
Multiple Google Chrome Executables Running, but Chrome Not Installed


  • This topic is locked
36 replies to this topic

#1 danmcalpin


Posted 20 January 2015 - 11:32 AM

I have many "Google Chrome" processes running (jthzgxbastyz.exe *32), but I don't have Chrome installed on this computer. I have tried to run Malwarebytes and Malwarebytes Anti-Rootkit, McAfee Rootkit Remover, and several others. Anything I try to open never actually opens. I ran DDS, but it doesn't look like it's accessing the file system. I am an administrator on this computer, but when I attempt to download anything now from Internet Explorer, I get a Security Alert: "Your current security settings do not allow this file to be downloaded." I reset IE and it allows me to download the programs, but I still can't run them. Hope this helps! Seems like I have a full-blown infestation.

 

Windows 7 Home Premium

Attached: attach.txt (DDS log), FRST.txt (FRST log)


Edited by danmcalpin, 20 January 2015 - 01:00 PM.



#2 Machiavelli

Malware Response Instructor

Posted 20 January 2015 - 11:38 AM

Hey, :)

Please post the FRST log into the thread rather than attaching it. ;)

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#3 danmcalpin

(Topic Starter)

Posted 20 January 2015 - 11:43 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-01-2015 02
Ran by AAE (administrator) on AAE-HP on 13-01-2015 17:46:48
Running from C:\Users\AAE\Desktop
Loaded Profile: AAE (Available profiles: AAE)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(HP) C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
() C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
(Visioneer Inc.) C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Dropbox, Inc.) C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstaller.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-06-24] (IDT, Inc.)
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41336 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840568 2014-05-08] (Adobe Systems Inc.)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ( ())
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2014-10-14] (Microsoft Corporation)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1104256 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [rwklfvoriat] => regsvr32.exe /s "C:\Users\AAE\AppData\Local\WeatherBug\rwklfvoriat.dll" <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ()
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {296e36e9-b4f3-11e3-9c8e-386077ed3287} - G:\iStudio.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {5b627beb-d1c3-11e2-89ed-00038a000015} - F:\VZW_Software_upgrade_assistant_installer.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {ad80981f-2fc6-11e2-88d1-00038a000015} - F:\LaunchU3.exe -a
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Startup: C:\Users\AAE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> {0CEC1616-E978-49FC-A27E-A9CF5EE0FB2F} URL = http://www.mysearchresults.com/search?c=4205&t=20&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll (HP)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PasswordBox Helper -> {5DB69B97-934B-451D-94DB-32EF802A01CD} -> C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll (HP)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254 74.40.74.40

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-05-05]

Chrome:
=======
CHR Profile: C:\Users\AAE\AppData\Local\Google\Chrome\User Data\Default
CHR HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [jpgfhihjicjofdejkbjgnjlaglaciobe] - C:\Program Files (x86)\HP SimplePass 2011\tschrome.crx [2011-06-03]
CHR HKLM-x32\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-06-17] (Portrait Displays, Inc.)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2375168 2011-03-07] (Realsil Microelectronics Inc.) [File not signed]
R2 NvUpdSrv; C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe [159744 2015-01-06] () [File not signed]
R2 OneTouch 4.0 Monitor; C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe [210944 2009-12-17] (Visioneer Inc.) [File not signed]
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
S3 COMSysApp; %SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 NWVoltron; C:\Windows\system32\drivers\NWVoltron.sys [28440 2011-05-25] ()
S3 NWWakeFilterV; C:\Windows\system32\drivers\NWWakeFilterV.sys [16152 2011-05-25] (n/a)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-10-12] ()
S3 BS885513389; \??\C:\Users\AAE\AppData\Local\Temp\NTFS.sys [X]
S3 wanatw; system32\DRIVERS\wanatw64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 17:46 - 2015-01-13 17:50 - 00016757 _____ () C:\Users\AAE\Desktop\FRST.txt
2015-01-13 17:43 - 2015-01-13 17:43 - 00783120 _____ (McAfee, Inc.) C:\Users\AAE\Desktop\rootkitremover.exe
2015-01-13 17:42 - 2015-01-13 17:44 - 00000000 ___HD () C:\Windows\AxInstSV
2015-01-13 17:15 - 2015-01-13 17:18 - 00000000 ____D () C:\AdwCleaner
2015-01-13 17:02 - 2015-01-13 17:02 - 16448208 _____ (Malwarebytes Corp.) C:\Users\AAE\Desktop\malware.exe
2015-01-13 16:52 - 2015-01-13 17:47 - 00000000 ____D () C:\FRST
2015-01-13 16:51 - 2015-01-13 16:51 - 02124288 _____ (Farbar) C:\Users\AAE\Desktop\FRST64.exe
2015-01-13 12:15 - 2015-01-13 17:31 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2015-01-13 12:12 - 2015-01-13 17:30 - 00000000 ____D () C:\ProgramData\Panda Security
2015-01-13 09:59 - 2015-01-13 09:59 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-10 14:41 - 2015-01-13 09:27 - 01348460 _____ () C:\Windows\system32\CFG885513389
2015-01-10 14:36 - 2015-01-13 11:43 - 00000000 ____D () C:\Windows\Minidump
2015-01-10 14:33 - 2015-01-10 14:33 - 00000248 _____ () C:\Windows\SysWOW64\0-G
2015-01-06 10:33 - 2015-01-06 10:33 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2014-12-19 13:37 - 2014-12-19 13:37 - 00001009 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk
2014-12-19 13:37 - 2014-12-19 13:37 - 00000997 _____ () C:\Users\Public\Desktop\TeamViewer 10.lnk

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-13 17:47 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-13 17:47 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-13 17:44 - 2011-10-12 17:31 - 01370611 _____ () C:\Windows\WindowsUpdate.log
2015-01-13 17:37 - 2014-05-05 11:18 - 00000000 ___RD () C:\Users\AAE\Dropbox
2015-01-13 17:32 - 2012-05-29 09:14 - 00000000 ____D () C:\Users\AAE\AppData\Roaming\Dropbox
2015-01-13 17:32 - 2011-10-12 17:52 - 00000000 ____D () C:\ProgramData\PDFC
2015-01-13 17:31 - 2013-08-22 16:09 - 00000196 _____ () C:\Windows\Tasks\AutoKMS.job
2015-01-13 17:31 - 2010-11-20 22:47 - 01054144 _____ () C:\Windows\PFRO.log
2015-01-13 17:31 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-13 17:31 - 2009-07-13 23:51 - 00091589 _____ () C:\Windows\setupact.log
2015-01-13 17:31 - 2009-07-13 23:45 - 00411704 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-13 17:27 - 2012-05-14 12:56 - 00111032 _____ () C:\Users\AAE\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-13 17:25 - 2009-07-14 00:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-13 16:36 - 2013-08-22 16:13 - 00000000 ____D () C:\Users\AAE\Documents\Outlook Files
2015-01-13 11:43 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011315-20186-01.dmp
2015-01-13 10:12 - 2012-05-14 12:57 - 00003910 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{696F204D-9FD4-4068-8736-4762623D5F60}
2015-01-13 09:16 - 2011-10-12 17:57 - 00000000 ____D () C:\ProgramData\truesuite
2015-01-12 14:03 - 2012-05-14 13:10 - 00000000 ___RD () C:\Scanner
2015-01-10 14:36 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011015-42089-01.dmp
2015-01-07 05:07 - 2012-12-21 07:35 - 00000000 ____D () C:\Users\AAE\AppData\Local\WeatherBug
2015-01-06 12:45 - 2012-05-14 12:54 - 00000000 ____D () C:\Users\AAE\AppData\Local\Hewlett-Packard
2015-01-06 04:36 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-01-04 09:18 - 2012-06-15 07:33 - 00003214 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE-HP$
2015-01-04 09:18 - 2012-06-15 07:33 - 00000338 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE-HP$.job
2014-12-31 09:57 - 2012-05-14 12:57 - 00003174 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE
2014-12-31 09:57 - 2012-05-14 12:57 - 00000324 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE.job
2014-12-22 13:43 - 2014-08-11 08:21 - 00001710 _____ () C:\Users\AAE\Desktop\Matt Scan.lnk
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight
2014-12-19 13:47 - 2012-06-06 15:43 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2014-12-19 13:37 - 2012-05-24 08:30 - 00000000 ____D () C:\Users\AAE\AppData\Roaming\TeamViewer
2014-12-14 03:01 - 2013-11-11 13:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

Some content of TEMP:
====================
C:\Users\AAE\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpbhctvd.dll
C:\Users\AAE\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2011-02-11 14:22

==================== End Of Log ============================



#4 Machiavelli

Malware Response Instructor

Posted 20 January 2015 - 11:50 AM

Hey, :)
What's with the Addition Log?

~Machiavelli



#5 danmcalpin

(Topic Starter)

Posted 20 January 2015 - 12:57 PM

Hey, :)
What's with the Addition Log?

Not sure actually... I'll remove it. I thought it was part of the Farbar log, but I wasn't sure. I'll just let you guys tell me what I need to upload.


Edited by danmcalpin, 20 January 2015 - 12:59 PM.


#6 Machiavelli

Malware Response Instructor

Posted 20 January 2015 - 02:00 PM

Hey, :)

Make a new scan, make sure Addition.txt is checked and click on Scan. Post the logs here.

~Machiavelli



#7 danmcalpin

(Topic Starter)

Posted 20 January 2015 - 02:05 PM

Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-01-2015
Ran by AAE at 2015-01-20 13:56:22
Running from C:\Users\AAE\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

3M Products Update version 2012-05 for Microsoft Office 2010 (HKLM-x32\...\{605540BB-36B3-49F0-96D8-B760CBD6E0E8}_is1) (Version:  - 3M Company)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.11 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19120 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.9.900.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.7) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
AuthenTec TrueAPI (Version: 1.3.0.116 - AuthenTec, Inc.) Hidden
Bing Maps 3D (HKLM\...\{6ACE7F46-FACE-4125-AE86-672F4F2A6A28}) (Version: 4.0.903.16005 - Microsoft Corporation)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Dropbox (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Dual Stream 802.11n Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 3.01.18.0 - Ralink)
DVD Menu Pack for HP TouchSmart Video (HKLM-x32\...\InstallShield_{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}) (Version: 4.1.4412 - Hewlett-Packard)
DVD Menu Pack for HP TouchSmart Video (x32 Version: 4.1.4412 - Hewlett-Packard) Hidden
Facebook for HP TouchSmart (HKLM-x32\...\{8AE50893-3A87-4439-9A57-942ED43F7189}) (Version: 1.1.0004 - Hewlett-Packard)
Hewlett-Packard ACLM.NET v1.1.1.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Calendar (HKLM-x32\...\{2B38E0FA-D8A5-4EBF-A018-E3C1C8E7A2E2}) (Version: 5.1.4245.23508 - Hewlett-Packard)
HP Clock (HKLM-x32\...\{750E9D0F-B188-4A7E-ADD2-84B7ED7D32F6}) (Version: 5.1.4281.27332 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP LinkUp (HKLM-x32\...\{DB3147AB-4024-4773-8EC0-A1FE5B44933D}) (Version: 2.01.028 - Hewlett-Packard)
HP Magic Canvas (HKLM-x32\...\{DDFDC9D6-4220-41F8-BF9A-8E7512C4EF52}) (Version: 5.1.15.0 - Hewlett-Packard)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard Company)
HP My Display TouchSmart Edition (HKLM-x32\...\{1F4DDC90-5923-4E49-A4C7-F3CCC954DCA0}) (Version: 1.04.022 - Portrait Displays, Inc.)
HP Notes (HKLM-x32\...\{86BAB08A-5E66-4C53-82E3-C1E91673C7CA}) (Version: 5.1.4274.30382 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Photo Canvas (HKLM-x32\...\{27710506-32B1-49B3-B95B-B7C65FA6FA15}) (Version: 5.1.4267.27011 - Hewlett-Packard)
HP RSS (HKLM-x32\...\{A35E58D6-2A0F-4051-983B-79342081338E}) (Version: 5.1.4301.21494 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{D35B72B6-F0E4-462B-BDEB-E08032B3B681}) (Version: 8.7.4747.3786 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13880.3792 - Hewlett-Packard Company)
HP SimplePass PE 2011 (HKLM-x32\...\{00FF4EB6-6AAC-4E9D-A60A-8F388691BB27}) (Version: 5.3.0.194 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}) (Version: 6.0.5.4 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Touch Browser (HKLM-x32\...\{4E575BFF-51A0-474E-A3BA-C0FCF82E6A78}) (Version: 5.1.4227.17815 - Hewlett-Packard)
HP TouchSmart Ben10 Comic Book Reader (HKLM-x32\...\{9EFD323B-6ADB-4B3A-9253-EA1A75E00F25}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Bubble Wrap (HKLM-x32\...\{5BFFDDEB-AFD7-499F-BB13-7A6EAD927CDA}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart eBay (HKLM-x32\...\{F12C6162-10D4-444A-9182-05CC3DB2456E}) (Version: 1.0.4098.28440 - Hewlett-Packard)
HP TouchSmart Get Updated! (HKLM-x32\...\{2B720998-2E26-4DD6-8AC8-A1FCA4B58384}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Metric Converter (HKLM-x32\...\{D0661463-50F7-4A1E-83CB-37CC590589AE}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Music (HKLM-x32\...\InstallShield_{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart Paint Blast (HKLM-x32\...\{FBB0C095-4FF0-4AF6-8CD5-A80A390FB101}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Photo (HKLM-x32\...\InstallShield_{C9DCE03F-8CB7-4146-A99C-0612D75177EA}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart RecipeBox (HKLM-x32\...\{20714B53-FC73-4F9C-9687-49EB237D6FD7}) (Version: 3.0.3830.27730 - Hewlett-Packard)
HP TouchSmart Spot (HKLM-x32\...\{3D171340-B528-42E0-92E4-BDA7AEEF6F32}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Tap Tap Bear (HKLM-x32\...\{A393CDFF-BEB8-48EA-990D-2EB35B311D23}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Tutorials (HKLM-x32\...\{858FCB65-7C6D-4BA4-AD80-A3CB3744CE09}_is1) (Version: 4.0.0.4 - Hewlett-Packard)
HP TouchSmart Twitter (HKLM-x32\...\{75781594-73D9-4D7B-997F-14D41BF1514E}) (Version: 3.0.4276.30236 - Hewlett-Packard)
HP TouchSmart Video (HKLM-x32\...\InstallShield_{F04BFADD-C8CA-4C86-8F20-B1D7F4F8C66C}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart Webcam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.2.4214 - Hewlett-Packard)
HP Update (HKLM-x32\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.9.0.0 - Hewlett-Packard)
HP Weather (HKLM-x32\...\{8364E531-493B-4B05-8041-09D5CE38B975}) (Version: 5.1.4295.16450 - Hewlett-Packard)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6349.0 - IDT)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2430 - Intel Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kobo (HKLM-x32\...\Kobo) (Version: 1.6 - Kobo Inc.)
Kofax VirtualReScan 4.50 (HKLM-x32\...\{6A35E74B-68AD-4054-B93A-FEB7B687114C}) (Version: 4.50.032 - Kofax, Inc.)
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3925 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.3925 - CyberLink Corp.) Hidden
Max Uninstaller version 2.0 (HKLM-x32\...\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1) (Version: 2.0 - http://www.maxuninstaller.com/)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Access database engine 2010 (English) (HKLM-x32\...\{90140000-00D1-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.31211.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Touch Pack for Windows 7 (HKLM-x32\...\{8FF90DB8-6DED-44A3-B182-244FEC09012F}) (Version: 1.0.40517.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.0 (HKLM-x32\...\{3898934B-05AE-41CD-96BE-70DA9BFBCE1F}) (Version: 3.0.11010.0 - Microsoft Corporation)
Movie Theme Pack for HP TouchSmart Video (HKLM-x32\...\InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 4.1.4412 - Hewlett-Packard)
Movie Theme Pack for HP TouchSmart Video (x32 Version: 4.1.4412 - Hewlett-Packard) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.97 - WildTangent) Hidden
Namco All-Stars: PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
OneTouch 4.0 (HKLM-x32\...\{AF8B1525-17EF-4D2E-A018-8D79CE260BA8}) (Version: 4.5.9.1125 - Visioneer)
OneTouch 4.0 ScanSoft OmniPage OCR Module (HKLM-x32\...\{34466787-FDAE-4B20-8DC0-72E97F39D237}) (Version: 1.1.0 - Visioneer)
PaperPort Image Printer (HKLM\...\{D16193A3-921A-4134-B381-597C8F4B8EBD}) (Version: 1.00.0000 - Nuance Communications, Inc.)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.54 - PDF Complete, Inc)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.5331 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.5331 - CyberLink Corp.) Hidden
PressReader (HKLM-x32\...\{912CED74-88D3-4C5B-ACB0-132318649765}) (Version: 5.10.1217.0 -  NewspaperDirect Inc.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.82 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.4222 - CyberLink Corp.) Hidden
Remote Graphics Receiver (HKLM-x32\...\{16FC3056-90C0-4757-8A68-64D8DA846ADA}) (Version: 5.4.5 - Hewlett-Packard)
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
ScanSoft PaperPort 11 (HKLM-x32\...\{1F68C868-B5AF-4836-8A46-C030BBE1EDB3}) (Version: 11.1.0000 - Nuance Communications, Inc.)
SDK (x32 Version: 2.26.005 - Portrait Displays, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Slingo Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.36897 - TeamViewer)
TSHostedAppLauncher (x32 Version: 5.1.15.0 - Hewlett-Packard) Hidden
Twitter (HKLM-x32\...\{75781594-73D9-4D7B-997F-14D41BF1514D}) (Version:  - )
Vacation Quest - The Hawaiian Islands (x32 Version: 2.2.0.97 - WildTangent) Hidden
VIP Access SDK (1.0.1.4)  (HKLM-x32\...\VIP Access SDK) (Version: 1.0.1.4 - Symantec Inc.)
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
WEB Book and Page Application (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\1095703109.129.71.117.165) (Version:  - 129.71.117.165)
WEB Inquiry SL (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\4251766495.129.71.117.165) (Version:  - 129.71.117.165)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Xerox DocuMate 3115 Driver (HKLM-x32\...\{E0467788-97EB-46C1-AB39-FB52C12A87DC}) (Version: 4.5.9.1217 - Visioneer)
Zinio Reader 4 (HKLM-x32\...\ZinioReader4) (Version: 4.2.4164 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.2.4164 - Zinio LLC) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2014-05-05 11:23 - 00006897 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 3dns-2.adobe.com #192.150.22.22
127.0.0.1 3dns-3.adobe.com #192.150.14.21
127.0.0.1 3dns-4.adobe.com #192.150.18.247
127.0.0.1 3dns-5.adobe.com #192.150.22.46
127.0.0.1 adobe-dns.adobe.com #192.150.11.30
127.0.0.1 adobe-dns-2.adobe.com #192.150.11.247
127.0.0.1 adobe-dns-3.adobe.com #192.150.22.30
127.0.0.1 adobe.activate.com #69.175.22.26
127.0.0.1 activate.adobe.com #192.150.22.40
127.0.0.1 activate.wip3.adobe.com #192.150.22.40
127.0.0.1 activate.wip4.adobe.com #192.150.22.40
127.0.0.1 activate-sea.adobe.com #192.150.22.40
127.0.0.1 activate-sjc0.adobe.com #192.150.14.69
127.0.0.1 ereg.adobe.com #192.150.18.103
127.0.0.1 ereg.wip3.adobe.com #192.150.18.63
127.0.0.1 ereg.wip4.adobe.com #192.150.18.103
127.0.0.1 practivate.adobe.com #192.150.18.54
127.0.0.1 www.wip3.adobe.com #192.150.8.60
127.0.0.1 www.wip4.adobe.com #192.150.18.200
127.0.0.1 www.adobeereg.com #75.125.24.83
127.0.0.1 adobeereg.com #207.66.2.10
127.0.0.1 hl2rcv.adobe.com #192.150.14.174
127.0.0.1 wwis-dubc1-vip30.adobe.com #192.150.8.30
127.0.0.1 wwis-dubc1-vip31.adobe.com #192.150.8.31
127.0.0.1 wwis-dubc1-vip32.adobe.com #192.150.8.32
127.0.0.1 wwis-dubc1-vip33.adobe.com #192.150.8.33
127.0.0.1 wwis-dubc1-vip34.adobe.com #192.150.8.34
127.0.0.1 wwis-dubc1-vip35.adobe.com #192.150.8.35
127.0.0.1 wwis-dubc1-vip36.adobe.com #192.150.8.36

There are 88 more lines.

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0A1FDFA5-7BE8-48DB-8A67-4383CD6E649B} - System32\Tasks\Microsoft\Windows\TabletPC\InputPersonalization => C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe [2009-07-13] (Microsoft Corporation)
Task: {273D57E5-EED3-4E25-94A0-B893E2115ACB} - System32\Tasks\HPCeeScheduleForAAE-HP$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {85934C2A-918C-4B23-8FB3-13EA0873454F} - System32\Tasks\HPCeeScheduleForAAE => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {932DDD87-F82B-4D2E-A4BD-0C67E4CB1C71} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe
Task: {CAF01302-55FC-467B-B41A-85D5D47C149C} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS.exe
Task: C:\Windows\Tasks\HPCeeScheduleForAAE-HP$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\HPCeeScheduleForAAE.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============

2015-01-06 04:51 - 2015-01-06 04:51 - 00159744 _____ () C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe
2011-10-12 17:24 - 2011-06-26 21:16 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-05-14 11:45 - 2014-05-14 11:45 - 00090624 _____ () C:\Program Files (x86)\PasswordBox\libwebsocketswin32.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00750080 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2015-01-20 10:57 - 2015-01-20 10:57 - 00043008 _____ () c:\users\aae\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpyy6ati.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00047616 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\libEGL.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00863744 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00200704 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
2013-09-05 00:14 - 2013-09-05 00:14 - 04300456 _____ () C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf
2013-02-14 15:46 - 2013-02-14 15:46 - 01044048 _____ () C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 00718152 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\libglesv2.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 00126280 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\libegl.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 08537928 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\pdf.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 00353096 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\ppGoogleNaClPluginChrome.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 01732936 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\ffmpegsumo.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 14669128 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\AAE\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\AAE\Desktop\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: BeatsOSDApp => C:\Program Files\IDT\WDM\beats64.exe
MSCONFIG\startupreg: DT HPO => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -HPO
MSCONFIG\startupreg: IndexSearch => "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
MSCONFIG\startupreg: OtShot => C:\Program Files (x86)\OtShot\otshot.exe -minimize
MSCONFIG\startupreg: PaperPort PTD => "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
MSCONFIG\startupreg: PDF Complete => C:\Program Files (x86)\PDF Complete\pdfsty.exe
MSCONFIG\startupreg: PPort11reminder => "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
MSCONFIG\startupreg: SSBkgdUpdate => "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
MSCONFIG\startupreg: {d2a27cfe-9e0f-67df-a243-e42601bc0d6c} => "C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe"

========================= Accounts: ==========================

AAE (S-1-5-21-1327840045-3290688519-2440916738-1000 - Administrator - Enabled) => C:\Users\AAE
Administrator (S-1-5-21-1327840045-3290688519-2440916738-500 - Administrator - Disabled)
Guest (S-1-5-21-1327840045-3290688519-2440916738-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1327840045-3290688519-2440916738-1003 - Limited - Enabled)
Scanner (S-1-5-21-1327840045-3290688519-2440916738-1004 - Administrator - Enabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/20/2015 01:20:45 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft Outlook: Rejected Safe Mode action : Outlook experienced a serious problem with the 'acrobat pdfmaker office com addin' add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?.
Rejected Safe Mode action : Microsoft Outlook.

Error: (01/20/2015 00:49:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b
Faulting module name: IEFRAME.dll, version: 9.0.8112.16599, time stamp: 0x547396ec
Exception code: 0xc0000005
Fault offset: 0x001a8290
Faulting process id: 0x1018
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/20/2015 11:06:08 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x1428
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/20/2015 00:04:47 AM) (Source: Windows Backup) (EventID: 4100) (User: )
Description: Backup did not complete successfully because a shadow copy could not be created. Free up disk space on the drive that you are backing up by deleting unnecessary files and then try again.

Error: (01/20/2015 00:04:26 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:17 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:09 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:03:51 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:03:32 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000064,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

System errors:
=============
Error: (01/20/2015 10:59:38 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/20/2015 09:57:09 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x00000050 (0xfffff8a0139d2000, 0x0000000000000000, 0xfffff800031375aa, 0x0000000000000000)C:\Windows\Minidump\012015-27300-01.dmp012015-27300-01

Error: (01/20/2015 09:57:07 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:55:52 AM on ‎1/‎20/‎2015 was unexpected.

Error: (01/20/2015 09:52:42 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Microsoft Office Sessions:
=========================
Error: (01/20/2015 01:20:45 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft OutlookOutlook experienced a serious problem with the 'acrobat pdfmaker office com addin' add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?

Error: (01/20/2015 00:49:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe9.0.8112.165995473964bIEFRAME.dll9.0.8112.16599547396ecc0000005001a8290101801d034d9619c3162C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\IEFRAME.dlla4bb1266-a0cc-11e4-9958-386077ed3287

Error: (01/20/2015 11:06:08 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe9.0.8112.165995473964bunknown0.0.0.000000000c000000500000000142801d034caff9546c6C:\Program Files (x86)\Internet Explorer\iexplore.exeunknown3e5ec72b-a0be-11e4-9958-386077ed3287

Error: (01/20/2015 00:04:47 AM) (Source: Windows Backup) (EventID: 4100) (User: )
Description: A shadow copy could not be created. Please check "VSS" and "SPP" application event logs for more information. (0x81000019)

Error: (01/20/2015 00:04:26 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:17 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:09 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:03:51 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:03:32 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(
\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000064,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

==================== Memory info ===========================

Processor: Intel® Core™ i3-2120 CPU @ 3.30GHz
Percentage of memory in use: 82%
Total physical RAM: 4000.31 MB
Available physical RAM: 708.67 MB
Total Pagefile: 8000.62 MB
Available Pagefile: 3653.27 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:916.71 GB) (Free:715.75 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:14.71 GB) (Free:1.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive z: (My Passport (JEN)) (Fixed) (Total:931.48 GB) (Free:0.01 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 0C983697)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=916.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: A74F124D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================
FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by AAE (administrator) on AAE-HP on 20-01-2015 13:55:27
Running from C:\Users\AAE\Desktop
Loaded Profiles: AAE (Available profiles: AAE)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(HP) C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
() C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe
(Visioneer Inc.) C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Dropbox, Inc.) C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdiSDKHelper.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_152_ActiveX.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-06-24] (IDT, Inc.)
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41336 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840568 2014-05-08] (Adobe Systems Inc.)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ( ())
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2014-10-14] (Microsoft Corporation)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1104256 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [rwklfvoriat] => regsvr32.exe /s "C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll" <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ()
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {296e36e9-b4f3-11e3-9c8e-386077ed3287} - G:\iStudio.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {5b627beb-d1c3-11e2-89ed-00038a000015} - F:\VZW_Software_upgrade_assistant_installer.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {ad80981f-2fc6-11e2-88d1-00038a000015} - F:\LaunchU3.exe -a
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Startup: C:\Users\AAE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll (HP)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PasswordBox Helper -> {5DB69B97-934B-451D-94DB-32EF802A01CD} -> C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll (HP)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254 74.40.74.41

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-05-05]

Chrome:
=======
CHR Profile: C:\Users\AAE\AppData\Local\Google\Chrome\User Data\Default
CHR HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [jpgfhihjicjofdejkbjgnjlaglaciobe] - C:\Program Files (x86)\HP SimplePass 2011\tschrome.crx [2011-06-03]
CHR HKLM-x32\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-06-17] (Portrait Displays, Inc.)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2375168 2011-03-07] (Realsil Microelectronics Inc.) [File not signed]
R2 NvUpdSrv; C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe [159744 2015-01-06] () [File not signed]
R2 OneTouch 4.0 Monitor; C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe [210944 2009-12-17] (Visioneer Inc.) [File not signed]
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 NWVoltron; C:\Windows\system32\drivers\NWVoltron.sys [28440 2011-05-25] ()
S3 NWWakeFilterV; C:\Windows\system32\drivers\NWWakeFilterV.sys [16152 2011-05-25] (n/a)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-10-12] ()
S3 BS885513389; \??\C:\Users\AAE\AppData\Local\Temp\NTFS.sys [X]
S3 wanatw; system32\DRIVERS\wanatw64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 12:51 - 2015-01-20 13:55 - 00016967 _____ () C:\Users\AAE\Desktop\FRST.txt
2015-01-19 14:33 - 2015-01-19 14:39 - 314472448 _____ () C:\Users\AAE\Desktop\kav_rescue_10.iso
2015-01-19 14:25 - 2015-01-20 11:13 - 00000933 _____ () C:\Users\AAE\Desktop\attach.txt
2015-01-14 14:54 - 2015-01-14 14:54 - 00688992 ____R (Swearware) C:\Users\AAE\Desktop\dds.com
2015-01-14 07:02 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 07:02 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 07:02 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 07:02 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 07:02 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 07:01 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 07:01 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 07:01 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 07:01 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 07:01 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 07:01 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 07:01 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 07:01 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 17:43 - 2015-01-13 17:43 - 00783120 _____ (McAfee, Inc.) C:\Users\AAE\Desktop\rootkitremover.exe
2015-01-13 17:42 - 2015-01-13 17:44 - 00000000 ___HD () C:\Windows\AxInstSV
2015-01-13 17:15 - 2015-01-13 17:18 - 00000000 ____D () C:\AdwCleaner
2015-01-13 17:02 - 2015-01-13 17:02 - 16448208 _____ (Malwarebytes Corp.) C:\Users\AAE\Desktop\malware.exe
2015-01-13 16:52 - 2015-01-20 13:55 - 00000000 ____D () C:\FRST
2015-01-13 16:51 - 2015-01-20 11:40 - 02126848 _____ (Farbar) C:\Users\AAE\Desktop\FRST64.exe
2015-01-13 12:15 - 2015-01-13 17:31 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2015-01-13 12:12 - 2015-01-13 17:30 - 00000000 ____D () C:\ProgramData\Panda Security
2015-01-13 09:59 - 2015-01-14 19:03 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-10 14:41 - 2015-01-19 18:24 - 01232420 _____ () C:\Windows\system32\CFG885513389
2015-01-10 14:36 - 2015-01-20 09:57 - 00000000 ____D () C:\Windows\Minidump
2015-01-10 14:33 - 2015-01-10 14:33 - 00000248 _____ () C:\Windows\SysWOW64\0-G
2015-01-06 10:33 - 2015-01-06 10:33 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 13:52 - 2013-08-22 16:13 - 00000000 ____D () C:\Users\AAE\Documents\Outlook Files
2015-01-20 13:52 - 2011-10-12 17:31 - 02081375 _____ () C:\Windows\WindowsUpdate.log
2015-01-20 13:25 - 2012-05-14 12:57 - 00003910 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{696F204D-9FD4-4068-8736-4762623D5F60}
2015-01-20 11:49 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-20 11:49 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-20 11:02 - 2014-05-05 11:18 - 00000000 ___RD () C:\Users\AAE\Dropbox
2015-01-20 10:57 - 2012-05-29 09:14 - 00000000 ____D () C:\Users\AAE\AppData\Roaming\Dropbox
2015-01-20 09:57 - 2013-08-22 16:09 - 00000196 _____ () C:\Windows\Tasks\AutoKMS.job
2015-01-20 09:57 - 2011-10-12 17:52 - 00000000 ____D () C:\ProgramData\PDFC
2015-01-20 09:57 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 09:57 - 2009-07-13 23:51 - 00091813 _____ () C:\Windows\setupact.log
2015-01-20 09:56 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\012015-27300-01.dmp
2015-01-20 09:50 - 2011-10-12 17:57 - 00000000 ____D () C:\ProgramData\truesuite
2015-01-19 16:24 - 2009-07-14 00:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-16 13:27 - 2012-05-14 13:10 - 00000000 ___RD () C:\Scanner
2015-01-15 09:08 - 2013-07-26 15:32 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 03:00 - 2012-09-17 03:57 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-15 00:50 - 2013-03-13 12:53 - 00000000 ____D () C:\Users\AAE\AppData\Local\Deployment
2015-01-14 09:26 - 2012-05-14 12:56 - 00110560 _____ () C:\Users\AAE\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-13 17:31 - 2010-11-20 22:47 - 01054144 _____ () C:\Windows\PFRO.log
2015-01-13 17:31 - 2009-07-13 23:45 - 00411704 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-13 11:43 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011315-20186-01.dmp
2015-01-10 14:36 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011015-42089-01.dmp
2015-01-07 05:07 - 2012-12-21 07:35 - 00000000 ____D () C:\Users\AAE\AppData\Local\WeatherBug
2015-01-06 12:45 - 2012-05-14 12:54 - 00000000 ____D () C:\Users\AAE\AppData\Local\Hewlett-Packard
2015-01-06 04:36 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-01-04 09:18 - 2012-06-15 07:33 - 00003214 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE-HP$
2015-01-04 09:18 - 2012-06-15 07:33 - 00000338 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE-HP$.job
2014-12-31 09:57 - 2012-05-14 12:57 - 00003174 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE
2014-12-31 09:57 - 2012-05-14 12:57 - 00000324 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE.job
2014-12-22 13:43 - 2014-08-11 08:21 - 00001710 _____ () C:\Users\AAE\Desktop\Matt Scan.lnk
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight

==================== Files in the root of some directories =======
2011-10-12 17:56 - 2011-06-09 18:44 - 0002792 _____ () C:\Program Files\HP SimplePass 2011
2013-07-25 12:59 - 2013-07-25 13:01 - 0000274 _____ () C:\Users\AAE\AppData\Local\Tempgrantaccess.log
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.0
2012-12-03 14:35 - 2012-12-03 14:35 - 0053968 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.1
2012-12-03 14:35 - 2012-12-03 14:35 - 0056005 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.2
2012-12-03 14:35 - 2012-12-03 14:35 - 0056612 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.3
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.JPG
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.0
2012-12-03 14:35 - 2012-12-03 14:35 - 0053968 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.1
2012-12-03 14:35 - 2012-12-03 14:35 - 0056005 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.2
2012-12-03 14:35 - 2012-12-03 14:35 - 0056612 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.3
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.JPG

Some content of TEMP:
====================
C:\Users\AAE\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7di7oh.dll
C:\Users\AAE\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpyy6ati.dll
C:\Users\AAE\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2011-02-11 14:22

==================== End Of Log ============================
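The FRST.txt above already marks the entries that matter for this machine: the Software Restriction Policy lines (HKLM Group Policy restriction on software) that cover the Malwarebytes and Symantec folders, which is a likely reason tools launched as administrator "think for a second" and exit; the DisableSR policy; a user Run value that loads a DLL from AppData\Local\Deployment through regsvr32 /s; an HKLM\...\Policies\Explorer\Run entry pointing into C:\ProgramData\Microsoft\{GUID}; a CLSID LocalServer32 value that FRST tags as Poweliks, which runs script through rundll32 and mshtml.dll instead of pointing at a file; and the jthzgxbastyz.exe processes that carry "Google Inc." version info but run from AppData\LocalLow\Unity\... on a PC without Chrome. As an added example, not part of the thread, of FRST or of any post above, the Python script below runs those checks over lines copied from the log and decodes the visible prefix of the eval() string, which is stored with every character code raised by one and reads document.write('<script language= once shifted back. The rule names and heuristics are my own; the benign control lines (svchost, Dropbox, the HP Run entry) are also copied from the log.

```python
"""Triage heuristics for Farbar Recovery Scan Tool (FRST) log lines.

Added example for this thread. It is not part of FRST, Malwarebytes or any
post above; the rule names and heuristics are my own. SAMPLE_LOG holds lines
copied from the FRST.txt posted earlier in the thread (the Poweliks value is
already truncated on the page, so only its visible prefix is present).
"""
import re

# Sample input copied from the posted FRST.txt. svchost, Dropbox and the HP
# Run entry are benign controls that the rules must leave alone.
SAMPLE_LOG = r"""
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Dropbox, Inc.) C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ( ())
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [rwklfvoriat] => regsvr32.exe /s "C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll" <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
"""

# "(Vendor) X:\path\to\file.exe" lines from the Processes section.
PROCESS_RE = re.compile(r"^\((?P<vendor>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")
# A Run value that silently registers a DLL living under a user profile.
REGSVR32_RE = re.compile(r'\\Run: .*regsvr32\.exe\s+/s\s+"[^"]*\\AppData\\', re.I)
# The COM hijack FRST labels Poweliks: a CLSID LocalServer32 value that runs
# script through rundll32/mshtml instead of pointing at an executable.
POWELIKS_RE = re.compile(r'localserver32: rundll32\.exe javascript:.*?eval\("([^"\s]+)', re.I)


def decode_shifted(s: str, shift: int = 1) -> str:
    """Undo a per-character code shift (the eval() payload above is stored
    with every character code raised by one, so subtracting one reads it)."""
    return "".join(chr(ord(c) - shift) for c in s)


def vendor_mismatch(vendor: str, path: str) -> bool:
    """A binary whose version info names a vendor but which runs from a
    profile directory that never mentions that vendor (here 'Google Inc.'
    under AppData\\LocalLow\\Unity\\...) deserves a look. Dropbox under
    AppData\\Roaming\\Dropbox passes because its path names the vendor."""
    if not vendor or "\\appdata\\" not in path.lower():
        return False
    first_word = re.split(r"[\s,]", vendor)[0].lower()
    return first_word not in path.lower()


def triage(log_text: str) -> list:
    """Return (rule, detail) pairs for every line one of the heuristics hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        proc = PROCESS_RE.match(line)
        pw = POWELIKS_RE.search(line)
        if proc and vendor_mismatch(proc["vendor"], proc["path"]):
            findings.append(("vendor-path-mismatch", proc["path"]))
        elif "Group Policy restriction on software:" in line:
            # A Software Restriction Policy path rule on an AV folder is one
            # reason a tool "thinks for a second, but does nothing" at launch.
            blocked = line.split(": ", 1)[1].split(" <=")[0]
            findings.append(("srp-blocks-path", blocked))
        elif "\\Policies\\Explorer\\Run:" in line:
            # Rarely used by legitimate software; survives Run-key cleanups.
            findings.append(("policies-explorer-run", line))
        elif "SystemRestore: [DisableSR" in line:
            findings.append(("system-restore-disabled", line))
        elif REGSVR32_RE.search(line):
            findings.append(("regsvr32-appdata-dll", line))
        elif pw:
            findings.append(("poweliks-clsid-localserver32", decode_shifted(pw.group(1))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:30} {detail}")
```

Run it against a full FRST.txt by passing the file contents to triage(); the vendor check is deliberately narrow (profile directories only) so that the long list of vendor-signed binaries under Program Files produces no noise.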



#8 Machiavelli (Malware Response Instructor, Germany)

Posted 20 January 2015 - 03:54 PM

Hey, :)

Step 1: Adwarecleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP, just run it.)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated, select Settings > Detection and Protection
Tick Scan for rootkits

Go back to the Dashboard and select Scan Now

If threats are detected, click the Apply Actions button; MBAM will ask for a reboot.

On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#9 danmcalpin (Topic Starter)

Posted 20 January 2015 - 04:26 PM

When I attempt to download anything now from Internet Explorer, I get a "Security Alert" that says "Your current security settings do not allow this file to be downloaded." I reset IE, and it allows me to download the programs, but I still can’t run them.

When I right-click and run as administrator on JRT computer thinks for a second, but does nothing. 

When I right-click and run as administrator on mbam-setup-2.0.4.1028 the computer thinks for a second, but does nothing.

Here is the log for AdwCleaner:

# AdwCleaner v4.108 - Report created 20/01/2015 at 15:53:52
# Updated 17/01/2015 by Xplode
# Database : 2015-01-18.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : AAE - AAE-HP
# Running from : C:\Users\AAE\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Here are the logs for Farbar:

FRST:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by AAE (administrator) on AAE-HP on 20-01-2015 16:14:31
Running from C:\Users\AAE\Desktop
Loaded Profiles: AAE (Available profiles: AAE)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(HP) C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
() C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
(Visioneer Inc.) C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(Microsoft Corporation) C:\Windows\System32\regsvr32.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Windows\SysWOW64\regsvr32.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Dropbox, Inc.) C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(CyberLink Corp.) C:\Program Files (x86)\Cyberlink\Power2Go\Power2Go.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_9_900_152_ActiveX.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe
(Google Inc.) C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\jthzgxbastyz.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-06-24] (IDT, Inc.)
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41336 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840568 2014-05-08] (Adobe Systems Inc.)
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ( ())
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2014-10-14] (Microsoft Corporation)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1104256 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [rwklfvoriat] => regsvr32.exe /s "C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll" <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ()
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {296e36e9-b4f3-11e3-9c8e-386077ed3287} - G:\iStudio.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {5b627beb-d1c3-11e2-89ed-00038a000015} - F:\VZW_Software_upgrade_assistant_installer.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {ad80981f-2fc6-11e2-88d1-00038a000015} - F:\LaunchU3.exe -a
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Startup: C:\Users\AAE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll (HP)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PasswordBox Helper -> {5DB69B97-934B-451D-94DB-32EF802A01CD} -> C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll (HP)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254 74.40.74.41

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-05-05]

Chrome:
=======
CHR Profile: C:\Users\AAE\AppData\Local\Google\Chrome\User Data\Default
CHR HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [jpgfhihjicjofdejkbjgnjlaglaciobe] - C:\Program Files (x86)\HP SimplePass 2011\tschrome.crx [2011-06-03]
CHR HKLM-x32\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-06-17] (Portrait Displays, Inc.)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2375168 2011-03-07] (Realsil Microelectronics Inc.) [File not signed]
R2 NvUpdSrv; C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe [159744 2015-01-06] () [File not signed]
R2 OneTouch 4.0 Monitor; C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe [210944 2009-12-17] (Visioneer Inc.) [File not signed]
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 NWVoltron; C:\Windows\system32\drivers\NWVoltron.sys [28440 2011-05-25] ()
S3 NWWakeFilterV; C:\Windows\system32\drivers\NWWakeFilterV.sys [16152 2011-05-25] (n/a)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-10-12] ()
S3 BS885513389; \??\C:\Users\AAE\AppData\Local\Temp\NTFS.sys [X]
S3 wanatw; system32\DRIVERS\wanatw64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 16:14 - 2015-01-20 16:16 - 00016184 _____ () C:\Users\AAE\Desktop\FRST.txt
2015-01-20 16:06 - 2015-01-20 16:06 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\AAE\Desktop\mbam-setup-2.0.4.1028.exe
2015-01-20 16:03 - 2015-01-20 16:03 - 00000000 ____D () C:\Windows\ERUNT
2015-01-20 16:02 - 2015-01-20 16:02 - 01707939 _____ (Thisisu) C:\Users\AAE\Desktop\JRT.exe
2015-01-20 15:59 - 2015-01-20 16:11 - 00001810 _____ () C:\Windows\system32\DB885513389
2015-01-20 15:57 - 2015-01-20 15:57 - 00000905 _____ () C:\Users\AAE\Desktop\AdwCleaner[S1].txt
2015-01-20 15:51 - 2015-01-20 15:51 - 02186752 _____ () C:\Users\AAE\Desktop\AdwCleaner.exe
2015-01-19 14:33 - 2015-01-19 14:39 - 314472448 _____ () C:\Users\AAE\Desktop\kav_rescue_10.iso
2015-01-19 14:25 - 2015-01-20 11:13 - 00000933 _____ () C:\Users\AAE\Desktop\attach.txt
2015-01-14 14:54 - 2015-01-14 14:54 - 00688992 ____R (Swearware) C:\Users\AAE\Desktop\dds.com
2015-01-14 07:02 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 07:02 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 07:02 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 07:02 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 07:02 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 07:01 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 07:01 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 07:01 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 07:01 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 07:01 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 07:01 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 07:01 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 07:01 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 17:43 - 2015-01-13 17:43 - 00783120 _____ (McAfee, Inc.) C:\Users\AAE\Desktop\rootkitremover.exe
2015-01-13 17:42 - 2015-01-13 17:44 - 00000000 ___HD () C:\Windows\AxInstSV
2015-01-13 17:15 - 2015-01-20 15:53 - 00000000 ____D () C:\AdwCleaner
2015-01-13 17:02 - 2015-01-13 17:02 - 16448208 _____ (Malwarebytes Corp.) C:\Users\AAE\Desktop\malware.exe
2015-01-13 16:52 - 2015-01-20 16:14 - 00000000 ____D () C:\FRST
2015-01-13 16:51 - 2015-01-20 11:40 - 02126848 _____ (Farbar) C:\Users\AAE\Desktop\FRST64.exe
2015-01-13 12:15 - 2015-01-13 17:31 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2015-01-13 12:12 - 2015-01-13 17:30 - 00000000 ____D () C:\ProgramData\Panda Security
2015-01-13 09:59 - 2015-01-14 19:03 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-10 14:41 - 2015-01-19 18:24 - 01232420 _____ () C:\Windows\system32\CFG885513389
2015-01-10 14:36 - 2015-01-20 15:55 - 00000000 ____D () C:\Windows\Minidump
2015-01-10 14:33 - 2015-01-10 14:33 - 00000248 _____ () C:\Windows\SysWOW64\0-G
2015-01-06 10:33 - 2015-01-06 10:33 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 16:11 - 2012-05-14 12:57 - 00003910 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{696F204D-9FD4-4068-8736-4762623D5F60}
2015-01-20 16:09 - 2011-10-12 17:31 - 01048747 _____ () C:\Windows\WindowsUpdate.log
2015-01-20 16:05 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-20 16:05 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-20 16:01 - 2014-05-05 11:18 - 00000000 ___RD () C:\Users\AAE\Dropbox
2015-01-20 15:57 - 2012-05-29 09:14 - 00000000 ____D () C:\Users\AAE\AppData\Roaming\Dropbox
2015-01-20 15:56 - 2011-10-12 17:52 - 00000000 ____D () C:\ProgramData\PDFC
2015-01-20 15:55 - 2013-08-22 16:09 - 00000196 _____ () C:\Windows\Tasks\AutoKMS.job
2015-01-20 15:55 - 2011-10-12 18:10 - 00269578 ____N () C:\Windows\Minidump\012015-15366-01.dmp
2015-01-20 15:55 - 2010-11-20 22:47 - 01054772 _____ () C:\Windows\PFRO.log
2015-01-20 15:55 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 15:55 - 2009-07-13 23:51 - 00091869 _____ () C:\Windows\setupact.log
2015-01-20 15:50 - 2013-08-22 16:13 - 00000000 ____D () C:\Users\AAE\Documents\Outlook Files
2015-01-20 09:56 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\012015-27300-01.dmp
2015-01-20 09:50 - 2011-10-12 17:57 - 00000000 ____D () C:\ProgramData\truesuite
2015-01-19 16:24 - 2009-07-14 00:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-16 13:27 - 2012-05-14 13:10 - 00000000 ___RD () C:\Scanner
2015-01-15 09:08 - 2013-07-26 15:32 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 03:00 - 2012-09-17 03:57 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-15 00:50 - 2013-03-13 12:53 - 00000000 ____D () C:\Users\AAE\AppData\Local\Deployment
2015-01-14 09:26 - 2012-05-14 12:56 - 00110560 _____ () C:\Users\AAE\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-13 17:31 - 2009-07-13 23:45 - 00411704 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-13 11:43 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011315-20186-01.dmp
2015-01-10 14:36 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011015-42089-01.dmp
2015-01-07 05:07 - 2012-12-21 07:35 - 00000000 ____D () C:\Users\AAE\AppData\Local\WeatherBug
2015-01-06 12:45 - 2012-05-14 12:54 - 00000000 ____D () C:\Users\AAE\AppData\Local\Hewlett-Packard
2015-01-06 04:36 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-01-04 09:18 - 2012-06-15 07:33 - 00003214 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE-HP$
2015-01-04 09:18 - 2012-06-15 07:33 - 00000338 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE-HP$.job
2014-12-31 09:57 - 2012-05-14 12:57 - 00003174 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE
2014-12-31 09:57 - 2012-05-14 12:57 - 00000324 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE.job
2014-12-22 13:43 - 2014-08-11 08:21 - 00001710 _____ () C:\Users\AAE\Desktop\Matt Scan.lnk
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight

==================== Files in the root of some directories =======
2011-10-12 17:56 - 2011-06-09 18:44 - 0002792 _____ () C:\Program Files\HP SimplePass 2011
2013-07-25 12:59 - 2013-07-25 13:01 - 0000274 _____ () C:\Users\AAE\AppData\Local\Tempgrantaccess.log
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.0
2012-12-03 14:35 - 2012-12-03 14:35 - 0053968 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.1
2012-12-03 14:35 - 2012-12-03 14:35 - 0056005 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.2
2012-12-03 14:35 - 2012-12-03 14:35 - 0056612 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.3
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.JPG
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.0
2012-12-03 14:35 - 2012-12-03 14:35 - 0053968 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.1
2012-12-03 14:35 - 2012-12-03 14:35 - 0056005 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.2
2012-12-03 14:35 - 2012-12-03 14:35 - 0056612 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.3
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.JPG

Some content of TEMP:
====================
C:\Users\AAE\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpxbwsxu.dll
C:\Users\AAE\AppData\Local\Temp\ose00000.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2011-02-11 14:22

==================== End Of Log ============================

Addition:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-01-2015
Ran by AAE at 2015-01-20 16:16:19
Running from C:\Users\AAE\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

3M Products Update version 2012-05 for Microsoft Office 2010 (HKLM-x32\...\{605540BB-36B3-49F0-96D8-B760CBD6E0E8}_is1) (Version:  - 3M Company)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.11 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19120 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.9.900.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.7) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
AuthenTec TrueAPI (Version: 1.3.0.116 - AuthenTec, Inc.) Hidden
Bing Maps 3D (HKLM\...\{6ACE7F46-FACE-4125-AE86-672F4F2A6A28}) (Version: 4.0.903.16005 - Microsoft Corporation)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Dropbox (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Dual Stream 802.11n Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 3.01.18.0 - Ralink)
DVD Menu Pack for HP TouchSmart Video (HKLM-x32\...\InstallShield_{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}) (Version: 4.1.4412 - Hewlett-Packard)
DVD Menu Pack for HP TouchSmart Video (x32 Version: 4.1.4412 - Hewlett-Packard) Hidden
Facebook for HP TouchSmart (HKLM-x32\...\{8AE50893-3A87-4439-9A57-942ED43F7189}) (Version: 1.1.0004 - Hewlett-Packard)
Hewlett-Packard ACLM.NET v1.1.1.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Calendar (HKLM-x32\...\{2B38E0FA-D8A5-4EBF-A018-E3C1C8E7A2E2}) (Version: 5.1.4245.23508 - Hewlett-Packard)
HP Clock (HKLM-x32\...\{750E9D0F-B188-4A7E-ADD2-84B7ED7D32F6}) (Version: 5.1.4281.27332 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP LinkUp (HKLM-x32\...\{DB3147AB-4024-4773-8EC0-A1FE5B44933D}) (Version: 2.01.028 - Hewlett-Packard)
HP Magic Canvas (HKLM-x32\...\{DDFDC9D6-4220-41F8-BF9A-8E7512C4EF52}) (Version: 5.1.15.0 - Hewlett-Packard)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard Company)
HP My Display TouchSmart Edition (HKLM-x32\...\{1F4DDC90-5923-4E49-A4C7-F3CCC954DCA0}) (Version: 1.04.022 - Portrait Displays, Inc.)
HP Notes (HKLM-x32\...\{86BAB08A-5E66-4C53-82E3-C1E91673C7CA}) (Version: 5.1.4274.30382 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Photo Canvas (HKLM-x32\...\{27710506-32B1-49B3-B95B-B7C65FA6FA15}) (Version: 5.1.4267.27011 - Hewlett-Packard)
HP RSS (HKLM-x32\...\{A35E58D6-2A0F-4051-983B-79342081338E}) (Version: 5.1.4301.21494 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{D35B72B6-F0E4-462B-BDEB-E08032B3B681}) (Version: 8.7.4747.3786 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13880.3792 - Hewlett-Packard Company)
HP SimplePass PE 2011 (HKLM-x32\...\{00FF4EB6-6AAC-4E9D-A60A-8F388691BB27}) (Version: 5.3.0.194 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}) (Version: 6.0.5.4 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Touch Browser (HKLM-x32\...\{4E575BFF-51A0-474E-A3BA-C0FCF82E6A78}) (Version: 5.1.4227.17815 - Hewlett-Packard)
HP TouchSmart Ben10 Comic Book Reader (HKLM-x32\...\{9EFD323B-6ADB-4B3A-9253-EA1A75E00F25}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Bubble Wrap (HKLM-x32\...\{5BFFDDEB-AFD7-499F-BB13-7A6EAD927CDA}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart eBay (HKLM-x32\...\{F12C6162-10D4-444A-9182-05CC3DB2456E}) (Version: 1.0.4098.28440 - Hewlett-Packard)
HP TouchSmart Get Updated! (HKLM-x32\...\{2B720998-2E26-4DD6-8AC8-A1FCA4B58384}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Metric Converter (HKLM-x32\...\{D0661463-50F7-4A1E-83CB-37CC590589AE}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Music (HKLM-x32\...\InstallShield_{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart Paint Blast (HKLM-x32\...\{FBB0C095-4FF0-4AF6-8CD5-A80A390FB101}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Photo (HKLM-x32\...\InstallShield_{C9DCE03F-8CB7-4146-A99C-0612D75177EA}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart RecipeBox (HKLM-x32\...\{20714B53-FC73-4F9C-9687-49EB237D6FD7}) (Version: 3.0.3830.27730 - Hewlett-Packard)
HP TouchSmart Spot (HKLM-x32\...\{3D171340-B528-42E0-92E4-BDA7AEEF6F32}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Tap Tap Bear (HKLM-x32\...\{A393CDFF-BEB8-48EA-990D-2EB35B311D23}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Tutorials (HKLM-x32\...\{858FCB65-7C6D-4BA4-AD80-A3CB3744CE09}_is1) (Version: 4.0.0.4 - Hewlett-Packard)
HP TouchSmart Twitter (HKLM-x32\...\{75781594-73D9-4D7B-997F-14D41BF1514E}) (Version: 3.0.4276.30236 - Hewlett-Packard)
HP TouchSmart Video (HKLM-x32\...\InstallShield_{F04BFADD-C8CA-4C86-8F20-B1D7F4F8C66C}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart Webcam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.2.4214 - Hewlett-Packard)
HP Update (HKLM-x32\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.9.0.0 - Hewlett-Packard)
HP Weather (HKLM-x32\...\{8364E531-493B-4B05-8041-09D5CE38B975}) (Version: 5.1.4295.16450 - Hewlett-Packard)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6349.0 - IDT)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2430 - Intel Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kobo (HKLM-x32\...\Kobo) (Version: 1.6 - Kobo Inc.)
Kofax VirtualReScan 4.50 (HKLM-x32\...\{6A35E74B-68AD-4054-B93A-FEB7B687114C}) (Version: 4.50.032 - Kofax, Inc.)
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3925 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.3925 - CyberLink Corp.) Hidden
Max Uninstaller version 2.0 (HKLM-x32\...\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1) (Version: 2.0 - http://www.maxuninstaller.com/)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Access database engine 2010 (English) (HKLM-x32\...\{90140000-00D1-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.31211.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Touch Pack for Windows 7 (HKLM-x32\...\{8FF90DB8-6DED-44A3-B182-244FEC09012F}) (Version: 1.0.40517.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.0 (HKLM-x32\...\{3898934B-05AE-41CD-96BE-70DA9BFBCE1F}) (Version: 3.0.11010.0 - Microsoft Corporation)
Movie Theme Pack for HP TouchSmart Video (HKLM-x32\...\InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 4.1.4412 - Hewlett-Packard)
Movie Theme Pack for HP TouchSmart Video (x32 Version: 4.1.4412 - Hewlett-Packard) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.97 - WildTangent) Hidden
Namco All-Stars: PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
OneTouch 4.0 (HKLM-x32\...\{AF8B1525-17EF-4D2E-A018-8D79CE260BA8}) (Version: 4.5.9.1125 - Visioneer)
OneTouch 4.0 ScanSoft OmniPage OCR Module (HKLM-x32\...\{34466787-FDAE-4B20-8DC0-72E97F39D237}) (Version: 1.1.0 - Visioneer)
PaperPort Image Printer (HKLM\...\{D16193A3-921A-4134-B381-597C8F4B8EBD}) (Version: 1.00.0000 - Nuance Communications, Inc.)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.54 - PDF Complete, Inc)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.5331 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.5331 - CyberLink Corp.) Hidden
PressReader (HKLM-x32\...\{912CED74-88D3-4C5B-ACB0-132318649765}) (Version: 5.10.1217.0 -  NewspaperDirect Inc.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.82 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.4222 - CyberLink Corp.) Hidden
Remote Graphics Receiver (HKLM-x32\...\{16FC3056-90C0-4757-8A68-64D8DA846ADA}) (Version: 5.4.5 - Hewlett-Packard)
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
ScanSoft PaperPort 11 (HKLM-x32\...\{1F68C868-B5AF-4836-8A46-C030BBE1EDB3}) (Version: 11.1.0000 - Nuance Communications, Inc.)
SDK (x32 Version: 2.26.005 - Portrait Displays, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Slingo Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.36897 - TeamViewer)
TSHostedAppLauncher (x32 Version: 5.1.15.0 - Hewlett-Packard) Hidden
Twitter (HKLM-x32\...\{75781594-73D9-4D7B-997F-14D41BF1514D}) (Version:  - )
Vacation Quest - The Hawaiian Islands (x32 Version: 2.2.0.97 - WildTangent) Hidden
VIP Access SDK (1.0.1.4)  (HKLM-x32\...\VIP Access SDK) (Version: 1.0.1.4 - Symantec Inc.)
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
WEB Book and Page Application (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\1095703109.129.71.117.165) (Version:  - 129.71.117.165)
WEB Inquiry SL (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\4251766495.129.71.117.165) (Version:  - 129.71.117.165)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Xerox DocuMate 3115 Driver (HKLM-x32\...\{E0467788-97EB-46C1-AB39-FB52C12A87DC}) (Version: 4.5.9.1217 - Visioneer)
Zinio Reader 4 (HKLM-x32\...\ZinioReader4) (Version: 4.2.4164 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.2.4164 - Zinio LLC) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2014-05-05 11:23 - 00006897 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 3dns-2.adobe.com #192.150.22.22
127.0.0.1 3dns-3.adobe.com #192.150.14.21
127.0.0.1 3dns-4.adobe.com #192.150.18.247
127.0.0.1 3dns-5.adobe.com #192.150.22.46
127.0.0.1 adobe-dns.adobe.com #192.150.11.30
127.0.0.1 adobe-dns-2.adobe.com #192.150.11.247
127.0.0.1 adobe-dns-3.adobe.com #192.150.22.30
127.0.0.1 adobe.activate.com #69.175.22.26
127.0.0.1 activate.adobe.com #192.150.22.40
127.0.0.1 activate.wip3.adobe.com #192.150.22.40
127.0.0.1 activate.wip4.adobe.com #192.150.22.40
127.0.0.1 activate-sea.adobe.com #192.150.22.40
127.0.0.1 activate-sjc0.adobe.com #192.150.14.69
127.0.0.1 ereg.adobe.com #192.150.18.103
127.0.0.1 ereg.wip3.adobe.com #192.150.18.63
127.0.0.1 ereg.wip4.adobe.com #192.150.18.103
127.0.0.1 practivate.adobe.com #192.150.18.54
127.0.0.1 www.wip3.adobe.com #192.150.8.60
127.0.0.1 www.wip4.adobe.com #192.150.18.200
127.0.0.1 www.adobeereg.com #75.125.24.83
127.0.0.1 adobeereg.com #207.66.2.10
127.0.0.1 hl2rcv.adobe.com #192.150.14.174
127.0.0.1 wwis-dubc1-vip30.adobe.com #192.150.8.30
127.0.0.1 wwis-dubc1-vip31.adobe.com #192.150.8.31
127.0.0.1 wwis-dubc1-vip32.adobe.com #192.150.8.32
127.0.0.1 wwis-dubc1-vip33.adobe.com #192.150.8.33
127.0.0.1 wwis-dubc1-vip34.adobe.com #192.150.8.34
127.0.0.1 wwis-dubc1-vip35.adobe.com #192.150.8.35
127.0.0.1 wwis-dubc1-vip36.adobe.com #192.150.8.36

There are 88 more lines.

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0A1FDFA5-7BE8-48DB-8A67-4383CD6E649B} - System32\Tasks\Microsoft\Windows\TabletPC\InputPersonalization => C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe [2009-07-13] (Microsoft Corporation)
Task: {273D57E5-EED3-4E25-94A0-B893E2115ACB} - System32\Tasks\HPCeeScheduleForAAE-HP$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {85934C2A-918C-4B23-8FB3-13EA0873454F} - System32\Tasks\HPCeeScheduleForAAE => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {932DDD87-F82B-4D2E-A4BD-0C67E4CB1C71} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe
Task: {CAF01302-55FC-467B-B41A-85D5D47C149C} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS.exe
Task: C:\Windows\Tasks\HPCeeScheduleForAAE-HP$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\HPCeeScheduleForAAE.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============

2015-01-06 04:51 - 2015-01-06 04:51 - 00159744 _____ () C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe
2011-10-12 17:24 - 2011-06-26 21:16 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-05-14 11:45 - 2014-05-14 11:45 - 00090624 _____ () C:\Program Files (x86)\PasswordBox\libwebsocketswin32.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00750080 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2015-01-20 15:56 - 2015-01-20 15:56 - 00043008 _____ () c:\users\aae\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpxbwsxu.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00047616 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\libEGL.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00863744 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00200704 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 00718152 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\libglesv2.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 00126280 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\libegl.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 08537928 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\pdf.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 00353096 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\ppGoogleNaClPluginChrome.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 01732936 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\ffmpegsumo.dll
2015-01-13 17:22 - 2015-01-13 17:22 - 00310088 _____ () C:\Users\AAE\AppData\LocalLow\Unity\Txwadme\ibxywia\36.0.1985.143\libexif.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\AAE\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\AAE\Desktop\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: BeatsOSDApp => C:\Program Files\IDT\WDM\beats64.exe
MSCONFIG\startupreg: DT HPO => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -HPO
MSCONFIG\startupreg: IndexSearch => "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
MSCONFIG\startupreg: OtShot => C:\Program Files (x86)\OtShot\otshot.exe -minimize
MSCONFIG\startupreg: PaperPort PTD => "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
MSCONFIG\startupreg: PDF Complete => C:\Program Files (x86)\PDF Complete\pdfsty.exe
MSCONFIG\startupreg: PPort11reminder => "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
MSCONFIG\startupreg: SSBkgdUpdate => "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
MSCONFIG\startupreg: {d2a27cfe-9e0f-67df-a243-e42601bc0d6c} => "C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe"

========================= Accounts: ==========================

AAE (S-1-5-21-1327840045-3290688519-2440916738-1000 - Administrator - Enabled) => C:\Users\AAE
Administrator (S-1-5-21-1327840045-3290688519-2440916738-500 - Administrator - Disabled)
Guest (S-1-5-21-1327840045-3290688519-2440916738-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1327840045-3290688519-2440916738-1003 - Limited - Enabled)
Scanner (S-1-5-21-1327840045-3290688519-2440916738-1004 - Administrator - Enabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/20/2015 03:58:43 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 9.0.8112.16599 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 193c

Start Time: 01d034f3c530afee

Termination Time: 16

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id:

Error: (01/20/2015 01:20:45 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft Outlook: Rejected Safe Mode action : Outlook experienced a serious problem with the 'acrobat pdfmaker office com addin' add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?.
Rejected Safe Mode action : Microsoft Outlook.

Error: (01/20/2015 00:49:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b
Faulting module name: IEFRAME.dll, version: 9.0.8112.16599, time stamp: 0x547396ec
Exception code: 0xc0000005
Fault offset: 0x001a8290
Faulting process id: 0x1018
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/20/2015 11:06:08 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x1428
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/20/2015 00:04:47 AM) (Source: Windows Backup) (EventID: 4100) (User: )
Description: Backup did not complete successfully because a shadow copy could not be created. Free up disk space on the drive that you are backing up by deleting unnecessary files and then try again.

Error: (01/20/2015 00:04:26 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:17 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:09 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:03:51 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

System errors:
=============
Error: (01/20/2015 04:02:54 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (01/20/2015 03:57:35 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/20/2015 03:55:48 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x00000050 (0xfffff8a00b5b8000, 0x0000000000000000, 0xfffff800030e45aa, 0x0000000000000000)C:\Windows\Minidump\012015-15366-01.dmp012015-15366-01

Error: (01/20/2015 02:56:04 PM) (Source: DCOM) (EventID: 10016) (User: AAE-HP)
Description: machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}{9BA05972-F6A8-11CF-A442-00A0C90A8F39}AAE-HPAAES-1-5-21-1327840045-3290688519-2440916738-1000LocalHost (Using LRPC)

Error: (01/20/2015 10:59:38 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/20/2015 09:57:09 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x00000050 (0xfffff8a0139d2000, 0x0000000000000000, 0xfffff800031375aa, 0x0000000000000000)C:\Windows\Minidump\012015-27300-01.dmp012015-27300-01

Error: (01/20/2015 09:57:07 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:55:52 AM on ‎1/‎20/‎2015 was unexpected.

Error: (01/20/2015 09:52:42 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Error: (01/20/2015 00:04:26 AM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk0\DR0.

Microsoft Office Sessions:
=========================
Error: (01/20/2015 03:58:43 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe9.0.8112.16599193c01d034f3c530afee16C:\Program Files (x86)\Internet Explorer\iexplore.exe

Error: (01/20/2015 01:20:45 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft OutlookOutlook experienced a serious problem with the 'acrobat pdfmaker office com addin' add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?

Error: (01/20/2015 00:49:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe9.0.8112.165995473964bIEFRAME.dll9.0.8112.16599547396ecc0000005001a8290101801d034d9619c3162C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\IEFRAME.dlla4bb1266-a0cc-11e4-9958-386077ed3287

Error: (01/20/2015 11:06:08 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe9.0.8112.165995473964bunknown0.0.0.000000000c000000500000000142801d034caff9546c6C:\Program Files (x86)\Internet Explorer\iexplore.exeunknown3e5ec72b-a0be-11e4-9958-386077ed3287

Error: (01/20/2015 00:04:47 AM) (Source: Windows Backup) (EventID: 4100) (User: )
Description: A shadow copy could not be created. Please check "VSS" and "SPP" application event logs for more information. (0x81000019)

Error: (01/20/2015 00:04:26 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:17 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:09 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:03:51 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

==================== Memory info ===========================

Processor: Intel® Core™ i3-2120 CPU @ 3.30GHz
Percentage of memory in use: 54%
Total physical RAM: 4000.31 MB
Available physical RAM: 1816.55 MB
Total Pagefile: 8000.62 MB
Available Pagefile: 5334.87 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:916.71 GB) (Free:715.66 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:14.71 GB) (Free:1.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive z: (My Passport (JEN)) (Fixed) (Total:931.48 GB) (Free:0.01 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 0C983697)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=916.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: A74F124D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16599

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [6221 octets] - [13/01/2015 17:15:36]
AdwCleaner[R1].txt - [845 octets] - [20/01/2015 15:52:09]
AdwCleaner[S0].txt - [5536 octets] - [13/01/2015 17:18:33]
AdwCleaner[S1].txt - [767 octets] - [20/01/2015 15:53:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [826 octets] ##########


Edited by danmcalpin, 20 January 2015 - 04:27 PM.


#10 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,883 posts
  • Gender:Male
  • Location:Germany

Posted 20 January 2015 - 05:34 PM

Hey, :)
Can you please post the full AdwCleaner log?

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#11 danmcalpin

danmcalpin
  • Topic Starter

  • Members
  • 20 posts

Posted 20 January 2015 - 06:10 PM

Sorry... I don't know why it all didn't make it. Please see below:


# AdwCleaner v4.108 - Report created 20/01/2015 at 15:53:52
# Updated 17/01/2015 by Xplode
# Database : 2015-01-18.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : AAE - AAE-HP
# Running from : C:\Users\AAE\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16599

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [6221 octets] - [13/01/2015 17:15:36]
AdwCleaner[R1].txt - [845 octets] - [20/01/2015 15:52:09]
AdwCleaner[S0].txt - [5536 octets] - [13/01/2015 17:18:33]
AdwCleaner[S1].txt - [767 octets] - [20/01/2015 15:53:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [826 octets] ##########



#12 danmcalpin

danmcalpin
  • Topic Starter

  • Members
  • 20 posts

Posted 20 January 2015 - 06:11 PM

I did run this on 1/13 and it had a lot more items returned. Here is the log from 1/13 in case it helps you identify something:


# AdwCleaner v4.107 - Report created 13/01/2015 at 17:18:33
# Updated 07/01/2015 by Xplode
# Database : 2015-01-13.2 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : AAE - AAE-HP
# Running from : C:\Users\AAE\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EF87954I\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\SearchProtect
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\otshot
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\AAE\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\AAE\AppData\Local\Conduit
Folder Deleted : C:\Users\AAE\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\AAE\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\AAE\AppData\Roaming\DriverCure
File Deleted : C:\END

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\lonndllmbldmmoefheenkmgkencnkdkh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lonndllmbldmmoefheenkmgkencnkdkh
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\speedupmypc
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3284668
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3287822
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{EEE6C35B-6118-11DC-9C72-001320C79847}]
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9E8EE68D-8A28-41D3-87CA-2B9C45BBE4C0}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B6CD661E-C11D-412B-9B5B-81A067341FEE}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{F8BB2EF0-A7DB-4CD8-9B10-710BC041159F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{318A4709-A667-41FA-B9E2-601B10080B0A}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Cr_Installer
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\BetterSurf
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\InfoAtoms
Key Deleted : HKLM\SOFTWARE\Uniblue
Key Deleted : HKLM\SOFTWARE\Viewpoint

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16599

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [6221 octets] - [13/01/2015 17:15:36]
AdwCleaner[S0].txt - [5368 octets] - [13/01/2015 17:18:33]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5428 octets] ##########



#13 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 3,883 posts
  • Gender:Male
  • Location:Germany
  • Local time:09:23 AM

Posted 20 January 2015 - 06:14 PM

Hey, :)

First,
  • Please open Notepad.exe. Make sure that you don't use any other software than Notepad.exe!
  • Copy and Paste the content of the codebox below into the empty textfile:

    HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
    HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
    HKLM-x32\...\Run: [] => [X]
    HKLM\...\Policies\Explorer\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ( ())
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
    HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [rwklfvoriat] => regsvr32.exe /s "C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll" <===== ATTENTION
    HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ()
    HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {296e36e9-b4f3-11e3-9c8e-386077ed3287} - G:\iStudio.exe
    HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {5b627beb-d1c3-11e2-89ed-00038a000015} - F:\VZW_Software_upgrade_assistant_installer.exe
    HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {ad80981f-2fc6-11e2-88d1-00038a000015} - F:\LaunchU3.exe -a
    HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
    C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll
    C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    CHR HKLM-x32\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]
    AlternateDataStreams: C:\Users\AAE\.DS_Store:AFP_AfpInfo
    AlternateDataStreams: C:\Users\AAE\Desktop\.DS_Store:AFP_AfpInfo
    AlternateDataStreams: C:\ProgramData\Temp:373E1720
    AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo
    EmptyTemp:
    
  • Then click on File >> Save as
    • File Name: Fixlist.txt
    • From the Save as type drop down list, choose All Files
  • It is very important that you save this textfile on your Desktop!
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe (Note: If FRST advises there is a new updated version to be downloaded, allow this.) and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run; please post it in your reply.
Next,
  • Run FRST. (If you have Windows Vista / Windows 7 / Windows 8, please right-click the FRST icon and select Run as Administrator.)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
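The fixlist above removes a set of entries that FRST marked with ATTENTION: software-restriction policies aimed at the Malwarebytes and Symantec folders, System Restore switched off by policy, a Run key that silently registers a DLL from AppData through regsvr32, a GUID-named executable under ProgramData, an Internet Explorer policy lock (which matches the download block the poster reported), and a CLSID localserver32 value that launches script through rundll32 (the Poweliks pattern). The Python script below is an added example, not part of this thread and not an FRST feature: it runs a small set of detection rules over FRST-style log lines so the same indicators can be screened for in another log before a fixlist is written. The sample lines are modelled on the entries quoted above (the Poweliks payload is elided); the rule names are this example's own labels.

```python
"""Triage helper for FRST-style log lines (added example, not an FRST feature).

It matches a handful of detection rules against the kind of registry and
policy entries a responder marks with ATTENTION, so a log can be screened
for the same indicators before a fixlist is written.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str   # label of the rule that fired (this example's own names)
    line: str   # the log line that matched


# (rule name, pattern, rationale). Patterns are modelled on the entries the
# responder flagged in the thread; a whitelisted Run key should match none.
RULES = [
    ("clsid_localserver32_script_host",
     re.compile(r"localserver32:.*rundll32\.exe\s+javascript:", re.I),
     "COM LocalServer32 command starts a script host instead of an executable"),
    ("run_regsvr32_profile_dll",
     re.compile(r'\\Run:.*regsvr32\.exe\s+/s\s+"?[^"]*\\AppData\\', re.I),
     "Run key silently registers a DLL stored under a user profile"),
    ("run_programdata_guid_exe",
     re.compile(r"\\Run:.*C:\\ProgramData\\[^\\]*\\\{[0-9a-f-]{36}\}\\\{[0-9a-f-]{36}\}\.exe", re.I),
     "Run key points at a GUID-named executable under ProgramData"),
    ("policy_software_restriction",
     re.compile(r"Group Policy restriction on software:", re.I),
     "Software Restriction Policy entry blocking a security product path"),
    ("policy_system_restore_disabled",
     re.compile(r"SystemRestore:\s*\[DisableSR", re.I),
     "System Restore switched off through policy"),
    ("policy_ie_restriction",
     re.compile(r"Policies\\Microsoft\\Internet Explorer: Policy restriction", re.I),
     "Internet Explorer locked down through policy"),
]

# Constructed sample: two benign Run keys of the kind FRST whitelists, followed
# by lines modelled on the flagged entries (Poweliks payload elided).
SAMPLE_LINES = [
    r"HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)",
    r"HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-06-24] (IDT, Inc.)",
    r"HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION",
    r"HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION",
    r"HKLM\...\Policies\Explorer\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ( ())",
    r"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION",
    r'HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [rwklfvoriat] => regsvr32.exe /s "C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll" <===== ATTENTION',
    r"HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ()",
    r'HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("<payload elided>") <==== Poweliks!',
    r"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION",
]


def triage(lines):
    """Return one Finding per (line, rule) hit, in input order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for name, pattern, _rationale in RULES:
            if pattern.search(line):
                findings.append(Finding(name, line))
    return findings


def summarize(findings):
    """Count findings per rule so a log can be compared at a glance."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"[{f.rule}] {f.line[:90]}")
    print(summarize(hits))
```

The rules are deliberately narrow: each one keys on the combination of a persistence location and an out-of-place launcher or path (a script host in a COM server entry, a silent regsvr32 load from a profile folder, a GUID-named binary under ProgramData), so the ordinary vendor Run keys in the same log produce no hits. Feed it the lines of an FRST.txt or Addition.txt and review every finding by hand before deciding what belongs in a fixlist.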



#14 danmcalpin

danmcalpin
  • Topic Starter

  • Members
  • 20 posts
  • Local time:09:23 AM

Posted 20 January 2015 - 07:57 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by AAE at 2015-01-20 18:18:46 Run:1
Running from C:\Users\AAE\Desktop
Loaded Profiles: AAE (Available profiles: AAE)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM-x32\...\Run: [] => [X]
HKLM\...\Policies\Explorer\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ( ())
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [rwklfvoriat] => regsvr32.exe /s "C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll" <===== ATTENTION
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe [269350 2015-01-06] ()
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {296e36e9-b4f3-11e3-9c8e-386077ed3287} - G:\iStudio.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {5b627beb-d1c3-11e2-89ed-00038a000015} - F:\VZW_Software_upgrade_assistant_installer.exe
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\MountPoints2: {ad80981f-2fc6-11e2-88d1-00038a000015} - F:\LaunchU3.exe -a
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll
C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HKLM-x32\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]
AlternateDataStreams: C:\Users\AAE\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\Users\AAE\Desktop\.DS_Store:AFP_AfpInfo
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Public\.DS_Store:AFP_AfpInfo
EmptyTemp:
*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c} => value deleted successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Windows\CurrentVersion\Run\\rwklfvoriat => value deleted successfully.
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Windows\CurrentVersion\Run\\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c} => value deleted successfully.
"HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{296e36e9-b4f3-11e3-9c8e-386077ed3287}" => Key deleted successfully.
HKCR\CLSID\{296e36e9-b4f3-11e3-9c8e-386077ed3287} => Key not found.
"HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5b627beb-d1c3-11e2-89ed-00038a000015}" => Key deleted successfully.
HKCR\CLSID\{5b627beb-d1c3-11e2-89ed-00038a000015} => Key not found.
"HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ad80981f-2fc6-11e2-88d1-00038a000015}" => Key deleted successfully.
HKCR\CLSID\{ad80981f-2fc6-11e2-88d1-00038a000015} => Key not found.
"HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
C:\Users\AAE\AppData\Local\Deployment\rwklfvoriat.dll => Moved successfully.

"C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}" directory move:

Could not move "C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe" => Scheduled to move on reboot.
Could not move "C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}" directory. => Scheduled to move on reboot.

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\oajgghejjpgkmpgbchgjieahoefimdle" => Key deleted successfully.
C:\Users\AAE\.DS_Store => ":AFP_AfpInfo" ADS removed successfully.
C:\Users\AAE\Desktop\.DS_Store => ":AFP_AfpInfo" ADS removed successfully.
C:\ProgramData\Temp => ":373E1720" ADS removed successfully.
C:\Users\Public\.DS_Store => ":AFP_AfpInfo" ADS removed successfully.
EmptyTemp: => Removed 34.1 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-01-20 19:40:21)<=

C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe => Is moved successfully.
C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c} => Is moved successfully.

==== End of Fixlog 19:40:21 ====

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015
Ran by AAE (administrator) on AAE-HP on 20-01-2015 19:46:48
Running from C:\Users\AAE\Desktop
Loaded Profiles: AAE (Available profiles: AAE)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(HP) C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
() C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe
(Visioneer Inc.) C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer_Desktop.exe
(Microsoft Corporation) C:\Windows\System32\wisptis.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\tv_x64.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
(Dropbox, Inc.) C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
(Microsoft Corporation) C:\Windows\System32\sdclt.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-06-24] (IDT, Inc.)
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [41336 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [840568 2014-05-08] (Adobe Systems Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [OfficeSyncProcess] => C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE [720064 2014-10-14] (Microsoft Corporation)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [Adobe Acrobat Synchronizer] => C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\AdobeCollabSync.exe [1104256 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => "C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe"
Startup: C:\Users\AAE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {DA7A13F4-6AC9-4773-A4C8-56F89D72C133} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll (HP)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PasswordBox Helper -> {5DB69B97-934B-451D-94DB-32EF802A01CD} -> C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll (HP)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
DPF: HKLM {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254 74.40.74.41

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/VirtualEarth3D,version=4.0 -> c:\Program Files (x86)\Virtual Earth 3D\ ()
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2014-05-05]

Chrome:
=======
CHR Profile: C:\Users\AAE\AppData\Local\Google\Chrome\User Data\Default
CHR HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Chrome\Extension: [oajgghejjpgkmpgbchgjieahoefimdle] - C:\Users\AAE\AppData\Local\CRE\oajgghejjpgkmpgbchgjieahoefimdle.crx [Not Found]
CHR HKLM-x32\...\Chrome\Extension: [jpgfhihjicjofdejkbjgnjlaglaciobe] - C:\Program Files (x86)\HP SimplePass 2011\tschrome.crx [2011-06-03]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129840 2011-06-17] (Portrait Displays, Inc.)
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2375168 2011-03-07] (Realsil Microelectronics Inc.) [File not signed]
R2 NvUpdSrv; C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe [159744 2015-01-06] () [File not signed]
R2 OneTouch 4.0 Monitor; C:\Program Files (x86)\Visioneer\OneTouch 4.0\OtService.exe [210944 2009-12-17] (Visioneer Inc.) [File not signed]
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2014-05-14] (PasswordBox, Inc.) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)
R2 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5426448 2014-12-15] (TeamViewer GmbH)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 NWVoltron; C:\Windows\system32\drivers\NWVoltron.sys [28440 2011-05-25] ()
S3 NWWakeFilterV; C:\Windows\system32\drivers\NWWakeFilterV.sys [16152 2011-05-25] (n/a)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-10-12] ()
S3 BS885513389; \??\C:\Users\AAE\AppData\Local\Temp\NTFS.sys [X]
S3 wanatw; system32\DRIVERS\wanatw64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 19:46 - 2015-01-20 19:47 - 00013234 _____ () C:\Users\AAE\Desktop\FRST.txt
2015-01-20 16:06 - 2015-01-20 16:06 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\AAE\Desktop\mbam-setup-2.0.4.1028.exe
2015-01-20 16:03 - 2015-01-20 16:03 - 00000000 ____D () C:\Windows\ERUNT
2015-01-20 16:02 - 2015-01-20 16:02 - 01707939 _____ (Thisisu) C:\Users\AAE\Desktop\JRT.exe
2015-01-20 15:51 - 2015-01-20 15:51 - 02186752 _____ () C:\Users\AAE\Desktop\AdwCleaner.exe
2015-01-19 14:33 - 2015-01-19 14:39 - 314472448 _____ () C:\Users\AAE\Desktop\kav_rescue_10.iso
2015-01-14 14:54 - 2015-01-14 14:54 - 00688992 ____R (Swearware) C:\Users\AAE\Desktop\dds.com
2015-01-14 07:02 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 07:02 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 07:02 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 07:02 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 07:02 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-14 07:01 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 07:01 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 07:01 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 07:01 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 07:01 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 07:01 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 07:01 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 07:01 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 17:43 - 2015-01-13 17:43 - 00783120 _____ (McAfee, Inc.) C:\Users\AAE\Desktop\rootkitremover.exe
2015-01-13 17:42 - 2015-01-13 17:44 - 00000000 ___HD () C:\Windows\AxInstSV
2015-01-13 17:15 - 2015-01-20 15:53 - 00000000 ____D () C:\AdwCleaner
2015-01-13 17:02 - 2015-01-13 17:02 - 16448208 _____ (Malwarebytes Corp.) C:\Users\AAE\Desktop\malware.exe
2015-01-13 16:52 - 2015-01-20 19:46 - 00000000 ____D () C:\FRST
2015-01-13 16:51 - 2015-01-20 11:40 - 02126848 _____ (Farbar) C:\Users\AAE\Desktop\FRST64.exe
2015-01-13 12:15 - 2015-01-13 17:31 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2015-01-13 12:12 - 2015-01-13 17:30 - 00000000 ____D () C:\ProgramData\Panda Security
2015-01-13 09:59 - 2015-01-14 19:03 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-10 14:41 - 2015-01-20 19:40 - 01233116 _____ () C:\Windows\system32\CFG885513389
2015-01-10 14:36 - 2015-01-20 15:55 - 00000000 ____D () C:\Windows\Minidump
2015-01-10 14:33 - 2015-01-10 14:33 - 00000248 _____ () C:\Windows\SysWOW64\0-G
2015-01-06 10:33 - 2015-01-06 10:33 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-20 19:44 - 2014-05-05 11:18 - 00000000 ___RD () C:\Users\AAE\Dropbox
2015-01-20 19:41 - 2012-05-29 09:14 - 00000000 ____D () C:\Users\AAE\AppData\Roaming\Dropbox
2015-01-20 19:39 - 2013-08-22 16:09 - 00000196 _____ () C:\Windows\Tasks\AutoKMS.job
2015-01-20 19:39 - 2011-10-12 17:52 - 00000000 ____D () C:\ProgramData\PDFC
2015-01-20 19:39 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-20 19:38 - 2011-10-12 17:31 - 01091970 _____ () C:\Windows\WindowsUpdate.log
2015-01-20 19:38 - 2009-07-13 23:51 - 00091925 _____ () C:\Windows\setupact.log
2015-01-20 18:18 - 2013-03-13 12:53 - 00000000 ____D () C:\Users\AAE\AppData\Local\Deployment
2015-01-20 16:11 - 2012-05-14 12:57 - 00003910 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{696F204D-9FD4-4068-8736-4762623D5F60}
2015-01-20 16:05 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-20 16:05 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-20 15:55 - 2011-10-12 18:10 - 00269578 ____N () C:\Windows\Minidump\012015-15366-01.dmp
2015-01-20 15:55 - 2010-11-20 22:47 - 01054772 _____ () C:\Windows\PFRO.log
2015-01-20 15:50 - 2013-08-22 16:13 - 00000000 ____D () C:\Users\AAE\Documents\Outlook Files
2015-01-20 09:56 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\012015-27300-01.dmp
2015-01-20 09:50 - 2011-10-12 17:57 - 00000000 ____D () C:\ProgramData\truesuite
2015-01-19 16:24 - 2009-07-14 00:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-16 13:27 - 2012-05-14 13:10 - 00000000 ___RD () C:\Scanner
2015-01-15 09:08 - 2013-07-26 15:32 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 03:00 - 2012-09-17 03:57 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 09:26 - 2012-05-14 12:56 - 00110560 _____ () C:\Users\AAE\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-13 17:31 - 2009-07-13 23:45 - 00411704 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-13 11:43 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011315-20186-01.dmp
2015-01-10 14:36 - 2011-10-12 18:10 - 00320089 ____N () C:\Windows\Minidump\011015-42089-01.dmp
2015-01-07 05:07 - 2012-12-21 07:35 - 00000000 ____D () C:\Users\AAE\AppData\Local\WeatherBug
2015-01-06 12:45 - 2012-05-14 12:54 - 00000000 ____D () C:\Users\AAE\AppData\Local\Hewlett-Packard
2015-01-06 04:36 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-01-04 09:18 - 2012-06-15 07:33 - 00003214 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE-HP$
2015-01-04 09:18 - 2012-06-15 07:33 - 00000338 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE-HP$.job
2014-12-31 09:57 - 2012-05-14 12:57 - 00003174 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAAE
2014-12-31 09:57 - 2012-05-14 12:57 - 00000324 _____ () C:\Windows\Tasks\HPCeeScheduleForAAE.job
2014-12-22 13:43 - 2014-08-11 08:21 - 00001710 _____ () C:\Users\AAE\Desktop\Matt Scan.lnk
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-12-22 13:37 - 2013-11-11 13:56 - 00000000 ____D () C:\Program Files (x86)\Microsoft Silverlight

==================== Files in the root of some directories =======
2011-10-12 17:56 - 2011-06-09 18:44 - 0002792 _____ () C:\Program Files\HP SimplePass 2011
2013-07-25 12:59 - 2013-07-25 13:01 - 0000274 _____ () C:\Users\AAE\AppData\Local\Tempgrantaccess.log
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.0
2012-12-03 14:35 - 2012-12-03 14:35 - 0053968 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.1
2012-12-03 14:35 - 2012-12-03 14:35 - 0056005 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.2
2012-12-03 14:35 - 2012-12-03 14:35 - 0056612 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.3
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpOriPHOTO (1)_2.JPG
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.0
2012-12-03 14:35 - 2012-12-03 14:35 - 0053968 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.1
2012-12-03 14:35 - 2012-12-03 14:35 - 0056005 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.2
2012-12-03 14:35 - 2012-12-03 14:35 - 0056612 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.3
2012-12-03 14:35 - 2012-12-03 14:35 - 0036136 _____ () C:\Users\AAE\AppData\Local\tmpPHOTO (1)_2.JPG

Some content of TEMP:
====================
C:\Users\AAE\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqvgqxu.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2011-02-11 14:22

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-01-2015
Ran by AAE at 2015-01-20 19:48:08
Running from C:\Users\AAE\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

3M Products Update version 2012-05 for Microsoft Office 2010 (HKLM-x32\...\{605540BB-36B3-49F0-96D8-B760CBD6E0E8}_is1) (Version:  - 3M Company)
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.11 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19120 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.9.900.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.7) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.7 - Adobe Systems Incorporated)
AuthenTec TrueAPI (Version: 1.3.0.116 - AuthenTec, Inc.) Hidden
Bing Maps 3D (HKLM\...\{6ACE7F46-FACE-4125-AE86-672F4F2A6A28}) (Version: 4.0.903.16005 - Microsoft Corporation)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Dropbox (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Dropbox) (Version: 3.0.3 - Dropbox, Inc.)
Dual Stream 802.11n Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 3.01.18.0 - Ralink)
DVD Menu Pack for HP TouchSmart Video (HKLM-x32\...\InstallShield_{FB4BB287-37F9-4E27-9C4D-2D3882E08EFF}) (Version: 4.1.4412 - Hewlett-Packard)
DVD Menu Pack for HP TouchSmart Video (x32 Version: 4.1.4412 - Hewlett-Packard) Hidden
Facebook for HP TouchSmart (HKLM-x32\...\{8AE50893-3A87-4439-9A57-942ED43F7189}) (Version: 1.1.0004 - Hewlett-Packard)
Hewlett-Packard ACLM.NET v1.1.1.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Calendar (HKLM-x32\...\{2B38E0FA-D8A5-4EBF-A018-E3C1C8E7A2E2}) (Version: 5.1.4245.23508 - Hewlett-Packard)
HP Clock (HKLM-x32\...\{750E9D0F-B188-4A7E-ADD2-84B7ED7D32F6}) (Version: 5.1.4281.27332 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP LinkUp (HKLM-x32\...\{DB3147AB-4024-4773-8EC0-A1FE5B44933D}) (Version: 2.01.028 - Hewlett-Packard)
HP Magic Canvas (HKLM-x32\...\{DDFDC9D6-4220-41F8-BF9A-8E7512C4EF52}) (Version: 5.1.15.0 - Hewlett-Packard)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard Company)
HP My Display TouchSmart Edition (HKLM-x32\...\{1F4DDC90-5923-4E49-A4C7-F3CCC954DCA0}) (Version: 1.04.022 - Portrait Displays, Inc.)
HP Notes (HKLM-x32\...\{86BAB08A-5E66-4C53-82E3-C1E91673C7CA}) (Version: 5.1.4274.30382 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Photo Canvas (HKLM-x32\...\{27710506-32B1-49B3-B95B-B7C65FA6FA15}) (Version: 5.1.4267.27011 - Hewlett-Packard)
HP RSS (HKLM-x32\...\{A35E58D6-2A0F-4051-983B-79342081338E}) (Version: 5.1.4301.21494 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{D35B72B6-F0E4-462B-BDEB-E08032B3B681}) (Version: 8.7.4747.3786 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13880.3792 - Hewlett-Packard Company)
HP SimplePass PE 2011 (HKLM-x32\...\{00FF4EB6-6AAC-4E9D-A60A-8F388691BB27}) (Version: 5.3.0.194 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}) (Version: 6.0.5.4 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Touch Browser (HKLM-x32\...\{4E575BFF-51A0-474E-A3BA-C0FCF82E6A78}) (Version: 5.1.4227.17815 - Hewlett-Packard)
HP TouchSmart Ben10 Comic Book Reader (HKLM-x32\...\{9EFD323B-6ADB-4B3A-9253-EA1A75E00F25}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Bubble Wrap (HKLM-x32\...\{5BFFDDEB-AFD7-499F-BB13-7A6EAD927CDA}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart eBay (HKLM-x32\...\{F12C6162-10D4-444A-9182-05CC3DB2456E}) (Version: 1.0.4098.28440 - Hewlett-Packard)
HP TouchSmart Get Updated! (HKLM-x32\...\{2B720998-2E26-4DD6-8AC8-A1FCA4B58384}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Metric Converter (HKLM-x32\...\{D0661463-50F7-4A1E-83CB-37CC590589AE}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Music (HKLM-x32\...\InstallShield_{91A34181-9FAD-43AB-A35F-E7A8945B7E1C}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart Paint Blast (HKLM-x32\...\{FBB0C095-4FF0-4AF6-8CD5-A80A390FB101}_is1) (Version: 4.0.0.0 - Turner Entertainment Networks Asia, Inc.)
HP TouchSmart Photo (HKLM-x32\...\InstallShield_{C9DCE03F-8CB7-4146-A99C-0612D75177EA}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart RecipeBox (HKLM-x32\...\{20714B53-FC73-4F9C-9687-49EB237D6FD7}) (Version: 3.0.3830.27730 - Hewlett-Packard)
HP TouchSmart Spot (HKLM-x32\...\{3D171340-B528-42E0-92E4-BDA7AEEF6F32}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Tap Tap Bear (HKLM-x32\...\{A393CDFF-BEB8-48EA-990D-2EB35B311D23}_is1) (Version: 1.0.0.0 - Hewlett-Packard)
HP TouchSmart Tutorials (HKLM-x32\...\{858FCB65-7C6D-4BA4-AD80-A3CB3744CE09}_is1) (Version: 4.0.0.4 - Hewlett-Packard)
HP TouchSmart Twitter (HKLM-x32\...\{75781594-73D9-4D7B-997F-14D41BF1514E}) (Version: 3.0.4276.30236 - Hewlett-Packard)
HP TouchSmart Video (HKLM-x32\...\InstallShield_{F04BFADD-C8CA-4C86-8F20-B1D7F4F8C66C}) (Version: 4.2.5414 - Hewlett-Packard)
HP TouchSmart Webcam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.2.4214 - Hewlett-Packard)
HP Update (HKLM-x32\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.9.0.0 - Hewlett-Packard)
HP Weather (HKLM-x32\...\{8364E531-493B-4B05-8041-09D5CE38B975}) (Version: 5.1.4295.16450 - Hewlett-Packard)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6349.0 - IDT)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2430 - Intel Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kobo (HKLM-x32\...\Kobo) (Version: 1.6 - Kobo Inc.)
Kofax VirtualReScan 4.50 (HKLM-x32\...\{6A35E74B-68AD-4054-B93A-FEB7B687114C}) (Version: 4.50.032 - Kofax, Inc.)
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3925 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.3925 - CyberLink Corp.) Hidden
Max Uninstaller version 2.0 (HKLM-x32\...\{C7022C9B-4DE0-4A57-B395-ED3BFDB78D73}_is1) (Version: 2.0 - http://www.maxuninstaller.com/)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Access database engine 2010 (English) (HKLM-x32\...\{90140000-00D1-0409-0000-0000000FF1CE}) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.31211.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Touch Pack for Windows 7 (HKLM-x32\...\{8FF90DB8-6DED-44A3-B182-244FEC09012F}) (Version: 1.0.40517.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.0 (HKLM-x32\...\{3898934B-05AE-41CD-96BE-70DA9BFBCE1F}) (Version: 3.0.11010.0 - Microsoft Corporation)
Movie Theme Pack for HP TouchSmart Video (HKLM-x32\...\InstallShield_{3023EBDA-BF1B-4831-B347-E5018555F26E}) (Version: 4.1.4412 - Hewlett-Packard)
Movie Theme Pack for HP TouchSmart Video (x32 Version: 4.1.4412 - Hewlett-Packard) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.97 - WildTangent) Hidden
Namco All-Stars: PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
OneTouch 4.0 (HKLM-x32\...\{AF8B1525-17EF-4D2E-A018-8D79CE260BA8}) (Version: 4.5.9.1125 - Visioneer)
OneTouch 4.0 ScanSoft OmniPage OCR Module (HKLM-x32\...\{34466787-FDAE-4B20-8DC0-72E97F39D237}) (Version: 1.1.0 - Visioneer)
PaperPort Image Printer (HKLM\...\{D16193A3-921A-4134-B381-597C8F4B8EBD}) (Version: 1.00.0000 - Nuance Communications, Inc.)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.54 - PDF Complete, Inc)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.5331 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.5331 - CyberLink Corp.) Hidden
PressReader (HKLM-x32\...\{912CED74-88D3-4C5B-ACB0-132318649765}) (Version: 5.10.1217.0 -  NewspaperDirect Inc.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7601.82 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.4222 - CyberLink Corp.) Hidden
Remote Graphics Receiver (HKLM-x32\...\{16FC3056-90C0-4757-8A68-64D8DA846ADA}) (Version: 5.4.5 - Hewlett-Packard)
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
ScanSoft PaperPort 11 (HKLM-x32\...\{1F68C868-B5AF-4836-8A46-C030BBE1EDB3}) (Version: 11.1.0000 - Nuance Communications, Inc.)
SDK (x32 Version: 2.26.005 - Portrait Displays, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Slingo Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.36897 - TeamViewer)
TSHostedAppLauncher (x32 Version: 5.1.15.0 - Hewlett-Packard) Hidden
Twitter (HKLM-x32\...\{75781594-73D9-4D7B-997F-14D41BF1514D}) (Version:  - )
Vacation Quest - The Hawaiian Islands (x32 Version: 2.2.0.97 - WildTangent) Hidden
VIP Access SDK (1.0.1.4)  (HKLM-x32\...\VIP Access SDK) (Version: 1.0.1.4 - Symantec Inc.)
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
WEB Book and Page Application (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\1095703109.129.71.117.165) (Version:  - 129.71.117.165)
WEB Inquiry SL (HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\4251766495.129.71.117.165) (Version:  - 129.71.117.165)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Xerox DocuMate 3115 Driver (HKLM-x32\...\{E0467788-97EB-46C1-AB39-FB52C12A87DC}) (Version: 4.5.9.1217 - Visioneer)
Zinio Reader 4 (HKLM-x32\...\ZinioReader4) (Version: 4.2.4164 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.2.4164 - Zinio LLC) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-1327840045-3290688519-2440916738-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\AAE\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2015-01-20 18:18 - 00000035 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0A1FDFA5-7BE8-48DB-8A67-4383CD6E649B} - System32\Tasks\Microsoft\Windows\TabletPC\InputPersonalization => C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe [2009-07-13] (Microsoft Corporation)
Task: {273D57E5-EED3-4E25-94A0-B893E2115ACB} - System32\Tasks\HPCeeScheduleForAAE-HP$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {85934C2A-918C-4B23-8FB3-13EA0873454F} - System32\Tasks\HPCeeScheduleForAAE => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-14] (Hewlett-Packard)
Task: {932DDD87-F82B-4D2E-A4BD-0C67E4CB1C71} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe
Task: {CAF01302-55FC-467B-B41A-85D5D47C149C} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS.exe
Task: C:\Windows\Tasks\HPCeeScheduleForAAE-HP$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\HPCeeScheduleForAAE.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============

2015-01-06 04:51 - 2015-01-06 04:51 - 00159744 _____ () C:\Program Files (x86)\NVIDIA Corporation\Updates\NvdUpd.exe
2011-10-12 17:24 - 2011-06-26 21:16 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-05-14 11:45 - 2014-05-14 11:45 - 00090624 _____ () C:\Program Files (x86)\PasswordBox\libwebsocketswin32.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00750080 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2015-01-20 19:41 - 2015-01-20 19:41 - 00043008 _____ () c:\users\aae\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpqvgqxu.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00047616 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\libEGL.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00863744 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2014-10-21 19:22 - 2014-10-21 19:22 - 00200704 _____ () C:\Users\AAE\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: BeatsOSDApp => C:\Program Files\IDT\WDM\beats64.exe
MSCONFIG\startupreg: DT HPO => C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -HPO
MSCONFIG\startupreg: IndexSearch => "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
MSCONFIG\startupreg: OtShot => C:\Program Files (x86)\OtShot\otshot.exe -minimize
MSCONFIG\startupreg: PaperPort PTD => "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
MSCONFIG\startupreg: PDF Complete => C:\Program Files (x86)\PDF Complete\pdfsty.exe
MSCONFIG\startupreg: PPort11reminder => "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini
MSCONFIG\startupreg: SSBkgdUpdate => "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
MSCONFIG\startupreg: {d2a27cfe-9e0f-67df-a243-e42601bc0d6c} => "C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe"

========================= Accounts: ==========================

AAE (S-1-5-21-1327840045-3290688519-2440916738-1000 - Administrator - Enabled) => C:\Users\AAE
Administrator (S-1-5-21-1327840045-3290688519-2440916738-500 - Administrator - Disabled)
Guest (S-1-5-21-1327840045-3290688519-2440916738-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1327840045-3290688519-2440916738-1003 - Limited - Enabled)
Scanner (S-1-5-21-1327840045-3290688519-2440916738-1004 - Administrator - Enabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/20/2015 07:26:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x19a8
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/20/2015 03:58:43 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 9.0.8112.16599 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 193c

Start Time: 01d034f3c530afee

Termination Time: 16

Application Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Report Id:

Error: (01/20/2015 01:20:45 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft Outlook: Rejected Safe Mode action : Outlook experienced a serious problem with the 'acrobat pdfmaker office com addin' add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?.
Rejected Safe Mode action : Microsoft Outlook.

Error: (01/20/2015 00:49:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b
Faulting module name: IEFRAME.dll, version: 9.0.8112.16599, time stamp: 0x547396ec
Exception code: 0xc0000005
Fault offset: 0x001a8290
Faulting process id: 0x1018
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/20/2015 11:06:08 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 9.0.8112.16599, time stamp: 0x5473964b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0x1428
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/20/2015 00:04:47 AM) (Source: Windows Backup) (EventID: 4100) (User: )
Description: Backup did not complete successfully because a shadow copy could not be created. Free up disk space on the drive that you are backing up by deleting unnecessary files and then try again.

Error: (01/20/2015 00:04:26 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:17 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:09 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: Volume Shadow Copy Service error: Unexpected error DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0]).  hr = 0x8007045d, The request could not be performed because of an I/O device error.
.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

System errors:
=============
Error: (01/20/2015 07:47:38 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Intel® Management and Security Application User Notification Service service hung on starting.

Error: (01/20/2015 07:45:38 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (01/20/2015 04:02:54 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (01/20/2015 03:57:35 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/20/2015 03:55:48 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x00000050 (0xfffff8a00b5b8000, 0x0000000000000000, 0xfffff800030e45aa, 0x0000000000000000)C:\Windows\Minidump\012015-15366-01.dmp012015-15366-01

Error: (01/20/2015 02:56:04 PM) (Source: DCOM) (EventID: 10016) (User: AAE-HP)
Description: machine-defaultLocalActivation{9BA05972-F6A8-11CF-A442-00A0C90A8F39}{9BA05972-F6A8-11CF-A442-00A0C90A8F39}AAE-HPAAES-1-5-21-1327840045-3290688519-2440916738-1000LocalHost (Using LRPC)

Error: (01/20/2015 10:59:38 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/20/2015 09:57:09 AM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x00000050 (0xfffff8a0139d2000, 0x0000000000000000, 0xfffff800031375aa, 0x0000000000000000)C:\Windows\Minidump\012015-27300-01.dmp012015-27300-01

Error: (01/20/2015 09:57:07 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 9:55:52 AM on ‎1/‎20/‎2015 was unexpected.

Error: (01/20/2015 09:52:42 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Microsoft Office Sessions:
=========================
Error: (01/20/2015 07:26:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe9.0.8112.165995473964bunknown0.0.0.000000000c00000050000000019a801d03510ecd1b5edC:\Program Files (x86)\Internet Explorer\iexplore.exeunknown2be9a076-a104-11e4-8e65-386077ed3287

Error: (01/20/2015 03:58:43 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe9.0.8112.16599193c01d034f3c530afee16C:\Program Files (x86)\Internet Explorer\iexplore.exe

Error: (01/20/2015 01:20:45 PM) (Source: Microsoft Office 14) (EventID: 2001) (User: )
Description: Microsoft OutlookOutlook experienced a serious problem with the 'acrobat pdfmaker office com addin' add-in. If you have seen this message multiple times, you should disable this add-in and check to see if an update is available. Do you want to disable this add-in?

Error: (01/20/2015 00:49:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe9.0.8112.165995473964bIEFRAME.dll9.0.8112.16599547396ecc0000005001a8290101801d034d9619c3162C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Windows\system32\IEFRAME.dlla4bb1266-a0cc-11e4-9958-386077ed3287

Error: (01/20/2015 11:06:08 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe9.0.8112.165995473964bunknown0.0.0.000000000c000000500000000142801d034caff9546c6C:\Program Files (x86)\Internet Explorer\iexplore.exeunknown3e5ec72b-a0be-11e4-9958-386077ed3287

Error: (01/20/2015 00:04:47 AM) (Source: Windows Backup) (EventID: 4100) (User: )
Description: A shadow copy could not be created. Please check "VSS" and "SPP" application event logs for more information. (0x81000019)

Error: (01/20/2015 00:04:26 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:17 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:09 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000100,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

Error: (01/20/2015 00:04:00 AM) (Source: VSS) (EventID: 12289) (User: )
Description: DeviceIoControl(\\?\Volume{8eaf15f6-9e68-11e1-be32-806e6f6e6963} - 0000000000000190,0x0053c06c,00000000003741B0,0,0000000000368B30,4096,[0])0x8007045d, The request could not be performed because of an I/O device error.

Operation:
   Automatically choosing a diff-area volume
   Processing EndPrepareSnapshots

Context:
   Execution Context: System Provider

==================== Memory info ===========================

Processor: Intel® Core™ i3-2120 CPU @ 3.30GHz
Percentage of memory in use: 42%
Total physical RAM: 4000.31 MB
Available physical RAM: 2315.6 MB
Total Pagefile: 8000.62 MB
Available Pagefile: 6139 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:916.71 GB) (Free:750.27 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:14.71 GB) (Free:1.81 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive z: (My Passport (JEN)) (Fixed) (Total:931.48 GB) (Free:0.01 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 0C983697)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=916.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: A74F124D)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#15 Machiavelli

    Agent 007

  • Malware Response Instructor
  • 3,883 posts
  • Gender:Male
  • Location:Germany

Posted 21 January 2015 - 12:47 AM

Hey, :)

First,
  • Please open Notepad.exe. Make sure that you don't use any other software than Notepad.exe!
  • Copy and paste the content of the codebox below into the empty text file:

    HKU\S-1-5-21-1327840045-3290688519-2440916738-1000\...\Run: [{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}] => "C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}.exe"
    C:\ProgramData\Microsoft\{d2a27cfe-9e0f-67df-a243-e42601bc0d6c}
  • Then click on File >> Save as
    • File Name: Fixlist.txt
    • From the Save as type drop down list, choose All Files
  • It is very important that you save this text file on your Desktop!
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe (Note: If FRST advises there is a new updated version to be downloaded, allow this.) and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
Then,
  • Run FRST. (If you have Windows Vista / Windows 7 / Windows 8, please right-click the FRST icon and select Run as Administrator.)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

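As an added defender-side check, not part of Machiavelli's post or of FRST, the following PowerShell lists autostart entries in the user and machine Run keys that match the shape of the entry the fixlist above removes: a GUID-named value whose command points under C:\ProgramData. The key paths, the GUID regex and the function name are assumptions of this example.

```powershell
# Added example, not part of the thread or of FRST: a read-only check that
# lists Run entries whose value name is a bare GUID and/or whose command
# points into C:\ProgramData, the shape of the entry the fixlist above removes.
# Run as the affected user (HKCU: is that user's hive, shown as
# HKU\S-1-5-21-... in the FRST log); it reports only and deletes nothing.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, braces optional
$guidPattern = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'

function Get-SuspiciousRunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [string]$p.Value
            $guidName = $p.Name -match $guidPattern
            $inProgramData = $cmd -match '(?i)[\\/]ProgramData[\\/]'
            if (-not ($guidName -or $inProgramData)) { continue }
            $reason = @()
            if ($guidName) { $reason += 'GUID-named value' }
            if ($inProgramData) { $reason += 'target under ProgramData' }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Reason  = ($reason -join '; ')
            }
        }
    }
}

Get-SuspiciousRunEntry | Format-Table -AutoSize -Wrap
```

Legitimate software occasionally starts from ProgramData, so treat a hit as a lead to compare against the FRST log rather than as proof of infection by itself.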