Driver Update and Other "Unremovable" Programs


  • This topic is locked
10 replies to this topic

#1 RevD

Posted 08 January 2016 - 04:25 PM

I have an open post here on a problem with a Windows 7 computer. That computer has no internet connection, so I have been using my backup Vista machine in the meantime. I have learned a lot from troubleshooting the first computer, and that led me to understand that the "Driver Update" program on my Vista machine was an unwelcome resident. So I have followed the steps recommended for somebody else who had a similar problem, but before I did, I first turned off my wifi connection and then ran msconfig to temporarily turn off all items in the startup list so they would not run. Then I rebooted the computer. Then:

 

1. I ran SecurityCheck.exe. Here is the log:

 

 Results of screen317's Security Check version 1.014 --- 12/23/15  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Microsoft Security Essentials   
Emsisoft Anti-Malware           
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:````````` 
 Java 2 SDK Standard Edition v1.3.1 
 Java 8 Update 40  
 Java version 32-bit out of Date! 
  Adobe Flash Player 18.0.0.232 Flash Player out of Date!  
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox 37.0.1 Firefox out of Date!  
 Google Chrome (44.0.2403.157) 
 Google Chrome (45.0.2454.85) 
 Google Chrome (47.0.2526.106) 
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Emsisoft Anti-Malware a2service.exe   
 EMSISOFT ANTI-MALWARE a2guard.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 6 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 
 
2. Then I ran the Farbar Service Scanner (FSS). Here is the log:
 

Farbar Service Scanner Version: 10-06-2014
Ran by RevD (administrator) on 07-01-2016 at 17:42:10
Running from "C:\Users\RevD\Desktop"
Microsoft® Windows Vista™ Business  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcsvc.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
 
3. Next, I ran the MiniToolBox. Here is the log:
 

MiniToolBox by Farbar  Version: 02-11-2015
Ran by RevD (administrator) on 07-01-2016 at 17:44:31
Running from "C:\Users\RevD\Desktop"
Microsoft® Windows Vista™ Business  Service Pack 2 (X86)
Model: Precision M4400 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
========================= FF Proxy Settings: ============================== 
 
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
Intel® 82567LM Gigabit Network Connection = Local Area Connection (Media disconnected)
Intel® WiFi Link 5100 AGN = Wireless Network Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Cirrus
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel® WiFi Link 5100 AGN
   Physical Address. . . . . . . . . : 00-24-D6-0F-64-E0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Intel® 82567LM Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-24-E8-C2-EB-15
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 6:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : isatap.{70AB023F-7E7B-43B8-873D-9ABB519D25AE}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 7:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 12:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : isatap.{548F4F97-E7E7-46A8-80F4-9A1EE17036E8}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host google.com. Please check the name and try again.
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host yahoo.com. Please check the name and try again.
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  9 ...00 24 d6 0f 64 e0 ...... Intel® WiFi Link 5100 AGN
  8 ...00 24 e8 c2 eb 15 ...... Intel® 82567LM Gigabit Network Connection
  1 ........................... Software Loopback Interface 1
 14 ...00 00 00 00 00 00 00 e0  isatap.{70AB023F-7E7B-43B8-873D-9ABB519D25AE}
 15 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 13 ...00 00 00 00 00 00 00 e0  isatap.{548F4F97-E7E7-46A8-80F4-9A1EE17036E8}
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\system32\NLAapi.dll [48640] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (01/07/2016 03:38:46 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: 
Details:
AddWin32ServiceFiles: Unable to back up image of service DefaultTabUpdate since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
 
Error: (01/07/2016 02:03:10 PM) (Source: Application Hang) (User: )
Description: The program chrome.exe version 45.0.2454.85 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: c48
Start Time: 01d14984d092a00c
Termination Time: 0
 
Error: (01/07/2016 12:12:37 PM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070003
 
Error: (01/07/2016 11:32:23 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: -528
 
Error: (01/07/2016 11:32:23 AM) (Source: ESENT) (User: )
Description: Catalog Database (1700) Catalog Database: Error -1811 occurred while opening logfile C:\Windows\system32\CatRoot2\edb001AA.log.
 
Error: (01/07/2016 04:09:08 AM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Microsoft Security Client -- Error 1923. Service 'Microsoft Antimalware Service' (MsMpSvc) could not be installed.  Verify that you have sufficient privileges to install system services.
 
