Blocked Profile In Win7


  • This topic is locked
59 replies to this topic

#1 337stat

Posted 15 December 2015 - 10:34 PM

About a week ago, an internet outage happened here.  When service returned, on normal startup, 
my profile wasn't restored.  Or, more accurately, stopped being used by the computer.
 
I got a bubble window from the icon tray showing "Windows cannot find the local profile and is logging you on 
with a temporary profile. Changes you make to this profile will be lost when you log off."
 
My system runs Windows 7.  I use Opera as my main browser, though sometimes try Firefox, Chrome, & IE (an
older version here).  Baidu had been installed for a time, but was removed with an uninstall program.
 
I've tried a bit on my own to resolve the issue, and have come up with other symptoms as a result.  I wasn't
able to find a matching set of concerns elsewhere on this forum.
 
The profile does show in safe mode...with the many limitations of safe mode along with it, so it's still
something needing resolution.  But, that also seems to say the data for the profile is still there, including
things like saved passwords on selected sites, the start menu as I expect it, and so on.  With normal startup,
most file associations I need are gone.
 
I can't get any restore points to correctly install on my machine, even though I have administrator rights.
I tried creating another account, also with administrator rights, but can't get results from there, either.
I tried to use the hidden administrator account, but so far haven't gotten it to come up among options on
startup, and switching user to that account hasn't worked.  I tried to call this up at the command line
(Net user administrator /active:yes).  The restore points failures happen both in normal and safe modes,
though, at this point, as my profile isn't active with normal startup, that part isn't a surprise.  I'm actually
getting messages stating the restores fail.
 
I've tried to copy files from the Users sub-directory to overwrite what might have been (at the time I didn't
know) corrupted profile files.  Again, as I'm seeing things in Safe Mode but not in a regular startup,
I think the files are still there, in one piece, and it's something about normal mode that's preventing
a fix, as well as access to the profile, though it works in Safe Mode.
 
One of the event logs shows a Microsoft update the morning of the outage.  Since I'd long ago shut off
automatic updates from MS, this is suspicious all by itself, suggesting a virus or a hack, possibly
something stopped mid-stream by the internet outage.  If somehow something forced an MS update to happen,
I don't see why it's impossible something running that stopped before finishing could also have caused 
this...but the log showed no other MS updates going back at least a month, so I'm confident of my settings.
I've no clue why this would legitimately be an MS update, but have no clue what someone would have to do to
create something to show this way.
 
I've used msconfig to go back and forth between normal settings and safe mode to try to troubleshoot.
 
Malwarebytes was active, and scans continue to show no issues.  If a virus, it may not be in the database yet.
Or, is it possible it ran some scripts it knew would be a problem then got rid of itself?  Or hid itself?
 
I did a general backup of files onto a virgin external drive already, trying to protect data as well as
potentially isolate a future recontamination of something.
 
Thunderbird setup was wiped at one point, couldn't access my e-mail suddenly, but, by copying essential files 
from my backup got Thunderbird back up and running in Safe Mode immediately.
 
However, MS Word now fails in Safe Mode, claiming a repair attempt failed or was cancelled by the user, and will
no longer run at all.  (I'll probably need help on this, if possible, too.)
 
 
Something called TrueSuite failed.  I've never seen it before.  Got an error message once, haven't seen it again,
but see it in the Farbar run.
 
STANLEY is a computer name, not a user name.  Seeing it as a user name in the Farbar run is a concern. (see below)
 
I've attempted to edit the registry, according to some other advice online regarding similar-sounding
issues...similar until the point where a corrupted profile is fixed, which I don't think is the issue now.  I
went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList to adjust the
ProfileImagePath.  It didn't change anything in how the system is working.
 
At one point, there were also some messages showing "15 user registry handles leaked from"....  All of them
down a Windows Live path, on something I was able to print out (3 pages long).  I'm trying to
track that list down, but haven't seen it in about 4 days.  It was in a log file I can't track down for the
moment, that appeared on screen after my first startup following the outage then shut itself down some minutes
later.
 
Windows logs have also seemed to show with a normal startup I can't access my profile because it's in use
by some other program somewhere.  I can't figure that one out at all.  At this point I suspect it's to do with
the registry handles leaks.
 
A Farbar run yields the following:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:14-12-2015
Ran by Michael (2015-12-15 21:04:51)
Running from C:\AdwCleaner\FRST-OlderVersion
Windows 7 Home Premium Service Pack 1 (X64) (2013-01-09 18:45:25)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3401309329-141017374-686467349-500 - Administrator - Disabled)
Guest (S-1-5-21-3401309329-141017374-686467349-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3401309329-141017374-686467349-1002 - Limited - Enabled)
Michael (S-1-5-21-3401309329-141017374-686467349-1001 - Administrator - Enabled) => C:\Users\TEMP.STANLEY.003
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
802.11n Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 3.01.18.0 - Ralink)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20079 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19120 - Adobe Systems Incorporated)
Adobe Flash Player 20 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.235 - Adobe Systems Incorporated)
Adobe Flash Player 20 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Agatha Christie - Peril at End House (x32 Version: 2.2.0.95 - WildTangent) Hidden
AuthenTec TrueAPI (Version: 1.3.0.116 - AuthenTec, Inc.) Hidden
Avery Wizard 4.0 (HKLM-x32\...\{7196E6BD-4B65-43F9-9D30-73A8E58D0E84}) (Version: 4.0.103 - Avery)
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blasterball 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blio (HKLM-x32\...\{9368DDD5-CE7F-4BD7-A83A-F00FABE338EC}) (Version: 2.2.6699 - K-NFB Reading Technology, Inc.)
Bounce Symphony (x32 Version: 2.2.0.97 - WildTangent) Hidden
Cake Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chronicles of Albian (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Farm Frenzy (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.1.1.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
HP LinkUp (HKLM-x32\...\{DB3147AB-4024-4773-8EC0-A1FE5B44933D}) (Version: 2.01.028 - Hewlett-Packard)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard Company)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{D35B72B6-F0E4-462B-BDEB-E08032B3B681}) (Version: 8.7.4747.3786 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13880.3792 - Hewlett-Packard Company)
HP SimplePass PE 2011 (HKLM-x32\...\{00FF4EB6-6AAC-4E9D-A60A-8F388691BB27}) (Version: 5.3.0.194 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{34681D92-5958-406A-A654-1B57E7A7B3DC}) (Version: 6.0.4.1 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{DE77FE3F-A33D-499A-87AD-5FC406617B40}) (Version: 5.002.003.003 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.9.0.0 - Hewlett-Packard)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2291 - Intel Corporation)
Jewel Quest: The Sleepless Star - Collector's Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kobo (HKLM-x32\...\Kobo) (Version: 1.6 - Kobo Inc.)
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3925 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.3925 - CyberLink Corp.) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Mathematics (HKLM-x32\...\{4D090F70-6F08-4B60-9357-A1DFD4458F09}) (Version: 4.0 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.1.10329.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Firefox 42.0 (x86 en-US) (HKU\TS_KeyLodaded\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
Mozilla Thunderbird 38.4.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 38.4.0 (x86 en-US)) (Version: 38.4.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.97 - WildTangent) Hidden
Namco All-Stars: PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
Opera 12.17 (HKLM-x32\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
Opera Stable 33.0.1990.115 (HKLM-x32\...\Opera 33.0.1990.115) (Version: 33.0.1990.115 - Opera Software)
Opera Stable 34.0.2036.31 (HKLM-x32\...\Opera 34.0.2036.31) (Version: 34.0.2036.31 - Opera Software)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.54 - PDF Complete, Inc)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.5331 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.5331 - CyberLink Corp.) Hidden
PressReader (HKLM-x32\...\{912CED74-88D3-4C5B-ACB0-132318649765}) (Version: 5.10.1217.0 -  NewspaperDirect Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6378 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.4222 - CyberLink Corp.) Hidden
Remote Graphics Receiver (HKLM-x32\...\{16FC3056-90C0-4757-8A68-64D8DA846ADA}) (Version: 5.4.5 - Hewlett-Packard)
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
Slingo Supreme (x32 Version: 2.2.0.97 - WildTangent) Hidden
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2014 (HKLM-x32\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest - The Hawaiian Islands (x32 Version: 2.2.0.97 - WildTangent) Hidden
VIP Access SDK (1.0.1.4)  (HKLM-x32\...\VIP Access SDK) (Version: 1.0.1.4 - Symantec Inc.)
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
WildTangent Games App (HP Games) (x32 Version: 4.0.5.2 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Wizard101 (HKLM-x32\...\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}) (Version: 1.0.0 - KingsIsle Entertainment, Inc.)
Zinio Reader 4 (HKLM-x32\...\ZinioReader4) (Version: 4.2.4164 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.2.4164 - Zinio LLC) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
11-12-2015 05:10:58 Windows Update
11-12-2015 14:22:14 Restore Operation
11-12-2015 22:32:14 Windows Backup
12-12-2015 03:58:39 Windows Update
12-12-2015 21:58:41 Installed SES Driver
13-12-2015 22:39:19 Restore Operation
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {217670BF-600A-45CF-89EE-5FE1CC2F9669} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe [2011-06-08] (Hewlett-Packard)
Task: {27018909-47D9-434E-BF89-39642EAE1AED} - System32\Tasks\Opera scheduled Autoupdate 1393787718 => C:\Program Files (x86)\Opera\launcher.exe [2015-12-09] (Opera Software)
Task: {28CD8656-9AF6-4FF2-A503-DB92FF9CA744} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {A36FD2DF-37F6-4604-930C-53B4EF39CBB3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-06-09] (Hewlett-Packard Company)
Task: {A4F4CDAD-26FC-479F-8706-3CCFB25189CB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-06-09] (Hewlett-Packard Company)
Task: {C07B252F-58C9-4F19-9E6A-35B95CC61D39} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {C1AA2E0E-0F1C-4EEE-8F51-C3FD5344A9EA} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Total Care Tune-Up => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPTuneUp.exe [2011-03-22] (Hewlett-Packard Company)
Task: {FA4CA98A-C82A-47F4-A5B3-5BA6B7F9D5CC} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe [2011-06-09] (Hewlett-Packard Company)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
ShortcutWithArgument: C:\Users\TEMP.STANLEY.003\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\HP Download Store.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://redirect.hp.com/svs/rdr?locale=en_us&bd=all&tp=onlinesvs&pf=cndt&s=hp_softwarestore&c=114&TYPE=4 <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Discover HP webOS.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://redirect.hp.com/svs/rdr?locale=en_us&bd=pavilion&c=none&pf=cndt&s=hp_palm&tp=dticon_webOS&TYPE=4 <==== ATTENTION
ShortcutWithArgument: C:\Users\Public\Desktop\Snapfish.lnk -> C:\Program Files (x86)\Hewlett-Packard\Shared\WizLink.exe () -> hxxp://www.snapfish.com/hp_desktop_desktopicon_2011_us <==== ATTENTION
 
==================== Loaded Modules (Whitelisted) ==============
 
2013-01-09 22:02 - 2012-08-31 15:03 - 00288768 _____ () C:\Windows\System32\HP1100LM.DLL
2013-01-09 22:02 - 2012-08-31 15:02 - 00074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2013-01-09 22:02 - 2012-08-31 15:03 - 03034112 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\hp1100su.dll
2013-01-09 22:02 - 2012-08-31 15:02 - 01038336 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\HP1100GC.dll
2011-06-22 22:14 - 2011-06-22 22:14 - 00451880 _____ () C:\Program Files (x86)\Hewlett-Packard\Recovery\Protect.dll
2011-09-02 17:00 - 2011-01-27 12:11 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2015-12-14 01:25 - 2015-12-09 10:11 - 61564536 _____ () C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.dll
2015-12-14 01:25 - 2015-12-09 10:11 - 01983096 _____ () C:\Program Files (x86)\Opera\34.0.2036.31_1\libglesv2.dll
2015-12-14 01:25 - 2015-12-09 10:11 - 00081528 _____ () C:\Program Files (x86)\Opera\34.0.2036.31_1\libegl.dll
2015-12-14 04:05 - 2015-12-14 04:05 - 16573120 _____ () C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer32_20_0_0_228.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE restricted site: HKU\TS_KeyLodaded\...\inbrowsersettings.com -> inbrowsersettings.com
IE restricted site: HKU\TS_KeyLodaded\...\livejasmin.com -> livejasmin.com
IE restricted site: HKU\TS_KeyLodaded\...\seekbooks.com -> hxxp://www.seekbooks.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3401309329-141017374-686467349-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\TEMP.STANLEY.003\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\TS_KeyLodaded\Control Panel\Desktop\\Wallpaper -> C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 71.10.216.1 - 71.10.216.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{1CFE60D3-6AC1-4D44-84A1-E39E6597CA12}] => (Allow) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe
FirewallRules: [{4C66D4C7-79CD-4147-AC8A-E4E95D0F758E}] => (Allow) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe
FirewallRules: [{25BCBF4B-1325-4EA6-8CE1-6B6AA33D17A1}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{15E76C3C-89FF-4E34-89C7-A35E45D013E6}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{39F9F0E5-10E6-4F3E-A2E0-E32D2D2157FF}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Remote Graphics Receiver\rgreceiver.exe
FirewallRules: [{657C336D-0703-4F28-8244-5AA070C1DCD4}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Remote Graphics Receiver\rgreceiver.exe
FirewallRules: [{F49B160A-48EE-4AE9-9344-AD39B0A0D2AB}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP LinkUp\HP LinkUp Viewer.exe
FirewallRules: [{7CFAEFFB-6E76-4BA8-8963-323F85067120}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP LinkUp\HP LinkUp Viewer.exe
FirewallRules: [{6544B564-518B-4D86-94E9-E5714BBC1540}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{175F617A-E440-49E7-B4CE-5D4161657078}] => (Allow) LPort=2869
FirewallRules: [{F5AC0E2B-2FD8-42AA-8999-40A247D75212}] => (Allow) LPort=1900
FirewallRules: [{017BC506-409F-4534-9A45-FF0C9F4D2620}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{0D430450-0552-47A4-92C9-172A28976AF9}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{FE4FCFA5-8D04-4069-9A75-65022362C1CD}] => (Allow) C:\Program Files (x86)\Opera\opera.exe
FirewallRules: [{CEA4059B-4AB1-4C41-B859-4C0111BE5DE7}] => (Allow) C:\Program Files (x86)\Opera\opera.exe
FirewallRules: [{BBA37AA9-090A-4FFB-8E52-95B099265041}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{37DD69B2-F4A2-414B-9C0B-612068ECC150}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{58686881-FE4D-4D9E-86F6-F1538246F399}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{0CEF5DD6-4CE8-431D-B099-77C412735A52}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{9CB0AD6C-A159-4B11-BC88-9C00048C9AE1}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{340B891F-92E5-44D7-BFD0-5B5839A2384C}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{F9707E72-E1F5-4686-B412-CF990793491D}] => (Allow) C:\Program Files (x86)\baidu\Baidu Browser\Spark.exe
FirewallRules: [{DD887E53-CBE9-4320-8370-9F761786509F}] => (Allow) C:\Program Files (x86)\baidu\Baidu Browser\Spark.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/15/2015 08:28:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Faulting module name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Exception code: 0xc0000417
Fault offset: 0x0001280a
Faulting process id: 0x344
Faulting application start time: 0xTrueSuiteService.exe0
Faulting application path: TrueSuiteService.exe1
Faulting module path: TrueSuiteService.exe2
Report Id: TrueSuiteService.exe3
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: STANLEY)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: STANLEY)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: STANLEY)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\Michael\ntuser.dat
 
Error: (12/15/2015 08:06:36 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding; Description = Configured Microsoft Office Home and Student 2010; Error = 0x8007043c).
 
Error: (12/15/2015 08:05:41 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding; Description = Configured Microsoft Office Home and Student 2010; Error = 0x8007043c).
 
Error: (12/15/2015 10:18:36 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Faulting module name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Exception code: 0xc0000417
Fault offset: 0x0001280a
Faulting process id: 0x33c
Faulting application start time: 0xTrueSuiteService.exe0
Faulting application path: TrueSuiteService.exe1
Faulting module path: TrueSuiteService.exe2
Report Id: TrueSuiteService.exe3
 
Error: (12/15/2015 10:18:28 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: STANLEY)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
Error: (12/15/2015 10:18:28 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: STANLEY)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
 
 
System errors:
=============
Error: (12/15/2015 08:54:14 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/15/2015 08:28:49 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The TrueSuiteService service terminated unexpectedly.  It has done this 1 time(s).
 
Error: (12/15/2015 08:27:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/15/2015 08:27:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/15/2015 08:27:42 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/15/2015 08:22:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/15/2015 08:22:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/15/2015 08:22:56 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/15/2015 08:20:34 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
Error: (12/15/2015 08:20:34 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Computer Browser service depends on the Server service which failed to start because of the following error: 
%%1068
 
 
CodeIntegrity:
===================================
  Date: 2015-12-13 21:23:19.647
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-12-13 21:23:19.647
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-12-12 21:34:53.078
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-12-12 21:34:53.078
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-2130 CPU @ 3.40GHz
Percentage of memory in use: 34%
Total physical RAM: 8098.52 MB
Available physical RAM: 5303.67 MB
Total Virtual: 16195.22 MB
Available Virtual: 13153.87 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:1385.49 GB) (Free:1261.91 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (HP_RECOVERY) (Fixed) (Total:11.68 GB) (Free:1.39 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive j: (TOSHIBA EXT) (Fixed) (Total:931.51 GB) (Free:107.56 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 8D579A26)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1385.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11.7 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 609756FA)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================


Edited by hamluis, 16 December 2015 - 09:44 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,801 posts

Posted 16 December 2015 - 09:28 PM

Greetings 337stat and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow this Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

I would like to review a full FRST report. What you posted is only Addition.txt. Please delete the current FRST.exe from your computer then do this.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 337stat

337stat
  • Topic Starter

  • Members
  • 39 posts

Posted 17 December 2015 - 07:09 PM

Gary,

 

You have my patience and my gratitude.  I know this will take time.  I know resources are limited.

 

Where I will not intentionally run things to impact this process, it's possible you will ask me for something to make me go between safe mode and normal mode here, which seems to have its own impacts on things for now.

 

I'm in normal startup mode at the moment, and results may reflect that.

 

If you see *anything* incorrect or incomplete in my replies, please tell me and I'll do all I can to make things right.  For the moment, instructions seem crystal clear and I'm attempting to give you complete and accurate responses in all regards.

 

I can't get to my e-mail without a toggle back to safe mode here.  I'm in normal startup mode for now, and e-mail may not work for me...I've read your ground rules with some care, and want to be sure up front to mention this, as I hope it's not going to cause a problem.  I'll still do the "Follow This Topic" step momentarily.

 

I will attach the Summary folder here, but there seems to be a "Choose Files..." button rather than a Browse.  It seemed to work as I would have expected.  Please tell me if it is an issue.

 

Sorry to have somehow confused the FRST outputs...actually thought I'd copied one to the bottom of the other in a file to copy them both in.  But, have now deleted FRST from my system, downloaded a fresh copy, and have run again, with the following results:

 

=============> FRST

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-12-2015
Ran by Michael (administrator) on STANLEY (16-12-2015 21:50:25)
Running from C:\AdwCleaner
Loaded Profiles: Michael (Available Profiles: Michael)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: Opera)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
(HP) C:\Windows\System32\HPSIsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Services\IPT\jhi_service.exe
(HP) C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera_crashreporter.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Adobe Systems Incorporated) C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_20_0_0_228_ActiveX.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
(Opera Software) C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [658424 2011-05-05] (PDF Complete Inc)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\TS_KeyLodaded\...\MountPoints2: {2879b8ca-5a9c-11e2-bd0e-806e6f6e6963} - E:\setup.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 71.10.216.1 71.10.216.2 192.168.1.1
Tcpip\..\Interfaces\{09930399-2AAB-4AC8-A969-E1D954324492}: [DhcpNameServer] 71.10.216.1 71.10.216.2 192.168.1.1
Tcpip\..\Interfaces\{1568F502-BFA3-4538-A6FB-8F7E135124A8}: [DhcpNameServer] 71.10.216.1 71.10.216.2 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK/1
HKU\S-1-5-21-3401309329-141017374-686467349-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK/1
HKU\S-1-5-21-3401309329-141017374-686467349-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK/1
HKU\TS_KeyLodaded\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.blackle.com/
HKU\TS_KeyLodaded\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK/1
SearchScopes: HKLM -> {3B8401CE-773E-48A7-BE19-7AC34659A2A1} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> {3B8401CE-773E-48A7-BE19-7AC34659A2A1} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> {3B8401CE-773E-48A7-BE19-7AC34659A2A1} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\TS_KeyLodaded -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\TS_KeyLodaded -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\TS_KeyLodaded -> {3B8401CE-773E-48A7-BE19-7AC34659A2A1} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\TS_KeyLodaded -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
BHO: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\x64\IEBHO.dll [2011-06-09] (HP)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: TrueSuite Website Log On -> {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} -> C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll [2011-06-09] (HP)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
Toolbar: HKU\TS_KeyLodaded -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_20_0_0_235.dll [2015-12-14] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_235.dll [2015-12-14] ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll [2012-03-29] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2010-12-07] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Extension: TrueSuite Website Logon - C:\Program Files (x86)\Mozilla Firefox\extensions\websitelogon@truesuite.com [2015-12-15] [not signed]
 
Chrome: 
=======
CHR HKLM-x32\...\Chrome\Extension: [jpgfhihjicjofdejkbjgnjlaglaciobe] - C:\Program Files (x86)\HP SimplePass 2011\tschrome.crx [2011-06-03]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R2 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2015-12-16] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
R3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [19968 2012-11-07] (Marvell Semiconductor, Inc.)
S3 pmxdrv; C:\Windows\system32\drivers\pmxdrv.sys [31152 2011-09-02] ()
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-11-13] ()
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-16 21:48 - 2015-12-16 21:48 - 02370048 _____ (Farbar) C:\Users\TEMP.STANLEY.003\Desktop\FRST64 (2).exe
2015-12-16 21:47 - 2015-12-16 21:47 - 02370048 _____ (Farbar) C:\Users\TEMP.STANLEY.003\Downloads\FRST64.exe
2015-12-16 21:47 - 2015-12-16 21:47 - 02370048 _____ (Farbar) C:\Users\TEMP.STANLEY.003\Downloads\FRST64 (1).exe
2015-12-15 22:18 - 2015-12-15 22:18 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Roaming\Adobe
2015-12-15 21:02 - 2015-12-15 21:02 - 00088704 _____ C:\Users\TEMP.STANLEY.003\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-15 20:45 - 2015-12-15 22:33 - 00036700 _____ C:\Users\TEMP.STANLEY.003\Documents\20151215a.txt
2015-12-15 20:30 - 2015-12-15 20:30 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Roaming\Opera Software
2015-12-15 20:30 - 2015-12-15 20:30 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Local\Opera Software
2015-12-15 20:29 - 2015-12-16 21:22 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{FBB37489-D6AC-4FBD-B642-79FA8A580537}
2015-12-15 20:29 - 2015-12-16 11:07 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Local\PDFC
2015-12-15 20:29 - 2015-12-15 20:29 - 00001445 _____ C:\Users\TEMP.STANLEY.003\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-12-15 20:29 - 2015-12-15 20:29 - 00001411 _____ C:\Users\TEMP.STANLEY.003\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2015-12-15 20:29 - 2015-12-15 20:29 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Roaming\Symantec
2015-12-15 20:29 - 2015-12-15 20:29 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\LocalLow\AuthenTec
2015-12-15 20:29 - 2015-12-15 20:29 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Local\AuthenTec
2015-12-15 20:28 - 2015-12-15 20:29 - 00000000 ____D C:\Users\TEMP.STANLEY.003
2015-12-15 20:28 - 2015-12-15 20:28 - 00000020 ___SH C:\Users\TEMP.STANLEY.003\ntuser.ini
2015-12-15 20:28 - 2015-12-15 20:28 - 00000000 _SHDL C:\Users\TEMP.STANLEY.003\My Documents
2015-12-15 20:28 - 2015-12-15 20:28 - 00000000 _SHDL C:\Users\TEMP.STANLEY.003\Documents\My Videos
2015-12-15 20:28 - 2015-12-15 20:28 - 00000000 _SHDL C:\Users\TEMP.STANLEY.003\Documents\My Pictures
2015-12-15 20:28 - 2015-12-15 20:28 - 00000000 _SHDL C:\Users\TEMP.STANLEY.003\Documents\My Music
2015-12-15 20:28 - 2015-12-15 20:28 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Local\VirtualStore
2015-12-15 20:28 - 2013-01-11 03:05 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Local\Microsoft Help
2015-12-15 20:28 - 2011-09-02 17:16 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Roaming\Macromedia
2015-12-15 20:28 - 2010-11-21 02:16 - 00000000 ____D C:\Users\TEMP.STANLEY.003\AppData\Roaming\Media Center Programs
2015-12-15 20:26 - 2015-12-15 20:26 - 00000832 _____ C:\20151215a.txt
2015-12-15 20:18 - 2015-12-15 20:18 - 00088704 _____ C:\Users\Michael\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-15 10:20 - 2015-12-15 10:20 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{09016904-E67C-4F38-B249-7AE39625A55E}
2015-12-14 20:21 - 2015-12-15 05:26 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{C5943E56-09F3-4EF0-9474-5B2FA6852B5A}
2015-12-14 14:51 - 2015-12-15 10:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2015-12-14 01:28 - 2015-12-14 01:28 - 00000000 ____D C:\Program Files (x86)\ACDSee32
2015-12-14 01:27 - 2015-12-14 01:27 - 00000000 ____D C:\ACDSee32v2.4
2015-12-14 01:22 - 2015-12-14 01:22 - 00000000 ____D C:\ProfileIssue
2015-12-14 01:20 - 2015-12-14 05:49 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{D9A3828C-C382-4055-88F1-9F448A46712B}
2015-12-14 01:17 - 2015-12-14 10:09 - 00000000 ____D C:\Users\TEMP.STANLEY.002
2015-12-13 21:23 - 2015-12-13 22:40 - 00000000 ____D C:\Users\TEMP.STANLEY.001
2015-12-13 18:59 - 2015-12-13 18:59 - 00000000 ____D C:\Users\Michael 2015\AppData\Roaming\hewlett-packard
2015-12-13 18:50 - 2015-12-13 18:50 - 00000000 ____D C:\Users\Michael 2015\AppData\Roaming\Opera Software
2015-12-13 18:50 - 2015-12-13 18:50 - 00000000 ____D C:\Users\Michael 2015\AppData\Local\Opera Software
2015-12-13 17:21 - 2015-12-13 17:21 - 00000000 ____D C:\Users\Michael 2015\AppData\Local\PDFC
2015-12-13 16:18 - 2015-12-14 02:34 - 00000000 ____D C:\Users\Michael 2015\Documents\Malwarebytes  Online Store_files
2015-12-13 16:18 - 2015-12-13 16:18 - 00000000 ____D C:\Users\Michael 2015\hpremote
2015-12-13 16:18 - 2015-12-13 16:18 - 00000000 ____D C:\Users\Michael 2015\Downloads\media
2015-12-13 16:18 - 2015-12-13 16:18 - 00000000 ____D C:\Users\Michael 2015\Downloads\images
2015-12-13 16:18 - 2015-12-13 16:18 - 00000000 ____D C:\Users\Michael 2015\Documents\TurboTax
2015-12-13 16:18 - 2015-12-13 16:18 - 00000000 ____D C:\Users\Michael 2015\Documents\ANNIES
2015-12-13 16:18 - 2015-12-13 16:18 - 00000000 ____D C:\Users\Michael 2015\Desktop\Old Firefox Data
2015-12-13 16:18 - 2015-12-13 16:18 - 00000000 ____D C:\Users\Michael 2015\Desktop\images
2015-12-13 16:18 - 2015-11-13 15:19 - 00007062 _____ C:\Users\Michael 2015\Downloads\fixlist.txt
2015-12-13 16:18 - 2015-11-13 15:17 - 00019763 _____ C:\Users\Michael 2015\Downloads\FRST.txt
2015-12-13 16:18 - 2015-11-13 11:59 - 00033835 _____ C:\Users\Michael 2015\Downloads\Addition.txt
2015-12-13 16:18 - 2015-11-13 11:54 - 02198528 _____ C:\Users\Michael 2015\Downloads\FRST64.exe.downloading
2015-12-13 16:18 - 2015-10-01 12:32 - 00660924 _____ C:\Users\Michael 2015\Downloads\VTR-262 (2).pdf
2015-12-13 16:18 - 2015-10-01 12:28 - 00660924 _____ C:\Users\Michael 2015\Downloads\VTR-262 (1).pdf
2015-12-13 16:18 - 2015-09-30 20:27 - 00660924 _____ C:\Users\Michael 2015\Downloads\VTR-262.pdf
2015-12-13 16:18 - 2015-06-05 00:30 - 05490769 _____ C:\Users\Michael 2015\Downloads\bb_futafan_previewclip.wmv
2015-12-13 16:18 - 2015-03-16 16:50 - 262264332 _____ C:\Users\Michael 2015\Downloads\UT Catalog 2015.03.12.pdf
2015-12-13 16:18 - 2015-03-14 11:34 - 00098545 _____ C:\Users\Michael 2015\Downloads\WBSkills.bmp
2015-12-13 16:18 - 2015-03-14 11:33 - 00227280 _____ C:\Users\Michael 2015\Downloads\Slyph (2).bmp
2015-12-13 16:18 - 2015-03-14 11:33 - 00227280 _____ C:\Users\Michael 2015\Downloads\Slyph (1).bmp
2015-12-13 16:18 - 2015-03-14 11:31 - 00227280 _____ C:\Users\Michael 2015\Downloads\Slyph.bmp
2015-12-13 16:18 - 2015-03-04 15:01 - 00056690 _____ C:\Users\Michael 2015\Downloads\b1a352f1-5928-4bcd-b180-ff8b7d854f4f (1).xlsx
2015-12-13 16:18 - 2015-03-04 15:00 - 00056690 _____ C:\Users\Michael 2015\Downloads\b1a352f1-5928-4bcd-b180-ff8b7d854f4f.xlsx
2015-12-13 16:18 - 2015-01-17 22:30 - 14193921 _____ C:\Users\Michael 2015\Downloads\flashplayer16_debug_mac_ppapi.dmg
2015-12-13 16:18 - 2015-01-01 22:36 - 00000327 _____ C:\Users\Michael 2015\Downloads\NewCityScript.txt
2015-12-13 16:18 - 2015-01-01 22:36 - 00000168 _____ C:\Users\Michael 2015\Downloads\NewCityGoals.txt
2015-12-13 16:18 - 2014-12-22 12:33 - 00000231 _____ C:\Users\Michael 2015\Downloads\For Windows Double Click Me.zip
2015-12-13 16:18 - 2014-12-14 18:51 - 06991170 _____ C:\Users\Michael 2015\Downloads\Label-319248992.pdf
2015-12-13 16:18 - 2014-11-19 13:42 - 00413352 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.11.18+(FM)+.xlsx
2015-12-13 16:18 - 2014-11-19 13:42 - 00413352 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.11.18+(FM)+ (3).xlsx
2015-12-13 16:18 - 2014-11-19 13:42 - 00413352 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.11.18+(FM)+ (2).xlsx
2015-12-13 16:18 - 2014-11-19 13:42 - 00413352 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.11.18+(FM)+ (1).xlsx
2015-12-13 16:18 - 2014-11-10 15:26 - 00105943 _____ C:\Users\Michael 2015\Downloads\gift-of-the-futanari-goddess-pt-1.pdf
2015-12-13 16:18 - 2014-10-20 18:01 - 01399279 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (37).pdf
2015-12-13 16:18 - 2014-10-14 21:37 - 02797215 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (36).pdf
2015-12-13 16:18 - 2014-09-17 18:46 - 00869612 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.09.17+(FM).xlsx
2015-12-13 16:18 - 2014-09-17 18:44 - 00681551 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.09.17+(FM) (1).pdf
2015-12-13 16:18 - 2014-09-17 18:31 - 00681551 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.09.17+(FM).pdf
2015-12-13 16:18 - 2014-08-31 14:55 - 00616153 _____ C:\Users\Michael 2015\Downloads\UT_Customer+InStock+2014.08.26+(DT).pdf
2015-12-13 16:18 - 2014-08-30 17:46 - 00435267 _____ C:\Users\Michael 2015\Downloads\The Genie (1).pdf
2015-12-13 16:18 - 2014-08-30 17:37 - 00435267 _____ C:\Users\Michael 2015\Downloads\The Genie.pdf
2015-12-13 16:18 - 2014-08-29 20:25 - 01398949 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (35).pdf
2015-12-13 16:18 - 2014-08-19 23:52 - 00024195 _____ C:\Users\Michael 2015\Documents\Malwarebytes  Online Store.htm
2015-12-13 16:18 - 2014-08-18 16:51 - 00002382 _____ C:\Users\Michael 2015\Downloads\fixlist (1).txt
2015-12-13 16:18 - 2014-08-17 14:33 - 00010043 _____ C:\Users\Michael 2015\Desktop\attach.txt
2015-12-13 16:18 - 2014-08-10 15:54 - 01398962 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (34).pdf
2015-12-13 16:18 - 2014-08-04 22:03 - 00000029 _____ C:\Users\Michael 2015\Documents\AVG_Free_License_NUMBER.txt
2015-12-13 16:18 - 2014-07-31 10:21 - 04210120 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (33).pdf
2015-12-13 16:18 - 2014-07-27 15:17 - 01398925 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (32).pdf
2015-12-13 16:18 - 2014-07-27 15:17 - 01398925 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (31).pdf
2015-12-13 16:18 - 2014-07-22 15:23 - 01398883 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (30).pdf
2015-12-13 16:18 - 2014-07-14 23:53 - 01399000 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (29).pdf
2015-12-13 16:18 - 2014-07-14 23:49 - 01399404 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (28).pdf
2015-12-13 16:18 - 2014-07-14 16:40 - 01028650 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (27).pdf
2015-12-13 16:18 - 2014-07-14 00:27 - 01398972 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (26).pdf
2015-12-13 16:18 - 2014-07-14 00:26 - 01398972 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (25).pdf
2015-12-13 16:18 - 2014-07-10 16:44 - 01399359 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (24).pdf
2015-12-13 16:18 - 2014-07-10 10:15 - 01398889 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (23).pdf
2015-12-13 16:18 - 2014-07-06 21:44 - 01398993 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (22).pdf
2015-12-13 16:18 - 2014-04-15 17:30 - 01502643 _____ C:\Users\Michael 2015\Downloads\WarReport.swf
2015-12-13 16:18 - 2014-04-08 13:38 - 02797080 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (21).pdf
2015-12-13 16:18 - 2014-04-08 13:33 - 01399320 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (20).pdf
2015-12-13 16:18 - 2014-04-06 22:03 - 01693546 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (19).pdf
2015-12-13 16:18 - 2014-04-05 16:44 - 01399284 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (18).pdf
2015-12-13 16:18 - 2014-04-05 15:30 - 01693933 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (17).pdf
2015-12-13 16:18 - 2014-04-04 21:29 - 01398970 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (16).pdf
2015-12-13 16:18 - 2014-04-04 18:36 - 01398975 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (15).pdf
2015-12-13 16:18 - 2014-04-04 18:06 - 01399337 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (14).pdf
2015-12-13 16:18 - 2014-04-03 15:11 - 01693513 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (13).pdf
2015-12-13 16:18 - 2014-03-29 00:41 - 01398988 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (12).pdf
2015-12-13 16:18 - 2014-03-28 22:46 - 01398994 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (11).pdf
2015-12-13 16:18 - 2014-03-24 00:12 - 01399002 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (10).pdf
2015-12-13 16:18 - 2014-03-24 00:06 - 01400277 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (9).pdf
2015-12-13 16:18 - 2014-03-24 00:01 - 01399761 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (8).pdf
2015-12-13 16:18 - 2014-03-24 00:01 - 01399761 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (7).pdf
2015-12-13 16:18 - 2014-03-20 17:21 - 01040848 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (6).pdf
2015-12-13 16:18 - 2014-03-19 18:00 - 11207005 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (5).pdf
2015-12-13 16:18 - 2014-03-19 14:37 - 01399333 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (4).pdf
2015-12-13 16:18 - 2014-03-19 10:25 - 04211034 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (3).pdf
2015-12-13 16:18 - 2014-03-13 20:19 - 04211315 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (2).pdf
2015-12-13 16:18 - 2014-03-06 19:50 - 01398631 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction.pdf
2015-12-13 16:18 - 2014-03-06 19:50 - 01398631 _____ C:\Users\Michael 2015\Downloads\LabelDownloadAction (1).pdf
2015-12-13 16:18 - 2013-07-11 03:31 - 01502643 _____ C:\Users\Michael 2015\Desktop\WarReport.swf
2015-12-13 16:18 - 2013-03-11 22:18 - 00703083 _____ C:\Users\Michael 2015\Downloads\Label-258197677-390106844.pdf
2015-12-13 16:18 - 2013-03-11 22:18 - 00703083 _____ C:\Users\Michael 2015\Downloads\Label-258197677-390106844(1).pdf
2015-12-13 16:18 - 2013-03-11 21:32 - 02106663 _____ C:\Users\Michael 2015\Downloads\Label-258195895-390103338.pdf
2015-12-13 16:18 - 2013-03-11 06:30 - 01828675 _____ C:\Users\Michael 2015\Downloads\Label-258068418-389890185.pdf
2015-12-13 16:18 - 2013-01-09 14:04 - 00000248 _____ C:\Users\Michael 2015\Desktop\Filefirefox.exe.URL
2015-12-13 16:16 - 2015-12-14 02:34 - 00000000 ____D C:\Users\Michael 2015
2015-12-13 16:16 - 2015-12-13 16:16 - 00000000 _SHDL C:\Users\Michael 2015\My Documents
2015-12-13 16:16 - 2013-01-11 03:05 - 00000000 ____D C:\Users\Michael 2015\AppData\Local\Microsoft Help
2015-12-13 16:16 - 2011-09-02 17:16 - 00000000 ____D C:\Users\Michael 2015\AppData\Roaming\Macromedia
2015-12-13 16:16 - 2010-11-21 02:16 - 00000000 ____D C:\Users\Michael 2015\AppData\Roaming\Media Center Programs
2015-12-13 13:50 - 2015-12-13 13:50 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Western Digital
2015-12-12 21:44 - 2015-12-14 02:34 - 00000000 ____D C:\ProgramData\Package Cache
2015-12-12 21:44 - 2015-12-14 02:34 - 00000000 ____D C:\Program Files (x86)\Western Digital
2015-12-12 21:44 - 2015-12-12 21:44 - 00000000 ____D C:\ProgramData\Western Digital
2015-12-11 22:20 - 2015-12-13 13:42 - 00000000 ____D C:\Users\TEMP.STANLEY.000
2015-12-11 22:02 - 2015-12-15 20:27 - 00000000 ____D C:\Windows\pss
2015-12-11 16:24 - 2015-12-11 16:24 - 00088704 _____ C:\Users\TEMP.STANLEY\AppData\Local\GDIPFONTCACHEV1.DAT
2015-12-11 16:12 - 2015-12-11 16:12 - 00000000 ____D C:\Users\TEMP.STANLEY\AppData\Roaming\Symantec
2015-12-11 16:12 - 2015-12-11 16:12 - 00000000 ____D C:\Users\TEMP.STANLEY\AppData\LocalLow\AuthenTec
2015-12-11 16:12 - 2015-12-11 16:12 - 00000000 ____D C:\Users\TEMP.STANLEY\AppData\Local\PDFC
2015-12-11 16:11 - 2015-12-12 01:12 - 00000000 ____D C:\Users\TEMP.STANLEY
2015-12-11 16:11 - 2015-12-11 16:11 - 00000000 _SHDL C:\Users\TEMP.STANLEY\My Documents
2015-12-11 16:11 - 2015-12-11 16:11 - 00000000 _SHDL C:\Users\TEMP.STANLEY\Documents\My Videos
2015-12-11 16:11 - 2015-12-11 16:11 - 00000000 _SHDL C:\Users\TEMP.STANLEY\Documents\My Pictures
2015-12-11 16:11 - 2015-12-11 16:11 - 00000000 _SHDL C:\Users\TEMP.STANLEY\Documents\My Music
2015-12-11 16:11 - 2015-12-11 16:11 - 00000000 ____D C:\Users\TEMP.STANLEY\AppData\Local\VirtualStore
2015-12-11 16:11 - 2013-01-11 03:05 - 00000000 ____D C:\Users\TEMP.STANLEY\AppData\Local\Microsoft Help
2015-12-11 16:11 - 2011-09-02 17:16 - 00000000 ____D C:\Users\TEMP.STANLEY\AppData\Roaming\Macromedia
2015-12-11 16:11 - 2010-11-21 02:16 - 00000000 ____D C:\Users\TEMP.STANLEY\AppData\Roaming\Media Center Programs
2015-12-11 15:54 - 2015-12-11 15:54 - 00000000 ____D C:\Users\TEMP\AppData\Local\PDFC
2015-12-11 15:53 - 2015-12-12 01:12 - 00000000 ____D C:\Users\TEMP
2015-12-11 15:53 - 2015-12-11 15:53 - 00000000 _SHDL C:\Users\TEMP\My Documents
2015-12-11 15:53 - 2015-12-11 15:53 - 00000000 _SHDL C:\Users\TEMP\Documents\My Videos
2015-12-11 15:53 - 2015-12-11 15:53 - 00000000 _SHDL C:\Users\TEMP\Documents\My Pictures
2015-12-11 15:53 - 2015-12-11 15:53 - 00000000 _SHDL C:\Users\TEMP\Documents\My Music
2015-12-11 15:53 - 2015-12-11 15:53 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Symantec
2015-12-11 15:53 - 2015-12-11 15:53 - 00000000 ____D C:\Users\TEMP\AppData\LocalLow\AuthenTec
2015-12-11 15:53 - 2015-12-11 15:53 - 00000000 ____D C:\Users\TEMP\AppData\Local\VirtualStore
2015-12-11 15:53 - 2013-01-11 03:05 - 00000000 ____D C:\Users\TEMP\AppData\Local\Microsoft Help
2015-12-11 15:53 - 2011-09-02 17:16 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Macromedia
2015-12-11 15:53 - 2010-11-21 02:16 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Media Center Programs
2015-12-10 16:38 - 2015-12-10 16:38 - 00000000 ____D C:\Windows\System32\Tasks\Event Viewer Tasks
2015-12-08 14:24 - 2015-12-08 14:28 - 00000000 ____D C:\JMTGutters
2015-11-18 22:56 - 2015-12-14 02:34 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-12-16 21:50 - 2014-08-18 14:44 - 00000000 ____D C:\FRST
2015-12-16 21:49 - 2014-08-12 11:22 - 00000000 ____D C:\AdwCleaner
2015-12-16 21:38 - 2009-07-13 22:20 - 00000000 ____D C:\Windows
2015-12-16 21:33 - 2014-08-04 22:32 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-12-16 21:29 - 2011-09-02 17:21 - 00000000 ____D C:\ProgramData\truesuite
2015-12-16 21:05 - 2015-11-13 14:24 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-12-15 20:36 - 2009-07-13 23:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-12-15 20:36 - 2009-07-13 23:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-12-15 20:34 - 2009-07-14 00:13 - 00778834 _____ C:\Windows\system32\PerfStringBackup.INI
2015-12-15 20:34 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\inf
2015-12-15 20:28 - 2013-01-09 14:04 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-12-15 20:28 - 2011-09-02 17:17 - 00000000 ____D C:\ProgramData\PDFC
2015-12-15 20:28 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-12-15 20:06 - 2013-01-09 14:44 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-12-14 04:05 - 2015-11-13 14:24 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-12-14 04:05 - 2015-09-25 18:31 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-12-14 04:05 - 2015-09-25 18:31 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-12-14 02:35 - 2014-08-19 23:52 - 00000000 ____D C:\Users\Michael\Documents\Malwarebytes  Online Store_files
2015-12-14 02:35 - 2014-08-18 10:24 - 00000000 ____D C:\Users\Michael\AppData\LocalLow\NotifyDisk
2015-12-14 02:35 - 2014-03-09 19:32 - 00000000 ____D C:\Users\Michael\AppData\Roaming\Thunderbird
2015-12-14 02:35 - 2013-01-09 15:10 - 00000000 ____D C:\Windows\system32\Macromed
2015-12-14 02:35 - 2011-09-02 17:19 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live
2015-12-14 02:35 - 2011-09-02 17:19 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2015-12-14 02:35 - 2011-09-02 17:16 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eReaders and Document Viewers
2015-12-14 02:35 - 2011-09-02 17:15 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2015-12-14 02:35 - 2011-09-02 17:13 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Communication and Chat
2015-12-14 02:35 - 2011-09-02 17:11 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recovery Manager
2015-12-14 02:35 - 2011-09-02 17:09 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel
2015-12-14 02:35 - 2011-09-02 17:07 - 00000000 ___SD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PC Help & Tools
2015-12-14 02:35 - 2009-07-14 00:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-12-14 02:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\NDF
2015-12-14 02:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\system32\Msdtc
2015-12-14 02:35 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\AppCompat
2015-12-14 02:34 - 2015-04-10 15:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2014
2015-12-14 02:34 - 2014-08-05 04:28 - 00000000 ____D C:\Users\Michael\AppData\Local\browser_dir
2015-12-14 02:34 - 2014-08-04 22:32 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-12-14 02:34 - 2014-08-04 22:32 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-12-14 02:34 - 2014-03-30 11:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2013
2015-12-14 02:34 - 2014-02-08 00:20 - 00000000 ____D C:\Users\Michael\AppData\Local\Google
2015-12-14 02:34 - 2013-11-10 11:00 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KingsIsle Entertainment
2015-12-14 02:34 - 2013-10-03 16:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TurboTax 2012
2015-12-14 02:34 - 2013-01-09 15:40 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Online Services
2015-12-14 02:34 - 2013-01-09 14:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office
2015-12-14 02:34 - 2013-01-09 14:44 - 00000000 ____D C:\Users\Michael\AppData\Local\Microsoft Help
2015-12-14 02:34 - 2013-01-09 13:46 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services
2015-12-14 02:34 - 2013-01-09 13:46 - 00000000 ____D C:\Users\Michael\AppData\Local\Hewlett-Packard_Company
2015-12-14 02:34 - 2013-01-09 13:46 - 00000000 ____D C:\Users\Michael\AppData\Local\Hewlett-Packard
2015-12-14 02:34 - 2013-01-09 13:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP User Manuals
2015-12-14 02:34 - 2013-01-09 13:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Mathematics
2015-12-14 02:34 - 2011-09-02 17:17 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-12-14 02:34 - 2011-09-02 17:15 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Productivity and Tools
2015-12-14 02:34 - 2011-09-02 17:12 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Music, Photos and Videos
2015-12-14 02:34 - 2011-09-02 17:12 - 00000000 ____D C:\ProgramData\RoxioNow
2015-12-14 02:34 - 2011-09-02 17:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2015-12-14 02:32 - 2009-07-13 22:20 - 00000000 ____D C:\Windows\registration
2015-12-14 02:27 - 2014-08-04 22:32 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-12-14 02:27 - 2011-09-02 17:07 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2015-12-14 02:26 - 2013-01-09 14:10 - 00000000 ____D C:\Pics
2015-12-14 01:25 - 2014-06-03 11:03 - 00003838 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1393787718
2015-12-14 01:25 - 2014-03-02 14:15 - 00000000 ____D C:\Program Files (x86)\Opera
2015-12-14 01:17 - 2013-01-09 13:45 - 00000000 ____D C:\Users\Michael
2015-12-13 19:42 - 2013-01-23 17:39 - 00000000 ____D C:\business
2015-12-13 17:21 - 2015-02-19 16:18 - 00000000 ____D C:\Home - 10 Blaine
2015-12-09 15:14 - 2015-02-26 16:42 - 00000000 ____D C:\StVincentHospital
2015-12-08 22:07 - 2015-10-18 19:28 - 00000000 ____D C:\Estate2015
2015-12-03 19:00 - 2013-01-09 13:45 - 00000000 ____D C:\Users\Michael\AppData\LocalLow\AuthenTec
2015-11-29 11:30 - 2013-01-09 13:49 - 00003930 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{356DDD8A-8824-4B12-9E6A-E1A879240B73}
2015-11-28 10:52 - 2015-11-14 12:09 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
 
==================== Files in the root of some directories =======
 
2011-09-02 17:20 - 2011-06-09 18:44 - 0002792 _____ () C:\Program Files\HP SimplePass 2011
2013-10-03 16:41 - 2015-04-10 15:59 - 0000935 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
 
Some files in TEMP:
====================
C:\Users\Michael\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Michael\AppData\Local\Temp\FRST.exe
C:\Users\Michael\AppData\Local\Temp\FRST64.exe
C:\Users\Michael\AppData\Local\Temp\NEAT3260.exe
C:\Users\Michael\AppData\Local\Temp\RogueKiller.exe
C:\Users\Michael\AppData\Local\Temp\spark_install.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-12-10 22:55
 
==================== End of FRST.txt ============================
 
 
 
==========> Addition
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:17-12-2015
Ran by Michael (2015-12-16 21:50:44)
Running from C:\AdwCleaner
Windows 7 Home Premium Service Pack 1 (X64) (2013-01-09 18:45:25)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3401309329-141017374-686467349-500 - Administrator - Disabled)
Guest (S-1-5-21-3401309329-141017374-686467349-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3401309329-141017374-686467349-1002 - Limited - Enabled)
Michael (S-1-5-21-3401309329-141017374-686467349-1001 - Administrator - Enabled) => C:\Users\TEMP.STANLEY.003
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
802.11n Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 3.01.18.0 - Ralink)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.009.20079 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.6.0.19120 - Adobe Systems Incorporated)
Adobe Flash Player 20 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.235 - Adobe Systems Incorporated)
Adobe Flash Player 20 PPAPI (HKLM-x32\...\Adobe Flash Player PPAPI) (Version: 20.0.0.228 - Adobe Systems Incorporated)
Agatha Christie - Peril at End House (x32 Version: 2.2.0.95 - WildTangent) Hidden
AuthenTec TrueAPI (Version: 1.3.0.116 - AuthenTec, Inc.) Hidden
Avery Wizard 4.0 (HKLM-x32\...\{7196E6BD-4B65-43F9-9D30-73A8E58D0E84}) (Version: 4.0.103 - Avery)
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blasterball 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Blio (HKLM-x32\...\{9368DDD5-CE7F-4BD7-A83A-F00FABE338EC}) (Version: 2.2.6699 - K-NFB Reading Technology, Inc.)
Bounce Symphony (x32 Version: 2.2.0.97 - WildTangent) Hidden
Cake Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chronicles of Albian (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Farm Frenzy (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.1.1.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.5 - WildTangent)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version:  - )
HP LinkUp (HKLM-x32\...\{DB3147AB-4024-4773-8EC0-A1FE5B44933D}) (Version: 2.01.028 - Hewlett-Packard)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard Company)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{D35B72B6-F0E4-462B-BDEB-E08032B3B681}) (Version: 8.7.4747.3786 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13880.3792 - Hewlett-Packard Company)
HP SimplePass PE 2011 (HKLM-x32\...\{00FF4EB6-6AAC-4E9D-A60A-8F388691BB27}) (Version: 5.3.0.194 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{34681D92-5958-406A-A654-1B57E7A7B3DC}) (Version: 6.0.4.1 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{DE77FE3F-A33D-499A-87AD-5FC406617B40}) (Version: 5.002.003.003 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.9.0.0 - Hewlett-Packard)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Identity Protection Technology 1.1.2.0 (HKLM-x32\...\{C01A86F5-56E7-101F-9BC9-E3F1025EB779}) (Version: 1.1.2.0 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2291 - Intel Corporation)
Jewel Quest: The Sleepless Star - Collector's Edition (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kobo (HKLM-x32\...\Kobo) (Version: 1.6 - Kobo Inc.)
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3925 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.3925 - CyberLink Corp.) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Mathematics (HKLM-x32\...\{4D090F70-6F08-4B60-9357-A1DFD4458F09}) (Version: 4.0 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Home and Student 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.1.10329.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Firefox 42.0 (x86 en-US) (HKU\TS_KeyLodaded\...\Mozilla Firefox 42.0 (x86 en-US)) (Version: 42.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 42.0.0.5780 - Mozilla)
Mozilla Thunderbird 38.4.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 38.4.0 (x86 en-US)) (Version: 38.4.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery of Mortlake Mansion (x32 Version: 2.2.0.97 - WildTangent) Hidden
Namco All-Stars: PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
Opera 12.17 (HKLM-x32\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
Opera Stable 33.0.1990.115 (HKLM-x32\...\Opera 33.0.1990.115) (Version: 33.0.1990.115 - Opera Software)
Opera Stable 34.0.2036.31 (HKLM-x32\...\Opera 34.0.2036.31) (Version: 34.0.2036.31 - Opera Software)
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.54 - PDF Complete, Inc)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.5331 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.5331 - CyberLink Corp.) Hidden
PressReader (HKLM-x32\...\{912CED74-88D3-4C5B-ACB0-132318649765}) (Version: 5.10.1217.0 -  NewspaperDirect Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6378 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.4222 - CyberLink Corp.) Hidden
Remote Graphics Receiver (HKLM-x32\...\{16FC3056-90C0-4757-8A68-64D8DA846ADA}) (Version: 5.4.5 - Hewlett-Packard)
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
Slingo Supreme (x32 Version: 2.2.0.97 - WildTangent) Hidden
TurboTax 2012 (HKLM-x32\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2014 (HKLM-x32\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest - The Hawaiian Islands (x32 Version: 2.2.0.97 - WildTangent) Hidden
VIP Access SDK (1.0.1.4)  (HKLM-x32\...\VIP Access SDK) (Version: 1.0.1.4 - Symantec Inc.)
Virtual Villagers 5 - New Believers (x32 Version: 2.2.0.97 - WildTangent) Hidden
WildTangent Games App (HP Games) (x32 Version: 4.0.5.2 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Wizard101 (HKLM-x32\...\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}) (Version: 1.0.0 - KingsIsle Entertainment, Inc.)
Zinio Reader 4 (HKLM-x32\...\ZinioReader4) (Version: 4.2.4164 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.2.4164 - Zinio LLC) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
11-12-2015 05:10:58 Windows Update
11-12-2015 14:22:14 Restore Operation
11-12-2015 22:32:14 Windows Backup
12-12-2015 03:58:39 Windows Update
12-12-2015 21:58:41 Installed SES Driver
13-12-2015 22:39:19 Restore Operation
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {217670BF-600A-45CF-89EE-5FE1CC2F9669} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe [2011-06-08] (Hewlett-Packard)
Task: {27018909-47D9-434E-BF89-39642EAE1AED} - System32\Tasks\Opera scheduled Autoupdate 1393787718 => C:\Program Files (x86)\Opera\launcher.exe [2015-12-09] (Opera Software)
Task: {28CD8656-9AF6-4FF2-A503-DB92FF9CA744} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {A36FD2DF-37F6-4604-930C-53B4EF39CBB3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-06-09] (Hewlett-Packard Company)
Task: {A4F4CDAD-26FC-479F-8706-3CCFB25189CB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2011-06-09] (Hewlett-Packard Company)
Task: {C07B252F-58C9-4F19-9E6A-35B95CC61D39} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-10-28] (Adobe Systems Incorporated)
Task: {C1AA2E0E-0F1C-4EEE-8F51-C3FD5344A9EA} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Total Care Tune-Up => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPTuneUp.exe [2011-03-22] (Hewlett-Packard Company)
Task: {FA4CA98A-C82A-47F4-A5B3-5BA6B7F9D5CC} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe [2011-06-09] (Hewlett-Packard Company)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2013-01-09 22:02 - 2012-08-31 15:03 - 00288768 _____ () C:\Windows\System32\HP1100LM.DLL
2013-01-09 22:02 - 2012-08-31 15:02 - 00074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2013-01-09 22:02 - 2012-08-31 15:02 - 01038336 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\HP1100GC.dll
2011-06-22 22:14 - 2011-06-22 22:14 - 00451880 _____ () C:\Program Files (x86)\Hewlett-Packard\Recovery\Protect.dll
2011-09-02 17:00 - 2011-01-27 12:11 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-01-09 22:02 - 2012-08-31 15:03 - 03034112 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\hp1100su.dll
2013-01-09 22:02 - 2012-08-31 15:03 - 00373760 _____ () C:\Windows\system32\spool\DRIVERS\x64\3\hp1100sd.dll
2015-12-14 01:25 - 2015-12-09 10:11 - 61564536 _____ () C:\Program Files (x86)\Opera\34.0.2036.31_1\opera.dll
2015-12-14 01:25 - 2015-12-09 10:11 - 01983096 _____ () C:\Program Files (x86)\Opera\34.0.2036.31_1\libglesv2.dll
2015-12-14 01:25 - 2015-12-09 10:11 - 00081528 _____ () C:\Program Files (x86)\Opera\34.0.2036.31_1\libegl.dll
2015-12-14 04:05 - 2015-12-14 04:05 - 16573120 _____ () C:\Windows\SysWOW64\Macromed\Flash\pepflashplayer32_20_0_0_228.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE restricted site: HKU\TS_KeyLodaded\...\inbrowsersettings.com -> inbrowsersettings.com
IE restricted site: HKU\TS_KeyLodaded\...\livejasmin.com -> livejasmin.com
IE restricted site: HKU\TS_KeyLodaded\...\seekbooks.com -> hxxp://www.seekbooks.com
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3401309329-141017374-686467349-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\TEMP.STANLEY.003\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
HKU\TS_KeyLodaded\Control Panel\Desktop\\Wallpaper -> C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 71.10.216.1 - 71.10.216.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{1CFE60D3-6AC1-4D44-84A1-E39E6597CA12}] => (Allow) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe
FirewallRules: [{4C66D4C7-79CD-4147-AC8A-E4E95D0F758E}] => (Allow) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowShell.exe
FirewallRules: [{25BCBF4B-1325-4EA6-8CE1-6B6AA33D17A1}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{15E76C3C-89FF-4E34-89C7-A35E45D013E6}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\RoxioNow\RNow.exe
FirewallRules: [{39F9F0E5-10E6-4F3E-A2E0-E32D2D2157FF}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Remote Graphics Receiver\rgreceiver.exe
FirewallRules: [{657C336D-0703-4F28-8244-5AA070C1DCD4}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\Remote Graphics Receiver\rgreceiver.exe
FirewallRules: [{F49B160A-48EE-4AE9-9344-AD39B0A0D2AB}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP LinkUp\HP LinkUp Viewer.exe
FirewallRules: [{7CFAEFFB-6E76-4BA8-8963-323F85067120}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP LinkUp\HP LinkUp Viewer.exe
FirewallRules: [{6544B564-518B-4D86-94E9-E5714BBC1540}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{175F617A-E440-49E7-B4CE-5D4161657078}] => (Allow) LPort=2869
FirewallRules: [{F5AC0E2B-2FD8-42AA-8999-40A247D75212}] => (Allow) LPort=1900
FirewallRules: [{017BC506-409F-4534-9A45-FF0C9F4D2620}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{0D430450-0552-47A4-92C9-172A28976AF9}] => (Allow) C:\Program Files (x86)\Windows Live\Mesh\MOE.exe
FirewallRules: [{FE4FCFA5-8D04-4069-9A75-65022362C1CD}] => (Allow) C:\Program Files (x86)\Opera\opera.exe
FirewallRules: [{CEA4059B-4AB1-4C41-B859-4C0111BE5DE7}] => (Allow) C:\Program Files (x86)\Opera\opera.exe
FirewallRules: [{BBA37AA9-090A-4FFB-8E52-95B099265041}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{37DD69B2-F4A2-414B-9C0B-612068ECC150}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{58686881-FE4D-4D9E-86F6-F1538246F399}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{0CEF5DD6-4CE8-431D-B099-77C412735A52}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{9CB0AD6C-A159-4B11-BC88-9C00048C9AE1}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{340B891F-92E5-44D7-BFD0-5B5839A2384C}] => (Allow) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{F9707E72-E1F5-4686-B412-CF990793491D}] => (Allow) C:\Program Files (x86)\baidu\Baidu Browser\Spark.exe
FirewallRules: [{DD887E53-CBE9-4320-8370-9F761786509F}] => (Allow) C:\Program Files (x86)\baidu\Baidu Browser\Spark.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (12/15/2015 08:28:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Faulting module name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Exception code: 0xc0000417
Fault offset: 0x0001280a
Faulting process id: 0x344
Faulting application start time: 0xTrueSuiteService.exe0
Faulting application path: TrueSuiteService.exe1
Faulting module path: TrueSuiteService.exe2
Report Id: TrueSuiteService.exe3
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: STANLEY)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: STANLEY)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1502) (User: STANLEY)
Description: Windows cannot load the locally stored profile. Possible causes of this error include insufficient security rights or a corrupt local profile. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 
Error: (12/15/2015 08:28:29 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1508) (User: NT AUTHORITY)
Description: Windows was unable to load the registry. This problem is often caused by insufficient memory or insufficient security rights. 
 
 DETAIL - The process cannot access the file because it is being used by another process.
 for C:\Users\Michael\ntuser.dat
 
Error: (12/15/2015 08:06:36 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding; Description = Configured Microsoft Office Home and Student 2010; Error = 0x8007043c).
 
Error: (12/15/2015 08:05:41 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe Files (x86)\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Setup.exe" -Embedding; Description = Configured Microsoft Office Home and Student 2010; Error = 0x8007043c).
 
Error: (12/15/2015 10:18:36 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Faulting module name: TrueSuiteService.exe, version: 5.3.0.194, time stamp: 0x4df09290
Exception code: 0xc0000417
Fault offset: 0x0001280a
Faulting process id: 0x33c
Faulting application start time: 0xTrueSuiteService.exe0
Faulting application path: TrueSuiteService.exe1
Faulting module path: TrueSuiteService.exe2
Report Id: TrueSuiteService.exe3
 
Error: (12/15/2015 10:18:28 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1511) (User: STANLEY)
Description: Windows cannot find the local profile and is logging you on with a temporary profile. Changes you make to this profile will be lost when you log off.
 
Error: (12/15/2015 10:18:28 AM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1515) (User: STANLEY)
Description: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.
 
 
System errors:
=============
Error: (12/16/2015 09:27:40 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 08:55:50 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 07:51:54 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 05:11:36 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 04:39:36 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 04:07:36 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 03:35:36 PM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 06:30:38 AM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 03:50:20 AM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
Error: (12/16/2015 02:14:11 AM) (Source: NetBT) (EventID: 4319) (User: )
Description: A duplicate name has been detected on the TCP network.  The IP address of
the computer that sent the message is in the data. Use nbtstat -n in a
command window to see which name is in the Conflict state.
 
 
CodeIntegrity:
===================================
  Date: 2015-12-13 21:23:19.647
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-12-13 21:23:19.647
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-12-12 21:34:53.078
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-12-12 21:34:53.078
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\wdcsam64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i3-2130 CPU @ 3.40GHz
Percentage of memory in use: 67%
Total physical RAM: 8098.52 MB
Available physical RAM: 2652.61 MB
Total Virtual: 16195.22 MB
Available Virtual: 9946.07 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:1385.49 GB) (Free:1261.22 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (HP_RECOVERY) (Fixed) (Total:11.68 GB) (Free:1.39 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive j: (TOSHIBA EXT) (Fixed) (Total:931.51 GB) (Free:107.56 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 8D579A26)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1385.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11.7 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 609756FA)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
==================== End of Addition.txt ============================

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,801 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:11:17 PM

Posted 17 December 2015 - 08:38 PM

Thank you for the information. Regarding the System Summary, you did it correctly. The web site was updated recently and the user interface was changed.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt

SearchScopes: HKU\S-1-5-21-3401309329-141017374-686467349-1001 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
Toolbar: HKU\TS_KeyLodaded -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
C:\Users\Michael\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Michael\AppData\Local\Temp\FRST.exe
C:\Users\Michael\AppData\Local\Temp\FRST64.exe
C:\Users\Michael\AppData\Local\Temp\NEAT3260.exe
C:\Users\Michael\AppData\Local\Temp\RogueKiller.exe
C:\Users\Michael\AppData\Local\Temp\spark_install.exe

  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Creating a New User Profile

--------------
  • Click Start, Control Panel, then User Accounts
  • NOTE: For Windows 8 press the Windows Key + X to get to the Control Panel
  • Click Manage Another Account
  • Click Create a new account
  • Type BC as the User name then click Next
  • Select Computer administrator then click Create Account
  • Close the User Accounts window
  • Click Start, then click the arrow to the right of Shut down
  • Click Switch user and log in as BC
  • Check your computer behavior
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Were you able to create a new User Profile?
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 337stat

Posted 18 December 2015 - 12:42 PM

Followed your instructions, in order.  FRST took a little while to run, and started from the saved desktop icon so am sure it was pointing to the new version I saved yesterday, but got me a message telling me to restart, and I did. 

 

But, neither before that restart nor after did I see a Fixlog.txt on the desktop.  I saw no other files or icons added to the desktop.  I used Windows Explorer to search for that file, and found it that way.  (The search actually found four different listings, but the same timestamp for today's date.)  It's copied below.

 

I created a new account BC with Administrator rights.  There were some slight variations in how my Windows 7 options presented themselves.  For example, selecting admin rights was on the same page as the field asking me to create a new account name.  I continued, believing the process was essentially the same.

 

I switched user as you requested.  After selecting the BC account, it came up and took perhaps under a minute to get setup done, probably what I would have expected for a new account without a ton of overhead.  (Because of the restarts and account switches, FRST is now no longer on the desktop.)  I opened Opera as my browser to make this reply, but haven't done anything else so far (other than that search for Fixlog.txt).  Where I might add something to the taskbar to test how things are running, I've no clue whether it would remain there or not until after another reboot, and I'm trying to hold off adding steps that may be unwanted, even if we've fixed something important. When I last created another administrator account and tried that (as I reported, and prior to the FRST runs), it failed, as a part of the problem I've been having.  

 

While not digging in too intensely to contents, there does seem to be a cluster of folders and files for BC in the C:\Users directory, and a cursory look in a couple shows what I would believe is default setup.  That seems to match what I'm seeing in the taskbar for quick links to tools.  So, at this point, I'm seeing expected behavior, but have confined what I'm doing while awaiting your further instructions.  I'm not entirely sure where you're going to take this next, so, after copying in the requested log, I'll let you tell me....

 

 

============> Fixlog.txt

 

Fix result of Farbar Recovery Scan Tool (x64) Version:17-12-2015
Ran by Michael (2015-12-18 11:34:08) Run:5
Running from C:\AdwCleaner
Loaded Profiles: Michael (Available Profiles: Michael)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
HKLM-x32\...\Run: [{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}] => C:\ProgramData\Microsoft\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}.exe [251447 2014-06-30] ()
C:\ProgramData\Microsoft\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}
HKLM\...\Policies\Explorer\Run: [{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}] => C:\ProgramData\Microsoft\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}.exe [251447 2014-06-30] ( ())
HKU\S-1-5-21-3401309329-141017374-686467349-1001\...\Run: [InterruptDisk] => C:\Windows\system32\rundll32.exe "C:\Users\Michael\AppData\Local\InterruptDisk\InterruptDisk.dll",DllRegisterServer <===== ATTENTION
2014-08-16 18:01 - 2014-08-16 18:01 - 00000000 ____D () C:\Users\Michael\AppData\Local\InterruptDisk
2014-08-12 11:33 - 2014-08-12 11:33 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2014-08-04 23:20 - 2014-08-04 23:20 - 00000000 ____D () C:\Users\Michael\AppData\Local\3933617794
2014-08-03 16:46 - 2014-08-05 05:27 - 49308698 _____ () C:\Users\Michael\AppData\Roaming\3454439321
2014-08-03 05:06 - 2014-08-12 11:36 - 00000004 _____ () C:\Users\Michael\AppData\Roaming\520495603
2014-08-03 05:06 - 2014-08-12 11:36 - 00000000 ____D () C:\Users\Michael\AppData\Local\9a49b2
2014-08-03 05:06 - 2014-08-12 11:31 - 00000004 _____ () C:\Users\Michael\AppData\Roaming\3854614011
2014-08-03 05:06 - 2014-08-12 11:23 - 00000030 _____ () C:\Users\Michael\AppData\Roaming\3578279348
2014-08-03 05:06 - 2014-08-12 05:46 - 00000004 _____ () C:\Users\Michael\AppData\Roaming\3753296274
2014-08-03 05:06 - 2014-08-04 23:47 - 00000004 _____ () C:\Users\Michael\AppData\Roaming\1782062052
2014-08-03 05:06 - 2014-08-03 05:06 - 00000000 ____D () C:\Users\Michael\AppData\Roaming\9a49b2
EmptyTemp:
Reboot:
 
*****************
 
[2568] C:\Windows\System32\rundll32.exe => process closed successfully.
C:\Windows\SysWOW64\svchost.exe => No running process found
C:\Windows\SysWOW64\svchost.exe => No running process found
C:\Windows\SysWOW64\rundll32.exe => No running process found
C:\Windows\SysWOW64\rundll32.exe => No running process found
C:\Windows\SysWOW64\svchost.exe => No running process found
C:\Windows\SysWOW64\svchost.exe => No running process found
C:\Windows\SysWOW64\svchost.exe => No running process found
C:\Windows\SysWOW64\svchost.exe => No running process found
C:\Windows\SysWOW64\svchost.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb} => value not found.
"C:\ProgramData\Microsoft\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}" => not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb} => value not found.
HKU\S-1-5-21-3401309329-141017374-686467349-1001\Software\Microsoft\Windows\CurrentVersion\Run\\InterruptDisk => value not found.
"C:\Users\Michael\AppData\Local\InterruptDisk" => not found.
"C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}" => not found.
"C:\Users\Michael\AppData\Local\3933617794" => not found.
"C:\Users\Michael\AppData\Roaming\3454439321" => not found.
"C:\Users\Michael\AppData\Roaming\520495603" => not found.
"C:\Users\Michael\AppData\Local\9a49b2" => not found.
"C:\Users\Michael\AppData\Roaming\3854614011" => not found.
"C:\Users\Michael\AppData\Roaming\3578279348" => not found.
"C:\Users\Michael\AppData\Roaming\3753296274" => not found.
"C:\Users\Michael\AppData\Roaming\1782062052" => not found.
"C:\Users\Michael\AppData\Roaming\9a49b2" => not found.
EmptyTemp: => 4 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 11:56:30 ====
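
A returned Fixlog echoes, under "fixlist content:", the directives FRST actually processed, together with the folder it ran from, so a helper can check it against the fixlist that was posted. The Python script below is an added example, not part of the thread or of FRST; its sample strings are abbreviated excerpts of the two blocks above, and the two outcome buckets are an assumption based only on the result strings visible in this Fixlog.

```python
import re
from collections import Counter

# Abbreviated excerpt of the fixlist posted in reply #4 of this thread.
POSTED_FIXLIST = r"""
Toolbar: HKU\TS_KeyLodaded -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
C:\Users\Michael\AppData\Local\Temp\FRST.exe
C:\Users\Michael\AppData\Local\Temp\spark_install.exe
"""

# Abbreviated excerpt of the Fixlog returned in reply #5 of this thread.
RETURNED_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version:17-12-2015
Ran by Michael (2015-12-18 11:34:08) Run:5
Running from C:\AdwCleaner
Boot Mode: Normal
==============================================

fixlist content:
*****************
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
C:\ProgramData\Microsoft\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}
2014-08-16 18:01 - 2014-08-16 18:01 - 00000000 ____D () C:\Users\Michael\AppData\Local\InterruptDisk
EmptyTemp:
Reboot:

*****************

[2568] C:\Windows\System32\rundll32.exe => process closed successfully.
C:\Windows\SysWOW64\svchost.exe => No running process found
"C:\ProgramData\Microsoft\{79df1e60-8a2a-6b5c-fd39-cfadf58052eb}" => not found.
"C:\Users\Michael\AppData\Local\InterruptDisk" => not found.
EmptyTemp: => 4 GB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 11:56:30 ====
"""

SEPARATOR = re.compile(r"^\*{5,}$")


def normalise(line):
    """Collapse whitespace and case so cosmetic differences do not count."""
    return " ".join(line.split()).casefold()


def parse_fixlog(text):
    """Return (header, echoed fixlist lines, result lines) from a Fixlog."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines)
                  if l.strip().casefold().startswith("fixlist content")), None)
    if start is None:
        raise ValueError("no 'fixlist content:' block found")
    seps = [i for i in range(start + 1, len(lines))
            if SEPARATOR.match(lines[i].strip())]
    if len(seps) < 2:
        raise ValueError("fixlist block is not closed by a row of asterisks")
    header = {}
    for line in lines[:start]:  # header fields only appear before the block
        m = re.match(r"Running from (.+)$", line.strip())
        if m:
            header["running_from"] = m.group(1)
        m = re.search(r"\bRun:(\d+)\s*$", line)
        if m:
            header["run"] = int(m.group(1))
    fixlist = [l.strip() for l in lines[seps[0] + 1:seps[1]] if l.strip()]
    results = [l.strip() for l in lines[seps[1] + 1:] if "=>" in l]
    return header, fixlist, results


def outcome(result_line):
    """Bucket one result line (assumed wording, taken from this Fixlog)."""
    verdict = result_line.rsplit("=>", 1)[1].casefold()
    if "not found" in verdict or "no running process" in verdict:
        return "nothing_to_fix"
    return "changed"


def compare_fixlist(posted_text, fixlog_text):
    """Compare the posted fixlist with the one echoed in the Fixlog."""
    posted = [l.strip() for l in posted_text.splitlines() if l.strip()]
    header, processed, results = parse_fixlog(fixlog_text)
    posted_keys = {normalise(l) for l in posted}
    processed_keys = {normalise(l) for l in processed}
    return {
        "header": header,
        "matches": posted_keys == processed_keys,
        "not_processed": [l for l in posted if normalise(l) not in processed_keys],
        "not_posted": [l for l in processed if normalise(l) not in posted_keys],
        "outcomes": Counter(outcome(r) for r in results),
    }


if __name__ == "__main__":
    report = compare_fixlist(POSTED_FIXLIST, RETURNED_FIXLOG)
    print("ran from:", report["header"].get("running_from"))
    print("fixlist matches the posted one:", report["matches"])
    print("posted but not processed:", len(report["not_processed"]))
    print("processed but never posted:", len(report["not_posted"]))
    print("outcomes:", dict(report["outcomes"]))
```

When `matches` is false, the `running_from` value and the run counter show which copy of the tool and which fixlist.txt were used.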


#6 Oh My!

Posted 18 December 2015 - 02:35 PM

Please use your computer normally while logged in as BC and let me know if it functions properly.
Gary
 

#7 337stat

Posted 18 December 2015 - 04:01 PM

Gary:

 

Started to look at a few things with my browser, very public shopping sites I've visited before and not something I expect is a security issue.

 

Walked away after about 10 minutes, came back a half hour later to see if something was posted here, refreshed this page, and the system locked.  The only motion was the blue spinning wheel (used to be a clock in earlier systems) while nothing ran, the cursor moved but wouldn't toggle between tabs, control+alt+delete didn't do anything (I was getting prepared to kill processes if needed, and couldn't even do that)...had to power off and reboot the machine.  That's a very infrequent occurrence with this machine.

 

Logged back in with the original account here in safe mode.  About to reboot and try normal mode as BC.

 

Again in the original account, in safe mode, the profile seems to be here intact, including e-mail with expected settings and associations using Thunderbird.



#8 Oh My!

Posted 18 December 2015 - 04:13 PM

OK, unfortunately I will be away from the computer the rest of the day. I am having computer problems and am on a secondary computer but unfortunately I don't have all the information I need to properly post. Please boot into Clean Boot and let me know what happens. I probably won't be posting back before tomorrow. Sorry about that, it looks like my hard drive gave out.....


Gary
 

#9 337stat

Posted 19 December 2015 - 07:02 PM

Trying to be thorough, I took some time in trying to use the computer "normally" and note any differences in behavior before proceeding with the Clean Boot.  (You seemed anyway to need a little time to handle other issues...not a problem.)  As I mentioned, I had also been using msconfig already to toggle between safe mode and a normal boot up, so wasn't entirely unfamiliar with it when reading over the Clean Boot instructions.  I'd done a fair bit with it in the last day or so, going between normal startup and safe mode, trying to find anything useful to report here.  This included a few times again rebooting and logging in via both safe mode (where I still saw my profile) and normal startup where the profile was still being hidden.

 

As I wanted to print out the Clean Boot pages, and safe mode won't let me access the print spooler to use a printer, I toggled back to a normal boot up in my normal account login.

 

And my profile was back.

 

I hadn't been able to access it via a normal startup in something like 9-10 days now.

 

But, I think you'll understand I'm looking this particular gift horse in the mouth, as I don't know whether this is a stable and reliable situation, or something that will go away again immediately.

 

While reading the Clean Boot information and instructions, I decided to post here again before trying a reboot of any kind or proceeding with anything else to ask if I should be running or testing anything else at a point where, for the moment, things are running as I would want...or should I proceed anyway with the Clean Boot and go from there?

 

I don't think I did anything that should have changed my environment to correct the profile issue.  msconfig was the only thing I think that could have had a bearing, and I believe I was accessing that exactly as I have done in the last week or so.  Otherwise, it's been a lot of stuff using browsers, mainly Opera, and no updates to that of which I'm aware.

 

I've opened e-mail and a few browsers now, and at the moment am not logging off if power and my internet connection allow me to stay on...would much prefer your input on where to go from here before I miss an opportunity or cause a problem.  In spite of getting back functionality, I'm still baffled.  Please advise.

 

 



#10 Oh My!


Posted 19 December 2015 - 09:33 PM

I am not sure why it is working fine either. We are going to give it some time. Hold off on the Clean Boot unless you start having problems. In the meantime run these.

===================================================

Emsisoft Emergency Kit Scan

--------------------
  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program, this may take some time
  • Click on 2. Scan
  • Click Yes to detecting Potentially Unwanted Programs
  • Click Malware Scan
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Copy and paste or attach the report to your reply
  • Close the program then click Close
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Emsisoft report
  • Security Check report

Gary
 

#11 337stat


Posted 20 December 2015 - 03:16 PM

So far, I've run the Emsisoft Emergency Kit Scan ... about to run screen317's security check next, but felt best to post what results I have with some notes.

 

This didn't run exactly as expected, but think it's still fine.

 

I downloaded, ran the executable, did not get the icon you mentioned, but did quickly find the program in the C:\EEK folder and ran it.  Updated the program, scanned as directed by you.

 

There was only 1 result showing, which related to a baidu (browser) program I had uninstalled (the browser actually seemed to be running as its own malware, MBAM kept showing me blocked sites while it was up and that activity made no sense, so I felt I needed to get rid of it quickly), so I deleted instead of quarantined...and hoping this wasn't a mistake, but knew I didn't want or need the program.

 

At that point, without showing a report, the machine had only an "OK" button, rebooted, and did NOT come back up with my profile settings visible in my account, as I feared.  That's why I am writing now, going to do the next steps in a moment.
 

From the EEK program, I have two files I was able to find related to the activity so far:

 

==========>  scan_151220_144800

 

Emsisoft Emergency Kit - Version 10.0

Last update: 12/20/2015 2:47:01 PM
User account: STANLEY\Michael
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 12/20/2015 2:48:00 PM
C:\Users\Michael\AppData\Roaming\baidu detected: Application.AppInstall (A)
 
Scanned 76805
Found 1
 
Scan end: 12/20/2015 2:55:03 PM
Scan time: 0:07:03
 
 
Deleted 0
 

=================>  Quarantine_151220_150039

 

Emsisoft Emergency Kit - Version 10.0
Quarantine log
 
Date Source Event Detection
12/20/2015 2:55:20 PM C:\Users\Michael\AppData\Roaming\baidu Deleted infection Application.AppInstall (A)
 


#12 337stat


Posted 20 December 2015 - 03:29 PM

screen317's Security Check ran.

 

Instead of an "OK" button within a GUI, got instead more like a DOS or command line screen and a "Press any key to continue," but otherwise no apparent incidents.

 

FireFox is seldom used here, so not a surprise it's out of date.  Can't see how that would be causing any of the issues here.

 

Have not rebooted since last post a few minutes ago, so still without the "normal" profile I would hope to have, and haven't tested whether Safe Mode would show the full profile if I went back to it here.

 

The report from screen317's security check reads:

 

 Results of screen317's Security Check version 1.013 --- 11/28/15  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Adobe Flash Player 20.0.0.235  
 Mozilla Firefox 32.0.3 Firefox out of Date!
 Mozilla Thunderbird (38.4.0) 
````````Process Check: objlist.exe by Laurent````````
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3% 
````````````````````End of Log``````````````````````

Edited by 337stat, 20 December 2015 - 03:31 PM.


#13 Oh My!


Posted 20 December 2015 - 03:52 PM

Can you tell me how the BC user profile works? Any current issues with that Profile?
Gary
 

#14 337stat


Posted 20 December 2015 - 04:54 PM

Hi Gary:

 

I switched user while in Safe Mode, and BC opened with a bare-bones setup as I expected.  Restarted in normal mode, same thing.

 

From there, I pinned Opera (browser) to the task bar, re-started, and it was still there on normal startup.  There was no message in this account about being unable to use the profile.

 

Earlier, trying Safe Mode again, the original account showed task bar icons and connections consistent with the profile being there and working without issue.  For the moment, seems that original account is just having the profile blocked during normal startup for some reason, so far as I understand what's going on.



#15 Oh My!


Posted 20 December 2015 - 05:07 PM

Thank you. Let's do this.

===================================================

Creating a New User Profile Windows 8/7/Vista

--------------
  • Log in as BC
  • Click Start, Control Panel, then User Accounts
  • Click Manage Another Account
  • Type a new account name you want to use then click Next
  • Select Computer administrator then click Create Account
  • Click Start, click the arrow to the right of Shut Down, and click Switch user
  • Log into the new User Profile name and allow the desktop to appear
  • Click Start, click the arrow to the right of Shut Down, and click Switch user
  • Log into the BC User Profile
  • Click Start, Control Panel, then Folder Options
  • Click View, place a checkmark next to Show hidden files and folders, and uncheck Hide protected operating system files
  • Click OK
  • Hit the Windows Key + E at the same time then navigate to C:\Users\Dell (assuming this is the profile you want to fix)
  • Holding down the Ctrl key, left click each entry in the folder EXCEPT for the following, if they exist:

Ntuser.dat
Ntuser.dat.log
Ntuser.ini

  • Right click and select Copy
  • Left click on the new user account name you created
  • Right click on the screen to the right and select Paste
  • If asked, replace the existing folder/file
  • Ignore any error messages that folders/files can not be copied
  • Close any open windows, reboot your computer, and log into the new user name
  • Check to see if your computer is working properly
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
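
The copy step from post #15, scripted with robocopy as an added example; it is not part of Gary's instructions or of any BleepingComputer tool. The parameter names and the log file name are assumptions, and the `ntuser.dat*` pattern covers the excluded hive files named in the post plus the other hive log files Windows 7 keeps beside them.

```powershell
# Added example: scripted form of the copy step in post #15. Run from an elevated
# PowerShell prompt while logged in as a third administrator (BC in the thread),
# so that neither profile's files are in use.
param(
    [Parameter(Mandatory=$true)][string]$SourceProfile,  # C:\Users\Dell in the post
    [Parameter(Mandatory=$true)][string]$NewProfile,     # folder of the newly created account
    [switch]$ListOnly                                     # preview only, copy nothing
)

# A trailing backslash would escape the closing quote robocopy sees on quoted paths.
$src = $SourceProfile.TrimEnd('\')
$dst = $NewProfile.TrimEnd('\')
foreach ($p in $src, $dst) {
    if (-not (Test-Path -LiteralPath $p -PathType Container)) {
        throw "Profile folder not found: $p"
    }
}

$log = Join-Path $env:TEMP ('profile-copy_{0:yyyyMMdd_HHmmss}.log' -f (Get-Date))
$roboArgs = @(
    $src, $dst,
    '/E',                               # every subfolder, empty ones included
    '/XJ',                              # skip junctions ("Application Data" etc.) that loop back
    '/XF', 'ntuser.dat*', 'ntuser.ini', # leave the new account's registry hive untouched
    '/COPY:DAT',                        # no ACLs: copies inherit the new profile's permissions
    '/R:0', '/W:0',                     # skip locked files instead of retrying
    '/NP', "/LOG:$log"
)
if ($ListOnly) { $roboArgs += '/L' }

& robocopy.exe $roboArgs | Out-Null
$code = $LASTEXITCODE

# robocopy exit codes are bit flags; 8 and above mean at least one item failed.
if ($code -ge 8) {
    Write-Warning ('robocopy exit code {0}: some items were not copied, see {1}' -f $code, $log)
} else {
    Write-Output ('robocopy exit code {0}: copy completed, log at {1}' -f $code, $log)
}
```

Running it once with `-ListOnly` and reading the log shows which files would be copied or skipped before anything is written to the new profile.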



