EmieBrowserModeList Virus Removal


  • This topic is locked
41 replies to this topic

#1 hep3

Posted 09 March 2015 - 02:32 PM

My computer appears to be infected with what I'm calling the "EmieBrowserModeList Virus", or "Emie" for short. I was unable to find a commonly used name in my research. However, there are a number of forum topics on BleepingComputer which seem to be about the same problem, the links to which are:

Emie's symptoms include the following:

  1. Three folders in each of two locations, which are either empty or contain a "container.dat" file of 0 KB size, and which, upon deletion, reappear upon rebooting the computer. The folders are: EmieBrowserModeList, EmieSiteList, and EmieUserList. The locations are: C:\Users\Hank\AppData\Local\ and C:\Users\Hank\AppData\LocalLow\.
  2. The computer bogs down several times a day, especially when Google Chrome is open.

Emie exists despite having a firewall and Norton Internet Security.

 

The following applications have not identified and/or fixed the virus: Malwarebytes Anti-Malware, AdwCleaner, Malicious Software Removal Tool (full scan), and RogueKiller. No changes were made to the registry. FRST seems promising as a potential cure, but as a layman I couldn't interpret the output confidently, and I am certainly not qualified to run a fixlist. This is where I hope you can help.

 

FRST.txt follows

 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 08-03-2015 03
Ran by Hank (administrator) on HANK-DESKTOP on 09-03-2015 14:12:14
Running from C:\1 Allwork\1 EmieBrowserModeList\Malware Scanning & Removal Programs\Farbar Recovery Scan Tool FRST
Loaded Profiles: Hank & UpdatusUser (Available profiles: Hank & UpdatusUser & Administrator)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft) C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe
(Microsoft) C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
() C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5503768 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\...\MountPoints2: {1bfbc185-c404-11e3-b7cb-806e6f6e6963} - E:\Welcome.exe
HKU\S-1-5-18\...\Run: [DevconDefaultDB] => C:\Windows\system32\READREG /SILENT /FAIL=1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Users\Hank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-488345948-2998503178-2589646183-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2014-01-24] (CANON INC.)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-05] (IvoSoft)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll [2014-09-20] (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL [2014-07-23] (Symantec Corporation)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2013-07-31] (Logitech, Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll [2014-09-20] (Symantec Corporation)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-05] (IvoSoft)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2014-01-24] (CANON INC.)
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\ExpressView\expressview.dll [2013-07-09] (LizardTech)
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\ExpressView\expressview.dll [2013-07-09] (LizardTech)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:
========
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)
FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll [2014-08-12] (Google, Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Plugin: Lizardtech ExpressViewPlugin -> C:\Program Files\LizardTech\ExpressView\npexview.dll [2013-07-09] (LizardTech)
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF [2014-04-14]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn [2015-03-09]
FF HKLM\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2014-04-24]
 
Chrome: 
=======
CHR Profile: C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-15]
CHR Extension: (YouTube) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-15]
CHR Extension: (Google Search) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-15]
CHR Extension: (AdBlock) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-04-15]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-08]
CHR Extension: (Google Wallet) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-15]
CHR Extension: (Gmail) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-15]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-28]
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 MouseWithoutBordersSvc; C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe [27872 2012-12-28] (Microsoft)
R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\BASHDefs\20150224.001\BHDrvx86.sys [1164504 2015-02-02] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1506000.020\ccSetx86.sys [127064 2014-02-24] (Symantec Corporation)
R3 COMMONFX.DLL; C:\Windows\System32\COMMONFX.DLL [98600 2007-04-18] (Creative Technology Ltd)
S3 CT20XUT.DLL; C:\Windows\System32\CT20XUT.DLL [164608 2007-04-12] (Creative Technology Ltd.)
R3 CTAUDFX.DLL; C:\Windows\System32\CTAUDFX.DLL [546048 2007-04-12] (Creative Technology Ltd)
S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [347128 2007-04-10] (Creative Technology Ltd)
S3 CTEAPSFX.DLL; C:\Windows\System32\CTEAPSFX.DLL [168192 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPFX.DLL; C:\Windows\System32\CTEDSPFX.DLL [280320 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPIO.DLL; C:\Windows\System32\CTEDSPIO.DLL [128768 2007-04-12] (Creative Technology Ltd)
S3 CTEDSPSY.DLL; C:\Windows\System32\CTEDSPSY.DLL [323328 2007-04-12] (Creative Technology Ltd)
S3 CTERFXFX.DLL; C:\Windows\System32\CTERFXFX.DLL [94976 2007-04-12] (Creative Technology Ltd)
S3 CTEXFIFX.DLL; C:\Windows\System32\CTEXFIFX.DLL [1317632 2007-04-12] (Creative Technology Ltd.)
S3 CTHWIUT.DLL; C:\Windows\System32\CTHWIUT.DLL [66816 2007-04-12] (Creative Technology Ltd.)
R3 CTSBLFX.DLL; C:\Windows\System32\CTSBLFX.DLL [560384 2007-04-12] (Creative Technology Ltd)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2015-02-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-11] (Symantec Corporation)
R3 ha10kx2k; C:\Windows\System32\drivers\ha10kx2k.sys [797992 2007-04-10] (Creative Technology Ltd)
R3 hap16v2k; C:\Windows\System32\drivers\hap16v2k.sys [163112 2007-04-10] (Creative Technology Ltd)
S3 hap17v2k; C:\Windows\System32\drivers\hap17v2k.sys [189736 2007-04-10] (Creative Technology Ltd)
R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\IPSDefs\20150306.001\IDSvix86.sys [503512 2015-02-04] (Symantec Corporation)
R3 IntelC51; C:\Windows\System32\DRIVERS\IntelC51.sys [1339776 2005-05-06] (Intel Corporation)
R3 IntelC52; C:\Windows\System32\DRIVERS\IntelC52.sys [618880 2006-03-02] (Intel Corporation)
R3 IntelC53; C:\Windows\System32\DRIVERS\IntelC53.sys [47360 2005-05-06] (Intel Corporation)
R3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [42264 2013-05-23] (Logitech, Inc.)
R3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [10136 2013-05-23] (Logitech, Inc.)
R3 mohfilt; C:\Windows\System32\DRIVERS\mohfilt.sys [36880 2005-05-06] (Intel Corporation)
R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20150308.039\NAVENG.SYS [95704 2015-02-11] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20150308.039\NAVEX15.SYS [1636696 2015-02-11] (Symantec Corporation)
R2 PMEM; C:\Windows\system32\drivers\pmemnt.sys [7168 1999-03-08] (Microsoft Corporation) [File not signed]
R3 SRTSP; C:\Windows\System32\Drivers\NIS\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NIS\1506000.020\SYMDS.SYS [367704 2013-10-30] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1506000.020\SYMEFA.SYS [936152 2014-03-04] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-04-14] (Symantec Corporation)
R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [63576 2013-10-30] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NIS\1506000.020\SYMNETS.SYS [447704 2014-02-17] (Symantec Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-09 13:52 - 2015-03-05 16:54 - 01132544 _____ (Farbar) C:\Users\Hank\Desktop\FRST.exe
2015-03-09 07:51 - 2015-03-09 07:51 - 00001179 _____ () C:\Users\Hank\Desktop\SecurityCheck.lnk
2015-03-08 15:13 - 2015-03-08 15:17 - 00000000 ____D () C:\Users\Hank\AppData\Local\File Viewer
2015-03-08 15:13 - 2015-03-08 15:13 - 00000000 ____D () C:\Program Files\File Identifier
2015-03-08 15:12 - 2015-03-08 15:12 - 00000985 _____ () C:\Users\Public\Desktop\File Viewer Lite.lnk
2015-03-08 15:12 - 2015-03-08 15:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\File Viewer Lite
2015-03-08 15:12 - 2015-03-08 15:12 - 00000000 ____D () C:\Program Files\File Viewer Lite
2015-03-08 11:56 - 2015-03-08 11:56 - 00000000 __SHD () C:\Users\Hank\AppData\Local\EmieUserList
2015-03-08 11:56 - 2015-03-08 11:56 - 00000000 __SHD () C:\Users\Hank\AppData\Local\EmieSiteList
2015-03-08 11:56 - 2015-03-08 11:56 - 00000000 __SHD () C:\Users\Hank\AppData\Local\EmieBrowserModeList
2015-03-08 10:03 - 2015-03-08 12:18 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-03-08 10:03 - 2015-03-08 11:49 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-03-07 11:34 - 2015-03-07 11:34 - 00000000 ____D () C:\KVRT_Data
2015-03-07 10:43 - 2015-03-07 10:43 - 00000965 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-03-07 10:43 - 2015-03-07 10:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-03-07 10:43 - 2015-03-07 10:43 - 00000000 ____D () C:\Program Files\CCleaner
2015-03-06 18:56 - 2015-03-06 18:57 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-06 18:56 - 2015-03-06 18:56 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-06 18:56 - 2015-03-06 18:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-06 18:56 - 2015-03-06 18:56 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-03-06 18:56 - 2015-03-06 18:56 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-03-06 18:56 - 2014-11-21 07:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-03-06 18:56 - 2014-11-21 07:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-03-06 18:56 - 2014-11-21 07:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-03-06 18:04 - 2015-03-06 18:48 - 00000000 ____D () C:\AdwCleaner
2015-03-06 14:36 - 2015-03-06 14:41 - 00002201 _____ () C:\Users\Administrator\Desktop\Google Chrome.lnk
2015-03-06 14:36 - 2015-03-06 14:36 - 00121864 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2015-03-06 14:36 - 2015-03-06 14:36 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google
2015-03-06 14:35 - 2015-03-06 14:36 - 00000000 ____D () C:\Users\Administrator
2015-03-06 14:35 - 2015-03-06 14:35 - 00001413 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-03-06 14:35 - 2015-03-06 14:35 - 00000020 ___SH () C:\Users\Administrator\ntuser.ini
2015-03-06 14:35 - 2015-03-06 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe
2015-03-06 14:35 - 2014-04-15 03:07 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Microsoft Help
2015-03-06 14:35 - 2009-07-14 00:42 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-06 14:35 - 2009-07-14 00:37 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-03-05 16:58 - 2015-03-09 14:12 - 00000000 ____D () C:\FRST
2015-03-01 17:00 - 2015-03-01 17:00 - 00000078 _____ () C:\Windows\system32\HANK-DESKTOP.Windows 7 Home Premium, 32-bit Service Pack 1 (build 7601).txt
2015-03-01 17:00 - 2015-03-01 17:00 - 00000000 ____D () C:\Windows\RegBak
2015-03-01 13:44 - 2015-03-01 13:44 - 00000898 _____ () C:\Users\Hank\Desktop\regbak.chm.lnk
2015-03-01 13:42 - 2015-03-01 13:42 - 00001353 _____ () C:\Users\Hank\Desktop\regbak.exe.lnk
2015-02-25 22:03 - 2015-01-08 19:44 - 00419936 _____ () C:\Windows\system32\locale.nls
2015-02-25 15:53 - 2015-01-08 22:48 - 00635904 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll
2015-02-25 15:53 - 2015-01-08 22:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll
2015-02-25 15:53 - 2015-01-08 22:48 - 00027136 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll
2015-02-12 07:14 - 2015-01-22 23:43 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-02-12 07:14 - 2015-01-22 23:17 - 04300800 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-02-11 07:36 - 2015-01-15 03:46 - 00136640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-02-11 07:36 - 2015-01-15 03:46 - 00067520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-02-11 07:36 - 2015-01-15 03:43 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-02-11 07:36 - 2015-01-15 03:43 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-02-11 07:36 - 2015-01-15 03:42 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-02-11 07:36 - 2015-01-15 03:42 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-02-11 07:36 - 2015-01-15 03:42 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-02-11 07:36 - 2015-01-15 03:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-02-11 07:36 - 2015-01-15 03:39 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-02-11 07:36 - 2015-01-15 03:39 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-02-11 07:36 - 2015-01-15 03:37 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-02-11 07:36 - 2015-01-15 00:21 - 00369968 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-02-11 07:36 - 2015-01-08 21:45 - 02380288 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-02-11 07:35 - 2015-02-03 22:54 - 00482304 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-02-11 07:35 - 2015-02-03 22:53 - 00767488 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-02-11 07:35 - 2015-02-03 22:53 - 00621056 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-02-11 07:35 - 2015-02-03 22:53 - 00325632 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-02-11 07:35 - 2015-02-03 22:53 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-02-11 07:35 - 2015-02-03 22:53 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-02-11 07:35 - 2015-02-03 22:49 - 00886784 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-02-11 07:35 - 2015-01-27 19:36 - 01167520 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2015-02-11 07:35 - 2015-01-14 01:44 - 03972544 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-02-11 07:35 - 2015-01-14 01:44 - 03917760 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-02-11 07:35 - 2015-01-14 01:09 - 00342712 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-02-11 07:35 - 2015-01-11 22:21 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-02-11 07:35 - 2015-01-11 22:21 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-02-11 07:35 - 2015-01-11 22:07 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-02-11 07:35 - 2015-01-11 22:07 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-02-11 07:35 - 2015-01-11 22:00 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-02-11 07:35 - 2015-01-11 21:59 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-02-11 07:35 - 2015-01-11 21:55 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-02-11 07:35 - 2015-01-11 21:55 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-02-11 07:35 - 2015-01-11 21:48 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-02-11 07:35 - 2015-01-11 21:45 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-02-11 07:35 - 2015-01-11 21:40 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-02-11 07:35 - 2015-01-11 21:36 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-02-11 07:35 - 2015-01-11 21:23 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-02-11 07:35 - 2015-01-11 21:23 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-02-11 07:35 - 2015-01-11 21:23 - 00684544 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-02-11 07:35 - 2015-01-11 21:00 - 01888256 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-02-11 07:35 - 2015-01-11 20:56 - 01307136 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-02-11 07:35 - 2015-01-11 20:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-02-11 07:35 - 2015-01-10 02:27 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-02-11 07:35 - 2015-01-10 02:27 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-02-11 07:35 - 2015-01-10 02:27 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-02-11 07:35 - 2015-01-10 02:27 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-02-11 07:35 - 2015-01-10 02:27 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-02-11 07:35 - 2015-01-10 02:27 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-02-11 07:35 - 2015-01-10 02:27 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-02-11 07:35 - 2014-11-25 23:32 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2015-02-11 07:35 - 2014-10-03 21:42 - 03221504 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-02-11 07:35 - 2014-10-03 21:42 - 00131584 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll
2015-02-11 07:34 - 2015-01-11 22:25 - 19740160 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-02-11 07:34 - 2015-01-11 22:08 - 00503296 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-02-11 07:34 - 2015-01-11 22:05 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-02-11 07:34 - 2015-01-11 22:02 - 02277888 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-02-11 07:34 - 2015-01-11 21:57 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-02-11 07:34 - 2015-01-11 21:35 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-02-11 07:34 - 2015-01-11 21:33 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-02-11 07:34 - 2015-01-11 21:22 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-02-11 07:34 - 2015-01-11 21:14 - 12829184 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-02-11 07:34 - 2014-12-12 01:07 - 01174528 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-02-11 07:34 - 2014-12-07 22:46 - 00308224 _____ (Microsoft Corporation) C:\Windows\system32\scesrv.dll
2015-02-11 07:33 - 2015-01-12 22:49 - 01230336 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-02-10 11:30 - 2015-02-10 11:30 - 00002503 _____ () C:\Users\Public\Desktop\TurboTax 2014.lnk
2015-02-10 11:30 - 2015-02-10 11:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2014
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-03-09 14:11 - 2014-04-15 01:09 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-09 13:16 - 2014-04-14 14:43 - 01630651 _____ () C:\Windows\WindowsUpdate.log
2015-03-09 08:11 - 2014-04-15 01:09 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-09 04:29 - 2009-07-14 00:34 - 00028944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-09 04:29 - 2009-07-14 00:34 - 00028944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-09 04:27 - 2010-11-20 17:01 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-09 04:21 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-09 04:21 - 2009-07-14 00:39 - 00047753 _____ () C:\Windows\setupact.log
2015-03-08 07:24 - 2010-11-20 17:48 - 00031590 _____ () C:\Windows\PFRO.log
2015-03-07 10:53 - 2014-08-08 06:23 - 00000000 ____D () C:\Windows\Minidump
2015-03-07 10:53 - 2014-05-08 07:38 - 00000000 ____D () C:\Users\Hank\AppData\Local\CrashDumps
2015-03-06 15:03 - 2014-04-27 05:39 - 00000000 ___HD () C:\1 Allwork
2015-03-06 14:36 - 2009-07-14 00:46 - 00001515 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-03-01 13:35 - 2006-10-16 07:43 - 00000000 ____D () C:\unzipped
2015-02-26 08:13 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\tracing
2015-02-18 16:34 - 2014-04-14 22:00 - 00000000 ____D () C:\Program Files\Wisdom-soft ScreenHunter 6.0 Free
2015-02-15 17:57 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache
2015-02-12 16:11 - 2014-05-13 10:41 - 00000000 ____D () C:\Users\Hank\Documents\TurboTax
2015-02-12 06:57 - 2009-07-14 00:33 - 00447728 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-02-12 06:55 - 2014-12-11 09:28 - 00000000 ____D () C:\Windows\system32\appraiser
2015-02-12 06:55 - 2014-05-06 07:04 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-02-11 20:32 - 2014-04-14 01:10 - 00000000 ____D () C:\Windows\system32\MRT
2015-02-11 20:22 - 2014-04-15 01:21 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-02-10 11:35 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2015-02-10 11:32 - 2014-05-13 10:41 - 00000590 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2015-02-10 11:26 - 2014-05-13 10:34 - 00000000 ____D () C:\Program Files\TurboTax
 
==================== Files in the root of some directories =======
 
2014-05-13 10:41 - 2015-02-10 11:32 - 0000590 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
 
Files to move or delete:
====================
C:\Users\Hank\cnmss Canon MX920 series Printer (Local).dll
 
 
Some content of TEMP:
====================
C:\Users\Hank\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-03-08 00:39
 
==================== End Of Log ============================
 
Addition.txt
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 08-03-2015 03
Ran by Hank at 2015-03-09 14:13:18
Running from C:\1 Allwork\1 EmieBrowserModeList\Malware Scanning & Removal Programs\Farbar Recovery Scan Tool FRST
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Norton Internet Security (Disabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
AS: Norton Internet Security (Disabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.22beta (HKLM\...\7-Zip) (Version:  - )
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
ArcSoft Software Suite (HKLM\...\ArcSoft Software Suite) (Version:  - )
Audacity 2.0.5 (HKLM\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
Canon Easy-WebPrint EX (HKLM\...\Easy-WebPrint EX) (Version: 1.4.1.0 - Canon Inc.)
Canon IJ Network Scanner Selector EX (HKLM\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - Canon Inc.)
Canon IJ Network Tool (HKLM\...\Canon_IJ_Network_UTILITY) (Version: 3.2.0 - Canon Inc.)
Canon IJ Scan Utility (HKLM\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MX920 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX920_series) (Version: 1.00 - Canon Inc.)
Canon MX920 series On-screen Manual (HKLM\...\Canon MX920 series On-screen Manual) (Version: 7.6.0 - Canon Inc.)
Canon MX920 series User Registration (HKLM\...\Canon MX920 series User Registration) (Version:  - Canon Inc.)
Canon My Printer (HKLM\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
Canon Quick Menu (HKLM\...\CanonQuickMenu) (Version: 2.1.0 - Canon Inc.)
Canon Speed Dial Utility (HKLM\...\Speed Dial Utility) (Version: 1.3.0 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.03 - Piriform)
Classic Shell (HKLM\...\{BF43C874-9793-40DC-B2F4-C87C360E8CE1}) (Version: 4.0.6 - IvoSoft)
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
DeleteOnClick (HKLM\...\DeleteOnClick_is1) (Version:  - 2BrightSparks)
EncryptOnClick (HKLM\...\EncryptOnClick_is1) (Version:  - 2BrightSparks)
eReg (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Extended Asian Language font pack for Adobe Reader XI (HKLM\...\{AC76BA86-7AD7-2530-0000-A00000000049}) (Version: 11.0.09 - Adobe Systems Incorporated)
File Identifier (HKLM\...\{C257E434-E8F1-4E06-A616-598E4933553E}_is1) (Version: 1.0.8 - Sharpened Productions)
File Viewer Lite (HKLM\...\{C8B24B83-920A-446E-B027-38F72C9D8898}_is1) (Version: 1.3.2 - Sharpened Productions)
FindOnClick (HKLM\...\FindOnClick_is1) (Version: 2.5.0.0 - 2BrightSparks)
Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.76 - Google Inc.)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden
HashOnClick (HKLM\...\HashOnClick_is1) (Version:  - 2BrightSparks)
Image Resizer for Windows (HKLM\...\{69d72156-6582-4556-8637-06f40aa7f85b}) (Version: 3.0.4802.35565 - Brice Lambson)
Image Resizer for Windows (Version: 3.0.4802.35565 - Brice Lambson) Hidden
Intel® 537EP V9x DF PCI Modem (HKLM\...\Intel® 537EP V9x DF PCI Modem) (Version:  - )
LizardTech ExpressView Browser Plug-in (HKLM\...\{74843B9D-9C66-4E5F-B75B-9C3D4A3ECABB}) (Version: 6.5.1 - LizardTech)
Logitech SetPoint 6.61 (HKLM\...\sp6) (Version: 6.61.15 - Logitech)
Lotus SmartSuite - English (HKLM\...\{536D6172-7453-7569-7465-392E37300409}) (Version: 9.7.0 - Lotus Development Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Garage Mouse without Borders (HKLM\...\{D3BC954F-D661-474C-B367-30EB6E56542E}) (Version: 2.1.2.1212 - Microsoft Garage)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Nikon View 5 (HKLM\...\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}) (Version:  - )
Norton Bootable Recovery Tool Wizard (HKLM\...\NBRTWizard) (Version: 6.0.0.74 - Symantec Corporation)
Norton Internet Security (HKLM\...\NIS) (Version: 21.6.0.32 - Symantec Corporation)
NVIDIA Graphics Driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
OfficeSharedAddInSetup (HKLM\...\{3D316CFB-1825-4030-A13A-29D18DC6B177}) (Version: 1.0.0 - Smart Soft)
OnClick Help (HKLM\...\OnClick Help_is1) (Version:  - 2BrightSparks)
PatchOnClick (HKLM\...\PatchOnClick_is1) (Version:  - 2BrightSparks)
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
QuickTime (HKLM\...\QuickTime) (Version:  - )
ScrambleOnClick (HKLM\...\ScrambleOnClick_is1) (Version: 1.3.0.0 - 2BrightSparks Pte Ltd)
Smart PDF Creator Pro 6.3.0.467 (HKLM\...\Smart PDF Creator Pro_is1) (Version: 6.3.0.467 - Smart Soft)
SyncBackFree (HKLM\...\SyncBackFree_is1) (Version: 6.3.13.0 - 2BrightSparks)
SyncBackSE (HKLM\...\SyncBackSE_is1) (Version: 6.5.30.0 - 2BrightSparks)
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2014 (HKLM\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
UndeleteOnClick (HKLM\...\UndeleteOnClick_is1) (Version:  - 2BrightSparks)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
WinTasks (HKLM\...\{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}) (Version: 5.03 - Uniblue Systems Ltd)
WinZip (HKLM\...\WinZip) (Version:  8.1  (4331) - WinZip Computing, Inc.)
Wisdom-soft ScreenHunter 6.0 Free (HKLM\...\Wisdom-soft ScreenHunter 6.0 Free) (Version:  - Wisdom Software Inc.)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
25-02-2015 22:03:01 Windows Update
03-03-2015 13:06:49 Pre EMIE Restore Point
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {1755B8DA-0E73-4E32-BAEF-7418C5BDE99E} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {249C00B0-68DE-49B2-8DAB-640D9E67A936} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {42A1069B-5F94-42FB-A561-8539C0B0B32B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-04-15] (Google Inc.)
Task: {66614EBB-0049-4223-9335-BB18C0160F98} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-02-19] (Piriform Ltd)
Task: {B5381C9E-3375-4F74-803E-60D4EDE4FB8F} - System32\Tasks\{A529644E-C7AE-40E3-8921-9C4A2C4BA3EA} => pcalua.exe -a E:\Welcome.exe -d E:\
Task: {B74F78E5-4BC9-4814-BE41-EFF533BF846B} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {D140E975-DBD2-4F84-8D11-903FE5BD6BDA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-04-15] (Google Inc.)
Task: {E6ABA05F-36B2-4F4A-B408-EF07B487A3B1} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe [2014-09-21] (Symantec Corporation)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2014-04-14 00:16 - 2013-01-31 05:00 - 00079648 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
2014-04-15 02:52 - 2011-12-12 13:42 - 00281304 _____ () C:\Program Files\Smart PDF Creator Pro\ExplorerExt.dll
2012-12-28 10:44 - 2012-12-28 10:44 - 00039648 _____ () C:\Program Files\Microsoft Garage\Mouse without Borders\MousewithoutBordersHelper.exe
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-488345948-2998503178-2589646183-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-488345948-2998503178-2589646183-501 - Limited - Enabled)
Hank (S-1-5-21-488345948-2998503178-2589646183-1000 - Administrator - Enabled) => C:\Users\Hank
HomeGroupUser$ (S-1-5-21-488345948-2998503178-2589646183-1003 - Limited - Enabled)
UpdatusUser (S-1-5-21-488345948-2998503178-2589646183-1001 - Limited - Enabled) => C:\Users\UpdatusUser
 
==================== Faulty Device Manager Devices =============
 
Name: PCI Input Device
Description: PCI Input Device
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/09/2015 04:23:03 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/08/2015 06:49:13 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/08/2015 11:53:10 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/08/2015 07:26:02 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/08/2015 00:40:36 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (03/07/2015 05:58:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/06/2015 07:13:57 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/06/2015 06:42:37 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/06/2015 06:35:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/06/2015 04:35:43 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (03/08/2015 05:41:39 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.
 
Error: (03/08/2015 04:39:06 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
 
Error: (03/08/2015 04:29:35 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
 
Error: (03/08/2015 04:10:44 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
 
Error: (03/08/2015 03:58:32 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}
 
Error: (03/08/2015 03:58:27 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.
 
Error: (03/08/2015 11:54:22 AM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{77730859-EDB0-42C7-9357-6F0C0A988A37}.
The backup browser is stopping.
 
Error: (03/08/2015 10:07:39 AM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{77730859-EDB0-42C7-9357-6F0C0A988A37}.
The backup browser is stopping.
 
Error: (03/07/2015 00:54:04 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
 
Error: (03/06/2015 07:15:22 PM) (Source: BROWSER) (EventID: 8032) (User: )
Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{77730859-EDB0-42C7-9357-6F0C0A988A37}.
The backup browser is stopping.
 
 
Microsoft Office Sessions:
=========================
Error: (09/28/2014 02:19:17 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 20585 seconds with 60 seconds of active time.  This session ended with a crash.
 
Error: (07/11/2014 03:21:07 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 6456 seconds with 3600 seconds of active time.  This session ended with a crash.
 
Error: (05/23/2014 11:37:36 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6695.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 18 seconds with 0 seconds of active time.  This session ended with a crash.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® 4 CPU 3.20GHz
Percentage of memory in use: 37%
Total physical RAM: 2046.16 MB
Available physical RAM: 1286.67 MB
Total Pagefile: 4092.33 MB
Available Pagefile: 2966.9 MB
Total Virtual: 2047.88 MB
Available Virtual: 1910.08 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:71.26 GB) (Free:7.03 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive f: (2nd Hard Drive) (Fixed) (Total:931.51 GB) (Free:851.27 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 03E280A1)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: D0F4738C)
Partition 1: (Not Active) - (Size=63 MB) - (Type=DE)
Partition 2: (Active) - (Size=71.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=3.2 GB) - (Type=DB)
 
==================== End Of Log ============================

#2 HelpBot (Bleepin' Binary Bot)

Posted 14 March 2015 - 02:35 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/569570 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 hep3 (Topic Starter)

Posted 14 March 2015 - 04:00 PM

BC Post

3/14/15

BC Bot

In response to the Bot post:

I'm still in need of assistance. Please refer to my original post for a detailed description of the problem. If you have additional requirements, please let me know.

Per your question: I do have my original Windows CD/DVD available.

The requested reruns of FRST.txt and Addition.txt follow.

FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Hank (administrator) on HANK-DESKTOP on 14-03-2015 17:32:55
Running from C:\1 Allwork\1 EmieBrowserModeList\2 Malware Scanning & Removal Programs\Farbar Recovery Scan Tool FRST
Loaded Profiles: Hank & UpdatusUser (Available profiles: Hank & UpdatusUser & Administrator)
Platform: Microsoft Windows 7 Home Premium  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft) C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe
(Microsoft) C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBorders.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
() C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBordersHelper.exe
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5503768 2015-02-19] (Piriform Ltd)
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\...\MountPoints2: {1bfbc185-c404-11e3-b7cb-806e6f6e6963} - E:\Welcome.exe
HKU\S-1-5-18\...\Run: [DevconDefaultDB] => C:\Windows\system32\READREG /SILENT /FAIL=1
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Users\Hank\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled ()
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-488345948-2998503178-2589646183-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
BHO: Canon Easy-WebPrint EX BHO -> {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} -> C:\Program Files\Canon\Easy-WebPrint EX\ewpexbho.dll [2014-01-24] (CANON INC.)
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-05] (IvoSoft)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll [2014-09-20] (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL [2014-07-23] (Symantec Corporation)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll [2013-07-31] (Logitech, Inc.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll [2014-09-20] (Symantec Corporation)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-05] (IvoSoft)
Toolbar: HKLM - Canon Easy-WebPrint EX - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files\Canon\Easy-WebPrint EX\ewpexhlp.dll [2014-01-24] (CANON INC.)
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\ExpressView\expressview.dll [2013-07-09] (LizardTech)
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\ExpressView\expressview.dll [2013-07-09] (LizardTech)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
FireFox:

========

FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll [2013-10-07] (Google)

FF Plugin: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files\Google\Picasa3\npPicasa3.dll [2014-08-12] (Google, Inc.)

FF Plugin: @microsoft.com/GENUINE -> disabled No File

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)

FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)

FF Plugin: Lizardtech ExpressViewPlugin -> C:\Program Files\LizardTech\ExpressView\npexview.dll [2013-07-09] (LizardTech)

FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF

FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\IPSFF [2014-04-14]

FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn

FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.2.0.38\coFFPlgn [2015-03-14]

FF HKLM\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt

FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2014-04-24]


Chrome: 

=======

CHR HomePage: Default -> https://www.google.com/

CHR StartupUrls: Default -> "https://www.google.com/"

CHR Profile: C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Drive) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-15]

CHR Extension: (YouTube) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-15]

CHR Extension: (Google Search) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-15]

CHR Extension: (AdBlock) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-04-15]

CHR Extension: (New Tab Redirect) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2015-03-12]

CHR Extension: (Cookies) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\iphcomljdfghbkdcfndaijbokpgddeno [2015-03-13]

CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-08]

CHR Extension: (Google Wallet) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-15]

CHR Extension: (Gmail) - C:\Users\Hank\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-15]

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - https://clients2.google.com/service/update2/crx

CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-28]


========================== Services (Whitelisted) =================


(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)


S2 MouseWithoutBordersSvc; C:\Program Files\Microsoft Garage\Mouse without Borders\MouseWithoutBordersSvc.exe [27872 2012-12-28] (Microsoft)

R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)

S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)


==================== Drivers (Whitelisted) ====================


(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)


R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\BASHDefs\20150309.001\BHDrvx86.sys [1164504 2015-02-02] (Symantec Corporation)

R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1506000.020\ccSetx86.sys [127064 2014-02-24] (Symantec Corporation)

R3 COMMONFX.DLL; C:\Windows\System32\COMMONFX.DLL [98600 2007-04-18] (Creative Technology Ltd)

S3 CT20XUT.DLL; C:\Windows\System32\CT20XUT.DLL [164608 2007-04-12] (Creative Technology Ltd.)

R3 CTAUDFX.DLL; C:\Windows\System32\CTAUDFX.DLL [546048 2007-04-12] (Creative Technology Ltd)

S3 ctdvda2k; C:\Windows\System32\drivers\ctdvda2k.sys [347128 2007-04-10] (Creative Technology Ltd)

S3 CTEAPSFX.DLL; C:\Windows\System32\CTEAPSFX.DLL [168192 2007-04-12] (Creative Technology Ltd)

S3 CTEDSPFX.DLL; C:\Windows\System32\CTEDSPFX.DLL [280320 2007-04-12] (Creative Technology Ltd)

S3 CTEDSPIO.DLL; C:\Windows\System32\CTEDSPIO.DLL [128768 2007-04-12] (Creative Technology Ltd)

S3 CTEDSPSY.DLL; C:\Windows\System32\CTEDSPSY.DLL [323328 2007-04-12] (Creative Technology Ltd)

S3 CTERFXFX.DLL; C:\Windows\System32\CTERFXFX.DLL [94976 2007-04-12] (Creative Technology Ltd)

S3 CTEXFIFX.DLL; C:\Windows\System32\CTEXFIFX.DLL [1317632 2007-04-12] (Creative Technology Ltd.)

S3 CTHWIUT.DLL; C:\Windows\System32\CTHWIUT.DLL [66816 2007-04-12] (Creative Technology Ltd.)

R3 CTSBLFX.DLL; C:\Windows\System32\CTSBLFX.DLL [560384 2007-04-12] (Creative Technology Ltd)

R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2015-02-11] (Symantec Corporation)

R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-12-11] (Symantec Corporation)

R3 ha10kx2k; C:\Windows\System32\drivers\ha10kx2k.sys [797992 2007-04-10] (Creative Technology Ltd)

R3 hap16v2k; C:\Windows\System32\drivers\hap16v2k.sys [163112 2007-04-10] (Creative Technology Ltd)

S3 hap17v2k; C:\Windows\System32\drivers\hap17v2k.sys [189736 2007-04-10] (Creative Technology Ltd)

R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\IPSDefs\20150313.001\IDSvix86.sys [503512 2015-02-04] (Symantec Corporation)

R3 IntelC51; C:\Windows\System32\DRIVERS\IntelC51.sys [1339776 2005-05-06] (Intel Corporation)

R3 IntelC52; C:\Windows\System32\DRIVERS\IntelC52.sys [618880 2006-03-02] (Intel Corporation)

R3 IntelC53; C:\Windows\System32\DRIVERS\IntelC53.sys [47360 2005-05-06] (Intel Corporation)

R3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [42264 2013-05-23] (Logitech, Inc.)

R3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [10136 2013-05-23] (Logitech, Inc.)

R3 mohfilt; C:\Windows\System32\DRIVERS\mohfilt.sys [36880 2005-05-06] (Intel Corporation)

R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20150313.003\NAVENG.SYS [95704 2015-02-11] (Symantec Corporation)

R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.2.0.38\Definitions\VirusDefs\20150313.003\NAVEX15.SYS [1636696 2015-02-11] (Symantec Corporation)

R2 PMEM; C:\Windows\system32\drivers\pmemnt.sys [7168 1999-03-08] (Microsoft Corporation) [File not signed]

R3 SRTSP; C:\Windows\System32\Drivers\NIS\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)

R1 SRTSPX; C:\Windows\system32\drivers\NIS\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)

R0 SymDS; C:\Windows\System32\drivers\NIS\1506000.020\SYMDS.SYS [367704 2013-10-30] (Symantec Corporation)

R0 SymEFA; C:\Windows\System32\drivers\NIS\1506000.020\SYMEFA.SYS [936152 2014-03-04] (Symantec Corporation)

R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-04-14] (Symantec Corporation)

R1 SymIM; C:\Windows\System32\DRIVERS\SymIMv.sys [63576 2013-10-30] (Symantec Corporation)

R1 SymIRON; C:\Windows\system32\drivers\NIS\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)

R1 SymNetS; C:\Windows\System32\Drivers\NIS\1506000.020\SYMNETS.SYS [447704 2014-02-17] (Symantec Corporation)


==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========


(If an entry is included in the fixlist, the file\folder will be moved.)


2015-03-14 17:30 - 2015-03-14 17:30 - 00001931 _____ () C:\Users\Hank\Desktop\FRST.exe - Shortcut.lnk

2015-03-13 15:45 - 2015-03-13 15:45 - 00000989 _____ () C:\Users\UpdatusUser\Desktop\WinDirStat.lnk

2015-03-13 15:45 - 2015-03-13 15:45 - 00000989 _____ () C:\Users\Hank\Desktop\WinDirStat.lnk

2015-03-13 15:45 - 2015-03-13 15:45 - 00000989 _____ () C:\Users\Administrator\Desktop\WinDirStat.lnk

2015-03-13 15:45 - 2015-03-13 15:45 - 00000000 ____D () C:\Program Files\WinDirStat

2015-03-11 16:48 - 2015-03-11 16:48 - 00001863 _____ () C:\Users\Hank\Desktop\AdwCleaner_4.112.exe.lnk

2015-03-11 05:57 - 2015-02-25 23:11 - 02381312 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2015-03-11 05:57 - 2015-02-23 22:32 - 00342696 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll

2015-03-11 05:57 - 2015-02-19 22:08 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll

2015-03-11 05:57 - 2015-02-19 22:01 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll

2015-03-11 05:57 - 2015-02-19 22:00 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll

2015-03-11 05:57 - 2015-02-19 21:56 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe

2015-03-11 05:57 - 2015-02-19 21:50 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe

2015-03-11 05:57 - 2015-02-19 21:41 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll

2015-03-11 05:57 - 2015-02-19 21:24 - 00684544 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2015-03-11 05:57 - 2015-02-19 20:57 - 01311232 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2015-03-11 05:57 - 2015-02-13 01:26 - 12875264 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll

2015-03-11 05:57 - 2015-02-02 23:12 - 01230848 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll

2015-03-11 05:57 - 2015-01-16 22:30 - 00828928 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll

2015-03-11 05:56 - 2015-03-06 01:15 - 00137656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys

2015-03-11 05:56 - 2015-03-06 01:15 - 00067512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys

2015-03-11 05:56 - 2015-03-06 01:10 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll

2015-03-11 05:56 - 2015-03-06 01:10 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll

2015-03-11 05:56 - 2015-03-06 01:09 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe

2015-03-11 05:56 - 2015-03-06 01:09 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe

2015-03-11 05:56 - 2015-03-06 01:07 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll

2015-03-11 05:56 - 2015-03-06 01:07 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll

2015-03-11 05:56 - 2015-03-06 01:06 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll

2015-03-11 05:56 - 2015-02-20 20:41 - 12827648 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2015-03-11 05:56 - 2015-02-20 20:27 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll

2015-03-11 05:56 - 2015-02-20 20:27 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2015-03-11 05:56 - 2015-02-20 20:25 - 19720192 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2015-03-11 05:56 - 2015-02-20 19:32 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2015-03-11 05:56 - 2015-02-20 00:13 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll

2015-03-11 05:56 - 2015-02-20 00:13 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll

2015-03-11 05:56 - 2015-02-20 00:13 - 00026624 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll

2015-03-11 05:56 - 2015-02-20 00:13 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll

2015-03-11 05:56 - 2015-02-19 23:09 - 00299008 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll

2015-03-11 05:56 - 2015-02-19 22:22 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb

2015-03-11 05:56 - 2015-02-19 22:22 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll

2015-03-11 05:56 - 2015-02-19 22:09 - 00503296 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2015-03-11 05:56 - 2015-02-19 22:08 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll

2015-03-11 05:56 - 2015-02-19 22:06 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll

2015-03-11 05:56 - 2015-02-19 22:03 - 02278400 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2015-03-11 05:56 - 2015-02-19 21:58 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll

2015-03-11 05:56 - 2015-02-19 21:56 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll

2015-03-11 05:56 - 2015-02-19 21:56 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe

2015-03-11 05:56 - 2015-02-19 21:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll

2015-03-11 05:56 - 2015-02-19 21:30 - 04300288 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2015-03-11 05:56 - 2015-02-19 21:24 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2015-03-11 05:56 - 2015-02-19 21:24 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2015-03-11 05:56 - 2015-02-19 21:23 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll

2015-03-11 05:56 - 2015-02-19 21:01 - 01888256 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2015-03-11 05:56 - 2015-02-19 20:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2015-03-11 05:56 - 2015-02-03 22:54 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll

2015-03-11 05:56 - 2015-02-02 23:12 - 03209728 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll

2015-03-11 05:56 - 2015-02-02 23:12 - 00171520 _____ (Microsoft Corporation) C:\Windows\system32\ubpm.dll

2015-03-11 05:55 - 2015-02-02 23:16 - 03973048 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe

2015-03-11 05:55 - 2015-02-02 23:16 - 03917760 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe

2015-03-11 05:55 - 2015-02-02 23:16 - 00078784 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys

2015-03-11 05:55 - 2015-02-02 23:12 - 11411968 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 01329664 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 01174528 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 01005056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00988160 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00744960 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00617984 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00519680 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00406016 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00354816 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00157184 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00103936 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00103424 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe

2015-03-11 05:55 - 2015-02-02 23:12 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00027648 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll

2015-03-11 05:55 - 2015-02-02 23:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx

2015-03-11 05:55 - 2015-02-02 23:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll

2015-03-11 05:55 - 2015-02-02 23:11 - 12625408 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL

2015-03-11 05:55 - 2015-02-02 23:11 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe

2015-03-11 05:55 - 2015-02-02 23:11 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe

2015-03-11 05:55 - 2015-02-02 23:11 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe

2015-03-11 05:55 - 2015-02-02 23:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe

2015-03-11 05:55 - 2015-02-02 23:11 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe

2015-03-11 05:55 - 2015-02-02 23:11 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe

2015-03-11 05:55 - 2015-02-02 23:11 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\pcawrk.exe

2015-03-11 05:55 - 2015-02-02 23:11 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe

2015-03-11 05:55 - 2015-02-02 23:10 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\pcaevts.dll

2015-03-11 05:55 - 2015-02-02 23:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll

2015-03-11 05:55 - 2015-02-02 23:08 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll

2015-03-11 05:55 - 2015-02-02 23:00 - 00593920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys

2015-03-11 05:55 - 2015-02-02 22:26 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys

2015-03-11 05:55 - 2015-01-30 19:56 - 00370488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys

2015-03-11 05:55 - 2014-10-31 18:22 - 00521384 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe

2015-03-10 09:01 - 2015-03-10 09:41 - 00000000 ____D () C:\Users\Hank\AppData\Roaming\Wise Registry Cleaner

2015-03-10 08:54 - 2015-03-10 08:54 - 00001185 _____ () C:\Users\Public\Desktop\Wise Registry Cleaner.lnk

2015-03-10 08:54 - 2015-03-10 08:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wise Registry Cleaner

2015-03-10 08:54 - 2015-03-10 08:54 - 00000000 ____D () C:\Program Files\Wise

2015-03-09 07:51 - 2015-03-09 07:51 - 00001179 _____ () C:\Users\Hank\Desktop\SecurityCheck.lnk

2015-03-08 15:13 - 2015-03-08 15:17 - 00000000 ____D () C:\Users\Hank\AppData\Local\File Viewer

2015-03-08 15:13 - 2015-03-08 15:13 - 00000000 ____D () C:\Program Files\File Identifier

2015-03-08 15:12 - 2015-03-08 15:12 - 00000985 _____ () C:\Users\Public\Desktop\File Viewer Lite.lnk

2015-03-08 15:12 - 2015-03-08 15:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\File Viewer Lite

2015-03-08 15:12 - 2015-03-08 15:12 - 00000000 ____D () C:\Program Files\File Viewer Lite

2015-03-08 11:56 - 2015-03-08 11:56 - 00000000 __SHD () C:\Users\Hank\AppData\Local\EmieUserList

2015-03-08 11:56 - 2015-03-08 11:56 - 00000000 __SHD () C:\Users\Hank\AppData\Local\EmieSiteList

2015-03-08 11:56 - 2015-03-08 11:56 - 00000000 __SHD () C:\Users\Hank\AppData\Local\EmieBrowserModeList

2015-03-08 10:03 - 2015-03-08 12:18 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys

2015-03-08 10:03 - 2015-03-08 11:49 - 00000000 ____D () C:\ProgramData\RogueKiller

2015-03-07 11:34 - 2015-03-07 11:34 - 00000000 ____D () C:\KVRT_Data

2015-03-07 10:43 - 2015-03-07 10:43 - 00000965 _____ () C:\Users\Public\Desktop\CCleaner.lnk

2015-03-07 10:43 - 2015-03-07 10:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner

2015-03-07 10:43 - 2015-03-07 10:43 - 00000000 ____D () C:\Program Files\CCleaner

2015-03-06 18:56 - 2015-03-06 18:57 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2015-03-06 18:56 - 2015-03-06 18:56 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2015-03-06 18:56 - 2015-03-06 18:56 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2015-03-06 18:56 - 2015-03-06 18:56 - 00000000 ____D () C:\ProgramData\Malwarebytes

2015-03-06 18:56 - 2015-03-06 18:56 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware

2015-03-06 18:56 - 2014-11-21 07:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2015-03-06 18:56 - 2014-11-21 07:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2015-03-06 18:56 - 2014-11-21 07:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2015-03-06 18:04 - 2015-03-11 17:12 - 00000000 ____D () C:\AdwCleaner

2015-03-06 14:36 - 2015-03-06 14:41 - 00002201 _____ () C:\Users\Administrator\Desktop\Google Chrome.lnk

2015-03-06 14:36 - 2015-03-06 14:36 - 00121864 _____ () C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT

2015-03-06 14:36 - 2015-03-06 14:36 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Google

2015-03-06 14:35 - 2015-03-06 14:36 - 00000000 ____D () C:\Users\Administrator

2015-03-06 14:35 - 2015-03-06 14:35 - 00001413 _____ () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

2015-03-06 14:35 - 2015-03-06 14:35 - 00000020 ___SH () C:\Users\Administrator\ntuser.ini

2015-03-06 14:35 - 2015-03-06 14:35 - 00000000 ____D () C:\Users\Administrator\AppData\Roaming\Adobe

2015-03-06 14:35 - 2014-04-15 03:07 - 00000000 ____D () C:\Users\Administrator\AppData\Local\Microsoft Help

2015-03-06 14:35 - 2009-07-14 00:42 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2015-03-06 14:35 - 2009-07-14 00:37 - 00000000 ___RD () C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2015-03-05 16:58 - 2015-03-14 17:33 - 00000000 ____D () C:\FRST

2015-03-01 17:00 - 2015-03-01 17:00 - 00000078 _____ () C:\Windows\system32\HANK-DESKTOP.Windows 7 Home Premium, 32-bit Service Pack 1 (build 7601).txt

2015-03-01 17:00 - 2015-03-01 17:00 - 00000000 ____D () C:\Windows\RegBak

2015-03-01 13:44 - 2015-03-01 13:44 - 00000898 _____ () C:\Users\Hank\Desktop\regbak.chm.lnk

2015-03-01 13:42 - 2015-03-01 13:42 - 00001353 _____ () C:\Users\Hank\Desktop\regbak.exe.lnk

2015-02-25 22:03 - 2015-01-08 19:44 - 00419936 _____ () C:\Windows\system32\locale.nls

2015-02-25 15:53 - 2015-01-08 22:48 - 00635904 _____ (Microsoft Corporation) C:\Windows\system32\perftrack.dll

2015-02-25 15:53 - 2015-01-08 22:48 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\wdi.dll

2015-02-25 15:53 - 2015-01-08 22:48 - 00027136 _____ (Microsoft Corporation) C:\Windows\system32\powertracker.dll

2015-02-17 16:04 - 2015-02-17 16:04 - 01202848 _____ (Microsoft Corporation) C:\Windows\system32\FM20.DLL


==================== One Month Modified Files and Folders =======


(If an entry is included in the fixlist, the file\folder will be moved.)


2015-03-14 17:11 - 2014-04-15 01:09 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2015-03-14 16:55 - 2014-04-14 14:43 - 01586219 _____ () C:\Windows\WindowsUpdate.log

2015-03-14 11:45 - 2014-04-27 05:39 - 00000000 ___HD () C:\1 Allwork

2015-03-14 08:11 - 2014-04-15 01:09 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2015-03-14 08:00 - 2009-07-14 00:34 - 00028944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2015-03-14 08:00 - 2009-07-14 00:34 - 00028944 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2015-03-14 07:52 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2015-03-14 07:52 - 2009-07-14 00:39 - 00048257 _____ () C:\Windows\setupact.log

2015-03-13 16:01 - 2014-05-08 07:38 - 00000000 ____D () C:\Users\Hank\AppData\Local\CrashDumps

2015-03-12 16:34 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\rescache

2015-03-11 20:38 - 2009-07-14 00:33 - 00447728 _____ () C:\Windows\system32\FNTCACHE.DAT

2015-03-11 20:22 - 2014-04-15 01:21 - 00000000 ____D () C:\ProgramData\Microsoft Help

2015-03-11 20:20 - 2014-04-14 01:10 - 00000000 ____D () C:\Windows\system32\MRT

2015-03-11 20:11 - 2014-04-14 01:10 - 119837696 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2015-03-11 13:26 - 2010-11-20 17:48 - 00032946 _____ () C:\Windows\PFRO.log

2015-03-11 05:44 - 2010-11-20 17:01 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI

2015-03-07 10:53 - 2014-08-08 06:23 - 00000000 ____D () C:\Windows\Minidump

2015-03-06 14:36 - 2009-07-14 00:46 - 00001515 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk

2015-03-01 13:35 - 2006-10-16 07:43 - 00000000 ____D () C:\unzipped

2015-02-26 08:13 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\tracing

2015-02-18 16:34 - 2014-04-14 22:00 - 00000000 ____D () C:\Program Files\Wisdom-soft ScreenHunter 6.0 Free

2015-02-12 16:11 - 2014-05-13 10:41 - 00000000 ____D () C:\Users\Hank\Documents\TurboTax

2015-02-12 06:55 - 2014-12-11 09:28 - 00000000 ____D () C:\Windows\system32\appraiser

2015-02-12 06:55 - 2014-05-06 07:04 - 00000000 ___SD () C:\Windows\system32\CompatTel


==================== Files in the root of some directories =======


2014-05-13 10:41 - 2015-02-10 11:32 - 0000590 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc


Files to move or delete:

====================

C:\Users\Hank\cnmss Canon MX920 series Printer (Local).dll


Some content of TEMP:

====================

C:\Users\Hank\AppData\Local\Temp\dllnt_dump.dll

C:\Users\Hank\AppData\Local\Temp\Quarantine.exe

C:\Users\Hank\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================


(There is no automatic fix for files that do not pass verification.)


C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-08 00:39


==================== End Of Log ============================


Addition.txt


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 11-03-2015

Ran by Hank at 2015-03-14 17:34:46

Running from C:\1 Allwork\1 EmieBrowserModeList\2 Malware Scanning & Removal Programs\Farbar Recovery Scan Tool FRST

Boot Mode: Normal

==========================================================


==================== Security Center ========================


(If an entry is included in the fixlist, it will be removed.)


AV: Norton Internet Security (Disabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}

AS: Norton Internet Security (Disabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

FW: Norton Internet Security (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}


==================== Installed Programs ======================


(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)


7-Zip 9.22beta (HKLM\...\7-Zip) (Version:  - )

Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)

ArcSoft Software Suite (HKLM\...\ArcSoft Software Suite) (Version:  - )

Audacity 2.0.5 (HKLM\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)

Canon Easy-WebPrint EX (HKLM\...\Easy-WebPrint EX) (Version: 1.4.1.0 - Canon Inc.)

Canon IJ Network Scanner Selector EX (HKLM\...\Canon_IJ_Network_Scanner_Selector_EX) (Version:  - Canon Inc.)

Canon IJ Network Tool (HKLM\...\Canon_IJ_Network_UTILITY) (Version: 3.2.0 - Canon Inc.)

Canon IJ Scan Utility (HKLM\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)

Canon MX920 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX920_series) (Version: 1.00 - Canon Inc.)

Canon MX920 series On-screen Manual (HKLM\...\Canon MX920 series On-screen Manual) (Version: 7.6.0 - Canon Inc.)

Canon MX920 series User Registration (HKLM\...\Canon MX920 series User Registration) (Version:  - Canon Inc.)

Canon My Printer (HKLM\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)

Canon Quick Menu (HKLM\...\CanonQuickMenu) (Version: 2.1.0 - Canon Inc.)

Canon Speed Dial Utility (HKLM\...\Speed Dial Utility) (Version: 1.3.0 - Canon Inc.)

CCleaner (HKLM\...\CCleaner) (Version: 5.03 - Piriform)

Classic Shell (HKLM\...\{BF43C874-9793-40DC-B2F4-C87C360E8CE1}) (Version: 4.0.6 - IvoSoft)

Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)

DeleteOnClick (HKLM\...\DeleteOnClick_is1) (Version:  - 2BrightSparks)

EncryptOnClick (HKLM\...\EncryptOnClick_is1) (Version:  - 2BrightSparks)

eReg (Version: 1.20.138.34 - Logitech, Inc.) Hidden

Extended Asian Language font pack for Adobe Reader XI (HKLM\...\{AC76BA86-7AD7-2530-0000-A00000000049}) (Version: 11.0.09 - Adobe Systems Incorporated)

File Identifier (HKLM\...\{C257E434-E8F1-4E06-A616-598E4933553E}_is1) (Version: 1.0.8 - Sharpened Productions)

File Viewer Lite (HKLM\...\{C8B24B83-920A-446E-B027-38F72C9D8898}_is1) (Version: 1.3.2 - Sharpened Productions)

FindOnClick (HKLM\...\FindOnClick_is1) (Version: 2.5.0.0 - 2BrightSparks)

Google Chrome (HKLM\...\Google Chrome) (Version: 41.0.2272.89 - Google Inc.)

Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)

Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden

Google Update Helper (Version: 1.3.26.9 - Google Inc.) Hidden

HashOnClick (HKLM\...\HashOnClick_is1) (Version:  - 2BrightSparks)

Image Resizer for Windows (HKLM\...\{69d72156-6582-4556-8637-06f40aa7f85b}) (Version: 3.0.4802.35565 - Brice Lambson)

Image Resizer for Windows (Version: 3.0.4802.35565 - Brice Lambson) Hidden

Intel® 537EP V9x DF PCI Modem (HKLM\...\Intel® 537EP V9x DF PCI Modem) (Version:  - )

LizardTech ExpressView Browser Plug-in (HKLM\...\{74843B9D-9C66-4E5F-B75B-9C3D4A3ECABB}) (Version: 6.5.1 - LizardTech)

Logitech SetPoint 6.61 (HKLM\...\sp6) (Version: 6.61.15 - Logitech)

Lotus SmartSuite - English (HKLM\...\{536D6172-7453-7569-7465-392E37300409}) (Version: 9.7.0 - Lotus Development Corporation)

Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)

Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft Garage Mouse without Borders (HKLM\...\{D3BC954F-D661-474C-B367-30EB6E56542E}) (Version: 2.1.2.1212 - Microsoft Garage)

Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)

Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)

Microsoft Office Professional Plus 2007 (HKLM\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Nikon View 5 (HKLM\...\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}) (Version:  - )

Norton Bootable Recovery Tool Wizard (HKLM\...\NBRTWizard) (Version: 6.0.0.74 - Symantec Corporation)

Norton Internet Security (HKLM\...\NIS) (Version: 21.6.0.32 - Symantec Corporation)

NVIDIA Graphics Driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)

NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)

OfficeSharedAddInSetup (HKLM\...\{3D316CFB-1825-4030-A13A-29D18DC6B177}) (Version: 1.0.0 - Smart Soft)

OnClick Help (HKLM\...\OnClick Help_is1) (Version:  - 2BrightSparks)

PatchOnClick (HKLM\...\PatchOnClick_is1) (Version:  - 2BrightSparks)

Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)

QuickTime (HKLM\...\QuickTime) (Version:  - )

ScrambleOnClick (HKLM\...\ScrambleOnClick_is1) (Version: 1.3.0.0 - 2BrightSparks Pte Ltd)

Smart PDF Creator Pro 6.3.0.467 (HKLM\...\Smart PDF Creator Pro_is1) (Version: 6.3.0.467 - Smart Soft)

SyncBackFree (HKLM\...\SyncBackFree_is1) (Version: 6.3.13.0 - 2BrightSparks)

SyncBackSE (HKLM\...\SyncBackSE_is1) (Version: 6.5.30.0 - 2BrightSparks)

TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)

TurboTax 2014 (HKLM\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)

UndeleteOnClick (HKLM\...\UndeleteOnClick_is1) (Version:  - 2BrightSparks)

Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)

WinDirStat 1.1.2 (HKU\S-1-5-21-488345948-2998503178-2589646183-1000\...\WinDirStat) (Version:  - )

WinTasks (HKLM\...\{8C92D38B-C1DE-490A-B6D1-AAAA8E17DCE2}) (Version: 5.03 - Uniblue Systems Ltd)

WinZip (HKLM\...\WinZip) (Version:  8.1  (4331) - WinZip Computing, Inc.)

Wisdom-soft ScreenHunter 6.0 Free (HKLM\...\Wisdom-soft ScreenHunter 6.0 Free) (Version:  - Wisdom Software Inc.)

Wise Registry Cleaner 8.31 (HKLM\...\Wise Registry Cleaner_is1) (Version: 8.31 - WiseCleaner.com, Inc.)

 

==================== Custom CLSID (selected items): ==========================

 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

 

 

==================== Restore Points  =========================

 

03-03-2015 13:06:49 Pre EMIE Restore Point

11-03-2015 19:57:13 Windows Update

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

 

==================== Scheduled Tasks (whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

 

Task: {1755B8DA-0E73-4E32-BAEF-7418C5BDE99E} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)

Task: {249C00B0-68DE-49B2-8DAB-640D9E67A936} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)

Task: {42A1069B-5F94-42FB-A561-8539C0B0B32B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-04-15] (Google Inc.)

Task: {66614EBB-0049-4223-9335-BB18C0160F98} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-02-19] (Piriform Ltd)

Task: {B5381C9E-3375-4F74-803E-60D4EDE4FB8F} - System32\Tasks\{A529644E-C7AE-40E3-8921-9C4A2C4BA3EA} => pcalua.exe -a E:\Welcome.exe -d E:\

Task: {B74F78E5-4BC9-4814-BE41-EFF533BF846B} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)

Task: {D140E975-DBD2-4F84-8D11-903FE5BD6BDA} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-04-15] (Google Inc.)

Task: {E6ABA05F-36B2-4F4A-B408-EF07B487A3B1} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe [2014-09-21] (Symantec Corporation)

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

 

==================== Loaded Modules (whitelisted) ==============

 

2014-04-14 00:16 - 2013-01-31 05:00 - 00079648 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll

2014-04-15 02:52 - 2011-12-12 13:42 - 00281304 _____ () C:\Program Files\Smart PDF Creator Pro\ExplorerExt.dll

2009-02-26 13:46 - 2009-02-26 13:46 - 00064344 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll

2011-06-22 11:46 - 2011-06-22 11:46 - 00434016 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll

2013-07-10 18:07 - 2013-07-10 18:07 - 00756888 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL

2015-03-12 11:12 - 2015-03-07 02:12 - 01174856 _____ () C:\Program Files\Google\Chrome\Application\41.0.2272.89\libglesv2.dll

2015-03-12 11:12 - 2015-03-07 02:12 - 00080200 _____ () C:\Program Files\Google\Chrome\Application\41.0.2272.89\libegl.dll

2015-03-12 11:12 - 2015-03-07 02:13 - 09279304 _____ () C:\Program Files\Google\Chrome\Application\41.0.2272.89\pdf.dll

2012-12-28 10:44 - 2012-12-28 10:44 - 00039648 _____ () C:\Program Files\Microsoft Garage\Mouse without Borders\MousewithoutBordersHelper.exe

 

==================== Safe Mode (whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

 

==================== EXE Association (whitelisted) ===============

 

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

 

 

==================== Other Areas ============================

 

(Currently there is no automatic fix for this section.)

 

HKU\S-1-5-21-488345948-2998503178-2589646183-1000\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg

DNS Servers: 75.75.75.75 - 75.75.76.76

 

==================== MSCONFIG/TASK MANAGER disabled items ==

 

(Currently there is no automatic fix for this section.)

 

 

==================== Accounts: =============================

 

Administrator (S-1-5-21-488345948-2998503178-2589646183-500 - Administrator - Disabled) => C:\Users\Administrator

Guest (S-1-5-21-488345948-2998503178-2589646183-501 - Limited - Enabled)

Hank (S-1-5-21-488345948-2998503178-2589646183-1000 - Administrator - Enabled) => C:\Users\Hank

HomeGroupUser$ (S-1-5-21-488345948-2998503178-2589646183-1003 - Limited - Enabled)

UpdatusUser (S-1-5-21-488345948-2998503178-2589646183-1001 - Limited - Enabled) => C:\Users\UpdatusUser

 

==================== Faulty Device Manager Devices =============

 

Name: PCI Input Device

Description: PCI Input Device

Class Guid: 

Manufacturer: 

Service: 

Problem: : The drivers for this device are not installed. (Code 28)

Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (03/14/2015 07:53:57 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (03/13/2015 04:01:07 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: 123w.exe, version: 9.7.108.1700, time stamp: 0x3b7d2422

Faulting module name: LTICNC90.DLL, version: 9.1.0.0, time stamp: 0x38dfc40f

Exception code: 0xc0000005

Fault offset: 0x00014fdd

Faulting process id: 0x910

Faulting application start time: 0x123w.exe0

Faulting application path: 123w.exe1

Faulting module path: 123w.exe2

Report Id: 123w.exe3

 

Error: (03/13/2015 09:20:13 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (03/13/2015 09:12:32 AM) (Source: Application Hang) (EventID: 1002) (User: )

Description: The program 123w.exe version 9.7.108.1700 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

 

Process ID: bf0

 

Start Time: 01d05d8f1ff02702

 

Termination Time: 15

 

Application Path: F:\lotus\123\123w.exe

 

Report Id: 91e7ece9-c982-11e4-b392-001111c3d06e

 

Error: (03/13/2015 06:07:31 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (03/12/2015 04:28:52 PM) (Source: SideBySide) (EventID: 33) (User: )

Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".

Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.

Please use sxstrace.exe for detailed diagnosis.

 

Error: (03/12/2015 05:32:08 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (03/11/2015 08:39:05 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (03/11/2015 05:15:46 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (03/11/2015 01:28:37 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

 

System errors:

=============

Error: (03/12/2015 06:29:42 PM) (Source: Service Control Manager) (EventID: 7011) (User: )

Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.

 

Error: (03/12/2015 06:12:22 PM) (Source: Service Control Manager) (EventID: 7011) (User: )

Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

 

Error: (03/11/2015 05:43:16 AM) (Source: bowser) (EventID: 8003) (User: )

Description: The master browser has received a server announcement from the computer HANKS-LAPTOP

that believes that it is the master browser for the domain on transport NetBT_Tcpip_{77730859-EDB0-42C7-9357-6F0C0.

The master browser is stopping or an election is being forced.

 

Error: (03/08/2015 05:41:39 PM) (Source: Service Control Manager) (EventID: 7011) (User: )

Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.

 

Error: (03/08/2015 04:39:06 PM) (Source: Service Control Manager) (EventID: 7011) (User: )

Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

 

Error: (03/08/2015 04:29:35 PM) (Source: Service Control Manager) (EventID: 7011) (User: )

Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

 

Error: (03/08/2015 04:10:44 PM) (Source: Service Control Manager) (EventID: 7011) (User: )

Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.

 

Error: (03/08/2015 03:58:32 PM) (Source: DCOM) (EventID: 10010) (User: )

Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

 

Error: (03/08/2015 03:58:27 PM) (Source: Service Control Manager) (EventID: 7011) (User: )

Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.

 

Error: (03/08/2015 11:54:22 AM) (Source: BROWSER) (EventID: 8032) (User: )

Description: The browser service has failed to retrieve the backup list too many times on transport \Device\NetBT_Tcpip_{77730859-EDB0-42C7-9357-6F0C0A988A37}.

The backup browser is stopping.

 

 

Microsoft Office Sessions:

=========================

Error: (09/28/2014 02:19:17 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )

Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 20585 seconds with 60 seconds of active time.  This session ended with a crash.

 

Error: (07/11/2014 03:21:07 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )

Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 6456 seconds with 3600 seconds of active time.  This session ended with a crash.

 

Error: (05/23/2014 11:37:36 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )

Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6695.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 18 seconds with 0 seconds of active time.  This session ended with a crash.

 

 

==================== Memory info =========================== 

 

Processor: Intel® Pentium® 4 CPU 3.20GHz

Percentage of memory in use: 55%

Total physical RAM: 2046.16 MB

Available physical RAM: 903.8 MB

Total Pagefile: 4092.33 MB

Available Pagefile: 2447.13 MB

Total Virtual: 2047.88 MB

Available Virtual: 1911.2 MB

 

==================== Drives ================================

 

Drive c: () (Fixed) (Total:71.26 GB) (Free:16.85 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

Drive f: (2nd Hard Drive) (Fixed) (Total:931.51 GB) (Free:861.03 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows XP) (Size: 931.5 GB) (Disk ID: 03E280A1)

Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

 

========================================================

Disk: 1 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: D0F4738C)

Partition 1: (Not Active) - (Size=63 MB) - (Type=DE)

Partition 2: (Active) - (Size=71.3 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=3.2 GB) - (Type=DB)

 

==================== End Of Log ============================

 

Thanks

 

hep3



#4 Oh My!

  • Malware Response Instructor
  • Location:California

Posted 14 March 2015 - 05:51 PM

Greetings hep3 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please move FRST.exe onto your desktop:

Running from C:\1 Allwork\1 EmieBrowserModeList\Malware Scanning & Removal Programs\Farbar Recovery Scan Tool FRST


The folders you are concerned about are legitimate. Please run the below.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\...\MountPoints2: {1bfbc185-c404-11e3-b7cb-806e6f6e6963} - E:\Welcome.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-488345948-2998503178-2589646183-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
C:\Users\Hank\cnmss Canon MX920 series Printer (Local).dll
C:\Users\Hank\AppData\Local\Temp\dllnt_dump.dll
Task: {B5381C9E-3375-4F74-803E-60D4EDE4FB8F} - System32\Tasks\{A529644E-C7AE-40E3-8921-9C4A2C4BA3EA} => pcalua.exe -a E:\Welcome.exe -d E:\
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Junkware log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 hep3

  • Topic Starter

Posted 15 March 2015 - 06:11 AM

Hi Gary,

 

Great to hear from you.  By all means call me Hank.

 

As you requested, the following files are either copied or attached below.

 

Thanks for your help.

 

Hank

 

Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Hank at 2015-03-15 06:28:44 Run:1
Running from C:\Users\Hank\Desktop
Loaded Profiles: Hank & UpdatusUser (Available profiles: Hank & UpdatusUser & Administrator)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
HKU\S-1-5-21-488345948-2998503178-2589646183-1001\...\MountPoints2: {1bfbc185-c404-11e3-b7cb-806e6f6e6963} - E:\Welcome.exe
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-488345948-2998503178-2589646183-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
C:\Users\Hank\cnmss Canon MX920 series Printer (Local).dll
C:\Users\Hank\AppData\Local\Temp\dllnt_dump.dll
Task: {B5381C9E-3375-4F74-803E-60D4EDE4FB8F} - System32\Tasks\{A529644E-C7AE-40E3-8921-9C4A2C4BA3EA} => pcalua.exe -a E:\Welcome.exe -d E:\
*****************
 
"HKU\S-1-5-21-488345948-2998503178-2589646183-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{1bfbc185-c404-11e3-b7cb-806e6f6e6963}" => Key deleted successfully.
HKCR\CLSID\{1bfbc185-c404-11e3-b7cb-806e6f6e6963} => Key not found. 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-488345948-2998503178-2589646183-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" => Key deleted successfully.
HKCR\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => Key not found. 
C:\Users\Hank\cnmss Canon MX920 series Printer (Local).dll => Moved successfully.
C:\Users\Hank\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B5381C9E-3375-4F74-803E-60D4EDE4FB8F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B5381C9E-3375-4F74-803E-60D4EDE4FB8F}" => Key deleted successfully.
C:\Windows\System32\Tasks\{A529644E-C7AE-40E3-8921-9C4A2C4BA3EA} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A529644E-C7AE-40E3-8921-9C4A2C4BA3EA}" => Key deleted successfully.
 
==== End of Fixlog 06:28:48 ====
 
 
JRT.txt
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.3 (03.01.2015:1)
OS: Windows 7 Home Premium x86
Ran by Hank on Sun 03/15/2015 at  6:42:00.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Users\Hank\appdata\local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 03/15/2015 at  6:48:20.64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#6 Oh My!

  • Malware Response Instructor
  • Location:California

Posted 15 March 2015 - 09:04 AM

Greetings Hank.

Thanks for the reports. Please do this.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click Run ESET Online Scanner.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Click Enable detection of potentially unwanted applications
  • Accept any security warnings from your browser.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Check Uninstall application on close and Delete quarantined files
  • Click the Finish button.
  • Close the ESET window and reboot your computer
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 hep3

  • Topic Starter

Posted 15 March 2015 - 02:53 PM

Gary,

The logs from running the ESET and Security Check scans are copied below.

The ESET scan revealed and quarantined the same three *.exe files on my C:\ and F:\ drives, the F:\ drive being where I back up all of my files from the C:\ drive.  As you can see, the files are in folders at C:\1 Allwork\DOWNLOADS\"Application Name" for each application I've downloaded off of the internet.  My objective is to be able to re-install these applications quickly and easily in the event of a problem and therefore I keep the installation *.exe files for the applications in those folders.  If there is no "real" risk to maintaining these installation *.exe files on my drives, I would prefer to re-file them in their original locations.  If, on the other hand, you think they pose a risk that you wouldn't take on your own computer, I'll be glad to have them deleted.  What's your advice?

My computer seems to be working reasonably well, but then again, the "infection" symptoms were intermittent before this clean up effort.  Time will tell.

There are two other, possibly related, issues that I would like your thoughts on.

First, when looking at the "Properties" for Drive C:\ , total usage of the drive is at 58 GB, which for a variety of reasons I felt was too high by about 15 GB.  I ran WinDirStat to double check these results and it found only 45 GB of usage, which is in line with my expectations.  My original concern was that some malware had loaded up the drive with hidden files.  Now I'm thinking that the Windows "Properties" function isn't working properly.  Any thoughts?

Second, in the research I did before contacting BleepingComputer, I ran a RogueKiller scan which reported a number of "hooks", which I really don't understand but are implicitly related to malware or RogueKiller wouldn't be reporting them.  I've copied the RogueKiller log below for your review and comment.

Thanks for your help.

Hank

ESET Log

C:\1 Allwork\DOWNLOADS\Screen Hunter Screen Shot  4.10.14\cbsidlm-cbsi145-ScreenHunter_Free-SEO-10063246.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
C:\1 Allwork\DOWNLOADS\WinTasks 5 Pro  4.10.14\SoftonicDownloader_for_windows-7-tweaker.exe a variant of Win32/SoftonicDownloader.F potentially unwanted application deleted - quarantined
C:\1 Allwork\DOWNLOADS\WinZip 8.1  4.10.14\winzip180xp.exe a variant of Win32/InstallCore.BY potentially unwanted application deleted - quarantined
F:\1 Allwork\DOWNLOADS\Screen Hunter Screen Shot  4.10.14\cbsidlm-cbsi145-ScreenHunter_Free-SEO-10063246.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
F:\1 Allwork\DOWNLOADS\WinTasks 5 Pro  4.10.14\SoftonicDownloader_for_windows-7-tweaker.exe a variant of Win32/SoftonicDownloader.F potentially unwanted application deleted - quarantined
F:\1 Allwork\DOWNLOADS\WinZip 8.1  4.10.14\winzip180xp.exe a variant of Win32/InstallCore.BY potentially unwanted application deleted - quarantined

Security Check Log

 Results of screen317's Security Check version 0.99.97  
 Windows 7 Service Pack 1 x86 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Norton Internet Security   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 CCleaner     
 Wise Registry Cleaner 8.31  
  Java 64-bit 8 Update 31  
 Adobe Reader XI  
 Google Chrome (40.0.2214.115) 
 Google Chrome (41.0.2272.76) 
 Google Chrome (41.0.2272.89) 
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1% 
````````````````````End of Log`````````````````````` 

RogueKiller Log

RogueKiller V10.5.1.0 [Mar 5 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Hank [Administrator]
Started from : C:\1 Allwork\1 EmieBrowserModeList\Malware Scanning & Removal Programs\RogueKiller\RogueKiller.exe
Mode : Delete -- Date : 03/08/2015 11:31:22

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyMusic : 0 -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0 -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowPrinters : 0 -> Not selected
[PUM.StartMenu] HKEY_USERS\S-1-5-21-488345948-2998503178-2589646183-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 45 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x8639cda8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x8639ce40
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x863d7f80
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x85cddc98
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x8639c820
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x8639cbd0
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x863d77b0
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x86394fb0
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x863d7858
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x8639c8b8
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x86399260
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x863d7e10
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x8639cc78
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x8639cd10
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x85cd0d50
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x863d7d58
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x8639cb38
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x86394f68
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x863991c8
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x8639ca08
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x863992e8
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x863d78f0
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x863d7708
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x863d7660
[SSDT:Addr(Hook.SSDT)] NtReadVirtualMemory[277] : Unknown @ 0x863d75b8
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x8639ced8
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x863d7b80
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x863d7c18
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x8639c950
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x8639caa0
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x8639cf70
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x85e8f0d0
[SSDT:Addr(Hook.SSDT)] unknown[371] : Unknown @ 0x863d7ae8
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x863d7cc0
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x863d7eb8
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x86dfdf08
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x87752140
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x876ed5e8
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x864dac00
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x870cfee0
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x86e14198
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x876d3398
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x87689ae0
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x876ddea0
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x876a8e68

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10EZEX-00KUWA0 ATA Device +++++
--- User ---
[MBR] c253eef9020f8896a3cf9092f242d1fa
[BSP] fb6a00b2a43828eb31917d3d995050ed : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 953867 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK



#8 Oh My! (Malware Response Instructor, 35,536 posts, Location: California)

Posted 15 March 2015 - 07:20 PM

Greetings Hank,

Please simply copy and paste the information in your reply rather than use code boxes.

You can re-download those programs. They are considered "Potentially" Unwanted Programs.

Quite often hooks are normal and the ones listed are of no concern.

Please run this program to compare C: Drive usage.

===================================================

Folder Size

--------------------

  • Download Folder Size and save it on your Desktop
  • Double click the icon and click Run
  • Click Next
  • Select I accept the agreement then click Next
  • Click Next 3 times then click Install
  • Close the browser window that will appear
  • Double click Finish
  • Left click on C:\ in the lower left hand corner to highlight the line
  • Click Scan, then Scan Selected Drive
  • Compare this to your C: Drive properties

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.

  • Results?

Gary

#9 hep3 (Topic Starter, Members, 22 posts)

Posted 16 March 2015 - 08:55 AM

Gary,

Folder Size revealed that total usage for drive C: was essentially the same as that reported by Windows Drive Properties.  It also shows that there is 14 GB of data in the System Volume Information (SVI) folder that was not identified by Windows.  That 14 GB is what I was looking for in hidden files storage.

I suspect the SVI folder is much larger than it needs to be and should be cleaned out.  If you agree, I would use CCleaner to do this as it retains the last Restore Point, which I set just before we got started on this effort.

Hank



#10 Oh My! (Malware Response Instructor, 35,536 posts, Location: California)

Posted 16 March 2015 - 09:57 AM

Hi Hank, yes, the storage is most likely being used by Restore Points. If you would like, you can use CCleaner, but I would caution against using the Registry cleaning component.

Gary

#11 hep3 (Topic Starter, Members, 22 posts)

Posted 16 March 2015 - 10:36 AM

Gary,

Removing the Restore Points only removed 4 GB from the original 14 GB SVI folder.  According to Folder Size, a single sub-folder of SVI, "_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}", accounts for the majority, 9.9 GB, of the now 10.2 GB SVI folder.  Is it possible to delete this folder?  If so, is it advisable?  If so again, how do you do it?

Hank



#12 Oh My! (Malware Response Instructor, 35,536 posts, Location: California)

Posted 16 March 2015 - 10:55 AM

Hi Hank,

Let's look at it a little deeper. Please do this.

===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:

    :dir
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F} /s

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • SystemLook log

Gary

#13 hep3 (Topic Starter, Members, 22 posts)

Posted 16 March 2015 - 11:16 AM

Gary,

Here's the SystemLook log.

Hank

SystemLook 30.07.11 by jpshortstuff
Log created at 12:10 on 16/03/2015 by Hank
Administrator - Elevation successful

No Context: C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F} /s

-= EOF =-


#14 Oh My! (Malware Response Instructor, 35,536 posts, Location: California)

Posted 16 March 2015 - 11:32 AM

Are you able to manually navigate to that folder to see if that entry is there? You might not have permissions for that.
Gary

#15 hep3 (Topic Starter, Members, 22 posts)

Posted 16 March 2015 - 12:06 PM

Gary,

Yes.  I can get to it in both Windows Explorer and Folder Size.  The file is hidden in Explorer and I can't see what's in it.  Folder Size shows 31 sub-folders which are sequentially named from RP2434 to RP2465 and which range in size from 76 to 1829 MB.

Folder Size also shows the contents of the sub-folders, which includes a "snapshot" folder and many .exe, .dll, .ocx, et cetera.  I tried to take a couple of screen shots of the files and folders so that you could see for yourself, but I can't copy the images here nor can I attach the files.

If you'd like to see screen shots, tell me how I can get file attachments to you.

Hank
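The usage gap discussed in posts #7 through #15 (Properties reporting more than WinDirStat can see, with the difference sitting in System Volume Information) can be reconciled without third-party tools. The script below is an added example, not part of the thread and not from any of the tools named in it: it compares the volume's used space against what a file walk can reach and against the Volume Shadow Copy storage that System Restore keeps, so a leftover gap that neither explains is what would actually merit a closer look. It assumes an elevated PowerShell session on Windows 7 or later and the standard Win32_LogicalDisk, Win32_Volume, Win32_ShadowStorage and Win32_ShadowCopy WMI classes; the $Drive parameter is ours.

```powershell
# Added example (not from the thread). Reconcile the drive usage that Explorer's
# Properties dialog reports with (a) the bytes a file walk can see and (b) the
# shadow copy storage that System Restore keeps under System Volume Information.
# Run from an elevated PowerShell prompt. $Drive is an assumed parameter.
param([string]$Drive = 'C')

function ToGB($bytes) { [math]::Round($bytes / 1GB, 1) }

# What the Properties dialog shows: volume size minus free space.
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${Drive}:'"
$usedBytes = $disk.Size - $disk.FreeSpace

# What a file walk can see. -Force includes hidden and system files, but
# System Volume Information is ACL'd to SYSTEM only, so even an administrator's
# walk is refused there and those bytes never reach the sum (WinDirStat hits
# the same wall, which is why it reported less than Properties did).
$visibleBytes = (Get-ChildItem "${Drive}:\" -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    Measure-Object -Property Length -Sum).Sum

# Shadow storage records reference volumes by GUID path, not drive letter,
# so map the letter to its volume GUID first.
$volume = Get-WmiObject Win32_Volume -Filter "DriveLetter='${Drive}:'"
$guid   = [regex]::Match($volume.DeviceID, '\{[0-9A-Fa-f-]+\}').Value

$shadowBytes = 0
foreach ($store in Get-WmiObject Win32_ShadowStorage) {
    if ($store.Volume -like "*$guid*") { $shadowBytes += $store.UsedSpace }
}

# Individual restore points (one shadow copy each) on this volume.
$restorePoints = @(Get-WmiObject Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $volume.DeviceID })

# A small remainder is normal: the MFT and other NTFS metadata are not files
# a walk can enumerate. A large remainder is the number worth investigating.
$unexplained = $usedBytes - $visibleBytes - $shadowBytes

"Used (Properties)   : {0} GB" -f (ToGB $usedBytes)
"Visible to file walk: {0} GB" -f (ToGB $visibleBytes)
"Shadow copy storage : {0} GB across {1} restore point(s)" -f (ToGB $shadowBytes), $restorePoints.Count
"Unexplained         : {0} GB" -f (ToGB $unexplained)
```

Clearing restore points through System Protection (or, as in the thread, CCleaner) shrinks the shadow copy figure without touching System Volume Information by hand, which is the safer route given the folder's permissions.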