Error: (01/07/2016 04:09:04 AM) (Source: Application Error) (User: )
Description: Faulting application services.exe, version 6.0.6002.18005, time stamp 0x49e01a51, faulting module ntdll.dll, version 6.0.6002.19346, time stamp 0x55024174, exception code 0xc0000005, fault offset 0x00049273,
process id 0x2ac, application start time 0xservices.exe0.
 
Error: (01/07/2016 03:53:28 AM) (Source: .NET Runtime Optimization Service) (User: )
Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_32) - 1>Failed to compile: mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070003
 
Error: (01/07/2016 03:53:14 AM) (Source: LoadPerf) (User: )
Description: 삄⥵⡨䨻橐贃뢍遨䨻橐贅뢍凩 昀鶉匀薍褸16
 
Error: (01/07/2016 03:52:53 AM) (Source: LoadPerf) (User: )
Description: MSDTC Bridge 4.0.0.0MSDTC Bridge 4.0.0.08
 
 
System errors:
=============
Error: (01/07/2016 02:04:01 PM) (Source: Microsoft Antimalware) (User: )
Description: %%860 Real-Time Protection feature has encountered an error and failed.
 
Feature: %%886
 
Error Code: 0x80070020
 
Error description: The process cannot access the file because it is being used by another process. 
 
Reason: %%892
 
Error: (01/07/2016 01:50:31 PM) (Source: Dhcp) (User: )
Description: The IP address lease 192.168.43.69 for the Network Card with network address 0024D60F64E0 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
 
Error: (01/07/2016 01:29:22 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY51
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\NETWORK SERVICE
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (01/07/2016 01:29:22 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY51
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\NETWORK SERVICE
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (01/07/2016 01:29:22 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY51
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\NETWORK SERVICE
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (01/07/2016 01:29:22 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (01/07/2016 01:27:02 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY51
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\NETWORK SERVICE
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (01/07/2016 01:27:02 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY51
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\NETWORK SERVICE
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (01/07/2016 01:27:02 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY51
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\NETWORK SERVICE
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (01/07/2016 01:27:02 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 0.0.0.0
 
Update Source: %NT AUTHORITY51
 
Update Stage: 4.8.0204.00
 
Source Path: 4.8.0204.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\NETWORK SERVICE
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
 
Microsoft Office Sessions:
=========================
Error: (01/06/2016 01:13:53 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 9, Application Name: Microsoft Office Project, Application Version: 12.0.6735.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 73802 seconds with 1380 seconds of active time.  This session ended with a crash.
 
 
CodeIntegrity Errors:
===================================
  Date: 2015-03-12 13:29:28.149
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:29:27.931
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:29:27.681
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:29:27.416
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:29:01.021
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:29:00.787
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:29:00.569
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:29:00.335
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:28:59.867
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-03-12 13:28:59.648
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys because the set of per-page image hashes could not be found on the system.
 
