
Firefox browser hijacker



#1 Mark Dunn


Posted 17 February 2016 - 08:39 AM

Hi, I have a periodic hijacker to proc-search.com, todaytrendnews and some other unsavoury places, but the HijackThis log looks OK to me.

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 13:02:08, on 17/02/2016
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.16521)

FIREFOX: 39.0 (x86 en-US)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
C:\Users\Mark\AppData\Local\YouGovPulse\YouGovPulse.exe
C:\Program Files\Met Office Desktop Widget\Met Office Desktop Widget.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_8.00_windows_intelx86.exe
C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_8.00_windows_intelx86.exe
C:\Users\Mark\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.uk.msn.com/HPDSK/2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49342;https=127.0.0.1:49342
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll
O2 - BHO: YouGovPulse - {FB4D29C1-82DE-4b80-8BB0-A7CDDDCD2773} - C:\Users\Mark\AppData\Local\Wakoopa Shared\WakoopaBHO.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [YouGovPulse] C:\Users\Mark\AppData\Local\YouGovPulse\YouGovPulse.exe
O4 - HKCU\..\Run: [HP Photosmart 5520 series (NET)] "C:\Program Files\hp\HP Photosmart 5520 series\Bin\ScanToPCActivationApp.exe" -deviceID "CN34Q160BB0602:NW" -scfn "HP Photosmart 5520 series (NET)" -AutoStart 1
O4 - HKCU\..\Run: [AnalyzeMe] C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe /StartMinimized
O4 - HKCU\..\Run: [AnalyzeMeHealthcheck] C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
O4 - HKCU\..\Run: [Ihtsoft] regsvr32.exe C:\Users\Mark\AppData\Local\Ihtsoft\gctpixmk.dll
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Met Office Desktop Widget.exe - Shortcut.lnk = C:\Program Files\Met Office Desktop Widget\Met Office Desktop Widget.exe
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files (x86)\Mozilla Firefox\firefox.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe
O9 - Extra 'Tools' menuitem: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe
O9 - Extra button: Skype Click to Call settings - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} (PhotoboxPhotowaysUploader5 Control) - http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20101202072159
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Unknown owner - C:\Windows\system32\AEADISRV.EXE (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ALOT Update Service (AlotService) - Inuvo Inc. - C:\Users\Roger\AppData\LocalLow\alotservice\alotservice.exe
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AnalyzeMeSvc - RealityMine Ltd - C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe
O23 - Service: CalendarSynchService - Hewlett-Packard - C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
O23 - Service: ddmgr - Unknown owner - C:\Windows\system32\ddmgr.exe (file missing)
O23 - Service: DisplayLinkManager (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Easybits Services for Windows (ezSharedSvc) - EasyBits Software AS - C:\Windows\System32\ezSharedSvcHost.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GamesAppIntegrationService - WildTangent - C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NPEService - Unknown owner - C:\Users\Mark\Desktop\NPE.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: tbbLoaderService - thinkbroadband.com - C:\Program Files (x86)\thinkbroadband.com\tbbMeter\tbbLoaderService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13486 bytes
 

 

Thanks

Mark Dunn
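Two entries in the HijackThis log above are the kind a malware responder flags on sight: the `R1` line that sets a user-level ProxyServer to `127.0.0.1` on a high port (every browser request is being routed through a process on the machine itself, which is how search-redirecting and ad-injecting adware typically operates), and the `O4` Run entry that registers a non-descriptive DLL from `AppData\Local` through `regsvr32.exe` at every logon. A third pattern worth a look is an `O23` service whose binary lives in a user profile rather than Program Files or System32. The script below is an added example written for this page; it is not part of the thread and not a component of HijackThis, AdwCleaner or FRST. It applies those three rules to sample lines constructed from the posted log, and the rule names, regular expressions and the `scan`/`flag_line`/`proxy_hosts` helpers are the editor's own.

```python
"""Flag common browser-hijacker indicators in HijackThis-style log lines.

Added example: the rules and the sample lines are constructed for this page
from the log posted in the thread; this is not a component of HijackThis,
AdwCleaner or FRST.
"""
import re

# Constructed sample: lines copied from the posted log, benign ones included.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49342;https=127.0.0.1:49342",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>",
    r'O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"',
    r"O4 - HKCU\..\Run: [Ihtsoft] regsvr32.exe C:\Users\Mark\AppData\Local\Ihtsoft\gctpixmk.dll",
    r"O23 - Service: ALOT Update Service (AlotService) - Inuvo Inc. - C:\Users\Roger\AppData\LocalLow\alotservice\alotservice.exe",
    r"O23 - Service: MBAMService - Malwarebytes - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe",
    r"O23 - Service: ddmgr - Unknown owner - C:\Windows\system32\ddmgr.exe (file missing)",
]

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
RUN_RE = re.compile(r"^O4 - .*Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: .* - (?P<path>[A-Za-z]:\\.*?)(?: \(file missing\))?$")
# Anything executed out of a user profile's AppData tree deserves a second look.
PROFILE_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def proxy_hosts(value):
    """Split 'http=host:port;https=host:port' (or a bare 'host:port') into hosts."""
    hosts = []
    for entry in value.split(";"):
        target = entry.split("=", 1)[-1]   # drop a 'http=' / 'https=' prefix
        host = target.rsplit(":", 1)[0]    # strip the ':port' suffix
        hosts.append(host.strip("[]"))     # tolerate bracketed IPv6 literals
    return hosts


def flag_line(line):
    """Return the rule a single log line trips, or None if it looks benign."""
    m = PROXY_RE.search(line)
    if m and any(h in LOOPBACK for h in proxy_hosts(m.group("value"))):
        # Browser traffic is being funnelled through a process on this host.
        return "loopback-proxy"
    m = RUN_RE.match(line)
    if m and m.group("cmd").lower().startswith("regsvr32") and PROFILE_DIR_RE.search(m.group("cmd")):
        # A DLL registered at logon from a per-user directory, not Program Files.
        return "regsvr32-from-profile"
    m = SERVICE_RE.match(line)
    if m and PROFILE_DIR_RE.search(m.group("path")):
        # Services normally live under Program Files or System32, not AppData.
        return "service-from-profile"
    return None


def scan(log_text):
    """Return [(rule, line), ...] for every line in the log that trips a rule."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        rule = flag_line(line)
        if rule is not None:
            hits.append((rule, line))
    return hits


if __name__ == "__main__":
    for rule, line in scan("\n".join(SAMPLE_LINES)):
        print(f"[{rule}] {line}")
```

Run against the sample, the three suspicious lines are reported and the Adobe, Malwarebytes and ddmgr entries are not. The loopback rule deliberately ignores the port, because the FRST log later in this thread shows the same proxy on a different port (49366), so a port-based signature would miss it.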

 

 




#2 Mark Dunn

Mark Dunn
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 17 February 2016 - 08:42 AM

It hijacks Google searches, not bookmarks.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:32 PM

Posted 17 February 2016 - 10:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.

p.s.
HijackThis is no longer supported.
I suggest you remove it using the Add/Remove Programs applet.
Use the Farbar tool from now on to report problems.
<<<>>>

#4 Mark Dunn

Mark Dunn
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  •  
  • Local time:01:32 AM

Posted 17 February 2016 - 10:31 AM

Many thanks.

 

# AdwCleaner v5.034 - Logfile created 17/02/2016 at 15:13:30
# Updated 16/02/2016 by Xplode
# Database : 2016-02-16.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Mark - MARK-HP
# Running from : C:\Users\Mark\Desktop\adwcleaner_5.034.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : AlotService

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Mark\Documents\Updater
[-] Folder Deleted : C:\Users\Public\Documents\iWin

***** [ Files ] *****

[-] File Deleted : C:\alotserviceruntime.log

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : GoogleUpdateTaskUserS-1-5-21-98195713-602771791-1229793500-1003Core
[-] Task Deleted : GoogleUpdateTaskUserS-1-5-21-98195713-602771791-1229793500-1003UA
[-] Task Deleted : GoogleUpdateTaskUserS-1-5-21-98195713-602771791-1229793500-1003Core
[-] Task Deleted : GoogleUpdateTaskUserS-1-5-21-98195713-602771791-1229793500-1003UA

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
[-] Key Deleted : HKCU\Software\alotservice
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C168639F-5810-4EC8-B1E8-0251AA8A771C}

***** [ Web browsers ] *****

[-] [C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : uk.ask.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1748 bytes] ##########
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-02-2016
Ran by Mark (administrator) on MARK-HP (17-02-2016 15:21:17)
Running from C:\Users\Mark\Desktop
Loaded Profiles: Mark (Available Profiles: Mark)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(DisplayLink Corp.) C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
(Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\SoundMAX\SoundMAX.exe
() C:\Windows\System32\flvga_tray.exe
(Space Sciences Laboratory) C:\Program Files\BOINC\boinctray.exe
(Space Sciences Laboratory) C:\Program Files\BOINC\boincmgr.exe
(Wakoopa) C:\Users\Mark\AppData\Local\YouGovPulse\YouGovPulse.exe
(Hewlett-Packard Co.) C:\Program Files\hp\HP Photosmart 5520 series\Bin\ScanToPCActivationApp.exe
(RealityMine Ltd) C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe
(RealityMine Ltd) C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler.exe
() C:\Program Files\Met Office Desktop Widget\Met Office Desktop Widget.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.29.5\GoogleCrashHandler64.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(OSBASE) C:\Windows\System32\ddmgr.exe
(EasyBits Software AS) C:\Windows\SysWOW64\ezSharedSvcHost.exe
(Hewlett-Packard Co.) C:\Program Files\hp\HP Photosmart 5520 series\Bin\HPNetworkCommunicator.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(Space Sciences Laboratory) C:\Program Files\BOINC\boinc.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Space Sciences Laboratory) C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_8.00_windows_intelx86.exe
(Space Sciences Laboratory) C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_8.00_windows_intelx86.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [FAHConsole] => C:\Program Files\File Association Helper\FAHConsole.exe
HKLM\...\Run: [SoundMax] => C:\Program Files (x86)\Analog Devices\SoundMAX\soundmax.exe [3866624 2009-10-02] (Analog Devices, Inc.)
HKLM\...\Run: [flvga_tray64] => C:\Windows\system32\flvga_tray.exe [419328 2014-10-09] ()
HKLM\...\Run: [boinctray] => C:\Program Files\BOINC\boinctray.exe [68928 2015-03-09] (Space Sciences Laboratory)
HKLM\...\Run: [boincmgr] => C:\Program Files\BOINC\boincmgr.exe [8926016 2015-03-09] (Space Sciences Laboratory)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [37296 2012-03-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-08-03] (Analog Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [YouGovPulse] => C:\Users\Mark\AppData\Local\YouGovPulse\YouGovPulse.exe [1214960 2015-09-07] (Wakoopa)
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [HP Photosmart 5520 series (NET)] => C:\Program Files\hp\HP Photosmart 5520 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [AnalyzeMe] => C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe [853864 2015-08-21] (RealityMine Ltd)
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [AnalyzeMeHealthcheck] => C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe [12136 2015-08-21] (RealityMine Ltd)
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8619224 2016-01-15] (Piriform Ltd)
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\MountPoints2: {71a8cd9b-7bd5-11e4-9e06-7071bc1cd28b} - V:\Setup.exe -auto
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Met Office Desktop Widget.exe - Shortcut.lnk [2014-12-03]
ShortcutTarget: Met Office Desktop Widget.exe - Shortcut.lnk -> C:\Program Files\Met Office Desktop Widget\Met Office Desktop Widget.exe ()
Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Firefox.lnk [2014-12-02]
ShortcutTarget: Mozilla Firefox.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
Startup: C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mozilla Thunderbird.lnk [2014-12-02]
ShortcutTarget: Mozilla Thunderbird.lnk -> C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe (Mozilla Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [S-1-5-21-98195713-602771791-1229793500-1007] => Proxy is enabled.
ProxyServer: [S-1-5-21-98195713-602771791-1229793500-1007] => http=127.0.0.1:49366;https=127.0.0.1:49366
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{79FE6A06-47AD-4EF1-8C80-23CF335D0B67}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{C72E781B-E140-4C6E-8D55-CD3914837562}: [DhcpNameServer] 109.249.185.224 109.249.186.32

Internet Explorer:
==================
HKU\S-1-5-21-98195713-602771791-1229793500-1007\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.uk.msn.com/HPDSK/2
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM -> {43E5EAFF-6C4D-4C5E-933B-7A32CBBAD41A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {43E5EAFF-6C4D-4C5E-933B-7A32CBBAD41A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-98195713-602771791-1229793500-1007 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-98195713-602771791-1229793500-1007 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
BHO: YouGovPulse -> {FB4D29C1-82DE-4b80-8BB0-A7CDDDCD2773} -> C:\Users\Mark\AppData\Local\Wakoopa Shared\WakoopaBHO-x64.dll [2015-01-09] (Wakoopa)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-03-26] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-10-04] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-10-04] (Oracle Corporation)
BHO-x32: YouGovPulse -> {FB4D29C1-82DE-4b80-8BB0-A7CDDDCD2773} -> C:\Users\Mark\AppData\Local\Wakoopa Shared\WakoopaBHO.dll [2015-01-09] (Wakoopa)
IE Session Restore: HKU\S-1-5-21-98195713-602771791-1229793500-1007 -> is enabled.
DPF: HKLM-x32 {0972B098-DEE9-4279-AC7E-4BAAA029102D} hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20101202072159
DPF: HKLM-x32 {A8F2B9BD-A6A0-486A-9744-18920D898429} hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler-x32: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files (x86)\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL [2001-01-22] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-01-08] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-01-08] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489
FF Session Restore: -> is enabled.
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_306.dll [2016-02-10] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-10] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-20] (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll [2015-10-13] (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\dtplugin\npDeployJava1.dll [2015-10-04] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-10-04] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll [2014-02-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-22] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\9\NP_wtapp.dll [2016-01-04] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2012-03-26] (Adobe Systems Inc.)
FF Extension: Image Zoom - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi [2015-07-03]
FF Extension: Google  Image Search - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{73007fef-a6e0-47d3-b4e7-dfc116ed6f65}.xpi [2015-07-03]
FF Extension: FxIF - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{11483926-db67-4190-91b1-ef20fcec5f33}.xpi [2015-08-03]
FF Extension: eBay Sidebar for Firefox - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{62760FD6-B943-48C9-AB09-F99C6FE96088}.xpi [2015-11-18]
FF Extension: Flash Killer - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\flashkiller@joli.clic.xpi [2015-12-08]
FF Extension: Autofill Forms - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\autofillForms@blueimp.net.xpi [2016-01-19]
FF Extension: Googlebar Lite - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{79c50f9a-2ffe-4ee0-8a37-fae4f5dacd4f}.xpi [2016-02-10]
FF Extension: WlanDlg Suppress Autoplay Class - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{0E070BBB-630C-FE71-F682-0FC77E1E549E} [2016-02-17] [not signed]
FF Extension: YouGovPulse - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\Extensions\addon@yougov.wakoopa.com.xpi [2015-12-15]
FF Extension: British English Dictionary (Updated) - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\Extensions\en-gb@flyingtophat.co.uk [2015-11-04] [not signed]
FF Extension: Translate This! - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\Extensions\jid0-k75TfRGfOXPHfEZmJ9cKu5eCgLc@jetpack.xpi [2015-11-07]
FF Extension: Lightbeam - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\Extensions\jid1-F9UJ2thwoAm5gQ@jetpack.xpi [2015-12-05]
FF Extension: UnMHT - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\Extensions\{f759ca51-3a91-4dd1-ae78-9db5eee9ebf0}.xpi [2015-12-05] [not signed]
FF Extension: Skype - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi [2016-01-06]

Chrome:
=======
CHR Session Restore: Default -> is enabled.
CHR Profile: C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-04-22]
CHR Extension: (Google Docs) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-04-22]
CHR Extension: (Google Drive) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-03]
CHR Extension: (YouTube) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-03]
CHR Extension: (Google Search) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-03]
CHR Extension: (Google Sheets) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-04-22]
CHR Extension: (Google Docs Offline) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-12-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-11-04]
CHR Extension: (Gmail) - C:\Users\Mark\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-22]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-01-08]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2014-12-04] (Adobe Systems) [File not signed]
R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2008-07-15] (Andrea Electronics Corporation)
S2 AnalyzeMeSvc; C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe [28008 2015-08-21] (RealityMine Ltd)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1433216 2016-01-08] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1773696 2016-01-08] (Microsoft Corporation)
R2 ddmgr; C:\Windows\system32\ddmgr.exe [858784 2014-10-04] (OSBASE)
R2 DisplayLinkService; C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe [9663848 2011-04-10] (DisplayLink Corp.)
R2 ezSharedSvc; C:\Windows\SysWOW64\ezSharedSvcHost.exe [514232 2010-01-25] (EasyBits Software AS) [File not signed]
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [349728 2016-01-04] (WildTangent)
R2 LightScribeService; c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-01-22] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S2 tbbLoaderService; C:\Program Files (x86)\thinkbroadband.com\tbbMeter\tbbLoaderService.exe [14848 2010-10-09] (thinkbroadband.com) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 NPEService; "C:\Users\Mark\Desktop\NPE.exe" /service [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ACPIService; C:\Windows\System32\DRIVERS\OSDACPI.SYS [17992 2009-06-18] ()
R4 ddkmd; C:\Windows\system32\drivers\ddkmd.sys [190112 2014-10-04] (OSBASE)
R0 ddkmdldr; C:\Windows\System32\drivers\ddkmdldr.sys [19104 2014-10-04] (OSBASE)
R3 DisplayLinkUsbPort; C:\Windows\System32\DRIVERS\DisplayLinkUsbPort_5.6.31854.0.sys [17408 2011-04-10] (hxxp://libusb-win32.sourceforge.net)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 FLxHCIv; C:\Windows\System32\Drivers\FLxHCIv.sys [177320 2014-10-16] ()
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 NANMp50; C:\Windows\System32\Drivers\NANMp50.sys [46776 2010-03-25] (Printing Communications Assoc., Inc. (PCAUSA))
S3 NANSp50; C:\Windows\System32\Drivers\NANSp50.sys [45752 2010-03-25] (Printing Communications Assoc., Inc. (PCAUSA))
S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl64.sys [22528 2011-05-10] (Apple Inc.) [File not signed]
R3 NW1950; C:\Windows\System32\DRIVERS\NW1950.sys [25080 2009-09-17] ()
S3 PSSDKLBF; C:\Windows\system32\Drivers\pssdklbf.sys [65600 2016-01-27] (microOLAP Technologies LTD)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2012-12-13] (Apple, Inc.) [File not signed]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
S3 usbbus; system32\DRIVERS\lgx64bus.sys [X]
S3 UsbDiag; system32\DRIVERS\lgx64diag.sys [X]
S3 USBModem; system32\DRIVERS\lgx64modem.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-17 15:21 - 2016-02-17 15:21 - 00023700 _____ C:\Users\Mark\Desktop\FRST.txt
2016-02-17 15:21 - 2016-02-17 15:21 - 00000000 ____D C:\FRST
2016-02-17 15:20 - 2016-02-17 15:20 - 02370560 _____ (Farbar) C:\Users\Mark\Desktop\FRST64.exe
2016-02-17 15:08 - 2016-02-17 15:13 - 00000000 ____D C:\AdwCleaner
2016-02-17 15:08 - 2016-02-17 15:08 - 01511936 _____ C:\Users\Mark\Desktop\adwcleaner_5.034.exe
2016-02-17 13:04 - 2016-02-17 13:06 - 00000000 ____D C:\Users\Mark\Desktop\backups
2016-02-17 10:11 - 2016-02-17 10:39 - 00000000 ____D C:\NPE
2016-02-17 10:09 - 2016-02-16 17:57 - 00174434 _____ C:\Windows\ntbtlog.txt
2016-02-17 10:07 - 2016-02-17 10:07 - 00000000 ____D C:\ProgramData\SMR501
2016-02-17 09:49 - 2016-02-17 10:38 - 00000000 ____D C:\Users\Mark\AppData\Local\NPE
2016-02-17 09:00 - 2016-02-17 09:49 - 00000000 ____D C:\Users\Mark\AppData\Local\Ihtsoft
2016-02-16 17:48 - 2016-02-17 15:07 - 00000000 ____D C:\Program Files (x86)\NirSoft
2016-02-16 17:44 - 2016-02-16 17:44 - 00000000 ____D C:\Windows\system32\RightClickFiles
2016-02-13 17:39 - 2016-02-13 17:39 - 00049949 _____ C:\Users\Mark\AppData\Roaming\Vaduz
2016-02-13 17:39 - 2016-02-13 17:39 - 00002135 _____ C:\Users\Mark\AppData\Roaming\HexachloropheneSlave
2016-02-11 10:26 - 2016-02-11 10:26 - 00002145 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-02-08 11:38 - 2016-02-08 11:38 - 00000000 ____D C:\Users\Mark\Downloads\Mark Edwards - Follow You Home 2015 (Thriller) ePUB+MOBI
2016-02-08 10:41 - 2016-02-08 10:41 - 00000000 ____D C:\Users\Mark\Downloads\Adobe Illustrator CS6 v16.0.0 (x32-x64)
2016-02-05 12:47 - 2016-02-05 12:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2016-02-02 15:19 - 2016-02-02 15:19 - 00001476 _____ C:\Users\Mark\AppData\Roaming\CausaNardoo
2016-01-28 11:12 - 2016-01-28 12:38 - 00001177 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Media Encoder CS4.lnk
2016-01-27 19:33 - 2016-01-27 19:36 - 00000000 ____D C:\Users\Mark\AdobeLicensingFilesBackup
2016-01-27 19:31 - 2016-01-27 19:31 - 00003294 _____ C:\Windows\System32\Tasks\{F1C49A12-4F0B-4249-AB26-23EE7DFF70D9}
2016-01-27 19:22 - 2016-01-27 19:22 - 00002786 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-01-27 19:22 - 2016-01-27 19:22 - 00000000 ____D C:\Program Files\CCleaner
2016-01-27 16:23 - 2016-01-27 16:23 - 00003226 _____ C:\Windows\System32\Tasks\{52F71AC4-5BC7-448C-A67D-0E1607625212}
2016-01-27 16:18 - 2016-01-27 16:18 - 00002849 _____ C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Install Clean Up.lnk
2016-01-27 16:18 - 2016-01-27 16:18 - 00000000 ____D C:\Program Files (x86)\Windows Installer Clean Up
2016-01-26 10:34 - 2016-01-27 16:17 - 00000000 ____D C:\Program Files (x86)\MSECACHE
2016-01-18 12:58 - 2016-01-18 12:58 - 00000000 ____D C:\Users\Mark\AppData\Roaming\WinRAR
2016-01-18 12:58 - 2016-01-18 12:58 - 00000000 ____D C:\Users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-01-18 12:58 - 2016-01-18 12:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-01-18 12:57 - 2016-01-18 12:58 - 00000000 ____D C:\Program Files (x86)\WinRAR

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-17 15:24 - 2009-07-14 05:13 - 00783400 _____ C:\Windows\system32\PerfStringBackup.INI
2016-02-17 15:24 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\inf
2016-02-17 15:18 - 2014-12-05 12:06 - 00000000 ____D C:\ProgramData\BOINC
2016-02-17 15:16 - 2014-12-20 11:07 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-02-17 15:15 - 2009-07-14 05:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-02-17 15:13 - 2014-12-03 20:52 - 00000000 ____D C:\Users\Mark\AppData\Local\CrashDumps
2016-02-17 15:11 - 2014-12-20 11:07 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-02-17 14:33 - 2015-07-15 14:46 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-02-17 13:41 - 2015-02-22 12:42 - 00003918 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{9E81C48D-1EAB-406D-B73F-B85B1F3E07DA}
2016-02-17 13:04 - 2009-07-14 05:32 - 00000000 ____D C:\Windows\Downloaded Program Files
2016-02-17 11:12 - 2014-12-05 12:02 - 00000000 ____D C:\Users\Mark\Desktop\temps
2016-02-17 10:51 - 2009-07-14 04:45 - 00015792 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-02-17 10:51 - 2009-07-14 04:45 - 00015792 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-02-17 10:42 - 2015-10-03 15:12 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-02-17 10:02 - 2011-12-05 09:57 - 00000000 ____D C:\Windows\Minidump
2016-02-17 09:49 - 2010-06-24 01:01 - 00000000 ____D C:\ProgramData\Norton
2016-02-17 09:06 - 2015-07-14 11:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-02-16 19:08 - 2014-12-03 15:37 - 00003584 ___SH C:\Users\Mark\AppData\Roaming\Thumbs.db
2016-02-16 17:51 - 2014-12-06 12:14 - 00000000 ____D C:\Program Files\File Association Helper
2016-02-16 17:05 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\Registration
2016-02-16 17:03 - 2014-12-02 12:48 - 00000000 ____D C:\Users\Mark\AppData\Roaming\SoftGrid Client
2016-02-16 16:47 - 2014-12-02 15:23 - 00000000 ____D C:\Users\Mark\AppData\Roaming\vlc
2016-02-16 16:41 - 2015-02-01 17:05 - 01936384 ___SH C:\Users\Mark\Desktop\Thumbs.db
2016-02-16 16:32 - 2015-10-03 15:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-02-16 16:32 - 2015-10-03 15:11 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-02-16 14:29 - 2014-12-02 14:40 - 00000000 ____D C:\lightroom 2 catalog
2016-02-15 12:42 - 2015-07-06 10:00 - 00000000 ____D C:\Program Files (x86)\Sony
2016-02-15 12:42 - 2010-06-24 00:18 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-02-15 12:39 - 2014-12-01 22:38 - 00000000 ____D C:\Users\Mark\AppData\Roaming\Adobe
2016-02-14 15:47 - 2014-12-04 23:16 - 00003180 _____ C:\Windows\System32\Tasks\HPCeeScheduleForMark
2016-02-14 15:47 - 2014-12-04 23:16 - 00000328 _____ C:\Windows\Tasks\HPCeeScheduleForMark.job
2016-02-12 16:43 - 2014-12-03 11:19 - 00000000 ____D C:\alamyresize
2016-02-11 10:26 - 2015-04-22 13:42 - 00002174 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-02-10 16:33 - 2015-07-15 14:46 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-02-10 16:33 - 2015-01-15 09:40 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-02-10 16:33 - 2015-01-15 09:40 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-02-10 12:27 - 2015-03-12 09:27 - 00000000 ____D C:\Users\Mark\AppData\Roaming\FileZilla
2016-02-08 16:28 - 2009-07-14 05:08 - 00032620 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-02-08 11:50 - 2014-12-02 15:26 - 00000000 ____D C:\Users\Mark\AppData\Roaming\uTorrent
2016-02-08 11:39 - 2014-12-03 15:57 - 00000000 ____D C:\Users\Mark\Documents\Calibre Library
2016-02-08 10:55 - 2014-12-02 12:53 - 00000000 ____D C:\Users\Mark\AppData\Local\Adobe
2016-02-05 12:47 - 2015-10-03 17:40 - 00000000 ____D C:\Program Files (x86)\QuickTime
2016-02-03 16:06 - 2014-12-20 11:07 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-02-03 16:06 - 2014-12-20 11:07 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-02-02 17:23 - 2014-12-02 13:48 - 00000000 ___RD C:\DIGITALf
2016-02-02 15:14 - 2014-12-02 13:03 - 00000000 ____D C:\Users\Mark\AppData\Local\ElevatedDiagnostics
2016-02-02 15:14 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\system32\NDF
2016-01-31 10:15 - 2010-09-05 12:38 - 00000544 _____ C:\Windows\Tasks\PCDRScheduledMaintenance.job
2016-01-30 16:57 - 2009-07-14 04:45 - 03060296 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-29 15:10 - 2014-12-02 16:20 - 00000000 ___DC C:\Users\Mark\AppData\Local\MigWiz
2016-01-29 15:10 - 2009-07-24 19:22 - 00000000 ____D C:\Windows\Panther
2016-01-28 12:50 - 2014-12-01 22:50 - 00130920 _____ C:\Users\Mark\AppData\Local\GDIPFONTCACHEV1.DAT
2016-01-28 12:42 - 2014-12-22 16:45 - 00001093 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Encore CS4.lnk
2016-01-28 12:40 - 2014-12-04 11:47 - 00000000 ____D C:\Program Files\Common Files\Adobe
2016-01-28 12:38 - 2014-12-22 16:38 - 00001369 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe ExtendScript Toolkit CS4.lnk
2016-01-28 12:31 - 2014-12-22 16:46 - 00001165 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Premiere Pro CS4.lnk
2016-01-28 12:25 - 2014-12-22 16:41 - 00001154 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Device Central CS4.lnk
2016-01-28 12:23 - 2014-12-22 16:40 - 00001061 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Bridge CS4.lnk
2016-01-28 12:22 - 2014-12-22 16:39 - 00001245 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Extension Manager CS4.lnk
2016-01-28 12:06 - 2014-12-22 16:45 - 00001141 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe OnLocation CS4.lnk
2016-01-28 11:15 - 2010-09-06 11:30 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-01-27 19:36 - 2014-12-04 11:58 - 00000000 ____D C:\ProgramData\FLEXnet
2016-01-27 19:33 - 2014-12-01 22:37 - 00000000 ____D C:\Users\Mark
2016-01-27 15:45 - 2015-11-16 10:17 - 00065600 _____ (microOLAP Technologies LTD) C:\Windows\system32\Drivers\pssdklbf.sys
2016-01-27 15:45 - 2015-11-16 10:17 - 00053312 _____ (microOLAP Technologies LTD) C:\Windows\system32\Drivers\pssdk42.sys

==================== Files in the root of some directories =======

2016-01-13 21:48 - 2016-01-13 21:48 - 0000524 _____ () C:\Users\Mark\AppData\Roaming\424 bl 1.ADO
2016-02-02 15:19 - 2016-02-02 15:19 - 0053636 _____ () C:\Users\Mark\AppData\Roaming\app_updater_smartbutton_disabled.png
2016-02-02 15:19 - 2016-02-02 15:19 - 0001476 _____ () C:\Users\Mark\AppData\Roaming\CausaNardoo
2014-05-08 05:44 - 2014-05-08 05:44 - 0001783 _____ () C:\Users\Mark\AppData\Roaming\f30.png
2014-05-08 04:05 - 2014-05-08 04:05 - 0000518 _____ () C:\Users\Mark\AppData\Roaming\goURL_lr_photoshop_it.csv
2016-02-13 17:39 - 2016-02-13 17:39 - 0002135 _____ () C:\Users\Mark\AppData\Roaming\HexachloropheneSlave
2015-05-20 01:28 - 2015-05-20 01:28 - 0004637 _____ () C:\Users\Mark\AppData\Roaming\log.png
2013-10-02 02:54 - 2013-10-02 02:54 - 0001560 _____ () C:\Users\Mark\AppData\Roaming\Los_Angeles
2014-05-08 04:05 - 2014-05-08 04:05 - 0000768 _____ () C:\Users\Mark\AppData\Roaming\Mac OS.act
2015-05-20 01:28 - 2015-05-20 01:28 - 0001583 _____ () C:\Users\Mark\AppData\Roaming\media-computer.png
2013-10-02 02:56 - 2013-10-02 02:56 - 0000791 _____ () C:\Users\Mark\AppData\Roaming\ObjectViewer.vbp
2015-08-21 15:17 - 2015-08-21 15:23 - 0001158 _____ () C:\Users\Mark\AppData\Roaming\ShiftN.ini
2014-12-03 15:37 - 2016-02-16 19:08 - 0003584 ___SH () C:\Users\Mark\AppData\Roaming\Thumbs.db
2015-05-20 01:14 - 2015-05-20 01:14 - 0000149 _____ () C:\Users\Mark\AppData\Roaming\tweakRepairWinsock_es.p5p
2016-02-13 17:39 - 2016-02-13 17:39 - 0049949 _____ () C:\Users\Mark\AppData\Roaming\Vaduz
2014-12-02 12:21 - 2014-12-02 12:21 - 0000000 _____ () C:\Users\Mark\AppData\Roaming\wklnhst.dat
2015-01-14 14:19 - 2015-01-14 14:19 - 0000038 ___SH () C:\Users\Mark\AppData\Local\42747051538627b9063d49.45359236
2014-12-03 16:42 - 2015-08-04 15:43 - 0005120 _____ () C:\Users\Mark\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-12-22 15:54 - 2015-04-03 12:26 - 0007637 _____ () C:\Users\Mark\AppData\Local\Resmon.ResmonCfg
2014-12-02 13:07 - 2014-12-02 13:07 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-07-05 13:18 - 2011-07-05 13:18 - 0000012 _____ () C:\ProgramData\GEN3BrightnessLevel.INI

Some files in TEMP:
====================
C:\Users\Mark\AppData\Local\Temp\sqlite3.dll


Some zero byte size files/folders:
==========================
C:\Windows\SysWOW64\dlumd10.dll
C:\Windows\SysWOW64\dlumd11.dll
C:\Windows\SysWOW64\dlumd9.dll
C:\Windows\System32\dlumd10.dll
C:\Windows\System32\dlumd11.dll
C:\Windows\System32\dlumd9.dll

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-01-17 17:23

==================== End of FRST.txt ============================



#5 Mark Dunn

Mark Dunn
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:01:32 AM

Posted 17 February 2016 - 11:12 AM

...and the hijacker is still present.



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:32 PM

Posted 18 February 2016 - 08:09 AM

This is from RealityMine Limited.
It tracks consumer behavior and gives a unique view of the contexts in which purchasing decisions are made.
Remove it if not installed by you.

Read about it: http://www.realitymine.com/

C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe
C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [AnalyzeMe] => C:\Program Files\AnalyzeMe\UsageMonitor.UI.App.exe [853864 2015-08-21] (RealityMine Ltd)
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [AnalyzeMeHealthcheck] => C:\Program Files\AnalyzeMe\UsageMonitor.HealthCheck.exe [12136 2015-08-21] (RealityMine Ltd)
S2 AnalyzeMeSvc; C:\Program Files\AnalyzeMe\UsageMonitor.WindowsService.exe


p.s.
You may be able to remove it via the Control Panel > Programs and features applet.

====

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-98195713-602771791-1229793500-1007\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ProxyEnable: [S-1-5-21-98195713-602771791-1229793500-1007] => Proxy is enabled.
ProxyServer: [S-1-5-21-98195713-602771791-1229793500-1007] => http=127.0.0.1:49366;https=127.0.0.1:49366
SearchScopes: HKU\S-1-5-21-98195713-602771791-1229793500-1007 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKU\S-1-5-21-98195713-602771791-1229793500-1007 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
S2 NPEService; "C:\Users\Mark\Desktop\NPE.exe" /service [X]
S3 clwvd; system32\DRIVERS\clwvd.sys [X]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [X]
S3 usbbus; system32\DRIVERS\lgx64bus.sys [X]
S3 UsbDiag; system32\DRIVERS\lgx64diag.sys [X]
S3 USBModem; system32\DRIVERS\lgx64modem.sys [X]


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please post the Fixlog.txt and include the Addition.txt file that was created by the Farbar tool.

Please let me know what problem persists with this computer.
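
The entries the responder singles out above (the proxy on 127.0.0.1, the orphaned [X] services and drivers, the unsigned files and extensions) are the kind of thing a small triage script can pull out of an FRST log automatically rather than by eye. The Python below is an added example for this thread, not part of the forum post or of the Farbar tool; its sample lines are constructed to mirror the format of the log posted above, and the regular expressions assume the FRST text layout as it appears in this thread (a different FRST version may format lines differently).

```python
"""Triage helper for FRST-style log lines (added example, not FRST's own code).

Flags four things a responder looks for in an FRST log:
  * a ProxyServer entry that points at the loopback interface
    (a local process sitting between the browser and the network)
  * a service or driver whose file is missing, marked [X]
  * a service binary marked [File not signed]
  * a Firefox extension marked [not signed]
"""
import re
from dataclasses import dataclass

# ProxyServer: [<SID>] => http=127.0.0.1:49366;https=127.0.0.1:49366
PROXY_LINE = re.compile(r"^ProxyServer:.*?=>\s*(?P<value>.+)$")
# R2 Name; C:\path\file.exe [size date] (Vendor) [File not signed]   /   S3 Name; path [X]
SERVICE_LINE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<rest>.+)$")
# FF Extension: Name - path.xpi [date] [not signed]
FF_EXT_LINE = re.compile(
    r"^FF Extension: (?P<name>.+?) - (?P<path>.+?)"
    r"(?: \[(?P<date>[\d-]+)\])?(?: \[(?P<flag>not signed)\])?$"
)

# Constructed sample lines, mirroring the format of the FRST log in this thread.
SAMPLE_LINES = [
    r"ProxyEnable: [S-1-5-21-98195713-602771791-1229793500-1007] => Proxy is enabled.",
    r"ProxyServer: [S-1-5-21-98195713-602771791-1229793500-1007] => http=127.0.0.1:49366;https=127.0.0.1:49366",
    r"S3 Adobe LM Service; C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [72704 2014-12-04] (Adobe Systems) [File not signed]",
    r"R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2008-07-15] (Andrea Electronics Corporation)",
    r'S2 NPEService; "C:\Users\Mark\Desktop\NPE.exe" /service [X]',
    r"S3 clwvd; system32\DRIVERS\clwvd.sys [X]",
    r"FF Extension: Image Zoom - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi [2015-07-03]",
    r"FF Extension: WlanDlg Suppress Autoplay Class - C:\Users\Mark\AppData\Roaming\Mozilla\Firefox\Profiles\jcvow0ks.default-1418561727489\extensions\{0E070BBB-630C-FE71-F682-0FC77E1E549E} [2016-02-17] [not signed]",
]


@dataclass
class Finding:
    kind: str    # loopback-proxy | missing-file | unsigned-service | unsigned-extension
    detail: str  # the proxy value, service/driver name or extension name


def _points_at_loopback(value: str) -> bool:
    """True if any proxy host in a WinINet ProxyServer value is IPv4 loopback or 'localhost'.

    Handles both "host:port" and the per-scheme "http=host:port;https=host:port" form.
    IPv6 loopback ("[::1]:port") is deliberately not handled here.
    """
    for part in value.split(";"):
        part = part.strip()
        if "=" in part:                     # "http=127.0.0.1:49366" -> "127.0.0.1:49366"
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0] if ":" in part else part
        if host == "127.0.0.1" or host.lower() == "localhost":
            return True
    return False


def triage(lines):
    """Scan an iterable of FRST log lines and return a list of Finding objects in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = PROXY_LINE.match(line)
        if m:
            if _points_at_loopback(m.group("value")):
                findings.append(Finding("loopback-proxy", m.group("value")))
            continue

        m = SERVICE_LINE.match(line)
        if m:
            rest = m.group("rest")
            if rest.endswith("[X]"):
                findings.append(Finding("missing-file", m.group("name")))
            elif "[File not signed]" in rest:
                findings.append(Finding("unsigned-service", m.group("name")))
            continue

        m = FF_EXT_LINE.match(line)
        if m and m.group("flag"):
            findings.append(Finding("unsigned-extension", m.group("name")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.kind:20s} {f.detail}")
```

On a saved log the same function can be fed `open("FRST.txt", encoding="utf-8-sig")` line by line. Of the four checks, the loopback proxy is the one that matters most for a redirect-style hijacker: a proxy at 127.0.0.1 means some local process sees and can rewrite every browser request, so the owning process of that port (here 49366) is the next thing to identify; the [X] entries are mostly leftovers and are only cleaned up, as the responder says, to tidy the registry.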

#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:32 PM

Posted 24 February 2016 - 08:21 AM

Are you still with me?

#8 Mark Dunn

Mark Dunn
  • Topic Starter

  • Members
  • 59 posts
  • OFFLINE
  • Local time:01:32 AM

Posted 24 February 2016 - 11:25 AM

Sorry for the delay. Thanks for all the help.

There's been no sign of the hijacker since my last post; should I still apply the fix?



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:32 PM

Posted 24 February 2016 - 11:41 AM

The fix will create a Restore point and delete unwanted entries that are mostly empty.

It's your call.

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,197 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:32 PM

Posted 01 March 2016 - 09:55 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



