAgent.dll
2017-01-10 15:13 - 2016-12-21 02:06 - 06285312 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Media.dll
2017-01-10 15:13 - 2016-12-21 02:06 - 00310784 _____ (Microsoft Corporation) C:\WINDOWS\system32\SyncSettings.dll
2017-01-10 15:13 - 2016-12-21 02:06 - 00260608 _____ (Microsoft Corporation) C:\WINDOWS\system32\InstallAgentUserBroker.exe
2017-01-10 15:13 - 2016-12-21 02:06 - 00147456 _____ (Microsoft Corporation) C:\WINDOWS\system32\winsrv.dll
2017-01-10 15:13 - 2016-12-21 02:05 - 00425984 _____ (Microsoft Corporation) C:\WINDO
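
Added here as an example, not part of Pete's post and not output of FRST, CryptoPrevent or any other product in the log: a read-only PowerShell triage script for the three kinds of "<====== ATTENTION" items in the log above (the HKLM Software Restriction Policy path rules plus "GroupPolicy: Restriction", the randomly named driver pqadtgqv.sys created at 14:51 on the day of the scan, and the per-user browser start pages in the Internet section). Assumptions: it is run in an elevated Windows PowerShell 5.1 session on the scanned machine; the driver path and the Firefox profile path are copied from the log; the function names are mine. It reports values and changes nothing.

```powershell
# Added triage example (not from the original post, FRST or any product in the log).
# Function names are invented; only the two file paths are taken from the log.
#Requires -RunAsAdministrator

# 1) SRP path rules behind the "HKLM Group Policy restriction on software" lines.
#    FRST flags every HKLM SRP rule because attackers also use SRP to block security
#    tools. Rules like %userprofile%\*.scr, *.pdf*.js and syskey.exe are consistent
#    with what CryptoPrevent (listed under Installed Programs) writes; list them from
#    the registry so each one can be matched to a tool you actually installed.
function Get-SrpPathRules {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -Path $base)) { return }
    $levelNames = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }   # subkeys are security levels
    foreach ($level in Get-ChildItem -Path $base) {
        $paths = Join-Path -Path $level.PSPath -ChildPath 'Paths'
        if (-not (Test-Path -Path $paths)) { continue }
        $name = $levelNames[$level.PSChildName]
        if (-not $name) { $name = $level.PSChildName }
        foreach ($rule in Get-ChildItem -Path $paths) {
            $v = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level        = $name
                Path         = $v.ItemData                      # the pattern FRST printed
                Description  = $v.Description
                LastModified = if ($v.LastModified) { [datetime]::FromFileTime([int64]$v.LastModified) } else { $null }
                RuleGuid     = $rule.PSChildName
            }
        }
    }
}

# 2) The driver S1 pqadtgqv. FRST prints "(Microsoft Corporation)" from the file's
#    version resource, a free-text field any PE can carry, so it is not evidence of a
#    signature. Check the Authenticode status and record the hash. An in-box Microsoft
#    driver is usually catalog-signed rather than embedded-signed, so NotSigned alone
#    is not a verdict either way; the SHA256 is what you look up or compare to a clean copy.
function Test-DriverFile {
    param([string]$Path = 'C:\WINDOWS\system32\drivers\pqadtgqv.sys')   # path from the log
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $svc  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($item.BaseName)" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path            = $Path
        Exists          = $true
        SizeBytes       = $item.Length
        Created         = $item.CreationTime
        VersionCompany  = $item.VersionInfo.CompanyName       # the string FRST showed
        SignatureStatus = $sig.Status                          # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        ServiceStart    = if ($svc) { $svc.Start } else { $null } # 1 = system start, FRST's "S1"
    }
}

# 3) Browser start pages. Reads the IE "Start Page" / Default_Page_URL values for every
#    loaded user hive (so you can see which account carries an entry) and the Firefox
#    homepage from prefs.js in the profile FRST listed.
function Get-BrowserStartPages {
    param([string]$FirefoxProfile = 'C:\Users\pete\AppData\Roaming\Mozilla\Firefox\Profiles\y9wjajgv.default')  # from the log
    Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object {
            $key = "Registry::HKEY_USERS\$($_.PSChildName)\Software\Microsoft\Internet Explorer\Main"
            if (Test-Path -Path $key) {
                $v = Get-ItemProperty -Path $key
                [pscustomobject]@{ Source = "IE $($_.PSChildName)"; StartPage = $v.'Start Page'; DefaultPage = $v.Default_Page_URL }
            }
        }
    $prefs = Join-Path -Path $FirefoxProfile -ChildPath 'prefs.js'
    if (Test-Path -Path $prefs) {
        # prefs.js lines look like: user_pref("browser.startup.homepage", "http://...");
        $m = Select-String -Path $prefs -Pattern 'user_pref\("browser\.startup\.homepage",\s*"([^"]*)"\)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value }
        [pscustomobject]@{ Source = 'Firefox prefs.js'; StartPage = ($m -join ' '); DefaultPage = $null }
    }
}

Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
Test-DriverFile | Format-List
Get-BrowserStartPages | Format-Table -AutoSize
```

The point of the first function is matching: an SRP rule whose shape you recognise from a tool you installed is expected, one you cannot account for is the thing to chase. For the driver, record the hash before any cleanup tool touches the file; the company name FRST prints is only the version-resource string, and a randomly named driver created minutes before the scan is worth checking regardless of what that string says.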

Pete!
Re: Ransom: Win32/Nemreq.A ?
« Reply #1 on: January 30, 2017, 06:11:10 PM »
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-01-2017
Ran by pete (30-01-2017 14:57:43)
Running from C:\Users\pete\Desktop
Windows 10 Home Version 1607 (X64) (2016-08-02 19:12:51)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2229908789-3868270222-3131126828-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-2229908789-3868270222-3131126828-503 - Limited - Disabled)
Guest (S-1-5-21-2229908789-3868270222-3131126828-501 - Limited - Disabled) => C:\Users\Guest
pete (S-1-5-21-2229908789-3868270222-3131126828-1001 - Administrator - Enabled) => C:\Users\pete

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Emsisoft Anti-Malware (Enabled - Up to date) {701CB209-EBBC-AADC-11E6-DE73E7AF4C9D}
AV: ESET Smart Security Premium 10.0.386.0 (Enabled - Up to date) {EC1D6F37-E411-475A-DF50-12FF7FE4AC70}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {CB7D53ED-CD86-A552-2B56-E5019C280620}
AS: ESET Smart Security Premium 10.0.386.0 (Enabled - Up to date) {577C8ED3-C22B-48D4-E5E0-298D0463E6CD}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall (Enabled) {D426EE12-AE7E-4602-F40F-BBCA8137EB0B}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

4500_G510gm_Help (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
4500G510gm (x32 Version: 140.0.001.000 - Hewlett-Packard) Hidden
4500G510gm_Software_Min (x32 Version: 140.0.001.000 - Hewlett-Packard) Hidden
64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden
Adblock Plus for IE (32-bit and 64-bit) (HKLM\...\{0F347A49-E36C-4639-8D2E-003AD408B8B2}) (Version: 1.5 - Eyeo GmbH)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.194 - Adobe Systems Incorporated)
BufferChm (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden
BurnAware Professional 9.7 (HKLM-x32\...\BurnAware Professional_is1) (Version:  - Burnaware)
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
Classic Shell (HKLM\...\{383BB30A-B4A7-4666-9A83-22CFA8640097}) (Version: 4.3.0 - IvoSoft)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CryptoPrevent (HKLM-x32\...\{5C5B24E7-4694-4049-A222-CCE7D3FAC63F}_is1) (Version:  - Foolish IT LLC)
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 11.0 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.9.2.8 - Dell Inc.)
Dell Data Vault (Version: 4.3.5.1 - Dell Inc.) Hidden
Dell SupportAssist (HKLM\...\PC-Doctor for Windows) (Version: 1.1.6664.10 - Dell)
Dell SupportAssistAgent (HKLM-x32\...\{287348C8-8B47-4C36-AF28-441A3B7D8722}) (Version: 1.1.1.14 - Dell)
Dell System Detect (HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\73f463568823ebbe) (Version: 6.5.0.6 - Dell)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
DELLOSD (HKLM-x32\...\{699D0EFA-5AC2-4DAB-846E-E4EFDA00ACAC}) (Version: 1.0.2.1108 - DELL)
Destinations (x32 Version: 140.0.253.000 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden
DocProc (x32 Version: 140.0.185.000 - Hewlett-Packard) Hidden
Doom 3 (TM) Demo (HKLM-x32\...\Doom 3 (TM) Demo) (Version:  - )
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 12.0 - Emsisoft Ltd.)
ESET Smart Security Premium (HKLM\...\{E1F1E8E1-90E6-4A19-A4A8-242C696B82AA}) (Version: 10.0.386.0 - ESET, spol. s r.o.)
Fax (x32 Version: 140.0.307.000 - Hewlett-Packard) Hidden
Golden Dozen Solitaire (HKLM-x32\...\GoldenDozenSolitaire_is1) (Version: 1.0 - Media Contact LLC)
GPBaseService2 (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden
HDD Health v4.2 (HKLM-x32\...\HDD Health_is1) (Version:  - )
HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP)
HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
HP Officejet 4500 G510g-m 14.0 Rel. 6 (HKLM\...\{C55BF64E-60E1-494C-B1EB-97A008141A55}) (Version: 14.0 - HP)
HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
HP Support Solutions Framework (HKLM-x32\...\{FC3C2B77-6800-48C6-A15D-9D1031130C16}) (Version: 11.51.0049 - Hewlett-Packard Company)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (x32 Version: 1.00.0001 - Microsoft) Hidden
HPProductAssistant (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden
HPSSupply (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden
Intel(R) Driver Update Utility 2.4 (x32 Version: 2.4.0.7 - Intel) Hidden
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1281 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4358 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{561b5fb5-1d4d-40e8-b3e4-ad52858b217c}) (Version: 2.4.0.7 - Intel)
Ipswitch WS_FTP LE (HKLM-x32\...\WS_FTP LE) (Version:  - )
LibreOffice 5.1 Help Pack (English (United States)) (HKLM-x32\...\{798A717F-4949-4178-83D0-DA0A3FE378E9}) (Version: 5.1.4.2 - The Document Foundation)
LibreOffice 5.1.6.2 (HKLM-x32\...\{3D18F833-5EEE-4221-96CE-BC9488780EE3}) (Version: 5.1.6.2 - The Document Foundation)
Malwarebytes Anti-Exploit version 1.9.1.1291 (HKLM\...\Malwarebytes Anti-Exploit_is1) (Version: 1.9.1.1291 - Malwarebytes)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
MarketResearch (x32 Version: 140.0.212.000 - Hewlett-Packard) Hidden
Message+ (HKLM-x32\...\{3d292a76-d196-4c3c-95c1-f5df25f6c099}) (Version: 1.0.0.0 - Verizon)
Message+ (x32 Version: 1.0.0.0 - Verizon) Hidden
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Office 97, Professional Edition (HKLM-x32\...\Office8.0) (Version:  - )
Microsoft Office Word Viewer 2003 (HKLM-x32\...\{90850409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Word 97 HR/Ops Template Pack (Remove only) (HKLM-x32\...\wdoprtns) (Version:  - )
Microsoft Word 97 Sales & Mktg Template Pack (Remove only) (HKLM-x32\...\wdmktgpk) (Version:  - )
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 51.0.1 (x64 en-US) (HKLM\...\Mozilla Firefox 51.0.1 (x64 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 51.0.1 - Mozilla)
Mozilla Thunderbird 45.5.1 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 45.5.1 (x86 en-US)) (Version: 45.5.1 - Mozilla)
MRU-Blaster v1.5 (Database 3.28.04) (HKLM-x32\...\MRU-Blaster_is1) (Version: 1.5 - BrightFort LLC)
Network64 (Version: 140.0.306.000 - Hewlett-Packard) Hidden
OCR Software by I.R.I.S. 14.0 (HKLM\...\HPOCR) (Version: 14.0 - HP)
Optimum (HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\2991278794.optimumapp.iptv.optimum.net) (Version:  - optimumapp.iptv.optimum.net)
Optimum App for Laptop 4.5 (HKLM\...\{6082AB31-92B1-4832-AC89-3B2E6D8C14FE}) (Version: 4.5 - Cablevision)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.316.0 - Tracker Software Products Ltd)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.209 - Qualcomm Atheros Communications)
Quicken 2003 Basic (HKLM-x32\...\InstallShield_{88D0E768-CD6A-42A9-97F9-2B12CF740019}) (Version: 12.00.0000 - Intuit)
Quicken 2003 Basic (x32 Version: 12.00.0000 - Intuit) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7544 - Realtek Semiconductor Corp.)
RootsMagic 7.2.0.0 (HKLM-x32\...\{D6286873-A757-4A4D-A6EF-0081B3EE32CA}_is1) (Version: RootsMagic 7.2.0.0 - RootsMagic, Inc.)
SanDisk SSD Dashboard (HKLM-x32\...\SanDisk SSD Dashboard) (Version: 1.4.4.4 - Western Digital Corporation or its affiliates)
SanDisk SSD Dashboard Service (HKLM-x32\...\{F4D977F4-1480-4F6A-A6BC-B2AB1D9E4F66}) (Version: 1.1.0 - SanDisk Corporation)
Scan (x32 Version: 140.0.253.000 - Hewlett-Packard) Hidden
ShadowExplorer 0.9 (HKLM-x32\...\ShadowExplorer_is1) (Version: 0.9.462.0 - ShadowExplorer.com)
Shared C Run-time for x64 (HKLM\...\{EF79C448-6946-4D71-8134-03407888C054}) (Version: 10.0.0 - McAfee)
Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 14.0 - HP)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
SolutionCenter (x32 Version: 140.0.299.000 - Hewlett-Packard) Hidden
Space Quest 2 VGA 1.1 (HKLM-x32\...\Space Quest 2 VGA) (Version:  - Infamous Adventures)
SpywareBlaster 5.5 (HKLM-x32\...\SpywareBlaster_is1) (Version: 5.5.0 - BrightFort LLC)
Status (x32 Version: 140.0.342.000 - Hewlett-Packard) Hidden
SumatraPDF (HKLM-x32\...\SumatraPDF) (Version: 2.4 - Krzysztof Kowalczyk)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1210 - SUPERAntiSpyware.com)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
TaxACT 2013 - 1040 Edition (HKLM-x32\...\TaxACT 2013 - 1040 Edition) (Version:  - TaxACT, Inc.)
TaxACT 2014 - 1040 Edition (HKLM-x32\...\TaxACT 2014 - 1040 Edition) (Version: 1.00 - TaxACT, Inc.)
Toolbox (x32 Version: 140.0.596.000 - Hewlett-Packard) Hidden
TrayApp (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden
TurboTax 2015 (HKLM-x32\...\TurboTax 2015) (Version: 2015.0 - Intuit, Inc)
TurboTax 2016 (HKLM-x32\...\TurboTax 2016) (Version: 2016.0 - Intuit, Inc)
USB Modem (HKLM\...\CNXT_MODEM_USB_ACF) (Version: 2.0.22.0 - Conexant)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Vohaul Strikes Back version 1.0.3.0 (HKLM-x32\...\{90F3E0D4-E2F5-4420-8152-2C0B3CFD61BB}_is1) (Version: 1.0.3.0 - VSB team)
WebReg (x32 Version: 140.0.297.017 - Hewlett-Packard) Hidden
Windows 10 Upgrade Assistant (HKLM-x32\...\{D5C69738-B486-402E-85AC-2456D98A64E4}) (Version: 1.4.9200.17349 - Microsoft Corporation)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinPatrol (HKLM\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 34.11.2016.27 - Ruiware)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\WINDOWS\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {0032A20F-466F-478E-91E9-967955B9DDD4} - System32\Tasks\{46822454-DF91-4A43-B7AA-ADB8D384244A} => pcalua.exe -a "C:\Users\pete\Downloads\P90 downloads\Sleepless Software\poco-w95.exe" -d "C:\Users\pete\Downloads\P90 downloads\Sleepless Software"
Task: {1881CE76-998C-4326-84D1-42CACD18F91F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {1FB1BC53-2BD1-4004-B3AD-BBE88543E278} - System32\Tasks\{56E124F5-3B42-4ACC-B96D-166FB789B7E0} => pcalua.exe -a D:\util\ccc\AccessDeniedUtility.exe -d D:\util\ccc
Task: {34199925-5A11-4635-98BB-6F8C97893DB9} - System32\Tasks\Dell SupportAssistAgent AutoUpdate => C:\Program Files (x86)\Dell\SupportAssistAgent\bin\SupportAssist.exe [2015-09-30] (Dell Inc.)
Task: {352E6CA0-7314-4DF4-89C4-682368D80D57} - System32\Tasks\Microsoft\Windows\Workplace Join\Automatic-Workplace-Join => C:\WINDOWS\System32\AutoWorkplace.exe
Task: {3CF1291D-BE67-4ABD-A929-57D856EC9BC2} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2013-03-04] (CyberLink)
Task: {3F54310D-B448-49EC-B0D4-69667345A24B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {3FC697D4-52BE-4C8D-A4A1-7C0B8B878C1B} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {41D31C52-CA72-48ED-894E-B673875E770F} - System32\Tasks\{565E0546-D044-4F82-BCC9-ED9F3508D844} => pcalua.exe -a "C:\Users\pete\Downloads\P90 downloads\Kain\kaindemo.exe" -d "C:\Users\pete\Downloads\P90 downloads\Kain"
Task: {5687F754-8261-400F-861A-69955C0D7E5C} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {6D5A4AA7-E06F-452F-9E26-8DF2FAD2E67F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {745EA8F6-213D-41F9-AA69-B3FC2825C6F5} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {809C54D1-59DB-4950-A192-9EFF74B8D57D} - System32\Tasks\PCDEventLauncher => C:\Program Files\Dell Support Center\sessionchecker.exe
Task: {82ADB4A8-0D6C-4A07-A1B4-8BE809200316} - System32\Tasks\{A2CF2577-2E36-44F6-A99C-B34FB5325931} => pcalua.exe -a D:\GAMES.EXE -d D:\
Task: {8506568E-170A-415F-9170-96772482EE85} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {909CF5A9-7EA4-4C2B-8C25-1AF14EFDC531} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-01-10] (Adobe Systems Incorporated)
Task: {92C9C5B2-A196-4E98-993C-5594359939A5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {B9EC1C95-5D3E-4A5C-AD90-15917BB00B99} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {BC7BAB8D-327C-472A-97D7-619809B71BDA} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {BEB2E8FE-00B1-4822-9E47-1D355B5F3E53} - System32\Tasks\TrackerAutoUpdate => C:\Program Files\Tracker Software\Update\TrackerUpdate.exe [2016-01-11] (Tracker Software Products (Canada) Ltd.)
Task: {CE26748E-3A47-4649-AF4B-ABC8762F76A0} - System32\Tasks\CLVDLauncher => C:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2013-03-22] (CyberLink Corp.)
Task: {D5E27664-7D81-4F5F-851A-53600F3721BD} - System32\Tasks\AVG_SYS_TASK_0615av => C:\ProgramData\Avg_Update_0615av\AVG-Secure-Search-Update_0615av.exe
Task: {DD5DEBE7-C572-47D0-9642-E1595AA01C3A} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2017-01-10] (Microsoft Corporation)
Task: {DFE6BAA4-402A-4E49-8371-75DB7433DAAD} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {E8E71D81-757D-4C39-998B-6536817CBBFA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EADC2295-9737-49CC-9AF1-5FEA2DE18A6E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {EDB5C075-BCBF-4DBF-8DF1-8C03EE7A44C9} - System32\Tasks\{4FAFF3EB-22BD-473A-8572-9BF1D94B256C} => pcalua.exe -a "C:\Program Files (x86)\Doom95\DXSETUP.EXE" -d "C:\Program Files (x86)\Doom95"
Task: {F81BE428-6FDA-4D23-AAF2-614AE7473B32} - System32\Tasks\{37D508CC-2C2A-4AC2-8570-F7531B140A63} => pcalua.exe -a "C:\Program Files (x86)\PDFCreator\PDFCreator.exe" -d "C:\Program Files (x86)\PDFCreator"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\TrackerAutoUpdate.job => C:\Program Files\Tracker Software\Update\TrackerUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\pete\Documents\Start Menu\Internet Tools\YahooPOPs!\YahooPOPs! Website.lnk -> hxxp://yahoopops.sourceforge.net
Shortcut: C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games\Doom 3 Demo\Visit Doom3.com.lnk -> hxxp://www.doom3.com

==================== Loaded Modules (Whitelisted) ==============

2016-07-16 06:42 - 2016-07-16 06:42 - 00231424 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-12-13 13:21 - 2016-12-09 05:29 - 02681200 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2015-03-01 14:33 - 2013-03-08 09:54 - 00017760 _____ () C:\Program Files (x86)\HDD Health\HDDHealthService.exe
2016-08-02 14:18 - 2016-08-02 14:18 - 00959168 _____ () C:\Users\pete\AppData\Local\Microsoft\OneDrive\17.3.6381.0405\amd64\ClientTelemetry.dll
2016-12-13 13:21 - 2016-12-09 05:29 - 02681200 _____ () C:\WINDOWS\SYSTEM32\CoreUIComponents.dll
2016-09-13 12:28 - 2016-09-06 23:56 - 00134656 _____ () C:\Windows\ShellExperiences\Windows.UI.Shell.SharedUtilities.dll
2017-01-10 15:13 - 2016-12-21 02:09 - 00474112 _____ () C:\Windows\ShellExperiences\QuickActions.dll
2017-01-10 15:13 - 2016-12-21 01:54 - 09760768 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2017-01-10 15:13 - 2016-12-21 01:48 - 01401856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2017-01-10 15:13 - 2016-12-21 01:48 - 00757248 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CSGSuggestLib.dll
2017-01-10 15:13 - 2016-12-21 01:48 - 02424320 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2017-01-10 15:13 - 2016-12-21 01:53 - 04853760 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2015-03-03 13:45 - 2013-03-04 22:40 - 00626240 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2013-03-05 11:41 - 2013-03-05 11:41 - 00015424 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
2013-06-19 23:46 - 2012-07-18 15:55 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2016-01-05 11:17 - 2015-12-18 17:52 - 01607920 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\STRestoreAPI.dll
2013-06-19 23:59 - 2012-11-26 00:19 - 01153384 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\libxml2.dll
2016-01-05 11:17 - 2014-02-18 14:12 - 00117568 _____ () C:\Program Files (x86)\Dell Backup and Recovery\Components\Restore\zlib1.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\WINDOWS\system32\Drivers\pqadtgqv.sys:changelist [322]
AlternateDataStreams: C:\ProgramData\cis378C.exe:$CmdTcID [64]
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [125]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcapexe => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\McNaiAnn => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKLM\...\.scr: CryptoPreventSCR => "C:\Program Files (x86)\Foolish IT\CryptoPrevent\CryptoPreventFilterMod.CryptoPreventEXEC" "%1" /S %*

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\008k.com -> 008k.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\00hq.com -> 00hq.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\0190-dialers.com -> 0190-dialers.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\01i.info -> 01i.info
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\02pmnzy5eo29bfk4.com -> 02pmnzy5eo29bfk4.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\0411dd.com -> 0411dd.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\0511zfhl.com -> 0511zfhl.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\05p.com -> 05p.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\0632qyw.com -> 0632qyw.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\07ic5do2myz3vzpk.com -> 07ic5do2myz3vzpk.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\08nigbmwk43i01y6.com -> 08nigbmwk43i01y6.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\093qpeuqpmz6ebfa.com -> 093qpeuqpmz6ebfa.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\0calories.net -> 0calories.net
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\0cj.net -> 0cj.net
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\0scan.com -> 0scan.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\1-britney-spears-nude.com -> 1-britney-spears-nude.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\1-domains-registrations.com -> 1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\1-se.com -> 1-se.com
IE restricted site: HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\1001movie.com -> 1001movie.com

There are 6091 more sites.


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\pete\Pictures\Marianne 1983\Mossy.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\StartupFolder: => "Quicken Scheduled Updates.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Billminder.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Quicken Startup.lnk"
HKLM\...\StartupApproved\StartupFolder: => "HP Digital Imaging Monitor.lnk"
HKLM\...\StartupApproved\StartupFolder: => "Microsoft Find Fast.lnk"
HKLM\...\StartupApproved\Run32: => "mcpltui_exe"
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\StartupApproved\StartupFolder: => "Microsoft Find Fast.lnk"
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\StartupApproved\StartupFolder: => "HP Digital Imaging Monitor.lnk"
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\StartupApproved\StartupFolder: => "Quicken Scheduled Updates.lnk"
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\StartupApproved\StartupFolder: => "Billminder.lnk"
HKU\S-1-5-21-2229908789-3868270222-3131126828-1001\...\StartupApproved\StartupFolder: => "Quicken Startup.lnk"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => LPort=139
FirewallRules: [SNMP-In-UDP] => %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-Out-UDP] => %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-In-UDP-NoScope] => %SystemRoot%\system32\snmp.exe
FirewallRules: [SNMP-Out-UDP-NoScope] => %SystemRoot%\system32\snmp.exe
FirewallRules: [{38B04055-3601-4F01-9C4B-A4A6B854A641}] => C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{E0CE4812-DDA5-4C90-8820-FEB3CC2B09F3}] => C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{EFACD861-95A4-466D-AA3A-717AE34EBC98}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{C396E93E-72D4-49CD-BF91-D0E849E8AD2B}] => C:\Users\pete\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [{B27F059E-FC31-48E6-8FA4-ED7D428F59D6}] => C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{177ED89D-CD4E-4B5F-B35A-8981DE75AD7B}] => C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
FirewallRules: [{23A52B91-A4D0-44B0-8C7F-DE1053D72D1A}] => C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{943D7317-20FD-4F19-A614-DAD6AD20D039}] => C:\Program Files (x86)\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{2DAF0B80-FA83-4177-AF0A-EB3F88E04694}] => C:\windows\system32\wfs.exe
FirewallRules: [{BE8234EC-0BE7-4CEE-A8ED-D067E72E09A4}] => C:\windows\system32\wfs.exe
FirewallRules: [UDP Query User{0BE68F98-F88D-4E2A-8B2B-CBFFD74BEF10}C:\windows\system32\wfs.exe] => C:\windows\system32\wfs.exe
FirewallRules: [TCP Query User{5099F34E-E157-4453-B49E-82A3EBE234BA}C:\windows\system32\wfs.exe] => C:\windows\system32\wfs.exe
FirewallRules: [{E74DD8F5-ED2A-4F3C-A7C1-053D5387EF32}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{EA568648-6C0E-40D1-94F2-ED110BCD54CB}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3374AF9B-7860-47CF-8A57-6971A6A10438}] => %ProgramFiles% (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{85E87F1B-A8A6-4FED-981F-A21A88CCC2E7}] => %ProgramFiles% (x86)\Mozilla Thunderbird\thunderbird.exe
FirewallRules: [{67C34787-8B58-4747-AA00-EA0F0E78A0BB}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{7F178634-A4D4-4A54-A758-C1A29D8FA6F8}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{BEE07A29-3200-4152-A374-062379A398FE}] => C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{6CFAA856-5221-4F64-83E3-462E94A5CF84}] => C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{6543E6E6-E19C-408C-BB44-DD5C8B7052A5}] => C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{351AFB17-FB55-4F47-8E26-D3714284BC27}] => C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{F8DAAB5F-8ECD-4AFD-9380-8FA211A2DAFB}] => C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{304D35AD-1EC8-4070-83FC-98ED6A1DC032}] => C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{658B11D2-8511-41EC-8A2B-D8FEF370C442}] => C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{86C2B5F1-1751-4CEC-A66A-CA86C5026EF6}] => C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{DB63262E-A0D5-455E-9395-70C181D4A00D}] => C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{ACE2AA4C-54DD-4126-B209-45DB9E86191D}] => C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{1137A211-B2C6-4884-AAC4-2C52BF73CDEA}] => C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

==================== Restore Points =========================

16-01-2017 14:36:36 Scheduled Checkpoint
25-01-2017 07:58:59 Windows Update

==================== Faulty Device Manager Devices =============

Name: Officejet 4500 G510g-m
Description: Officejet 4500 G510g-m
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Officejet 4500 G510g-m
Description: Officejet 4500 G510g-m
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Hewlett-Packard
Service: StillCam
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/30/2017 10:12:45 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (01/30/2017 06:55:03 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SSUPDATE64.EXE, version: 1.0.0.1080, time stamp: 0x53d80800
Faulting module name: SSUPDATE64.EXE, version: 1.0.0.1080, time stamp: 0x53d80800
Exception code: 0xc0000005
Fault offset: 0x0000000000024c8d
Faulting process id: 0x2c58
Faulting application start time: 0x01d27aefafbb37a6
Faulting application path: C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
Faulting module path: C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
Report Id: 2b022639-1817-42ec-b0ef-31c07d39c1f9
Faulting package full name:
Faulting package-relative application ID:

Error: (01/29/2017 10:04:16 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (01/29/2017 07:14:08 AM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <30, 0x80040d07, "iehistory://{S-1-5-21-2229908789-3868270222-3131126828-1001}/">.

Error: (01/29/2017 07:05:20 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_MapsBroker, version: 10.0.14393.0, time stamp: 0x57899b1c
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0x8400000e
Fault offset: 0x0000000000000000
Faulting process id: 0x3078
Faulting application start time: 0x01d27a27dfcb17b1
Faulting application path: C:\WINDOWS\System32\svchost.exe
Faulting module path: unknown
Report Id: 93e193f3-7cba-4a4a-a880-7ee22acd639d
Faulting package full name:
Faulting package-relative application ID:

Error: (01/29/2017 07:02:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SSUPDATE64.EXE, version: 1.0.0.1080, time stamp: 0x53d80800
Faulting module name: SSUPDATE64.EXE, version: 1.0.0.1080, time stamp: 0x53d80800
Exception code: 0xc0000005
Fault offset: 0x0000000000024ca5
Faulting process id: 0x92c
Faulting application start time: 0x01d27a2795896850
Faulting application path: C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
Faulting module path: C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
Report Id: 91423d6a-4e8f-4aca-9aa2-06bfb9ba8d7b
Faulting package full name:
Faulting package-relative application ID:

Error: (01/28/2017 10:01:33 AM) (Source: Perflib) (EventID: 1008) (User: )
Description: The Open Procedure for service "BITS" in DLL "C:\Windows\System32\bitsperf.dll" failed. Performance data for this service will not be available. The first four bytes (DWORD) of the Data section contains the error code.

Error: (01/28/2017 07:16:52 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: SSUPDATE64.EXE, version: 1.0.0.1080, time stamp: 0x53d80800
Faulting module name: SSUPDATE64.EXE, version: 1.0.0.1080, time stamp: 0x53d80800
Exception code: 0xc0000005
Fault offset: 0x0000000000024ca5
Faulting process id: 0x2abc
Faulting application start time: 0x01d27960673d8411
Faulting application path: C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
Faulting module path: C:\Program Files\SUPERAntiSpyware\SSUPDATE64.EXE
Report Id: 076dbf8e-e71d-4ac0-b298-b30c49d92688
Faulting package full name:
Faulting package-relative application ID:

Error: (01/27/2017 01:44:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_stisvc, version: 10.0.14393.0, time stamp: 0x57899b1c
Faulting module name: wiaservc.dll, version: 10.0.14393.0, time stamp: 0x578998fe
Exception code: 0xc0000005
Fault offset: 0x000000000004e927
Faulting process id: 0x2614
Faulting application start time: 0x01d278ae3c38f8ef
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: c:\windows\system32\wiaservc.dll
Report Id: 3ab12509-68a5-4e98-8396-df3b1eb26277
Faulting package full name:
Faulting package-relative application ID:

Error: (01/27/2017 10:01:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_stisvc, version: 10.0.14393.0, time stamp: 0x57899b1c
Faulting module name: hpwtiop5.dll, version: 130.0.98.0, time stamp: 0x5035d37d
Exception code: 0xc0000005
Fault offset: 0x000000000001105c
Faulting process id: 0x1378
Faulting application start time: 0x01d278ad294ecf5b
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\system32\hpwtiop5.dll
Report Id: 128f7b44-8b3c-4145-b25c-09634a9caae2
Faulting package full name:
Faulting package-relative application ID:


System errors:
=============
Error: (01/30/2017 02:52:52 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {784E29F4-5EBE-4279-9948-1E8FE941646D} did not register with DCOM within the required timeout.

Error: (01/30/2017 02:49:53 PM) (Source: RemoteAccess) (EventID: 20063) (User: )
Description: Remote Access Connection Manager failed to start because the Protocol engine [IKEv2] failed to initialize. The request is not supported.

Error: (01/30/2017 02:49:53 PM) (Source: RemoteAccess) (EventID: 20063) (User: )
Description: Remote Access Connection Manager failed to start because the Protocol engine [rasgreeng.dll] failed to initialize. The specified module could not be found.

Error: (01/30/2017 02:49:42 PM) (Source: SNMP) (EventID: 1500) (User: )
Description: The SNMP Service encountered an error while accessing the registry key SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration.

Error: (01/30/2017 02:49:36 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/30/2017 02:49:36 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}
 and APPID
{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
 to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/30/2017 02:48:14 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{D63B10C5-BB46-4990-A94F-E40B9D520160}
 and APPID
{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
 to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.

Error: (01/30/2017 12:07:46 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: The server {784E29F4-5EBE-4279-9948-1E8FE941646D} did not register with DCOM within the required timeout.

Error: (01/30/2017 12:04:46 PM) (Source: RemoteAccess) (EventID: 20063) (User: )
Description: Remote Access Connection Manager failed to start because the Protocol engine [IKEv2] failed to initialize. The request is not supported.

Error: (01/30/2017 12:04:46 PM) (Source: RemoteAccess) (EventID: 20063) (User: )
Description: Remote Access Connection Manager failed to start because the Protocol engine [rasgreeng.dll] failed to initialize. The specified module could not be found.


CodeIntegrity:
===================================
  Date: 2017-01-30 14:49:57.033
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-01-30 14:49:44.005
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-27 09:55:23.414
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume5\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Windows signing level requirements.

  Date: 2017-01-27 09:53:47.219
  Description: Code Integrity determined that a process (\Device\HarddiskVolume5\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume5\Program Files\Emsisoft Anti-Malware\a2hooks64.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-01-27 07:45:24.046
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ProgramData\ESET\ESET Smart Security Premium\Updfiles\base_nonnups\nod4826.dll.nup.raw because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-01-27 07:45:23.841
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ProgramData\ESET\ESET Smart Security Premium\Updfiles\base_nonnups\nod4826.dll.nup.raw because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-01-27 07:45:23.686
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ProgramData\ESET\ESET Smart Security Premium\Updfiles\base_nonnups\nod4826.dll.nup.raw because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-01-27 07:45:23.407
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ProgramData\ESET\ESET Smart Security Premium\Updfiles\base_nonnups\nod4826.dll.nup.raw because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-01-27 07:45:23.164
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ProgramData\ESET\ESET Smart Security Premium\Updfiles\base_nonnups\nod4826.dll.nup.raw because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2017-01-27 07:45:22.963
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\ProgramData\ESET\ESET Smart Security Premium\Updfiles\base_nonnups\nod4826.dll.nup.raw because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel(R) Pentium(R) CPU G2020T @ 2.50GHz
Percentage of memory in use: 56%
Total physical RAM: 3985.33 MB
Available physical RAM: 1751.66 MB
Total Virtual: 4689.33 MB
Available Virtual: 1842.91 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:917.77 GB) (Free:826.73 GB) NTFS
Drive e: (ESP) (Fixed) (Total:0.48 GB) (Free:0.44 GB) FAT32
Drive x: () (Fixed) (Total:0.44 GB) (Free:0.08 GB) NTFS
Drive y: (PBR Image) (Fixed) (Total:12.16 GB) (Free:0.24 GB) NTFS

==================== MBR & Partition Table ==================

==================== End of Addition.txt ============================

Offline Pete!

Re: Ransom: Win32/Nemreq.A ?
« Reply #2 on: January 30, 2017, 06:17:34 PM »
At this point there's no rush, I'm not suffering any ill effects.
It's just that after using home computers since 1988, this is the first time I've detected anything more serious than adware or spyware.

Offline Pete!

Re: Ransom: Win32/Nemreq.A ?
« Reply #3 on: January 30, 2017, 06:34:42 PM »
Oops...
The rest of FRST.txt

2017-01-10 15:13 - 2016-12-21 02:05 - 00425984 _____ (Microsoft Corporation) C:\WINDOWS\system32\aadcloudap.dll
2017-01-10 15:13 - 2016-12-21 02:05 - 00261632 _____ (Microsoft Corporation) C:\WINDOWS\system32\indexeddbserver.dll
2017-01-10 15:13 - 2016-12-21 02:05 - 00049152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Shell.dll
2017-01-10 15:13 - 2016-12-21 02:01 - 09131008 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2017-01-10 15:13 - 2016-12-21 02:00 - 00440320 _____ (Microsoft Corporation) C:\WINDOWS\system32\fhcfg.dll
2017-01-10 15:13 - 2016-12-21 01:59 - 01908224 _____ (Microsoft Corporation) C:\WINDOWS\system32\AzureSettingSyncProvider.dll
2017-01-10 15:13 - 2016-12-21 01:59 - 00883712 _____ (Microsoft Corporation) C:\WINDOWS\system32\samsrv.dll
2017-01-10 15:13 - 2016-12-21 01:58 - 23678464 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2017-01-10 15:13 - 2016-12-21 01:57 - 00462336 _____ (Microsoft Corporation) C:\WINDOWS\system32\fhsettingsprovider.dll
2017-01-10 15:13 - 2016-12-21 01:56 - 00947712 _____ (Microsoft Corporation) C:\WINDOWS\system32\MSVP9DEC.dll
2017-01-10 15:13 - 2016-12-21 01:56 - 00936960 _____ (Microsoft Corporation) C:\WINDOWS\system32\MCRecvSrc.dll
2017-01-10 15:13 - 2016-12-21 01:55 - 08129536 _____ (Microsoft Corporation) C:\WINDOWS\system32\Chakra.dll
2017-01-10 15:13 - 2016-12-21 01:55 - 04749312 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingsHandlers_nt.dll
2017-01-10 15:13 - 2016-12-21 01:54 - 05511680 _____ (Microsoft Corporation) C:\WINDOWS\system32\aclui.dll
2017-01-10 15:13 - 2016-12-21 01:53 - 06664192 _____ (Microsoft Corporation) C:\WINDOWS\system32\mspaint.exe
2017-01-10 15:13 - 2016-12-21 01:53 - 04474368 _____ (Microsoft Corporation) C:\WINDOWS\system32\D3DCompiler_47.dll
2017-01-10 15:13 - 2016-12-21 01:53 - 01692672 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentExtensions.onecore.dll
2017-01-10 15:13 - 2016-12-21 01:51 - 08075776 _____ (Microsoft Corporation) C:\WINDOWS\system32\mstscax.dll
2017-01-10 15:13 - 2016-12-21 01:51 - 05611008 _____ (Microsoft Corporation) C:\WINDOWS\system32\d2d1.dll
2017-01-10 15:13 - 2016-12-21 01:51 - 02275840 _____ (Microsoft Corporation) C:\WINDOWS\system32\AppXDeploymentServer.dll
2017-01-10 15:13 - 2016-12-21 01:50 - 01490432 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2017-01-10 15:13 - 2016-12-21 01:49 - 04149248 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll
2017-01-10 15:13 - 2016-12-21 01:49 - 02691072 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Logon.dll
2017-01-10 15:13 - 2016-12-21 01:49 - 01062912 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncCore.dll
2017-01-10 15:13 - 2016-12-21 01:47 - 01121280 _____ (Microsoft Corporation) C:\WINDOWS\system32\aadtb.dll
2017-01-10 15:13 - 2016-12-21 00:59 - 00218976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\offlinesam.dll
2017-01-10 15:13 - 2016-12-21 00:09 - 00263472 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Storage.ApplicationData.dll
2017-01-10 15:13 - 2016-12-21 00:02 - 03892864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
2017-01-10 15:13 - 2016-12-21 00:02 - 01852720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfmp4srcsnk.dll
2017-01-10 15:13 - 2016-12-21 00:02 - 01360464 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetsrc.dll
2017-01-10 15:13 - 2016-12-21 00:02 - 01277344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfasfsrcsnk.dll
2017-01-10 15:13 - 2016-12-21 00:02 - 01201872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfmpeg2srcsnk.dll
2017-01-10 15:13 - 2016-12-21 00:02 - 00980832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
2017-01-10 15:13 - 2016-12-21 00:01 - 20969928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2017-01-10 15:13 - 2016-12-20 23:46 - 00034304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LaunchWinApp.exe
2017-01-10 15:13 - 2016-12-20 23:43 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.BlockedShutdown.dll
2017-01-10 15:13 - 2016-12-20 23:41 - 00253952 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.BioFeedback.dll
2017-01-10 15:13 - 2016-12-20 23:41 - 00231936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.ApplicationModel.LockScreen.dll
2017-01-10 15:13 - 2016-12-20 23:40 - 00557568 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StoreAgent.dll
2017-01-10 15:13 - 2016-12-20 23:40 - 00318976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rdpencom.dll
2017-01-10 15:13 - 2016-12-20 23:40 - 00237056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SyncSettings.dll
2017-01-10 15:13 - 2016-12-20 23:40 - 00180224 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InstallAgent.exe
2017-01-10 15:13 - 2016-12-20 23:39 - 01300480 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSVPXENC.dll
2017-01-10 15:13 - 2016-12-20 23:39 - 00223232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\InstallAgentUserBroker.exe
2017-01-10 15:13 - 2016-12-20 23:38 - 00866816 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Cred.dll
2017-01-10 15:13 - 2016-12-20 23:35 - 04612608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Media.dll
2017-01-10 15:13 - 2016-12-20 23:35 - 00198656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\indexeddbserver.dll
2017-01-10 15:13 - 2016-12-20 23:34 - 07626752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2017-01-10 15:13 - 2016-12-20 23:33 - 19413504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\edgehtml.dll
2017-01-10 15:13 - 2016-12-20 23:32 - 19417600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2017-01-10 15:13 - 2016-12-20 23:30 - 05398016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\aclui.dll
2017-01-10 15:13 - 2016-12-20 23:30 - 01255936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AzureSettingSyncProvider.dll
2017-01-10 15:13 - 2016-12-20 23:27 - 00640000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MCRecvSrc.dll
2017-01-10 15:13 - 2016-12-20 23:26 - 01155072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MSVP9DEC.dll
2017-01-10 15:13 - 2016-12-20 23:25 - 07469056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mstscax.dll
2017-01-10 15:13 - 2016-12-20 23:25 - 06474752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mspaint.exe
2017-01-10 15:13 - 2016-12-20 23:24 - 06044160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakra.dll
2017-01-10 15:13 - 2016-12-20 23:24 - 05061120 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\d2d1.dll
2017-01-10 15:13 - 2016-12-20 23:24 - 03733504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\D3DCompiler_47.dll
2017-01-10 15:13 - 2016-12-20 23:24 - 00886272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\aadtb.dll
2017-01-10 15:13 - 2016-12-20 23:22 - 01883648 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Logon.dll
2017-01-10 15:13 - 2016-12-20 23:22 - 00860672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncCore.dll
2017-01-10 15:13 - 2016-12-14 00:41 - 01235296 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2017-01-10 15:13 - 2016-12-14 00:41 - 00590960 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioSes.dll
2017-01-10 15:13 - 2016-12-14 00:34 - 02482280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msmpeg2vdec.dll
2017-01-10 15:13 - 2016-12-14 00:33 - 01356864 _____ (Microsoft Corporation) C:\WINDOWS\system32\ClipUp.exe
2017-01-10 15:13 - 2016-12-14 00:23 - 00404832 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2017-01-10 15:13 - 2016-12-14 00:21 - 02206496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msmpeg2vdec.dll
2017-01-10 15:13 - 2016-12-14 00:19 - 00584544 _____ (Microsoft Corporation) C:\WINDOWS\system32\SettingSyncHost.exe
2017-01-10 15:13 - 2016-12-14 00:18 - 00715104 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\vhdmp.sys
2017-01-10 15:13 - 2016-12-14 00:18 - 00335712 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pci.sys
2017-01-10 15:13 - 2016-12-14 00:17 - 00319288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2017-01-10 15:13 - 2016-12-14 00:14 - 01694712 _____ (Microsoft Corporation) C:\WINDOWS\system32\winmde.dll
2017-01-10 15:13 - 2016-12-14 00:14 - 00418952 _____ (Microsoft Corporation) C:\WINDOWS\system32\AUDIOKSE.dll
2017-01-10 15:13 - 2016-12-14 00:14 - 00089416 _____ (Microsoft Corporation) C:\WINDOWS\system32\remoteaudioendpoint.dll
2017-01-10 15:13 - 2016-12-14 00:06 - 00509792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\SettingSyncHost.exe
2017-01-10 15:13 - 2016-12-14 00:01 - 01557808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winmde.dll
2017-01-10 15:13 - 2016-12-14 00:01 - 00382784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AUDIOKSE.dll
2017-01-10 15:13 - 2016-12-14 00:01 - 00076984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\remoteaudioendpoint.dll
2017-01-10 15:13 - 2016-12-13 23:48 - 01631232 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.Resources.dll
2017-01-10 15:13 - 2016-12-13 23:46 - 01631232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.Resources.dll
2017-01-10 15:13 - 2016-12-13 23:46 - 00206848 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2017-01-10 15:13 - 2016-12-13 23:45 - 00147968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32k.sys
2017-01-10 15:13 - 2016-12-13 23:43 - 00201728 _____ (Microsoft Corporation) C:\WINDOWS\system32\ScDeviceEnum.dll
2017-01-10 15:13 - 2016-12-13 23:42 - 00352768 _____ (Microsoft Corporation) C:\WINDOWS\system32\cloudAP.dll
2017-01-10 15:13 - 2016-12-13 23:42 - 00236544 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSCard.dll
2017-01-10 15:13 - 2016-12-13 23:42 - 00208896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Internal.UI.Logon.ProxyStub.dll
2017-01-10 15:13 - 2016-12-13 23:42 - 00167424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinSCard.dll
2017-01-10 15:13 - 2016-12-13 23:41 - 00223744 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2017-01-10 15:13 - 2016-12-13 23:40 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\system32\domgmt.dll
2017-01-10 15:13 - 2016-12-13 23:40 - 00266752 _____ (Microsoft Corporation) C:\WINDOWS\system32\ConsoleLogon.dll
2017-01-10 15:13 - 2016-12-13 23:40 - 00231424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CloudBackupSettings.dll
2017-01-10 15:13 - 2016-12-13 23:40 - 00193536 _____ (Microsoft Corporation) C:\WINDOWS\system32\certprop.dll
2017-01-10 15:13 - 2016-12-13 23:39 - 00837632 _____ (Microsoft Corporation) C:\WINDOWS\system32\wbiosrvc.dll
2017-01-10 15:13 - 2016-12-13 23:39 - 00290816 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatehandlers.dll
2017-01-10 15:13 - 2016-12-13 23:39 - 00257024 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.CredDialogController.dll
2017-01-10 15:13 - 2016-12-13 23:38 - 17188864 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.UI.Xaml.dll
2017-01-10 15:13 - 2016-12-13 23:38 - 13869056 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.Xaml.dll
2017-01-10 15:13 - 2016-12-13 23:38 - 00295424 _____ (Microsoft Corporation) C:\WINDOWS\system32\CloudBackupSettings.dll
2017-01-10 15:13 - 2016-12-13 23:38 - 00213504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.UI.CredDialogController.dll
2017-01-10 15:13 - 2016-12-13 23:37 - 00090112 _____ (Microsoft Corporation) C:\WINDOWS\system32\updatepolicy.dll
2017-01-10 15:13 - 2016-12-13 23:36 - 01002496 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRH.dll
2017-01-10 15:13 - 2016-12-13 23:36 - 00539648 _____ (Microsoft Corporation) C:\WINDOWS\system32\usocore.dll
2017-01-10 15:13 - 2016-12-13 23:36 - 00074752 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\updatepolicy.dll
2017-01-10 15:13 - 2016-12-13 23:35 - 00755712 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2017-01-10 15:13 - 2016-12-13 23:35 - 00712192 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2017-01-10 15:13 - 2016-12-13 23:35 - 00600576 _____ (Microsoft Corporation) C:\WINDOWS\system32\cryptui.dll
2017-01-10 15:13 - 2016-12-13 23:35 - 00553984 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cryptui.dll
2017-01-10 15:13 - 2016-12-13 23:32 - 00497152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\LogonController.dll
2017-01-10 15:13 - 2016-12-13 23:26 - 00932864 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2017-01-10 15:13 - 2016-12-13 23:26 - 00869888 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2017-01-10 15:13 - 2016-12-13 23:25 - 02009600 _____ (Microsoft Corporation) C:\WINDOWS\system32\SRHInproc.dll
2017-01-10 15:13 - 2016-12-13 23:24 - 01005568 _____ (Microsoft Corporation) C:\WINDOWS\system32\D3D12.dll
2017-01-10 15:13 - 2016-12-13 23:24 - 00673792 _____ (Microsoft Corporation) C:\WINDOWS\system32\winlogon.exe
2017-01-10 15:13 - 2016-12-13 23:23 - 03134976 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcore.dll
2017-01-10 15:13 - 2016-12-13 23:23 - 01231872 _____ (Microsoft Corporation) C:\WINDOWS\system32\dosvc.dll
2017-01-10 15:13 - 2016-12-13 23:22 - 02998272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\win32kfull.sys
2017-01-10 15:13 - 2016-12-13 23:22 - 02748416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rdpcore.dll
2017-01-10 15:13 - 2016-12-13 23:22 - 02317824 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2017-01-10 15:13 - 2016-12-13 23:22 - 01513472 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kbase.sys
2017-01-10 15:13 - 2016-12-13 23:22 - 00707584 _____ (Microsoft Corporation) C:\WINDOWS\system32\LogonController.dll
2017-01-10 15:13 - 2016-12-13 23:22 - 00391168 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuuhext.dll
2017-01-10 15:13 - 2016-12-13 23:21 - 03616768 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32kfull.sys
2017-01-10 15:13 - 2016-11-02 07:01 - 00484584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioSes.dll
2017-01-10 15:13 - 2016-11-02 06:00 - 00534096 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEng.dll
2017-01-10 15:13 - 2016-11-02 05:28 - 00324608 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.ApplicationModel.LockScreen.dll
2017-01-10 15:13 - 2016-11-02 05:22 - 00337920 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2017-01-10 15:13 - 2016-11-02 05:21 - 00942080 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2017-01-10 15:13 - 2016-08-01 23:30 - 00822784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Chakradiag.dll
2017-01-10 15:12 - 2016-12-21 02:13 - 00119808 _____ (Microsoft Corporation) C:\WINDOWS\system32\KnobsCsp.dll
2017-01-10 15:12 - 2016-12-21 02:12 - 00083968 _____ (Microsoft Corporation) C:\WINDOWS\system32\ProvPluginEng.dll
2017-01-10 15:12 - 2016-12-21 02:10 - 00234496 _____ (Microsoft Corporation) C:\WINDOWS\system32\KnobsCore.dll
2017-01-10 15:12 - 2016-12-21 02:08 - 00349184 _____ (Microsoft Corporation) C:\WINDOWS\system32\provengine.dll
2017-01-10 15:12 - 2016-12-14 00:08 - 00341344 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2017-01-10 15:12 - 2016-12-13 23:40 - 00104448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Internal.UI.Logon.ProxyStub.dll
2017-01-10 15:12 - 2016-12-13 23:32 - 00806400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\D3D12.dll
2017-01-09 10:44 - 2017-01-09 10:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SanDisk
2017-01-09 10:43 - 2017-01-09 10:43 - 00000000 ____D C:\Program Files (x86)\SanDisk
2017-01-07 07:53 - 2017-01-14 07:13 - 00001267 _____ C:\Users\pete\Desktop\Inhaler vs BP.lnk
2017-01-06 16:48 - 2017-01-06 16:48 - 00000028 _____ C:\Users\pete\Documents\Avast Key 2017.txt
2017-01-06 12:17 - 2017-01-09 11:29 - 00000000 ____D C:\Users\pete\Downloads\SanDisk
2017-01-06 09:45 - 2017-01-06 10:08 - 00008027 _____ C:\Users\pete\Documents\BP -Toprol.txt
2017-01-05 14:32 - 2017-01-05 14:32 - 00002846 _____ C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2017-01-05 14:32 - 2017-01-05 14:32 - 00000000 ____D C:\Program Files\CCleaner
2017-01-04 15:52 - 2017-01-30 07:13 - 00022914 _____ C:\Users\pete\Documents\Test Inhaler vs Blood Pressure.ods
2017-01-03 18:26 - 2017-01-03 18:26 - 05566703 _____ C:\Users\pete\Downloads\RamapoAreaMapFinalDraft_reduced.pdf
2017-01-03 16:00 - 2017-01-03 16:32 - 00000000 ____D C:\AVG_Remover
2017-01-02 15:41 - 2017-01-02 15:41 - 00001841 _____ C:\Users\pete\Documents\Product Keys 2015&2016.txt
2017-01-01 12:33 - 2017-01-01 12:55 - 00037338 _____ C:\Users\pete\Documents\2017_dog_cat_license_application.pdf
2017-01-01 11:36 - 2017-01-01 11:36 - 00000000 ____D C:\Users\pete\AppData\Roaming\ESET
2017-01-01 09:34 - 2017-01-01 09:34 - 00417046 _____ C:\Users\pete\SysInspector-DELL-170101-074417.zip
2016-12-31 11:48 - 2016-12-31 11:48 - 00000000 ____D C:\ProgramData\ESET
2016-12-31 11:48 - 2016-12-31 11:48 - 00000000 ____D C:\Program Files\ESET
2016-12-31 07:15 - 2017-01-25 15:04 - 00000000 ____D C:\Users\pete\AppData\Local\Deployment

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-01-30 14:52 - 2013-06-19 23:58 - 00000000 ____D C:\Program Files (x86)\Dell Backup and Recovery
2017-01-30 14:50 - 2016-11-15 11:13 - 00000000 ____D C:\Users\pete\AppData\LocalLow\Mozilla
2017-01-30 14:50 - 2014-11-30 18:08 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2017-01-30 14:49 - 2016-08-02 14:05 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-01-30 14:49 - 2014-08-24 13:17 - 00000000 __SHD C:\Users\pete\IntelGraphicsProfiles
2017-01-30 14:48 - 2016-07-16 01:04 - 01572864 _____ C:\WINDOWS\system32\config\BBI
2017-01-30 14:48 - 2015-06-03 13:07 - 00000000 ____D C:\Users\pete\AppData\Local\ClassicShell
2017-01-30 12:04 - 2013-12-29 19:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-01-30 10:57 - 2016-08-02 13:44 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-01-30 07:07 - 2015-01-17 18:42 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2017-01-30 07:06 - 2014-02-11 11:05 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2017-01-30 07:06 - 2013-06-19 23:54 - 00000000 ____D C:\ProgramData\Temp
2017-01-30 06:58 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-01-29 07:14 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-01-29 07:14 - 2016-07-16 06:45 - 00000000 ____D C:\WINDOWS\INF
2017-01-27 19:13 - 2014-02-17 16:24 - 00000000 ____D C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mozilla
2017-01-27 19:06 - 2016-04-26 14:25 - 00000000 ____D C:\Program Files\Mozilla Firefox
2017-01-27 19:05 - 2014-01-06 10:45 - 00000000 ____D C:\Users\pete\Downloads\FireFox
2017-01-27 10:00 - 2015-10-17 12:43 - 00000000 ____D C:\ProgramData\HP
2017-01-27 09:53 - 2016-11-15 11:13 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-01-25 19:08 - 2016-08-02 13:49 - 00000000 ____D C:\Users\pete
2017-01-25 08:00 - 2016-07-16 06:36 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-01-25 07:51 - 2014-02-17 16:26 - 00000000 ____D C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tools
2017-01-25 07:49 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\ModemLogs
2017-01-24 18:37 - 2014-09-17 16:51 - 00000000 ____D C:\Users\pete\Downloads\EmsisoftAntiMalware
2017-01-24 12:52 - 2014-01-06 11:56 - 00000000 ____D C:\Users\pete\Documents\2012
2017-01-23 14:06 - 2013-12-26 18:48 - 00000000 ___RD C:\Users\pete\Documents\Scanned Documents
2017-01-20 09:46 - 2016-08-02 13:44 - 00302712 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2017-01-20 09:46 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\InputMethod
2017-01-19 07:08 - 2015-12-06 11:56 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2017-01-18 14:13 - 2016-02-09 15:37 - 00000000 ____D C:\Users\pete\Downloads\McAfee-Optimum
2017-01-17 16:04 - 2014-01-06 12:13 - 00000000 ____D C:\Users\pete\Documents\Marianne
2017-01-17 16:04 - 2014-01-06 11:56 - 00000000 ____D C:\Users\pete\Documents\Carnation Forms
2017-01-16 12:05 - 2015-03-09 14:26 - 00000000 ____D C:\ProgramData\softthinks
2017-01-16 09:07 - 2013-12-25 12:32 - 00000719 _____ C:\WINDOWS\ODBC.INI
2017-01-13 15:11 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\rescache
2017-01-12 10:04 - 2015-01-10 19:20 - 00000000 ____D C:\Users\pete\Documents\TAXACT 2014
2017-01-12 09:46 - 2015-08-05 14:17 - 00000000 ____D C:\Users\pete\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Office & Financial
2017-01-12 09:45 - 2016-02-01 15:05 - 00000629 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2017-01-12 09:42 - 2016-02-01 15:06 - 00000000 ____D C:\Users\pete\AppData\Roaming\Intuit
2017-01-12 09:42 - 2016-02-01 15:03 - 00000000 ____D C:\Program Files (x86)\TurboTax
2017-01-12 09:41 - 2016-01-12 14:08 - 00000000 ____D C:\Users\pete\Downloads\TurboTax
2017-01-11 07:44 - 2015-09-10 00:42 - 00000000 __RHD C:\Users\Public\AccountPictures
2017-01-11 07:42 - 2016-01-19 17:09 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2017-01-10 19:08 - 2016-07-16 06:47 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2017-01-10 19:08 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\WinBioPlugIns
2017-01-10 19:08 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\oobe
2017-01-10 19:08 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\ShellExperiences
2017-01-10 19:08 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\Provisioning
2017-01-10 14:41 - 2014-01-15 13:25 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-01-10 14:38 - 2014-01-15 13:25 - 135657872 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-01-10 14:20 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\Macromed
2017-01-10 14:19 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2017-01-10 14:19 - 2014-01-06 10:46 - 00000000 ____D C:\Users\pete\Downloads\flashplayer
2017-01-08 12:27 - 2016-12-19 12:35 - 00000396 _____ C:\Users\pete\AppData\Roaming\burnaware.ini
2017-01-06 16:07 - 2014-01-06 10:30 - 00000000 ____D C:\Users\pete\Downloads\Avast
2017-01-06 14:40 - 2016-07-16 06:47 - 00000000 ____D C:\WINDOWS\system32\NDF
2017-01-05 14:39 - 2016-09-09 14:10 - 00000000 ____D C:\WINDOWS\Minidump
2017-01-05 14:39 - 2016-08-02 17:43 - 00000000 ___DC C:\WINDOWS\Panther
2017-01-05 14:39 - 2013-12-29 13:05 - 00000000 ____D C:\Users\pete\AppData\Local\CrashDumps
2017-01-05 14:29 - 2014-01-06 10:42 - 00000000 ____D C:\Users\pete\Downloads\CCleaner
2017-01-03 16:31 - 2015-07-07 08:03 - 00000000 ____D C:\Users\pete\AppData\Local\Avg
2017-01-03 16:09 - 2015-07-01 13:21 - 00000000 ____D C:\Program Files (x86)\AVG
2017-01-03 15:59 - 2014-01-06 10:37 - 00000000 ____D C:\Users\pete\Downloads\AVG
2017-01-03 07:24 - 2014-01-06 11:56 - 00000000 ____D C:\Users\pete\Documents\aaa_files
2017-01-03 07:23 - 2014-01-06 11:57 - 00000000 ____D C:\Users\pete\Documents\E-mail account backup
2017-01-03 07:20 - 2016-09-06 10:06 - 00000000 ____D C:\Users\pete\Documents\2016
2017-01-03 07:16 - 2014-01-06 11:55 - 00000000 ____D C:\Users\pete\Documents\1Using IMAP with Outlook Express_files
2017-01-03 07:16 - 2014-01-06 11:55 - 00000000 ____D C:\Users\pete\Documents\1aaJMA Software - Web2Pop_files
2017-01-02 15:32 - 2014-01-06 11:56 - 00000000 ____D C:\Users\pete\Documents\BOE 2013=4
2017-01-02 15:14 - 2013-12-24 20:39 - 00000000 ____D C:\Users\pete\AppData\Local\Packages
2017-01-02 14:59 - 2015-08-05 14:11 - 00000000 ____D C:\Program Files (x86)\LibreOffice 5
2017-01-02 14:51 - 2015-08-05 14:08 - 00000000 ____D C:\Users\pete\Downloads\LibreOffice
2016-12-31 13:39 - 2014-02-11 09:27 - 00000000 ____D C:\Users\pete\Downloads\SpywareBlaster
2016-12-31 13:39 - 2014-01-06 11:32 - 00000000 ____D C:\Users\pete\Downloads\ZoneAlarm
2016-12-31 12:05 - 2016-07-16 01:04 - 00032768 _____ C:\WINDOWS\system32\config\ELAM
2016-12-31 11:49 - 2016-07-16 06:47 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2016-12-31 11:37 - 2016-12-30 10:09 - 00000000 ____D C:\WINDOWS\System32\Tasks\McAfee
2016-12-31 11:26 - 2016-12-29 16:26 - 00000000 ____D C:\Users\pete\Downloads\ESET
2016-12-31 07:03 - 2016-12-30 10:11 - 00000000 __RSD C:\Users\pete\Documents\McAfee Vaults

==================== Files in the root of some directories =======

2016-12-19 12:35 - 2017-01-08 12:27 - 0000396 _____ () C:\Users\pete\AppData\Roaming\burnaware.ini
2014-03-01 15:18 - 2015-02-28 11:19 - 0000000 _____ () C:\Users\pete\AppData\Roaming\sversion.ini
2014-01-18 13:51 - 2014-01-18 13:51 - 0003584 _____ () C:\Users\pete\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-06-04 10:04 - 2014-06-04 10:04 - 0000036 _____ () C:\Users\pete\AppData\Local\housecall.guid.cache
2013-12-29 14:41 - 2015-05-15 14:44 - 0007598 _____ () C:\Users\pete\AppData\Local\Resmon.ResmonCfg
2015-08-10 11:54 - 2015-08-10 11:54 - 3429056 _____ (COMODO) C:\ProgramData\cis378C.exe
2013-12-29 15:16 - 2015-06-16 12:42 - 0006387 _____ () C:\ProgramData\hpzinstall.log
2016-02-01 15:05 - 2017-01-12 09:45 - 0000629 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-06-19 23:58 - 2013-06-19 23:58 - 0000119 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2013-06-19 23:54 - 2013-06-19 23:55 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2013-06-19 23:55 - 2013-06-19 23:56 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2013-06-19 23:54 - 2013-06-19 23:54 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2013-06-19 23:56 - 2013-06-19 23:58 - 0000108 _____ () C:\ProgramData\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}.log

Files to move or delete:
====================
C:\ProgramData\cis378C.exe
C:\Users\pete\avast_free_antivirus_setup.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-01-27 14:31

==================== End of FRST.txt ============================

Offline Pete!

Re: Ransom: Win32/Nemreq.A ?
« Reply #4 on: January 30, 2017, 07:16:33 PM »
For some reason Windows Defender tried to stop me from running the tools, so I disabled it.

After I finished posting the above, I turned "periodic scanning" back on.
A few minutes later it asked me to reboot so it could remove Ransom:Win32/Nemreq.A.
I rebooted and checked the Defender "History"

There were two instances of Ransom:Win32/Nemreq.A in quarantine.
There was one instance of !#UACTrigger.A that had been cleaned.

For now I'm leaving it that way...
The documents and other "libraries" appear to be intact.

Offline winchester73

Re: Ransom: Win32/Nemreq.A ?
« Reply #5 on: January 30, 2017, 07:35:31 PM »
I wonder if this is related to the false positive with Emsisoft that has been reported in the last week or so ...

For example: https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/on-how-to-submit-for-checking-a-possible-false/0b3e1f20-fb0b-4737-9f77-5b68ca845380

See quietman7's post.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline Pete!

Re: Ransom: Win32/Nemreq.A ?
« Reply #6 on: January 30, 2017, 08:04:59 PM »
It's possible.
I installed Emsisoft for the first time last week.
Both current instances were supposedly in the Emsisoft directory.
ESET, MBAM, SuperAntiSpyware, and Emsisoft scans found nothing.

Maybe my "never had a virus" record is still clean. :)

Offline Corrine

Re: Ransom: Win32/Nemreq.A ?
« Reply #7 on: January 30, 2017, 10:54:21 PM »
Your "never had a virus" record is still clean! It is a false positive.

Emsisoft Forum: Windows Defender thinks a2hooks32.dll is a trojan - Emsisoft Internet Security, and essentially the same at BC: Nemreq.a - Am I infected? What do I do?

Not only that, I see in your log that you have CryptoPrevent installed, which has used Group Policy restrictions to prevent the renaming of file extensions.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Pete!

Re: Ransom: Win32/Nemreq.A ?
« Reply #8 on: January 31, 2017, 12:48:38 PM »
Thanks for the reassurance.
One of the drawbacks of "never had a virus" is that when you think you have one, and it keeps coming back after being removed, you don't have the foggiest idea what to do.

As long as I leave it in "quarantine", and don't "remove" it, Defender doesn't seem to react.
I'm not seeing any symptoms, but I wonder if it "broke" something in Emsisoft.

FRST and RGSA are not listed in "Programs and Features". Can I just delete them? Or should I look at one of your other troubleshooting topics for removal instructions?

Offline Corrine

Re: Ransom: Win32/Nemreq.A ?
« Reply #9 on: January 31, 2017, 01:11:32 PM »
You can run Delfix:

Please download Delfix from here.

Ensure the following boxes are checked:
  • Remove disinfection tools
  • Create registry backup
  • Purge system restore

  • Click Run
The program will run for a few moments and then Notepad will open with a log.

Offline Pete!

Re: Ransom: Win32/Nemreq.A ?
« Reply #10 on: January 31, 2017, 01:31:16 PM »
I ran DelFix with only "delete disinfection tools" checked... (before I saw your post).

# DelFix v1.010 - Logfile created 31/01/2017 at 10:04:13
# Updated 26/04/2015 by Xplode
# Username : pete - DELL
# Operating System : Windows 10 Home  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\pete\Desktop\Addition.txt
Deleted : C:\Users\pete\Desktop\FRST.txt
Deleted : C:\Users\pete\Desktop\FRST64.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

########## - EOF - ##########

As I went to post the above, I noticed that Corrine posted while I was typing. Ran DelFix again with the boxes checked per her advice.

# DelFix v1.010 - Logfile created 31/01/2017 at 10:22:53
# Updated 26/04/2015 by Xplode
# Username : pete - DELL
# Operating System : Windows 10 Home  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\AdwCleaner

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #29 [Scheduled Checkpoint | 01/16/2017 19:36:36]
Deleted : RP #30 [Windows Update | 01/25/2017 12:58:59]

New restore point created !

########## - EOF - ##########

RGSA.exe (and its log) are still on the desktop.
Can it just be deleted or are there registry entries and/or other files to cleanup?

Offline Corrine

Re: Ransom: Win32/Nemreq.A ?
« Reply #11 on: January 31, 2017, 01:58:13 PM »
You can just delete it.

Offline Pete!

Re: Ransom: Win32/Nemreq.A ?
« Reply #12 on: January 31, 2017, 02:04:27 PM »