HitmanPro flags thread20.ocx wave32.ocx & tweak bit


20 replies to this topic

#1 Paul_L


Posted 07 June 2016 - 04:42 PM

A few weeks ago my daily Malwarebytes scan found the nivdort.v trojan.

 

I used tdsskiller to remove the boot record infection, rkill to terminate nivdort.v, malwarebytes to remove win32/nivdort.v, hitmanpro to remove the win32/nivdort.v infection, and then emsisoft and malwarebytes reported no further infections.

 

Since then HitmanPro has been scanning on startup and reporting two suspicious files, c:\windows\syswow64\thread20.ocx and c:\windows\syswow64\wave32.ocx.

 

Today I updated Google Chrome, Firefox and installed several windows 7 updates.

 

After the windows update reboot HitmanPro scanned and found

hklm\software\wow6432node\auslogics\google analytics package\ tweak bit 

and offered to delete it.

 

When I selected delete, HitmanPro then demanded $29 for a year's worth of their protection.

 

What should I do about the three HitmanPro finds? Should I buy HitmanPro? Should I remove it?

 

Paul_L


Edited by Paul_L, 07 June 2016 - 04:44 PM.
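Before deciding whether two flagged files are a threat, a defender first establishes what they actually are. The following PowerShell snippet is an added example, not code from the thread or any poster: it collects the facts a scanner's "suspicious" verdict usually rests on (file hash, version info, Authenticode status, whether the signer is self-signed, and the RSA key size) for the two SysWOW64 files named above. It assumes Windows PowerShell 4.0 or later (for Get-FileHash), run as an administrator; the function and variable names are my own.

```powershell
# Added example, not from the thread: basic triage of the two .ocx files HitmanPro flags.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash) run as an administrator so the
# SysWOW64 files are readable. The paths are the two named in the post.

$FlaggedFiles = @(
    'C:\Windows\SysWOW64\Threed20.ocx',
    'C:\Windows\SysWOW64\wave32.ocx'
)

function Get-FlaggedFileFacts {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # Report absence explicitly rather than skipping; a file that has gone
            # missing since the scan is itself worth knowing about.
            [pscustomobject]@{ Path = $p; Present = $false }
            continue
        }

        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p   # Status: Valid, NotSigned, UnknownError, ...
        $cert = $sig.SignerCertificate

        $signer  = '-'
        $keyBits = $null
        if ($cert) {
            $signer = $cert.Subject
            # PublicKey.Key exposes the RSA key size on Windows PowerShell; guard the call
            # because some certificate types throw here on newer runtimes.
            try { $keyBits = $cert.PublicKey.Key.KeySize } catch { $keyBits = $null }
        }

        [pscustomobject]@{
            Path        = $p
            Present     = $true
            SizeBytes   = $item.Length
            Modified    = $item.LastWriteTime
            SHA256      = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Company     = $item.VersionInfo.CompanyName
            Product     = $item.VersionInfo.ProductName
            FileVersion = $item.VersionInfo.FileVersion
            SigStatus   = $sig.Status
            Signer      = $signer
            # Subject equal to issuer is the usual sign of a self-signed certificate.
            SelfSigned  = [bool]($cert -and ($cert.Subject -eq $cert.Issuer))
            # Anything under 1024 bits is a weak code-signing key by today's standards.
            RsaKeyBits  = $keyBits
            WeakKey     = [bool]($keyBits -and ($keyBits -lt 1024))
        }
    }
}

Get-FlaggedFileFacts -Path $FlaggedFiles | Format-List
```

Compare the SHA256 column with the hash the scanner reports so you know you are judging the same file it saw; the Company, SigStatus, SelfSigned and RsaKeyBits columns then show whether the verdict rests on an old self-signed control with a short key or on something else.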


#2 InadequateInfirmity

Posted 07 June 2016 - 05:13 PM

Adware Cleaner Scan.

 

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

JRT Scan.

Please download Junkware Removal Tool and save it on your desktop.

 

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Adware Removal Tool Scan.

 

Download Adware removal tool to your desktop, right click the icon and select Run as Administrator.

 

 


 

Hit Ok.

 


 

Hit Next. Make sure to leave all items checked for removal.

 


 

 

The program will close all open programs to complete the removal, so save any work and hit OK. Then hit OK after the removal process is complete, then OK again to finish up. Post the log generated by the tool.

 

ZHP Scan.

Please download ZHPCleaner to your desktop. Right-click the icon and select Run as administrator.

 http://nicolascoolman.com/download/zhpcleaner

 

 

2. Once you have started the program, you will need to click the scanner button.


The program will close all open browsers!

3. Once the scan is completed, you will want to click the Repair button.


At the end of the process you may be asked to reboot your machine. After you reboot a report will open on your desktop.

Copy and paste the report here in your next reply.

Zemana Scan.

 

 

Run a full scan with Zemana AntiMalware!

Install and select deep scan.


Remove any infections found.

Then click on the icon in the pic below.


Double-click on the scan log, then copy and paste it here in your reply.



#3 Paul_L

Posted 08 June 2016 - 01:23 AM

I ran the Adware Cleaner Scan. Here is its logfile.

 

# AdwCleaner v5.119 - Logfile created 07/06/2016 at 18:42:56
# Updated 30/05/2016 by Xplode
# Database : 2016-05-04.2 [Local]
# Operating system : Windows 7 Home Premium Service Pack 1 (X64)
# Username : PAJL - PWP3
# Running from : J:\z\adwcleaner_5.119.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\PAJL\AppData\Local\Google\Chrome\User Data\Default\Extensions\geooogfhpjdpeiphckpbgkhpbeobcaoi

***** [ Files ] *****

***** [ DLLs ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\geooogfhpjdpeiphckpbgkhpbeobcaoi
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CCC052E-BDEE-408A-BEA7-90914EF2964B}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61F47056-E400-43D3-AF1E-AB7DFFD4C4AD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E2B98EEA-EE55-4E9B-A8C1-6E5288DF785A}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\akamaihd.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\driverupdate.net

***** [ Web browsers ] *****

[-] [C:\Users\PAJL\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\PAJL\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\PAJL\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : geooogfhpjdpeiphckpbgkhpbeobcaoi

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2133 bytes] - [07/06/2016 18:42:56]
C:\AdwCleaner\AdwCleaner[R0].txt - [2879 bytes] - [04/07/2015 03:36:17]
C:\AdwCleaner\AdwCleaner[S0].txt - [2780 bytes] - [04/07/2015 03:39:06]
C:\AdwCleaner\AdwCleaner[S1].txt - [1928 bytes] - [07/05/2016 08:56:58]
C:\AdwCleaner\AdwCleaner[S2].txt - [2331 bytes] - [07/06/2016 18:39:59]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2498 bytes] ##########

 

 

Then I ran a scan with JRT. Here is its logfile.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 7 Home Premium x64
Ran by PAJL (Administrator) on Tue 06/07/2016 at 18:52:59.13
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 3

Successfully deleted: C:\Windows\wininit.ini (File)
Successfully deleted: C:\Users\PAJL\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45AGZ17H (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\45AGZ17H (Temporary Internet Files Folder)

 

Registry: 1

Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\0082131464397043mcinstcleanup (Registry Key)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 06/07/2016 at 19:01:15.95
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Then I scanned with the Adware Removal Tool. Here is its logfile.

 

[-] Deleted ->> File ->> C:\Program Files (x86)\Google\Google SketchUp 8\Materials\Colors-Named\0129_WhiteSmoke.skm
[-] Deleted ->> File ->> C:\Users\PAJL\Appdata\LocalLow\Microsoft\Internet Explorer\DOMStore\VQ3VVHVF\fromdoctopdf.dl.tb.ask[1].xml
[-] Repaired ->> File ->> C:\Users\PAJL\AppData\Roaming\Mozilla\Firefox\Profiles\l7wirvk9.default\prefs.js
[-] Repaired ->> File ->> C:\Users\PAJL\AppData\Local\Google\Chrome\User Data\Default\Preferences
[-] Deleted ->> Registry Key ->> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Google\Chrome
[-] Deleted ->> Registry Key ->> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

 

Then I scanned with ZHP. Here is its logfile.

 

~ ZHPCleaner v2016.6.6.72 by Nicolas Coolman (2016/06/06)
~ Run by PAJL (Administrator)  (08/06/2016 00:47:50)
~ Site : http://www.nicolascoolman.com
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Repair
~ Report : C:\Users\PAJL\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\PAJL\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 7 Home Premium, 64-bit Service Pack 1 (Build 7601)

---\\  Services (0)
~ No malicious or unnecessary items found.

---\\  Browser internet (0)
~ No malicious or unnecessary items found.

---\\  Hosts file (1)
~ The hosts file is legitimate (21)

---\\  Scheduled automatic tasks. (0)
~ No malicious or unnecessary items found.

---\\  Explorer ( File, Folder) (5)
MOVED file: C:\ProgramData\InstallMate\{2F66CC9F-ACAF-4148-A3A3-E48DF485EE69}\Setup.exe [Tarma Software Research Pty Ltd - InstallMate® Setup]  =>.Superfluous.Tarma
MOVED file: C:\ProgramData\InstallMate\{2F66CC9F-ACAF-4148-A3A3-E48DF485EE69}\TsuDll.dll [Tarma Software Research Pty Ltd - InstallMate® Setup Library]  =>.Superfluous.Tarma
MOVED file: C:\Users\PAJL\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d2m2wsoho8qq12.cloudfront.net_0.localstorage    =>.Superfluous.CloudfrontNet
MOVED file: C:\Users\PAJL\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_putlocker.is_0.localstorage    =>PUP.Optional.PutLocker
MOVED folder: C:\ProgramData\InstallMate  =>.Superfluous.Tarma

---\\  Registry ( Key, Value, Data) (40)
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d10lpsik1i8c69.cloudfront.net [31608]  =>.Superfluous.CloudfrontNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d16fk4ms6rqz1v.cloudfront.net [2928]  =>.Superfluous.CloudfrontNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d2m2wsoho8qq12.cloudfront.net [36]  =>.Superfluous.CloudfrontNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d3jdlwnuo8nsnr.cloudfront.net [32]  =>.Superfluous.CloudfrontNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d3l3lkinz3f56t.cloudfront.net []  =>.Superfluous.CloudfrontNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dsms0mj1bbhn4.cloudfront.net [1013]  =>.Superfluous.CloudfrontNet
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\lulusoso.com []  =>.Superfluous.Tencent
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\sell.lulusoso.com [43]  =>.Superfluous.Tencent
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com []  =>.Superfluous.Softonic
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\soundcloud.com [404]  =>PUP.Optional.SoundCloud
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.olark.com [225973]  =>PUP.Optional.Generic
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\vwonwkaqvq-a.akamaihd.net [607]  =>.Superfluous.AkamaiHD
DELETED key*: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.lulusoso.com [43]  =>.Superfluous.Tencent
DELETED key*: [X64] HKLM\SOFTWARE\Classes\CCHDotNetTools13.ClientConnectRequest [CCH.DotNetTools.EFC.COM.ClientConnectRequestCom]  =>.Superfluous.ClientConnect
DELETED key*: [X64] HKLM\SOFTWARE\Classes\CCHDotNetTools13.ClientConnectResponse [CCH.DotNetTools.EFC.COM.ClientConnectResponseCom]  =>.Superfluous.ClientConnect
DELETED key*: [X64] HKLM\SOFTWARE\Classes\CCHDotNetTools14.ClientConnectRequest [CCH.DotNetTools.EFC.COM.ClientConnectRequestCom]  =>.Superfluous.ClientConnect
DELETED key*: [X64] HKLM\SOFTWARE\Classes\CCHDotNetTools14.ClientConnectResponse [CCH.DotNetTools.EFC.COM.ClientConnectResponseCom]  =>.Superfluous.ClientConnect
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Listbar.SSListBar [Sheridan ActiveListBar Control]  =>PUP.Optional.BHO
DELETED key*: [X64] HKLM\SOFTWARE\Classes\Listbar.SSListBar.1 [Sheridan ActiveListBar Control]  =>PUP.Optional.BHO
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX12.mxArrayDelta [mxArrayDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX12.mxArrayDelta.1 [mxArrayDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX12.mxDelta [mxDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX12.mxDelta.1 [mxDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX12.mxReturnDelta [mxReturnDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX12.mxReturnDelta.1 [mxReturnDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX13.mxArrayDelta [mxArrayDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX13.mxArrayDelta.1 [mxArrayDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX13.mxDelta [mxDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX13.mxDelta.1 [mxDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX13.mxReturnDelta [mxReturnDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX13.mxReturnDelta.1 [mxReturnDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX14.mxArrayDelta [mxArrayDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX14.mxArrayDelta.1 [mxArrayDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX14.mxDelta [mxDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX14.mxDelta.1 [mxDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX14.mxReturnDelta [mxReturnDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\MX14.mxReturnDelta.1 [mxReturnDelta Object]  =>.Superfluous.DeltaSearch
DELETED key*: [X64] HKLM\SOFTWARE\Classes\WirsboLIB6.clsPicRectangle [WirsboLIB6.clsPicRectangle]  =>PUP.Optional.PicRec
DELETED key*: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\02F56260BE1EC8244A0C53053F73B3D3 [C:\Program Files\Dassault Systemes\DraftSight\bin\FxCrashRpt.dll]  =>.Superfluous.CrashReports
DELETED key*: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2} [Google Inc.]  =>Heuristic.Suspect

---\\  Summary of the elements found (14)
http://www.nicolascoolman.fr/?p=259  =>.Superfluous.Tarma
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.CloudfrontNet
http://www.nicolascoolman.fr/?p=134  =>PUP.Optional.PutLocker
http://www.nicolascoolman.fr/?p=368  =>.Superfluous.Tencent
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.Softonic
http://www.nicolascoolman.fr/?p=4664  =>PUP.Optional.SoundCloud
https://www.nicolascoolman.info/2016/05/01/definition-dun-logiciel-pup-lpi/  =>PUP.Optional.Generic
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.AkamaiHD
http://www.nicolascoolman.fr/link-658/  =>.Superfluous.ClientConnect
http://www.nicolascoolman.fr/?p=4664  =>PUP.Optional.BHO
http://www.nicolascoolman.fr/?p=273  =>.Superfluous.DeltaSearch
http://www.nicolascoolman.fr/pup-picrec/  =>PUP.Optional.PicRec
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.CrashReports
https://www.nicolascoolman.info/2016/04/22/heuristic-suspect/  =>Heuristic.Suspect

---\\  Other deletions. (6)
~ Registry Keys Tracing deleted (6)
~ Remove the old reports ZHPCleaner. (0)

---\\ Result of repair
~ Repair carried out successfully
~ Browser not found (Opera Software)

---\\ Statistics
~ Items scanned : 600
~ Items found : 0
~ Items cancelled : 0
~ Items repaired : 45

~ End of clean in 00h00mn49s
~====================
ZHPCleaner-[R]-08062016-00_48_39.txt
ZHPCleaner-[S]-08062016-00_44_14.txt

 

 

At this point I believe that the garbage has been eliminated.

 

Then I scanned with Zemana as you requested.

 

It attempted to remove the FormatFactory video editing program which I have been using for years. I did not permit it to remove FormatFactory.

 

It also attempted to remove two two-year-old Windows installer files, msid936.tmp and msi874.tmp, but it did not identify these files, so I did not permit their removal. After the fact I see in the report that they have to do with the Ask toolbar, which has never appeared.

 

It also attempted to remove the H&R Block business tax return program for 2013. I did not permit this.

 

I let it quarantine a Nero 10 Essentials which was pre-loaded by the OEM, Gateway, and which I never used.

 

I also let it quarantine an old Microsoft Sysinternals file, bluescreen.scr, which I believe was a holdover from Win XP.

 

This Zemana program is overaggressive and should be watched carefully! Anyway, here is its logfile.

 

Zemana AntiMalware 2.20.2.911 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2016/6/8
Operating System       : Windows 7 64-bit
Processor              : 4X Intel® Core™ i5-2320 CPU @ 3.00GHz
BIOS Mode              : Legacy
CUID                   : 12DE8CD650A49B21FC33B5
Scan Type              : Deep Scan
Duration               : 45m 13s
Scanned Objects        : 264339
Detected Objects       : 9
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : PWP0,0,2

Detected Objects
-------------------------------------------------------

FormatFactory.exe
Status             : Scanned
Object             : %programfiles%\freetime\formatfactory\formatfactory.exe
MD5                : C20FF01B2CDBC0CCABEE37ABA8989F54
Publisher          : chen jun hao
Size               : 5723464
Version            : 3.6.0.0
Detection          : PUA:Win32/FormatFactory!Ep
Cleaning Action    : Exclude
Related Objects    :
                File - %programfiles%\freetime\formatfactory\formatfactory.exe
                Reference - C:\Users\PAJL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\V Format Factory.lnk

MSID936.tmp
Status             : Scanned
Object             : %systemroot%\installer\msid936.tmp
MD5                : 708519B8D9A91CC92E9D122F0C2A73DD
Publisher          : APN LLC
Size               : 90576
Version            : -
Detection          : PUA:Win32/AskToolbar.Gen
Cleaning Action    : Exclude
Related Objects    :
                File - %systemroot%\installer\msid936.tmp

MSI874.tmp
Status             : Scanned
Object             : %systemroot%\installer\msi874.tmp
MD5                : 708519B8D9A91CC92E9D122F0C2A73DD
Publisher          : APN LLC
Size               : 90576
Version            : -
Detection          : PUA:Win32/AskToolbar.Gen
Cleaning Action    : Exclude
Related Objects    :
                File - %systemroot%\installer\msi874.tmp

TAX2013.EXE
Status             : Scanned
Object             : %programfiles%\h&r block business 2013\tax2013.exe
MD5                : 3FA38014F745BD73A61ABC9AA9169708
Publisher          : -
Size               : 1991680
Version            : 2013.2.0.4
Detection          : Heur.Malicious!Pb
Cleaning Action    : Exclude
Related Objects    :
                File - %programfiles%\h&r block business 2013\tax2013.exe

RMEncoder.exe
Status             : Scanned
Object             : %programfiles%\freetime\formatfactory\ffmodules\rmencoder.exe
MD5                : C880C534BE8D99F920BD5BAC5586EF2E
Publisher          : chen jun hao
Size               : 208224
Version            : 2.0.0.0
Detection          : PUA:Win32/FormatFactory!Ep
Cleaning Action    : Exclude
Related Objects    :
                File - %programfiles%\freetime\formatfactory\ffmodules\rmencoder.exe

ffmpeg.exe
Status             : Scanned
Object             : %programfiles%\freetime\formatfactory\ffmodules\encoder\ffmpeg.exe
MD5                : 205B120F579E82B5CB19D20C954E1B49
Publisher          : chen jun hao
Size               : 16844800
Version            : -
Detection          : PUA:Win32/FormatFactory!Ep
Cleaning Action    : Exclude
Related Objects    :
                File - %programfiles%\freetime\formatfactory\ffmodules\encoder\ffmpeg.exe

FFInst.exe
Status             : Scanned
Object             : %programfiles%\freetime\formatfactory\ffinst.exe
MD5                : 7A4E1463E4EA301BF7CF7116F3927B8B
Publisher          : chen jun hao
Size               : 101192
Version            : 1.2.0.0
Detection          : PUA:Win32/FormatFactory!Ep
Cleaning Action    : Exclude
Related Objects    :
                File - %programfiles%\freetime\formatfactory\ffinst.exe

Toolbar.exe
Status             : Scanned
Object             : %homedrive%\oem\preload\autorun\app\nero 10 essentials gateway edition\issetupprerequisites\{bf80a1c0-c3ff-4b1c-abef-22cd4f97a0ab}\toolbar.exe
MD5                : C2FCE9CF9830BD11ECA9044BC3ABD178
Publisher          : Ask.com
Size               : 2723208
Version            : 15.0.0.498
Detection          : Adware:Win32/AskBrowserHijack!Ep
Cleaning Action    : Quarantine
Related Objects    :
                File - %homedrive%\oem\preload\autorun\app\nero 10 essentials gateway edition\issetupprerequisites\{bf80a1c0-c3ff-4b1c-abef-22cd4f97a0ab}\toolbar.exe

SysInternals Bluescreen.scr
Status             : Scanned
Object             : %homedrive%\microsoft utilities\sysinternals bluescreen.scr
MD5                : AC269D8CF5B8FEFCCE0D1FB0BA1122EA
Publisher          : -
Size               : 716800
Version            : 3.2.0.0
Detection          : Malware:Win32/Looper!Area
Cleaning Action    : Quarantine
Related Objects    :
                File - %homedrive%\microsoft utilities\sysinternals bluescreen.scr

 

 



#4 InadequateInfirmity

Posted 08 June 2016 - 04:28 PM

Malwarebytes Scan.

 

We need you to run MalwareBytes to get a log, please download the free version of MalwareBytes HERE

http://data-cdn.mbamupdates.com/web/mbam-setup-2.2.0.1024.exe  Alternate Link.

Save the file to somewhere you can easily find it. Double click the saved file to start the install, accept any security warnings that may appear, and after the install click the new desktop icon to start the program. We need to modify a couple of things with MalwareBytes before we use it so please follow the steps below.

  1. If the dashboard is not already displayed, select it.
  2. Then select "Update Now" to get the latest database.
  3. Next we need to change a scanning option: select "Settings" on the main menu, then "Detection and Protection" on the left.
  4. Then select "Scan for rootkits" in the detection options, as well as the other two options already checked.
  5. Now return to Dashboard on the main menu and select "Scan Now" at the bottom of the screen.
  6. Allow MalwareBytes to scan your system; it may take some time depending on what you have loaded onto your hard drive.
  7. When the scan is finished, click "Save Results", then click on "Text file".
  8. A window will then open allowing you to choose a name for the logfile and also allowing you to choose where to save it; save it to the desktop.
  9. Please copy and paste the contents of this file in your next post.

 

 

Eset Online Scanner.

 

Eset Scan

Click Me To Download Eset Scan

Disable your antivirus prior to this scan.

  • Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

 

Minitoolbox scan.

 

 

Please download Minitoolbox and run it.



Checkmark the following boxes:


Flush DNS
Reset FF proxy Settings
Reset Ie Proxy Settings
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
List Devices (problems only)



Click Go and post the result.

 

Security Check Scan.

 

Download Security Check to your desktop, right-click it and run as administrator. When the program completes, the tool will automatically open a log file; please post that log here in your next post.



#5 Paul_L

Posted 08 June 2016 - 07:50 PM

The checks I ran yesterday for you broke my installation of Format Factory. I am a retired engineer. Since about 1996 I have been providing video services for retired track greyhound adoption groups which are public charities. I shoot videos and still pictures of available dogs and post them to websites. Sometimes I shoot wedding videos for friends. I have been using Format Factory to edit these videos. I reinstalled Format Factory and it now works, but every time I start it I now get a warning from ByteFence that it is a potential threat.

 

Can you suggest a replacement for Format Factory if it is truly a threat?

 

I am trying to get this machine cleaned up and updated completely, and get all of my data off of the C: drive onto other drives, and then I will upgrade it to Windows 10. Do you think this is a good idea?

 

My ISP, Optimum Cablevision, provides subscribers with a free McAfee security suite which includes firewall and antivirus functions. It runs continuously.

 

 

HitmanPro is still installed. A scan done today produced the following logfile.

 

HitmanPro 3.7.14.265
www.hitmanpro.com
   Computer name . . . . : PWP3
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : PWP3\PAJL
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (Expired)
   Scan date . . . . . . : 2016-06-08 18:17:04
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 6m 22s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 7
   Objects scanned . . . : 2,062,623
   Files scanned . . . . : 45,711
   Remnants scanned  . . : 414,450 files / 1,602,462 keys
Suspicious files ____________________________________________________________
   C:\Windows\SysWOW64\Threed20.ocx
      Size . . . . . . . : 331,032 bytes
      Age  . . . . . . . : 1188.0 days (2013-03-08 18:37:09)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 55FA48CB7CC27DBE3C629F907D129B25550D46E3B553FB25F4D530FC8E397655
      Product  . . . . . : ActiveThreed
      Publisher  . . . . : Sheridan Software Systems, Inc.
      Description  . . . : ActiveThreed Controls
      Version  . . . . . : 2.01.0015
      Copyright  . . . . : Copyright(c) 1991-1997 Sheridan Software Systems, Inc.
      RSA Key Size . . . : 512
      LanguageID . . . . : 1033
      Authenticode . . . : Self-signed
      Fuzzy  . . . . . . : 26.0
         Program is code signed with a weak certificate. This is common to malware.
         Program is code self-signed.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
   C:\Windows\SysWOW64\wave32.ocx
      Size . . . . . . . : 43,432 bytes
      Age  . . . . . . . : 253.5 days (2015-09-29 05:55:21)
      Entropy  . . . . . : 5.5
      SHA-256  . . . . . : FB30C3D30AE30DC9F2B2F2F7C22F8BCCB5FC7E70C1ED6844380AD4374FD2A3CD
      Product  . . . . . : WAVE
      Publisher
      Description  . . . : Mabry Wave Control
      Version  . . . . . : 1.10.002
      Copyright  . . . . : Copyright © 1994-1998 by Mabry Software, Inc.
      RSA Key Size . . . : 512
      LanguageID . . . . : 1033
      Authenticode . . . : Self-signed
      Fuzzy  . . . . . . : 27.0
         Program is code signed with a weak certificate. This is common to malware.
         Program is code self-signed.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         Authors name is missing in version info. This is not common to most programs.

Potential Unwanted Programs _________________________________________________
   HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)
   HKLM\SOFTWARE\Wow6432Node\Auslogics\Google Analytics Package\ (TweakBit)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)
   HKU\S-1-5-21-1098351954-3930156471-2806673884-1000\Software\APN PIP\ (AskBar)
   HKU\S-1-5-21-1098351954-3930156471-2806673884-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)

 

As you can see, HitmanPro still flags C:\Windows\SysWOW64\Threed20.ocx and C:\Windows\SysWOW64\wave32.ocx as suspicious. It also doesn't like SaleCharger, TweakBit or AskBar. I don't know what these files are.
 

Now, on to your most recent request for scans. You wanted me to download Malwarebytes and scan with it.

 

I have been running Malwarebytes Home Premium daily for years. I have a lifetime license. The version is 2.2.1.1043, the database version is v2016.06.08.07.

 

Here is the logfile it produced.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 6/8/2016
Scan Time: 6:40 PM
Logfile: log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.06.08.07
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: PAJL

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 332109
Time Elapsed: 18 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

The Eset scanner link you provided only had scanners for MAC-OSX operating systems. I was unable to run the scan you wanted.

The MiniToolBox log follows.

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by PAJL (administrator) on 08-06-2016 at 20:04:20
Running from "J:\DD\Malwarebytes\stuff 2016"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: DX4860 Manufacturer: Gateway
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
0.0.0.0 0.0.0.0 # fix for traceroute and netstat display anomaly
0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
0.0.0.0 media.opencandy.com
0.0.0.0 cdn.opencandy.com
0.0.0.0 tracking.opencandy.com
0.0.0.0 api.opencandy.com
0.0.0.0 api.recommendedsw.com
0.0.0.0 installer.betterinstaller.com
0.0.0.0 installer.filebulldog.com
0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
0.0.0.0 inno.bisrv.com
0.0.0.0 nsis.bisrv.com
0.0.0.0 cdn.file2desktop.com
0.0.0.0 cdn.goateastcach.us
0.0.0.0 cdn.guttastatdk.us
0.0.0.0 cdn.inskinmedia.com
0.0.0.0 cdn.insta.oibundles2.com
0.0.0.0 cdn.insta.playbryte.com
0.0.0.0 cdn.llogetfastcach.us
0.0.0.0 cdn.montiera.com
0.0.0.0 cdn.msdwnld.com
0.0.0.0 cdn.mypcbackup.com
0.0.0.0 cdn.ppdownload.com
0.0.0.0 cdn.riceateastcach.us
0.0.0.0 cdn.shyapotato.us
0.0.0.0 cdn.solimba.com
0.0.0.0 cdn.tuto4pc.com
0.0.0.0 cdn.appround.biz
0.0.0.0 cdn.bigspeedpro.com
0.0.0.0 cdn.bispd.com

There are 4 entries.

========================= IP Configuration: ================================

802.11n Wireless LAN Card = Wireless Network Connection (Connected)
Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (06/08/2016 05:42:43 AM) (Source: Application Error) (User: )
Description: Faulting application name: FormatFactory.exe, version: 3.9.0.1, time stamp: 0x574332f2
Faulting module name: mfc120u.dll, version: 12.0.21005.1, time stamp: 0x524fabbd
Exception code: 0xc0000005
Fault offset: 0x0005b4e6
Faulting process id: 0x1540
Faulting application start time: 0xFormatFactory.exe0
Faulting application path: FormatFactory.exe1
Faulting module path: FormatFactory.exe2
Report Id: FormatFactory.exe3

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 Element not found.  (HRESULT : 0x80070490) (0x80070490)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot open the Jet property store.

Details:
 0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))

System errors:
=============
Error: (06/08/2016 06:55:00 AM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)
Description: The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Error: (06/08/2016 05:51:12 AM) (Source: iaStor) (User: )
Description: The device, \Device\Ide\iaStor0, did not respond within the timeout period.

Error: (06/08/2016 05:49:01 AM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)
Description: The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Error: (06/08/2016 05:36:21 AM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)
Description: The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Error: (06/07/2016 06:45:38 PM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)
Description: The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Error: (06/07/2016 06:43:46 PM) (Source: Service Control Manager) (User: )
Description: The Print Spooler service failed to start due to the following error:
%%1069

Error: (06/07/2016 06:43:46 PM) (Source: Service Control Manager) (User: )
Description: The Spooler service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error:
%%50

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (06/07/2016 06:42:58 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 3 time(s).

Error: (06/07/2016 06:42:58 PM) (Source: Service Control Manager) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (06/07/2016 06:42:56 PM) (Source: Service Control Manager) (User: )
Description: The Secunia Update Agent service terminated unexpectedly.  It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (06/08/2016 05:42:43 AM) (Source: Application Error)(User: )
Description: FormatFactory.exe3.9.0.1574332f2mfc120u.dll12.0.21005.1524fabbdc00000050005b4e6154001d1c16994b180f0C:\Program Files (x86)\FormatFactory\FormatFactory.exeC:\Program Files (x86)\FormatFactory\mfc120u.dll5870143f-2d5d-11e6-88b9-386077ec1ab1

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 Element not found.  (HRESULT : 0x80070490) (0x80070490)
Search.TripoliIndexer

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
Search.JetPropStore

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
The catalog is corrupt

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
4700

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))

CodeIntegrity Errors:
===================================
  Date: 2016-03-28 01:43:26.656
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume9\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-28 01:42:34.818
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-23 01:47:10.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-23 01:47:04.826
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-23 01:44:20.059
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume17\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-22 16:56:19.659
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Users\PAJL\AppData\Local\Temp\w4sC608.tmp because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-03-22 16:56:19.643
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Users\PAJL\AppData\Local\Temp\w4sC608.tmp because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

=========================== Installed Programs ============================

Dragon NaturallySpeaking 11 (HKLM-x32\...\{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}) (Version: 11.50.100 - Nuance Communications Inc.)
ExpressPCB (HKLM-x32\...\{ED5F7AF9-347B-4440-A211-C6236508CC08}) (Version: 7.0.2 - ExpressPCB)
H&R Block Premium + Efile + State 2012 (HKLM-x32\...\{89D20029-0578-4D8D-979A-695C8D868868}) (Version: 12.07.7803 - HRB Technology, LLC.)
Hotkey Utility (HKLM-x32\...\Hotkey Utility) (Version: 2.05.3505 - Gateway Incorporated)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.38 - Irfan Skiljan)
Karen's Replicator (HKLM-x32\...\Karen's Replicator) (Version: 3.6.0.9 - Karen Kenworthy)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.6.10700.5.100 - Nero AG)
SES Driver (HKLM\...\{D8CC254C-C671-4664-9A38-FA368D1E2C97}) (Version: 1.0.0 - Western Digital)
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM  (01/19/2011 1.0.0009.0) (HKLM\...\4CA7CFBB29889F25ACB3DF6E3A42BAE29EB43B20) (Version: 01/19/2011 1.0.0009.0 - Western Digital Technologies)

========================= Devices: ================================

Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM
Device ID: ROOT\LEGACY_ZAM\0000
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM_Guard
Device ID: ROOT\LEGACY_ZAM_GUARD\0000
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

========================= Memory info: ===================================

Percentage of memory in use: 61%
Total physical RAM: 6048.28 MB
Available physical RAM: 2334.03 MB
Total Virtual: 18558.46 MB
Available Virtual: 14532.06 MB

========================= Partitions: =====================================

1 Drive c: (C: Gateway System) (Fixed) (Total:1848.92 GB) (Free:1556.32 GB) NTFS
8 Drive j: (J: INTERNAL DISK 2 - 2TB 201307) (Fixed) (Total:1817.83 GB) (Free:1626.19 GB) NTFS
9 Drive k: (K: INTERNAL DISK 2 - 1 TB 201307) (Fixed) (Total:976.56 GB) (Free:319.82 GB) NTFS
10 Drive u: (U: 5TB 20151229 A) (Fixed) (Total:4657.49 GB) (Free:1071.18 GB) NTFS
11 Drive v: (V: 5TB 20151229 B) (Fixed) (Total:4657.49 GB) (Free:1071.18 GB) NTFS
12 Drive x: (X: 3 TB 201401 A) (Fixed) (Total:2794.49 GB) (Free:2492.51 GB) NTFS
13 Drive y: (Y: 3 tb 201405) (Fixed) (Total:2794.49 GB) (Free:2492.32 GB) NTFS
14 Drive z: (Z: 1 TB 201207 B) (Fixed) (Total:931.51 GB) (Free:274.77 GB) NTFS

========================= Users: ========================================

User accounts for \\PWP3

Administrator            Guest                    PAJL                    

========================= Minidump Files ==================================

C:\Windows\Minidump\012416-72010-01.dmp
C:\Windows\Minidump\090315-40513-01.dmp
========================= Restore Points ==================================

02-05-2016 10:10:31 Scheduled Checkpoint
06-05-2016 09:47:28 After GWX Inst, Before WU
06-05-2016 09:53:55 Windows Update
07-05-2016 11:54:50 Checkpoint by HitmanPro
07-05-2016 11:56:02 Checkpoint by HitmanPro
07-05-2016 13:02:57 JRT Pre-Junkware Removal
10-05-2016 05:45:04 Windows Update
12-05-2016 01:34:43 Windows Update
20-05-2016 00:21:22 Scheduled Checkpoint
24-05-2016 10:18:07 after rsa machine keys deletion
24-05-2016 10:28:18 Windows Backup
01-06-2016 00:08:24 Scheduled Checkpoint
07-06-2016 20:33:03 Windows Update
07-06-2016 21:03:39 Checkpoint by HitmanPro
07-06-2016 22:53:33 JRT Pre-Junkware Removal

**** End of log ****

The Security Check log follows.

SecurityCheck by glax24 & Severnyj v.1.4.0.40 [21.05.16]
WebSite: www.safezone.cc
DateLog: 08.06.2016 20:14:58
Path starting: C:\Users\PAJL\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: PAJL
VersionXML: 2.96s-18.05.2016
___________________________________________________________________________

Windows 7(6.1.7601) Service Pack 1 (x64) HomePremium Lang: English(0409)
Installation date OS: 12.03.2012 05:39:12
LicenseStatus: Windows® 7, HomePremium edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [1848.9 Gb] Used: [292.6 Gb] Free: [1556.3 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.0.9600.18314
User Account Control enabled
Notify of download and installation
Date install updates: 2016-06-07 20:36:23
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
Account guest is enabled. Not require a password.
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2013 x86 v.15.0.4569.1506
---------------------------- [ Antivirus_WMI ] ----------------------------
McAfee Anti-Virus and Anti-Spyware (enabled)
---------------------------- [ Firewall_WMI ] -----------------------------
McAfee Firewall
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and out of date)
Spybot - Search and Destroy (enabled and out of date)
McAfee Anti-Virus and Anti-Spyware (enabled)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
McAfee Multi Access - Total Protection v.14.0.8185
McAfee SafeKey(uninstall only) v.2.2.3
McAfee WebAdvisor v.4.0.189
-------------------------- [ SecurityUtilities ] --------------------------
HitmanPro 3.7 v.3.7.14.265
Eraser 5.8.8 v.Eraser 5.8.8
ByteFence Anti-Malware v.2.1.8.0
Malwarebytes Anti-Malware version 2.2.1.1043 v.2.2.1.1043
Secunia PSI (3.0.0.7009) v.3.0.0.7009
Spybot - Search & Destroy v.2.4.40
--------------------------- [ OtherUtilities ] ----------------------------
7-Zip 9.20 (x64 edition) v.9.20.00.0 Warning! Download Update
Uninstall old version and install new one.
Microsoft Silverlight v.5.1.41212.0
Foxit Reader v.7.0.6.1126 Warning! Download Update
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 91 v.8.0.910.14 Warning! Download Update
Uninstall old version and install new one.
--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.13.0.0.111 Warning! Download Update
Adobe Flash Player 21 ActiveX v.21.0.0.242
Adobe Flash Player 21 NPAPI v.21.0.0.242
Adobe Acrobat Reader DC v.15.016.20045 [+]
------------------------------- [ Browser ] -------------------------------
Google Chrome v.51.0.2704.84 [+]
Mozilla Firefox 47.0 (x86 en-US) v.47.0 [+]
----------------------------- [ EmailClient ] -----------------------------
Mozilla Thunderbird 17.0 (x86 en-US) v.17.0 Warning! Download Update
Windows Live Mail v.15.4.3502.0922
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.51.0.2704.84
C:\Program Files (x86)\Mozilla Firefox\firefox.exe v.47.0.0.5999
HitmanPro Scheduler (HitmanProScheduler) - The service is running
C:\Program Files\HitmanPro\hmpsched.exe v.3.7.0.5
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe v.2.3.173.0
MBAMScheduler (MBAMScheduler) - The service is running
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe v.3.1.7.0
MBAMService (MBAMService) - The service is running
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe v.3.2.21.0
C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe v.15.4.0.809
McAfee Validation Trust Protection Service (mfevtp) - The service is running
C:\Windows\System32\mfevtps.exe
C:\Program Files\Common Files\McAfee\AMCore\mcshield.exe v.1.4.1.459
McAfee Firewall Core Service (mfefire) - The service is running
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe v.15.4.0.809
McAfee AP Service (McAPExe) - The service is running
C:\Program Files\McAfee\MSC\McAPExe.exe v.14.0.8185.0
McAfee Personal Firewall Service (McMPFSvc) - The service is running
C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe v.5.0.8094.0
C:\Program Files\Common Files\McAfee\Platform\McUICnt.exe v.7.0.8093.0
McAfee CSP Service (mccspsvc) - The service is running
C:\Program Files\Common Files\McAfee\CSP\1.9.656.0\McCSPServiceHost.exe v.1.9.656.0
McAfee Scanner (McODS) - The service has stopped
McAfee SiteAdvisor Service (McAfee SiteAdvisor Service) - The service is running
C:\Program Files (x86)\McAfee\SiteAdvisor\mcsacore.exe v.4.0.2.189
McAfee Service Controller (mfemms) - The service is running
C:\Program Files\Common Files\McAfee\SystemCore\mfemms.exe v.15.4.0.809
McAfee Module Core Service (ModuleCoreService) - The service is running
C:\Program Files\Common Files\McAfee\ModuleCore\ModuleCoreService.exe v.1.1.112.0
McAfee Home Network (HomeNetSvc) - The service is running
McAfee VirusScan Announcer (McNaiAnn) - The service is running
McAfee Platform Services (mcpltsvc) - The service is running
McAfee Proxy Service (McProxy) - The service is running
McAfee Boot Delay Start Service (McBootDelayStartSvc) - The service is running
McAfee Platform Services (mcpltsvc) - The service is running
Spybot-S&D 2 Scanner Service (SDScannerService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe v.2.4.40.217
Spybot-S&D 2 Security Center Service (SDWSCService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe v.2.3.39.2
Spybot-S&D 2 Updating Service (SDUpdateService) - The service is running
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe v.2.4.40.77
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe v.2.4.40.129
Windows Defender (WinDefend) - The service has stopped
---------------------------- [ UnwantedApps ] -----------------------------
ByteFence Anti-Malware v.2.1.8.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
Auslogics DiskDefrag v.6.2.1.0 Warning! Suspected demo version of anti-spyware or optimization program - scareware or badware. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------



#6 Paul_L

  • Topic Starter

Posted 08 June 2016 - 07:59 PM

I find it intriguing that the last lines in the Security Check logfile above list ByteFence Anti-Malware and Auslogics DiskDefrag as being suspicious.

It is ByteFence, which I installed yesterday per your request, which flags FormatFactory as being suspicious.

Paul_L



#7 InadequateInfirmity


Posted 08 June 2016 - 08:56 PM

Just letting you know I do not have time tonight to look over anything really, but ByteFence was not meant to be installed, so uninstall it. Please run these scans below. I have to leave for work at 4 am and I will check things tomorrow. Also, uninstall Spybot from your machine.

Scan & Clean With Ads Fix

  • Disable Windows Defender & Antivirus Prior To Running This Tool!!
  • Save Ads Fix to your desktop.
  • Right Click & Run As Administrator.
  • You will then be prompted to install Certificates.
  • Install then click OK.
  • Right Click & Run As Administrator Again.
  • Click Options then select Unlock the deletion.
  • Then click on clean.

Reset Host File

  • Click here to download RstHosts v2.0
  • Save the file to your desktop.
  • Right Click and Run as Administrator.
  • Click on Restaurer, then click OK at the prompt.
  • This will restore the default host file.
  • Next Click on Creer Un Rapport.
  • This will open a logfile, post that in your next reply.

Pre_Scan

Please download Pre_Scan.

Save it to your desktop.

Disable your antivirus, and windows defender.

Close all open work; Pre_Scan will close all processes to run.

Right Click Run as Admin.

Allow completion, when it completes the program will reboot your machine and open a log.

Please post that log here in your next reply.

9-Lab Scan.

  • Download 9-Lab Removal Tool.
  • CLICK HERE to determine whether you're running 32-bit or 64-bit for Windows.
  • Install the program onto your computer, then right click the icon and run as administrator.
  • Update the program and then run a full scan!
  • Make sure the program updates; it might be better to install it, update, reboot and check for updates again.
  • You need to make sure the database updates!!!
  • Upon Scan Completion Click on Show Results.
  • Then Click On Clean.
  • Then Click on Save Log.
  • Save it to your desktop, copy and paste the contents of the log here in your next reply.


#8 Paul_L

  • Topic Starter

Posted 09 June 2016 - 04:49 AM

I had trouble with your requests.

I disabled McAfee antivirus and firewall.

I downloaded and ran adsfix_3_07.06.2016.1.exe as administrator.
I installed the certificates.
I then ran adsfix again as administrator.
No window opened but an icon with a tornado graphic appeared in the bottom taskbar.
I clicked on that icon and an additional instance of the same icon appeared.
I could not get a window to open, could not click on Options or Clean.
I could not terminate adsfix.
I could not restart McAfee antivirus or firewall.

I rebooted and McAfee antivirus and firewall restarted.

I did a full scan with McAfee and it showed nothing.

The daily scheduled Malwarebytes scan still showed nothing.

HitmanPro still shows Threed20.ocx and wave32.ocx as suspicious, and suggests I ignore them, and it shows SaleCharger, AskBar and TweakBit remnants and offers to remove them if I pay for the program. Should I buy it?

I installed the certificates under adsfix. How do I remove them?

I suspected that you wanted me to run RstHosts v2.0, Pre_Scan and 9-Lab removal tool sequentially after adsfix so I did not run them. Do you want me to run them without running adsfix successfully?

Paul_L



#9 Paul_L

  • Topic Starter

Posted 09 June 2016 - 04:54 AM

I did uninstall Bytefence and Spybot before trying to run adsfix above. I also ran CCleaner after uninstalling Bytefence and Spybot and it found dozens of broken links and registry entries left over from Bytefence and Spybot. I let CCleaner remove the broken links and delete the registry keys which pointed to nothing.

Windows can really get into a mess, can't it? I blew about 3 hours on all this just today.

Paul_L



#10 InadequateInfirmity


Posted 09 June 2016 - 05:47 PM

Can you post a fresh minitoolbox log please. :)

 

Also, please post the exact file paths of the items found by hitman please. We will check them at virustotal....



#11 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:39 AM

Posted 09 June 2016 - 09:18 PM

Upload Files to VirusTotal

  • Please go to VirusTotal.
  • Click the Choose File button.
  • Navigate to >>>>>>>>  

    C:\Windows\SysWOW64\wave32.ocx

  • or simply copy and paste it.
  • Click the Scan it! button.
  • You might see a message saying File already analysed, if you do click Reanalyse.
  • Wait for all the scans to finish then copy and paste the web address from your browser's address bar.
    Example of web address : (screenshot of a VirusTotal results link, not reproduced)
  • Include the link in your next reply.

Edited by InadequateInfirmity, 09 June 2016 - 09:19 PM.
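A quicker first check than uploading the file is to ask VirusTotal whether it already knows the hash. HitmanPro prints the SHA-256 in its report (Paul_L pastes one further down the thread), so the lookup can be done from that value alone, and a locally computed hash confirms the file on disk is the one the report describes. The script below is an added example, not code from the thread, from HitmanPro or from VirusTotal: it parses the "Suspicious files" section of a HitmanPro report, pulls out each file's path, SHA-256 and the heuristics that fired, and builds a hash-lookup URL. The sample report text is constructed in the report's format (the entry mirrors the Threed20.ocx one posted below), and the URL shape is an assumption about VirusTotal's web interface.

```python
"""Triage helper for HitmanPro "Suspicious files" entries (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the HitmanPro report format (single-backslash Windows
# paths, so the string is raw).
SAMPLE_REPORT = r"""
Suspicious files ____________________________________________________________
   C:\Windows\SysWOW64\Threed20.ocx
      Size . . . . . . . : 331,032 bytes
      SHA-256  . . . . . : 55FA48CB7CC27DBE3C629F907D129B25550D46E3B553FB25F4D530FC8E397655
      Publisher  . . . . : Sheridan Software Systems, Inc.
      RSA Key Size . . . : 512
      Authenticode . . . : Self-signed
         Program is code signed with a weak certificate. This is common to malware.
         Program is code self-signed.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.

Potential Unwanted Programs _________________________________________________
   HKLM\SOFTWARE\Wow6432Node\Auslogics\Google Analytics Package\ (TweakBit)
"""


@dataclass
class SuspiciousFile:
    path: str
    attrs: Dict[str, str] = field(default_factory=dict)   # "SHA-256", "Publisher", ...
    reasons: List[str] = field(default_factory=list)      # heuristic lines under the entry

    @property
    def sha256(self) -> str:
        return self.attrs.get("SHA-256", "").lower()

    def vt_lookup_url(self) -> str:
        # Hash lookup asks VirusTotal about a file it may already know, without
        # uploading anything. The URL shape is an assumption about the web UI.
        return f"https://www.virustotal.com/gui/file/{self.sha256}"


def parse_suspicious_files(report: str) -> List[SuspiciousFile]:
    """Walk the report by indentation: 3 spaces = file path, 6 = attribute, 9 = reason."""
    files: List[SuspiciousFile] = []
    section = None
    current = None
    for raw in report.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0 and line.endswith("_"):
            section = line.rstrip("_ ")        # e.g. "Suspicious files"
            current = None
            continue
        if section != "Suspicious files":
            continue
        if indent == 3:
            current = SuspiciousFile(path=line.strip())
            files.append(current)
        elif indent == 6 and current is not None:
            key, _, value = line.strip().partition(":")
            current.attrs[key.rstrip(" .")] = value.strip()   # drop the dot leaders
        elif indent == 9 and current is not None:
            current.reasons.append(line.strip())
    return files


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Streamed hash so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_report(entry: SuspiciousFile, local_hash: str) -> bool:
    """True when the file on disk is the one the report describes."""
    return entry.sha256 == local_hash.lower()


if __name__ == "__main__":
    for f in parse_suspicious_files(SAMPLE_REPORT):
        print(f.path, f.attrs.get("Publisher"), f.attrs.get("Authenticode"))
        print("  heuristics:", len(f.reasons), "| lookup:", f.vt_lookup_url())
```

Compare `sha256_of_file(path)` with the report's value before acting on anything: a mismatch means the file changed after the scan, and a match gives a hash that can be looked up without sending a copy of the file anywhere.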


#12 Paul_L

Paul_L
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hudson Valley, NY, IBM country!
  • Local time:06:39 AM

Posted 09 June 2016 - 09:19 PM

I just tried to run HitmanPro again and it stalled twice. After waiting a few minutes I terminated it with Task Manager.

 

Here is a HitmanPro data file from yesterday. The suspicious files it found are at the bottom of the report.

 

HitmanPro 3.7.14.265
www.hitmanpro.com
   Computer name . . . . : PWP3
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : PWP3\PAJL
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (Expired)
   Scan date . . . . . . : 2016-06-08 18:17:04
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 6m 22s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 7
   Objects scanned . . . : 2,062,623
   Files scanned . . . . : 45,711
   Remnants scanned  . . : 414,450 files / 1,602,462 keys
Suspicious files ____________________________________________________________
   C:\Windows\SysWOW64\Threed20.ocx
      Size . . . . . . . : 331,032 bytes
      Age  . . . . . . . : 1188.0 days (2013-03-08 18:37:09)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 55FA48CB7CC27DBE3C629F907D129B25550D46E3B553FB25F4D530FC8E397655
      Product  . . . . . : ActiveThreed
      Publisher  . . . . : Sheridan Software Systems, Inc.
      Description  . . . : ActiveThreed Controls
      Version  . . . . . : 2.01.0015
      Copyright  . . . . : Copyright(c) 1991-1997 Sheridan Software Systems, Inc.
      RSA Key Size . . . : 512
      LanguageID . . . . : 1033
      Authenticode . . . : Self-signed
      Fuzzy  . . . . . . : 26.0
         Program is code signed with a weak certificate. This is common to malware.
         Program is code self-signed.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
   C:\Windows\SysWOW64\wave32.ocx
      Size . . . . . . . : 43,432 bytes
      Age  . . . . . . . : 253.5 days (2015-09-29 05:55:21)
      Entropy  . . . . . : 5.5
      SHA-256  . . . . . : FB30C3D30AE30DC9F2B2F2F7C22F8BCCB5FC7E70C1ED6844380AD4374FD2A3CD
      Product  . . . . . : WAVE
      Publisher
      Description  . . . : Mabry Wave Control
      Version  . . . . . : 1.10.002
      Copyright  . . . . : Copyright © 1994-1998 by Mabry Software, Inc.
      RSA Key Size . . . : 512
      LanguageID . . . . : 1033
      Authenticode . . . : Self-signed
      Fuzzy  . . . . . . : 27.0
         Program is code signed with a weak certificate. This is common to malware.
         Program is code self-signed.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         Authors name is missing in version info. This is not common to most programs.

Potential Unwanted Programs _________________________________________________
   HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)
   HKLM\SOFTWARE\Wow6432Node\Auslogics\Google Analytics Package\ (TweakBit)
   HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)
   HKU\S-1-5-21-1098351954-3930156471-2806673884-1000\Software\APN PIP\ (AskBar)
   HKU\S-1-5-21-1098351954-3930156471-2806673884-1000\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}\ (SaleCharger)

 

HitmanPro doesn't like Threed20.ocx and wave32.ocx because they are self signed with weak certificates. I can zip them up and send them to you if you want.

 

It also looks like HitmanPro doesn't like five registry keys.

 

Here is a new log from minitoolbox.

 

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by PAJL (administrator) on 09-06-2016 at 20:57:56
Running from "J:\DD\Malwarebytes\stuff 2016"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Model: DX4860 Manufacturer: Gateway
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================

"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
========================= IP Configuration: ================================

802.11n Wireless LAN Card = Wireless Network Connection (Connected)
Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled

popd
# End of IPv4 configuration

 

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PWP3
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 38-60-77-EC-1A-B1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : 802.11n Wireless LAN Card
   Physical Address. . . . . . . . . : 9C-B7-0D-08-1C-FE
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::fd58:d2dd:acb0:39f6%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.3(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, June 09, 2016 7:46:00 PM
   Lease Expires . . . . . . . . . . : Thursday, June 09, 2016 9:46:00 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 194819853
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-82-4C-93-9C-B7-0D-08-1C-FE
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.home:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  openrg.home
Address:  192.168.1.1

Name:    google.com
Addresses:  2607:f8b0:4006:80e::200e
   167.206.145.183
   167.206.145.187
   167.206.145.172
   167.206.145.153
   167.206.145.163
   167.206.145.168
   167.206.145.173
   167.206.145.157
   167.206.145.177
   167.206.145.178
   167.206.145.162
   167.206.145.182
   167.206.145.158
   167.206.145.152
   167.206.145.167
   167.206.145.148

Pinging google.com [167.206.252.168] with 32 bytes of data:
Reply from 167.206.252.168: bytes=32 time=63ms TTL=59
Reply from 167.206.252.168: bytes=32 time=11ms TTL=59

Ping statistics for 167.206.252.168:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 63ms, Average = 37ms
Server:  openrg.home
Address:  192.168.1.1

Name:    yahoo.com
Addresses:  2001:4998:c:a06::2:4008
   2001:4998:44:204::a7
   2001:4998:58:c02::a9
   206.190.36.45
   98.139.183.24
   98.138.253.109

Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
General failure.
Reply from 98.139.183.24: bytes=32 time=40ms TTL=51

Ping statistics for 98.139.183.24:
    Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
    Minimum = 40ms, Maximum = 40ms, Average = 40ms

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 12...38 60 77 ec 1a b1 ......Realtek PCIe GBE Family Controller
 11...9c b7 0d 08 1c fe ......802.11n Wireless LAN Card
  1...........................Software Loopback Interface 1
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.3     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link       192.168.1.3    281
      192.168.1.3  255.255.255.255         On-link       192.168.1.3    281
    192.168.1.255  255.255.255.255         On-link       192.168.1.3    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       192.168.1.3    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       192.168.1.3    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    281 fe80::/64                On-link
 11    281 fe80::fd58:d2dd:acb0:39f6/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
Catalog5 02 C:\Windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
Catalog5 03 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 04 C:\Windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog5 06 C:\Windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog5 08 C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [145280] (Microsoft Corp.)
Catalog9 01 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 02 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 03 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 04 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 05 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 06 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 07 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 08 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 09 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
Catalog9 10 C:\Windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog5 08 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL [170880] (Microsoft Corp.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (06/08/2016 05:42:43 AM) (Source: Application Error) (User: )
Description: Faulting application name: FormatFactory.exe, version: 3.9.0.1, time stamp: 0x574332f2
Faulting module name: mfc120u.dll, version: 12.0.21005.1, time stamp: 0x524fabbd
Exception code: 0xc0000005
Fault offset: 0x0005b4e6
Faulting process id: 0x1540
Faulting application start time: 0xFormatFactory.exe0
Faulting application path: FormatFactory.exe1
Faulting module path: FormatFactory.exe2
Report Id: FormatFactory.exe3

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 Element not found.  (HRESULT : 0x80070490) (0x80070490)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
 The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service) (User: )
Description: The Windows Search Service cannot open the Jet property store.

Details:
 0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))

System errors:
=============
Error: (06/09/2016 08:51:40 PM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk3\DR3.

Error: (06/09/2016 06:10:33 AM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)
Description: The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Error: (06/09/2016 05:56:16 AM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (06/09/2016 05:37:07 AM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)
Description: The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Error: (06/09/2016 03:23:23 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk2\DR2.

Error: (06/09/2016 03:22:33 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (06/09/2016 03:22:32 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk6\DR6.

Error: (06/09/2016 03:22:10 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk3\DR3.

Error: (06/09/2016 03:21:51 AM) (Source: Disk) (User: )
Description: The driver detected a controller error on \Device\Harddisk4\DR4.

Error: (06/09/2016 02:01:21 AM) (Source: Microsoft-Windows-Time-Service) (User: NT AUTHORITY)
Description: The time provider 'VMICTimeProvider' failed to start due to the following error: The specified module could not be found. (0x8007007E)

Microsoft Office Sessions:
=========================
Error: (06/08/2016 05:42:43 AM) (Source: Application Error)(User: )
Description: FormatFactory.exe3.9.0.1574332f2mfc120u.dll12.0.21005.1524fabbdc00000050005b4e6154001d1c16994b180f0C:\Program Files (x86)\FormatFactory\FormatFactory.exeC:\Program Files (x86)\FormatFactory\mfc120u.dll5870143f-2d5d-11e6-88b9-386077ec1ab1

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 Element not found.  (HRESULT : 0x80070490) (0x80070490)
Search.TripoliIndexer

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
Search.JetPropStore

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application, SystemIndex Catalog

Details:
 The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
The catalog is corrupt

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)
4700

Error: (06/07/2016 06:42:57 PM) (Source: Windows Search Service)(User: )
Description:
Details:
 0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))

CodeIntegrity Errors:
===================================
  Date: 2016-03-28 01:43:26.656
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume9\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-28 01:42:34.818
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-23 01:47:10.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-23 01:47:04.826
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume8\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2016-03-23 01:44:20.059
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume17\Cfiles\Windows\System32\MRT.exe because the set of per-page image hashes could not be found on the system.

  Date: 2012-03-22 16:56:19.659
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Users\PAJL\AppData\Local\Temp\w4sC608.tmp because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-03-22 16:56:19.643
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Users\PAJL\AppData\Local\Temp\w4sC608.tmp because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

=========================== Installed Programs ============================

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Acronis True Image 2014 (HKLM-x32\...\{6B38A7DF-F641-45D5-BBCA-3E676ABCF5C8}) (Version: 17.0.6673 - Acronis) Hidden
Acronis True Image 2014 (HKLM-x32\...\{6B38A7DF-F641-45D5-BBCA-3E676ABCF5C8}Visible) (Version: 17.0.6673 - Acronis)
Acronis True Image WD Edition (HKLM-x32\...\{9B683A28-2172-4CF1-B85D-41375E80652A}) (Version: 13.0.14157 - Acronis)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.016.20045 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 13.0.0.111 - Adobe Systems Incorporated)
Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.242 - Adobe Systems Incorporated)
Agatha Christie - Death on the Nile (HKLM-x32\...\WTA-5a56a6d1-3286-4d22-a36e-f3626b367c58) (Version: 2.2.0.98 - WildTangent) Hidden
Amazon Cloud Player (HKCU\...\Amazon Amazon Cloud Player) (Version: 2.1.0.378 - Amazon Services LLC)
Audacity 1.2.6 (HKLM-x32\...\Audacity_is1) (Version:  - )
Auslogics DiskDefrag (HKLM-x32\...\{DF6A13C0-77DF-41FE-BD05-6D5201EB0CE7}_is1) (Version: 6.2.1.0 - Auslogics Labs Pty Ltd)
Bejeweled 2 Deluxe (HKLM-x32\...\WTA-de669fe3-c4dc-4eba-83c0-922acec35d09) (Version: 2.2.0.95 - WildTangent) Hidden
Belarc Advisor 8.4 (HKLM-x32\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Brother MFL-Pro Suite MFC-7860DW (HKLM-x32\...\{3ACCCFB3-7B17-4E9F-ACB0-46868FCD4487}) (Version: 1.1.3.0 - Brother Industries, Ltd.)
Brother MFL-Pro Suite MFC-J5910DW (HKLM-x32\...\{830F55B6-4398-4B72-A0D8-66397B902C0E}) (Version: 1.0.5.0 - Brother Industries, Ltd.)
Brother Product Research and Support Program (HKLM-x32\...\{8040527F-DD74-4B45-8A06-C4BF145B6C76}) (Version: 2.1.0.0000 - Brother Industries, Ltd.)
Build-a-lot 4 - Power Source (HKLM-x32\...\WTA-e551f055-c644-43f9-b0b8-cbb54a8099a1) (Version: 2.2.0.97 - WildTangent) Hidden
Bulk Rename Utility 2.7.1.3 (HKLM\...\Bulk Rename Utility_is1) (Version:  - TGRMN Software)
Bullzip PDF Printer 8.2.0.1394 (HKLM\...\Bullzip PDF Printer_is1) (Version: 8.2.0.1394 - Bullzip)
CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.5.5666 - CDBurnerXP)
Chronicles of Albian (HKLM-x32\...\WTA-88485b0d-3be9-45dc-b822-d498f7c95e7d) (Version: 2.2.0.95 - WildTangent) Hidden
Copper Connection (HKLM-x32\...\{69408EB7-A625-499E-862A-54D2F2CCE56D}) (Version: 2.50.5143 - Robot Room)
Cradle of Rome 2 (HKLM-x32\...\WTA-13f15115-468e-4f21-8822-df39593cf295) (Version: 2.2.0.95 - WildTangent) Hidden
CyberLink MediaEspresso (HKLM-x32\...\InstallShield_{E3739848-5329-48E3-8D28-5BBD6E8BE384}) (Version: 6.5.1720_38230 - CyberLink Corp.)
CyberLink PowerDVD 10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.2531.52 - CyberLink Corp.)
D3DX10 (HKLM-x32\...\{E09C4DB7-630C-4F06-A631-8EA7239923AF}) (Version: 15.4.2368.0902 - Microsoft) Hidden
DesignSpark PCB 5.0 (HKLM-x32\...\{D50500AA-D25A-463B-98BF-E09585325711}) (Version: 5.0 - RS Components) Hidden
DesignSpark PCB Version 5.0 (HKLM-x32\...\InstallShield_{D50500AA-D25A-463B-98BF-E09585325711}) (Version: 5.0 - RS Components)
Dora's World Adventure (HKLM-x32\...\WTA-fae28133-315b-4d2d-90cb-dcad16169613) (Version: 2.2.0.95 - WildTangent) Hidden
Draft IT (HKLM-x32\...\{61F9913C-39FA-46E1-B2B0-DB2D9B1887EB}) (Version: 4.0.6 - CADlogic Limited)
Draft IT (HKLM-x32\...\{EBF0AFAA-F07B-4279-9EAF-652788B9CF6D}) (Version: 3.0.8 - CADlogic Limited)
DraftSight x64 (HKLM\...\{8EB86B18-38DB-4A2D-8559-35B6D1EC3A0A}) (Version: 11.0.1258 - Dassault Systemes)
Dragon NaturallySpeaking 11 (HKLM-x32\...\{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}) (Version: 11.50.100 - Nuance Communications Inc.)
Easy Video Splitter 1.28 (HKLM-x32\...\Easy Video Splitter_is1) (Version:  - DoEasier Tech Inc)
Eraser 5.8.8 (HKLM\...\{B80CC46C-5839-4A48-B051-3CACF23A2718}_is1) (Version: Eraser 5.8.8 - The Eraser Project)
eReg (HKLM-x32\...\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}) (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Esp (HKLM-x32\...\{D97741D0-39A5-11D5-BFB7-000102B33C8F}) (Version:  - )
EspPlus - Syzer (HKLM-x32\...\{0F5294DF-34C0-4D9E-AC1B-3C291A0F6E78}) (Version: 4.4 - ESP)
Etron USB3.0 Host Controller (HKLM-x32\...\{DFBB738C-71D8-4DC5-B8D2-D65C37680E27}) (Version: 0.103 - Etron Technology) Hidden
Evernote v. 4.5.1 (HKLM-x32\...\{28921580-E4BB-11E0-9FD7-1CC1DEF07CBE}) (Version: 4.5.1.5451 - Evernote Corp.)
ExamDiff 1.9 (Build 1.9.0.2) (HKLM-x32\...\ExamDiff_is1) (Version: 1.9.0.2 - PrestoSoft LLC)
ExpressPCB (HKLM-x32\...\{ED5F7AF9-347B-4440-A211-C6236508CC08}) (Version: 7.0.2 - ExpressPCB)
FileASSASSIN (HKLM-x32\...\FileASSASSIN) (Version: 1.06 - Malwarebytes)
Final Drive: Nitro (HKLM-x32\...\WTA-f3280b10-e8d2-4fd3-a8a5-336b4eeb5997) (Version: 2.2.0.95 - WildTangent) Hidden
FormatFactory 3.6.0.0 (HKLM-x32\...\FormatFactory) (Version: 3.6.0.0 - Format Factory)
Foxit Cloud (HKLM-x32\...\{41914D8B-9D6E-4764-A1F9-BC43FB6782C1}_is1) (Version: 2.3.25.1124 - Foxit Software Inc.)
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 7.0.6.1126 - Foxit Software Inc.)
Free Stopwatch (HKLM-x32\...\{A1FAC1AF-5615-47FE-B5C8-5E981EC8522B}_is1) (Version: 4.0.0.0 - Comfort Software Group)
Galerie de photos Windows Live (HKLM-x32\...\{488F0347-C4A7-4374-91A7-30818BEDA710}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Gateway Games (HKLM-x32\...\WildTangent gateway Master Uninstall) (Version: 1.0.2.5 - WildTangent)
Gateway Recovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 5.00.3502 - Gateway Incorporated)
Gateway Registration (HKLM-x32\...\Gateway Registration) (Version: 1.04.3503 - Gateway Incorporated)
Gateway ScreenSaver (HKLM-x32\...\Gateway Screensaver) (Version: 1.1.0225.2011 - Gateway Incorporated)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.84 - Google Inc.)
Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google SketchUp 8 (HKLM-x32\...\{47BBA5AA-CA6F-4A41-858D-A7A776F29A8B}) (Version: 3.0.11752 - Google, Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.30.3 - Google Inc.) Hidden
GWX Control Panel (HKLM-x32\...\UltimateOutsider_GwxControlPanel) (Version:  - UltimateOutsider)
H&R Block Business 2012 (Remove Only) (HKLM-x32\...\H&R Block Business 2012) (Version:  - )
H&R Block Business 2013 (Remove Only) (HKLM-x32\...\H&R Block Business 2013) (Version:  - )
H&R Block Business 2014 (Remove Only) (HKLM-x32\...\H&R Block Business 2014) (Version:  - )
H&R Block New York 2012 (HKLM-x32\...\{0A5FB059-9FF1-4A78-9753-4D7656560DAF}) (Version: 1.12.7001 - HRB Technology, LLC.)
H&R Block New York 2013 (HKLM-x32\...\{E3B9117D-7476-4C74-8C22-337F630D6602}) (Version: 1.13.6101 - HRB Technology, LLC.)
H&R Block New York 2014 (HKLM-x32\...\{28BD4A92-3071-4FF3-8014-05CE6738780D}) (Version: 1.14.9301 - HRB Technology, LLC.)
H&R Block New York 2015 (HKLM-x32\...\{2399CB53-B2D3-447E-905C-90E8C422D225}) (Version: 1.15.11301 - HRB Technology, LLC.)
H&R Block Premium + Efile + State 2012 (HKLM-x32\...\{89D20029-0578-4D8D-979A-695C8D868868}) (Version: 12.07.7803 - HRB Technology, LLC.)
H&R Block Premium + Efile + State 2013 (HKLM-x32\...\{7304A91F-F4AF-41B3-85B6-C5923EDBF899}) (Version: 13.07.7601 - HRB Technology, LLC.)
H&R Block Premium + Efile + State 2014 (HKLM-x32\...\{CDB1D329-A168-427D-837C-2075CDD3DC62}) (Version: 14.07.7401 - HRB Technology, LLC.)
H&R Block Premium + Efile + State 2015 (HKLM-x32\...\{388CC13F-FAC4-4D3E-83BF-C849E5D4552A}) (Version: 15.07.8101 - HRB Technology, LLC.)
HandBrake 0.10.5 (HKLM-x32\...\HandBrake) (Version: 0.10.5 - )
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.14.265 - SurfRight B.V.)
Hotkey Utility (HKLM-x32\...\Hotkey Utility) (Version: 2.05.3505 - Gateway Incorporated)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3501 - Gateway Incorporated)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2353 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.38 - Irfan Skiljan)
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)
Jewel Match 3 (HKLM-x32\...\WTA-d3ffd6a4-c44c-45fe-bb68-b8ef2f023cd7) (Version: 2.2.0.97 - WildTangent) Hidden
Junk Mail filter update (HKLM-x32\...\{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}) (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
JustCad 10.0 (HKLM-x32\...\ST6UNST #1) (Version:  - )
Karen's Replicator (HKLM-x32\...\Karen's Replicator) (Version: 3.6.0.9 - Karen Kenworthy)
Lenovo Mouse Suite (HKLM\...\MouseSuite98) (Version: 6.32 - Lenovo)
Logitech Flow Scroll 4.0 (HKLM\...\Sn1) (Version: 4.00.33 - Logitech)
Logitech SetPoint 6.32 (HKLM\...\sp6) (Version: 6.32.20 - Logitech)
Lua for Windows 5.1.4-46 (HKLM-x32\...\Lua_is1) (Version: 5.1.4.46 - The Lua for Windows Project and Lua and Tecgraf, PUC-Rio)
LuaEdit 2010 (x86 - 3.0.10.0) (HKLM-x32\...\LuaEdit 2010_is1) (Version:  - Open Source)
Macrium Reflect Free Edition (HKLM\...\{90DAB387-766E-4815-9E18-5200681CDD22}) (Version: 6.0.753 - Paramount Software (UK) Ltd.) Hidden
Macrium Reflect Free Edition (HKLM\...\MacriumReflect) (Version: 6.0 - Paramount Software (UK) Ltd.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
McAfee Multi Access - Total Protection (HKLM-x32\...\MSC) (Version: 14.0.8185 - McAfee, Inc.)
McAfee SafeKey(uninstall only) (HKLM-x32\...\SafeKey) (Version: 2.2.3 - McAfee, Inc.)
McAfee WebAdvisor (HKLM-x32\...\{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}) (Version: 4.0.189 - McAfee, Inc.)
Mesh Runtime (HKLM-x32\...\{8C6D6116-B724-4810-8F2D-D047E6B7D68E}) (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.6.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.6.01055 - Microsoft Corporation)
Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM-x32\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Outlook Configuration Analyzer Tool 2.0 (HKLM-x32\...\{2488B526-0B60-4DE1-A736-C3B5D64ACDEB}) (Version: 2.0.3 - Microsoft)
Microsoft RichCopy 4.0 (HKLM-x32\...\{86F4F32B-77C7-4951-B33C-05D41A8190C1}) (Version: 4.0.216 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x64) ENU  (HKLM\...\{8CCBEC22-D2DB-4DC9-A58A-E1A1F3A38C8A}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x64) ENU  (HKLM\...\{03AC245F-4C64-425C-89CF-7783C1D3AB2C}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual FoxPro 9.0 Professional - English (HKLM-x32\...\Visual FoxPro 9.0 Professional - English) (Version:  - Microsoft)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Mozilla Firefox 47.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla)
Mozilla Thunderbird 17.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 17.0 (x86 en-US)) (Version: 17.0 - Mozilla)
MPC-HC 1.7.9 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.9 - MPC-HC Team)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2721691) (HKLM-x32\...\{355B5AC0-CEEE-42C5-AD4D-7F3CFD806C36}) (Version: 4.30.2114.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
MyDriveConnect 4.0.7.2442 (HKLM-x32\...\MyDriveConnect) (Version: 4.0.7.2442 - TomTom)
Mystery of Mortlake Mansion (HKLM-x32\...\WTA-c6aa98be-1d7e-4100-a4a2-87c938b92a89) (Version: 2.2.0.98 - WildTangent) Hidden
Nero BackItUp 10 (HKLM-x32\...\{68AB6930-5BFF-4FF6-923B-516A91984FE6}) (Version: 5.8.10800.8.100 - Nero AG)
Nero DiscSpeed 10 (HKLM-x32\...\{34490F4E-48D0-492E-8249-B48BECF0537C}) (Version: 6.2.10500.2.100 - Nero AG)
Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.6.10700.5.100 - Nero AG)
Nero Multimedia Suite 10 Essentials (HKLM-x32\...\{62BF4BD3-B1F6-4FA2-8388-CC0647ACBF86}) (Version: 10.5.10300 - Nero AG)
Nero Multimedia Suite 10 Essentials (HKLM-x32\...\{68AFA3A7-9265-4ABD-994A-ACA413E3715C}) (Version: 10.6.10100 - Nero AG)
Nero RescueAgent 10 (HKLM-x32\...\{E337E787-CF61-4B7B-B84F-509202A54023}) (Version: 3.6.10500.3.100 - Nero AG)
Nero StartSmart 10 (HKLM-x32\...\{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}) (Version: 10.2.11600.14.100 - Nero AG)
Nero Update (HKLM-x32\...\{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}) (Version: 1.0.10900.31.0 - Nero AG)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.9.1 - Notepad++ Team)
Nuance PaperPort 12 (HKLM-x32\...\{6C0A559F-8583-4B5A-8B50-20BEE15D8E64}) (Version: 12.1.0000 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM-x32\...\{28656860-4728-433C-8AD4-D1A930437BC8}) (Version: 5.30.3290 - Nuance Communications, Inc)
Outils de vérification linguistique 2013 de Microsoft Office - Français (HKLM-x32\...\{90150000-001F-040C-0000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
PaperPort Image Printer 64-bit (HKLM\...\{715CAACC-579B-4831-A5F4-A83A8DE3EFE2}) (Version: 1.00.0001 - Nuance Communications, Inc.)
Paragon Backup and Recovery™ 14 Free (HKLM\...\{C268B5E1-A5DA-11DF-A289-005056C00008}) (Version: 90.00.0003 - Paragon Software)
Paragon Partition Manager™ 14 Free (HKLM\...\{47E5588F-C3A0-11DE-9857-005056C00008}) (Version: 90.00.0003 - Paragon Software)
PCB Artist Version 2.0 (HKLM-x32\...\{284A25AA-96B4-449D-BBA0-D0C97A5E213E}) (Version: 2.0 - Advanced Circuits)
PCB123 V5.0.3 (HKLM-x32\...\{48EC59F4-383D-437D-890F-58FE3C143CF4}) (Version: 5.0.3 - Sunstone Circuits)
PCLinq3 (HKLM-x32\...\{BD77C684-DF3C-4237-A9F9-FA90ED58CA3F}) (Version: 3.0.0.3 - Prolific Technology Inc.)
Penguins! (HKLM-x32\...\WTA-14bf4f38-1b1c-43f9-9a13-ce98f24022d9) (Version: 2.2.0.95 - WildTangent) Hidden
PerfectDisk Professional (HKLM\...\{C4E01CDC-0063-493C-B383-9C4FCF7A89F7}) (Version: 14.0.890 - Raxco Software Inc.)
PICAXE Editor (HKLM-x32\...\{0E156A47-4C65-40CB-A39F-BA8A677DE948}) (Version: 6.08.0000 - Revolution Education Ltd)
Plants vs. Zombies - Game of the Year (HKLM-x32\...\WTA-df068abe-afbe-496d-8ca1-6811fa8f7f21) (Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (HKLM-x32\...\WTA-017e4ce6-f6b6-4681-9df3-71296439acbf) (Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (HKLM-x32\...\WTA-7ad9ae12-d43d-4656-a30e-31afd633a08b) (Version: 2.2.0.95 - WildTangent) Hidden
PrintFile (HKLM-x32\...\PrintFile) (Version:  - )
Programming Editor (HKLM-x32\...\{428A38D6-791D-4FE5-BA82-D093D26D1D9F}) (Version: 5.5.5 - Revolution Education Ltd)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.45.516.2011 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6257 - Realtek Semiconductor Corp.)
Scansoft PDF Professional (HKLM-x32\...\{068724F8-D8BE-4B43-8DDD-B9FE9E49FD76}) (Version:  - ) Hidden
Secunia PSI (3.0.0.7009) (HKLM-x32\...\Secunia PSI) (Version: 3.0.0.7009 - Secunia)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 32-Bit Edition (HKLM-x32\...\{90150000-0011-0000-0000-0000000FF1CE}_Office15.PROPLUS_{7F6C4883-A18C-459A-82C1-A2F9403F2DA6}) (Version:  - Microsoft)
SES Driver (HKLM\...\{D8CC254C-C671-4664-9A38-FA368D1E2C97}) (Version: 1.0.0 - Western Digital)
SoftPerfect RAM Disk 3.4.6 (HKLM\...\{33A14ED9-0340-4193-BEDB-B95BC8196182}_is1) (Version:  - SoftPerfect)
Spears® Source Book (HKLM-x32\...\{5A1114A1-5B1C-4AF4-AD66-F6D69DA1978A}) (Version: 1.0 - )
Speccy (HKLM\...\Speccy) (Version: 1.16 - Piriform)
StopWatch ( Remove only) (HKLM-x32\...\StopWatch) (Version:  - )
Tina 9 - TI (HKLM-x32\...\{8EFA0E8C-D134-472A-8477-188A48C8B910}) (Version: 9.00.000 - DesignSoft)
TinyCAD 2.80.03 (HKLM-x32\...\TinyCAD) (Version: 2.80.03 - TinyCAD)
Torchlight (HKLM-x32\...\WTA-3c3daaaf-b6d7-4b0f-ac3e-e85886082123) (Version: 2.2.0.97 - WildTangent) Hidden
Total Commander (Remove or Repair) (HKLM-x32\...\Totalcmd) (Version: 7.57a - Ghisler Software GmbH)
Total Commander 64-bit (Remove or Repair) (HKLM\...\Totalcmd64) (Version: 8.52a - Ghisler Software GmbH)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax Business 2013 (HKLM-x32\...\TurboTax Business 2013) (Version: 2013.0 - Intuit, Inc)
Unlocker 1.9.2 (HKLM\...\Unlocker) (Version: 1.9.2 - Cedrick Collomb)
Update for Skype for Business 2015 (KB3039776) 32-Bit Edition (HKLM-x32\...\{90150000-012B-0409-0000-0000000FF1CE}_Office15.PROPLUS_{9F6B3627-AF9E-40A5-AAD5-3497C4327616}) (Version:  - Microsoft)
Uponor 2000 (HKLM-x32\...\ST6UNST #2) (Version:  - )
Uponor Advanced Design Suite 7 (HKLM-x32\...\Uponor Advanced Design Suite 7) (Version:  - )
Virtual Villagers 5 - New Believers (HKLM-x32\...\WTA-b38d372d-31c3-4c36-81a8-0d29c11573c7) (Version: 2.2.0.97 - WildTangent) Hidden
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking 64bit (x64) (HKLM\...\{4A5A427F-BA39-4BF0-7777-9A47FBE60C9F}) (Version: 11.0.200 - Nuance Communications Inc.)
Visual Studio C++ 10.0 Runtime (HKLM-x32\...\{4412F224-3849-4461-A3E9-DEEF8D252790}) (Version: 10.0.0 - TomTom International B.V.)
Welcome Center (HKLM-x32\...\Gateway Welcome Center) (Version: 1.02.3504 - Gateway Incorporated)
Windows Driver Package - Western Digital Technologies (WDC_SAM) WDC_SAM  (01/19/2011 1.0.0009.0) (HKLM\...\4CA7CFBB29889F25ACB3DF6E3A42BAE29EB43B20) (Version: 01/19/2011 1.0.0009.0 - Western Digital Technologies)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
WinX DVD Ripper 5.5.14 (HKLM-x32\...\WinX DVD Ripper_is1) (Version:  - Digiarty Software, Inc.)
WinX DVD Ripper Platinum 7.5.15 (HKLM-x32\...\WinX DVD Ripper Platinum_is1) (Version:  - Digiarty Software, Inc.)
Wondershare Video Converter Ultimate(Build 8.6.0.0) (HKLM-x32\...\Wondershare Video Converter Ultimate_is1) (Version: 8.6.0.0 - Wondershare Software)
Zuma's Revenge (HKLM-x32\...\WTA-cf771659-2a1d-40e8-99d7-b0d3270e3aa7) (Version: 2.2.0.97 - WildTangent) Hidden

========================= Devices: ================================

Name: ZAM Helper Driver
Description: ZAM Helper Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM
Device ID: ROOT\LEGACY_ZAM\0000
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: ZAM Guard Driver
Description: ZAM Guard Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: ZAM_Guard
Device ID: ROOT\LEGACY_ZAM_GUARD\0000
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

========================= Memory info: ===================================

Percentage of memory in use: 43%
Total physical RAM: 6048.28 MB
Available physical RAM: 3406.11 MB
Total Virtual: 18558.46 MB
Available Virtual: 15740.2 MB

========================= Partitions: =====================================

1 Drive c: (C: Gateway System) (Fixed) (Total:1848.92 GB) (Free:1541.76 GB) NTFS
8 Drive j: (J: INTERNAL DISK 2 - 2TB 201307) (Fixed) (Total:1817.83 GB) (Free:1626.17 GB) NTFS
9 Drive k: (K: INTERNAL DISK 2 - 1 TB 201307) (Fixed) (Total:976.56 GB) (Free:319.82 GB) NTFS
10 Drive u: (U: 5TB 20151229 A) (Fixed) (Total:4657.49 GB) (Free:1068.74 GB) NTFS
11 Drive v: (V: 5TB 20151229 B) (Fixed) (Total:4657.49 GB) (Free:1068.73 GB) NTFS
12 Drive x: (X: 3 TB 201401 A) (Fixed) (Total:2794.49 GB) (Free:2492.88 GB) NTFS
13 Drive y: (Y: 3 tb 201405) (Fixed) (Total:2794.49 GB) (Free:2492.69 GB) NTFS
14 Drive z: (Z: 1 TB 201207 B) (Fixed) (Total:931.51 GB) (Free:274.77 GB) NTFS

========================= Users: ========================================

User accounts for \\PWP3

Administrator            Guest                    PAJL                    

========================= Minidump Files ==================================

C:\Windows\Minidump\012416-72010-01.dmp
C:\Windows\Minidump\090315-40513-01.dmp
========================= Restore Points ==================================

02-05-2016 10:10:31 Scheduled Checkpoint
06-05-2016 09:47:28 After GWX Inst, Before WU
06-05-2016 09:53:55 Windows Update
07-05-2016 11:54:50 Checkpoint by HitmanPro
07-05-2016 11:56:02 Checkpoint by HitmanPro
07-05-2016 13:02:57 JRT Pre-Junkware Removal
10-05-2016 05:45:04 Windows Update
12-05-2016 01:34:43 Windows Update
20-05-2016 00:21:22 Scheduled Checkpoint
24-05-2016 10:18:07 after rsa machine keys deletion
24-05-2016 10:28:18 Windows Backup
01-06-2016 00:08:24 Scheduled Checkpoint
07-06-2016 20:33:03 Windows Update
07-06-2016 21:03:39 Checkpoint by HitmanPro
07-06-2016 22:53:33 JRT Pre-Junkware Removal
09-06-2016 09:22:01 Checkpoint by HitmanPro
09-06-2016 09:22:28 Checkpoint by HitmanPro
09-06-2016 09:22:57 Checkpoint by HitmanPro
09-06-2016 09:23:33 Checkpoint by HitmanPro
09-06-2016 09:24:03 Checkpoint by HitmanPro

**** End of log ****

 

MTB detected the ZAM devices. They are part of the Zemana AntiMalware which you had me run yesterday.

ZAM didn't like the FormatFactory video editor program at all.

ZAM also didn't like the %systemroot%\installer\msid936.tmp and %systemroot%\installer\msi874.tmp files, which it identified as part of the ASK toolbar, but I prevented it from quarantining them because I didn't know what they were until I saw the report.

ZAM also didn't like the %programfiles%\h&r block business 2013\tax2013.exe file, which it thought was Heur.Malicious!Pb. I prevented it from quarantining this file because I knew what it was.

ZAM also didn't like the %homedrive%\microsoft utilities\sysinternals bluescreen.scr, which it thought was Malware:Win32/Looper!Area. I allowed it to quarantine this because it is an obsolete joke file from Microsoft which simulated the BSOD on XP machines.

I still don't know what to do with the originally detected files C:\Windows\SysWOW64\Threed20.ocx and C:\Windows\SysWOW64\wave32.ocx.

I also don't know how to remove the certificates I installed for adsfix. Adsfix failed. Do I need to remove the certificates?

Do you think I should purchase HitmanPro or remove it?



#13 InadequateInfirmity

    I Gots Me A Certified Edumication

  • Banned
  • 5,180 posts
  • Gender:Male

Posted 09 June 2016 - 09:25 PM

 

ZAM also didn't like the %systemroot%\installer\msid936.tmp and %systemroot%\installer\msi874.tmp files, which it identified as part of the ASK toolbar, but I prevented it from quarantining them because I didn't know what they were until I saw the report.

Allow it to quarantine them.

ZAM also didn't like the %programfiles%\h&r block business 2013\tax2013.exe file, which it thought was Heur.Malicious!Pb. I prevented it from quarantining this file because I knew what it was.

Ok.

ZAM also didn't like the %homedrive%\microsoft utilities\sysinternals bluescreen.scr, which it thought was Malware:Win32/Looper!Area. I allowed it to quarantine this because it is an obsolete joke file from Microsoft which simulated the BSOD on XP machines.

It's a false positive; ignore it.

I still don't know what to do with the originally detected files C:\Windows\SysWOW64\Threed20.ocx and C:\Windows\SysWOW64\wave32.ocx.

Check them at VirusTotal.

I also don't know how to remove the certificates I installed for adsfix. Adsfix failed. Do I need to remove the certificates?

No, not a big deal; they are not gonna cause any issue.

Do you think I should purchase HitmanPro or remove it?

Keep it, but do not purchase. :)

 

Run chkdsk /f /r from an elevated command prompt.

Disable IPv6

https://support.microsoft.com/en-us/kb/929852

Reset Hosts File

  • Click here to download RstHosts v2.0
  • Save the file to your desktop.
  • Right-click and Run as Administrator.
  • Click on Restaurer, then click OK at the prompt.
  • This will restore the default hosts file.
  • Next, click on Creer Un Rapport.
  • This will open a logfile; post that in your next reply.

Change some settings.

Use this tool to remove the Tunnel adapters.

Disable Computer Browser Service

1. Press the Windows + R keys at the same time; a Run window will appear.
2. Type or copy and paste Services.msc and hit Enter.
3. Scroll to the Computer Browser service.
4. Right-click Computer Browser and choose Stop the service.
5. Right-click Computer Browser again and select Properties.
6. Change the Startup type to Disabled.
7. Hit Apply, then OK.

Uninstall NetBT Driver

1. Press the Windows + R keys at the same time; a Run window will appear.
2. Enter or copy and paste devmgmt.msc in the Run window and click OK.
3. Click on View and select Show Hidden Devices.
4. Click on and unfold Non-Plug and Play Drivers.
5. Find NetBT, right-click the device and choose Uninstall the driver.
6. Reboot when asked.

Hit Enter after each command.

1. Open Start and type cmd, then right-click Command Prompt and choose Run as Administrator.
2. Once Command Prompt has started, enter the following command: nbtstat -R
3. Wait for that command to complete; when a new line appears, enter the following command: nbtstat -RR
4. Wait for that command to complete; when a new line appears, enter the following command: shutdown -r

Disable NetBIOS over TCP/IP

Press the Windows key & R at the same time.
Type or copy and paste ncpa.cpl and hit Enter.
Right-click your connection and hit Properties.
Select Internet Protocol Version 4, then Properties.
Select Advanced, then the WINS tab.
Put a tick next to Disable NetBIOS over TCP/IP.

Use DNS Jumper to set your DNS to Google DNS.

http://www.sordum.org/7952/dns-jumper-v2-0/

Please post a fresh MiniToolBox log after this.



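The checklist in the post above, scripted as an added example in PowerShell (this is not from the original post or from BleepingComputer): it backs up and inspects the hosts file before replacing it with a minimal default, stops and disables the Computer Browser service, disables NetBIOS over TCP/IP and sets the DNS servers on every IP-enabled adapter through WMI (which works on Windows 7's PowerShell 2.0, where Set-DnsClientServerAddress does not exist), and refreshes the NetBIOS name cache with nbtstat. Disabling IPv6 sits behind an opt-in switch because KB929852 itself says Microsoft does not recommend it. The Google DNS addresses, the 0xFF DisabledComponents value and the hosts file contents are assumptions written into the comments; the NetBT driver removal is left to Device Manager as described in the post. Run it from an elevated prompt.

```powershell
# Added example: scripted version of the hardening checklist from the post above.
# Run from an elevated (Run as Administrator) PowerShell prompt on Windows 7 or later.
# Assumptions: Google DNS (8.8.8.8 / 8.8.4.4), DisabledComponents = 0xFF for IPv6,
# and a minimal hosts file (header comments plus commented-out localhost lines).
param(
    [switch]$DisableIPv6,                       # opt-in: Microsoft does not recommend disabling IPv6 (KB929852)
    [string[]]$DnsServers = @('8.8.8.8', '8.8.4.4')
)

$ErrorActionPreference = 'Stop'

# --- Elevation check: every step below writes to HKLM, services or protected files.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# --- Hosts file: back it up, list any live (non-comment) entries, then reset it.
# Live entries are what a hijacker adds (e.g. pointing an AV vendor or bank name at another IP),
# so review the backup rather than assuming the old contents were harmless.
$hosts  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$backup = "$hosts.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
Copy-Item $hosts $backup
$live = Get-Content $hosts | Where-Object { $_ -notmatch '^\s*(#|$)' }
if ($live) {
    Write-Host "Non-default hosts entries (saved in $backup):"
    $live | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'hosts file contained no live entries.'
}
# Minimal default: since Vista the resolver handles localhost itself, so these lines stay commented.
@"
# Copyright (c) 1993-2009 Microsoft Corp.
# Reset by hardening script on $(Get-Date -Format s). Previous copy: $backup
#    127.0.0.1       localhost
#    ::1             localhost
"@ | Set-Content -Path $hosts -Encoding ASCII

# --- Computer Browser service (service name: Browser): stop it and keep it from starting.
$svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name Browser -Force }
    Set-Service -Name Browser -StartupType Disabled
    Write-Host 'Computer Browser service stopped and disabled.'
}

# --- NetBIOS over TCP/IP off and DNS servers set on every IP-enabled adapter.
# Win32_NetworkAdapterConfiguration.SetTcpipNetbios: 0 = use DHCP setting, 1 = enable, 2 = disable.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $r1 = $a.SetTcpipNetbios(2)
    $r2 = $a.SetDNSServerSearchOrder($DnsServers)
    # ReturnValue 0 = success, 1 = success but a reboot is required (documented WMI codes).
    Write-Host ("{0}: NetBIOS={1} DNS={2}" -f $a.Description, $r1.ReturnValue, $r2.ReturnValue)
}

# --- Purge and re-register NetBIOS names (the nbtstat -R / -RR steps from the post).
nbtstat -R  | Out-Null
nbtstat -RR | Out-Null

# --- Optional: disable IPv6 components except loopback via DisabledComponents = 0xFF.
# Takes effect after a reboot; delete the value to return to the default behaviour.
if ($DisableIPv6) {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    Set-ItemProperty -Path $key -Name DisabledComponents -Value 0xFF -Type DWord
    Write-Host 'IPv6 DisabledComponents set to 0xFF; reboot required.'
}

Write-Host 'Done. Reboot to apply the service, NetBIOS and IPv6 changes.'
```

Save it as, for example, harden.ps1 and run `powershell -ExecutionPolicy Bypass -File .\harden.ps1` (add `-DisableIPv6` only if you really want that step). The hosts backup is the part worth reading afterwards: on a machine that had a Nivdort infection, any live entry there is evidence of what the malware was redirecting.
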
#14 Paul_L
  • Topic Starter
  • Members
  • 37 posts
  • Gender:Male
  • Location:Hudson Valley, NY, IBM country!

Posted 09 June 2016 - 09:41 PM

Hi, we cross-posted within four minutes!

I sent both files to virustotal.com and both came back as harmless. Take a look for yourself.

C:\Windows\SysWOW64\thread20.ocx
https://www.virustotal.com/en/file/55fa48cb7cc27dbe3c629f907d129b25550d46e3b553fb25f4d530fc8e397655/analysis/1465525579/

C:\Windows\SysWOW64\wave32.ocx
https://www.virustotal.com/en/file/fb30c3d30ae30dc9f2b2f2f7c22f8bccb5fc7e70c1ed6844380ad4374fd2a3cd/analysis/1465526039/

That leaves just the one open problem.

I don't know how to remove the certificates I installed for adsfix, and then adsfix failed to run. Do I need to remove the certificates?

And my final questions: do you think I should purchase HitmanPro or remove it, and why did you tell me to remove SpyBot, which I had been using occasionally for many years?

Paul_L

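A way to close the loop on the two flagged OCX files, as an added example in PowerShell that is not part of the original thread: it hashes each local file, pulls the SHA-256 out of the VirusTotal URL that was posted and checks that the clean report really describes the file on disk (a report for a different hash says nothing about your copy), then prints the Authenticode status, the version resource and the last-write time so the file can be judged on what it is rather than on a heuristic name. The two URLs and paths are taken from the post above; the PowerShell 4.0 requirement for Get-FileHash and the handling of both spellings of the first file name seen in this thread are assumptions.

```powershell
# Added example: verify the files HitmanPro flagged against the VirusTotal reports posted above.
# The report URLs and paths come from the thread; the first file is spelled both thread20.ocx
# and Threed20.ocx in the thread, so both spellings are tried on disk.
# Requires Get-FileHash (PowerShell 4.0+; WMF 4.0 can be installed on Windows 7 SP1).
$reports = @{
    'C:\Windows\SysWOW64\thread20.ocx' = 'https://www.virustotal.com/en/file/55fa48cb7cc27dbe3c629f907d129b25550d46e3b553fb25f4d530fc8e397655/analysis/1465525579/'
    'C:\Windows\SysWOW64\wave32.ocx'   = 'https://www.virustotal.com/en/file/fb30c3d30ae30dc9f2b2f2f7c22f8bccb5fc7e70c1ed6844380ad4374fd2a3cd/analysis/1465526039/'
}

function Get-VtSha256FromUrl([string]$Url) {
    # VirusTotal file URLs carry the SHA-256 as a 64-hex-digit path segment after /file/.
    if ($Url -match '/file/([0-9a-fA-F]{64})/') { return $Matches[1].ToLower() }
    throw "No SHA-256 found in $Url"
}

function Test-FlaggedFile([string]$Path, [string]$ReportUrl) {
    # Accept either spelling of the file name used in the thread.
    $candidates = @($Path, ($Path -replace 'thread20', 'Threed20'))
    $file = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $file) { Write-Host "MISSING: $Path (not found under either spelling)"; return }

    $local    = (Get-FileHash -Path $file -Algorithm SHA256).Hash.ToLower()
    $reported = Get-VtSha256FromUrl $ReportUrl
    $sig      = Get-AuthenticodeSignature -FilePath $file
    $item     = Get-Item $file
    $ver      = $item.VersionInfo

    Write-Host "File     : $file"
    Write-Host "SHA-256  : $local"
    # A clean report is only meaningful if it describes this exact byte-for-byte file.
    if ($local -eq $reported) {
        Write-Host 'Report   : matches the local file'
    } else {
        Write-Host "Report   : MISMATCH - the report is for $reported, not this file; upload this copy instead"
    }
    # Valid = trusted Authenticode chain. NotSigned is normal for old third-party OCX controls and is
    # not by itself evidence of malware; HashMismatch or NotTrusted deserves a closer look.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    Write-Host "Signature: $($sig.Status) (signer: $signer)"
    Write-Host ("Version  : {0} | {1} | {2}" -f $ver.CompanyName, $ver.ProductName, $ver.FileVersion)
    # A last-write time years before the infection is a (weak, since it can be forged) sign of an old,
    # legitimate component rather than something the trojan dropped.
    Write-Host "Modified : $($item.LastWriteTime)"
    Write-Host ''
}

foreach ($entry in $reports.GetEnumerator()) {
    Test-FlaggedFile -Path $entry.Key -ReportUrl $entry.Value
}
```

If the hash matches and the version resource names a known vendor, the files are exactly what the posted reports cover and the detection can be treated as the heuristic it was; a mismatch means the report was for a different copy and the local file should be uploaded again before deciding anything.
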


#15 InadequateInfirmity

    I Gots Me A Certified Edumication

  • Banned
  • 5,180 posts
  • Gender:Male

Posted 09 June 2016 - 09:46 PM

I don't know how to remove the certificates I installed for adsfix, and then adsfix failed to run. Do I need to remove the certificates?

No need to remove those; they will not harm your machine at all.

And my final questions: do you think I should purchase HitmanPro or remove it, and why did you tell me to remove SpyBot, which I had been using occasionally for many years?

No need to purchase HitmanPro. And Spybot is useless; it was good at one time, but now it really does nothing but slow a machine down by adding a large hosts file. To block trash on your machine you can get better results with uBlock Origin, and it takes fewer resources.