 
=========================== Installed Programs ============================
 
ABBYY FineReader 9.0 Sprint (HKLM\...\{F9000000-0018-0000-0000-074957833700}) (Version: 9.01.513.58212 - ABBYY) Hidden
ABBYY FineReader 9.0 Sprint (HKLM\...\ABBYY FineReader 9.0 Sprint) (Version: 9.01.513.58212 - ABBYY)
AC3Filter 1.63b (HKLM\...\AC3Filter_is1) (Version: 1.63b - Alexander Vigovsky)
Acrobat.com (HKLM\...\{6421F085-1FAA-DE13-D02A-CFB412C522A4}) (Version: 2.0.0 - Adobe Systems Incorporated) Hidden
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 2.0.0.0 - Adobe Systems Incorporated)
Adobe AIR (HKLM\...\{A2BCA9F1-566C-4805-97D1-7FDC93386723}) (Version: 1.5.3.9130 - Adobe Systems Inc.) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.267 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
Advertising Center (HKLM\...\{B2EC4A38-B545-4A00-8214-13FE0E915E6D}) (Version: 0.0.0.2 - Nero AG) Hidden
Ambient Light Sensor (HKLM\...\{5AF4F4C5-C71C-418F-B0B1-3903A345BD71}) (Version: 1.0.7 - Dell Inc.)
Apple Application Support (HKLM\...\{122ADF8C-DDA1-480C-9936-C88F2825B265}) (Version: 2.1.9 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{8F1ADE4D-EFAC-4F5A-B346-23C2687FAF50}) (Version: 5.2.0.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ASPCA Reminder by We-Care.com v4.1.18.1 (HKLM\...\{B618B8E1-FB71-4237-8361-C3EA3EF15EF7}) (Version: 4.1.18.1 - We-Care.com)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Box Sync (HKLM\...\{F89A2517-03FA-47DE-B702-6F09F6B7CC45}) (Version: 3.4.25.0 - Box, Inc)
CANON iMAGE GATEWAY Task for ZoomBrowser EX (HKLM\...\CANON iMAGE GATEWAY Task) (Version: 1.7.2.11 - Canon Inc.)
Canon Internet Library for ZoomBrowser EX (HKLM\...\Canon Internet Library for ZoomBrowser EX) (Version: 1.6.3.9 - Canon Inc.)
Canon MOV Decoder (HKLM\...\Canon MOV Decoder) (Version: 1.5.0.7 - Canon Inc.)
Canon MP160 (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160) (Version:  - )
Canon Utilities Digital Photo Professional 3.8 (HKLM\...\DPP) (Version: 3.8.1.0 - Canon Inc.)
Canon Utilities EOS Utility (HKLM\...\EOS Utility) (Version: 2.8.1.0 - Canon Inc.)
Canon Utilities Original Data Security Tools (HKLM\...\Original Data Security Tools) (Version: 1.8.0.1 - Canon Inc.)
Canon Utilities PhotoStitch (HKLM\...\PhotoStitch) (Version: 3.1.22.46 - Canon Inc.)
Canon Utilities Picture Style Editor (HKLM\...\Picture Style Editor) (Version: 1.7.0.0 - Canon Inc.)
Canon Utilities WFT Utility (HKLM\...\WFTK) (Version: 3.5.1.1 - Canon Inc.)
Canon Utilities ZoomBrowser EX (HKLM\...\ZoomBrowser EX) (Version: 6.5.1.15 - Canon Inc.)
Canon ZoomBrowser EX Memory Card Utility (HKLM\...\ZoomBrowser EX Memory Card Utility) (Version: 1.3.0.4 - Canon Inc.)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.3.7.2356 - CDBurnerXP)
Citrix Online Launcher (HKLM\...\{DB014C85-A264-4BCA-A66F-6DD1FCF8EC36}) (Version: 1.0.335 - Citrix)
Code Composer Studio v4.2.4 (HKLM\...\Code Composer Studio v4.2.4) (Version: 4.2.4 - Texas Instruments)
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
Debug Server (HKLM\...\4F9A85D9-5F0E-E538-D71C-621DF59F81FA) (Version: 4.0 - Texas Instruments)
Dell Driver Download Manager (HKCU\...\bd4d3a0508d364f5) (Version: 3.0.0.0 - Dell Inc)
Dell Edoc Viewer (HKLM\...\{3138EAD3-700B-4A10-B617-B3F8096EE30D}) (Version: 1.0.0 - Dell Inc)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.2.101.216 - Alps Electric)
Dia (remove only) (HKLM\...\Dia) (Version:  - )
DivX Setup (HKLM\...\DivX Setup) (Version: 2.6.0.34 - DivX, LLC)
DolbyFiles (HKLM\...\{B1ADF008-E898-4FE2-8A1F-690D9A06ACAF}) (Version: 0.1 - Nero AG) Hidden
DraftSight 2015 SP1 (HKLM\...\{FA2DA057-6711-4830-9D29-8F7C9BA77BAD}) (Version: 13.1.1091 - Dassault Systemes)
DriverUpdate (HKLM\...\{B6F57EFA-7F52-4349-B7C9-2E6AB01353B7}) (Version: 2.4.2 - SlimWare Utilities, Inc.)
DWG TrueView 2011 (HKLM\...\{5783F2D7-9028-0409-0000-0060B0CE6BBA}) (Version: 18.1.49.0 - Autodesk) Hidden
DWG TrueView 2011 (HKLM\...\DWG TrueView 2011) (Version: 18.1.49.0 - Autodesk)
Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 10.0 - Emsisoft Ltd.)
Epson CreativeZone (HKLM\...\{E6C82F8F-2031-4825-8CC3-98C5960875C1}) (Version:  - )
Epson Easy Photo Print 2 (HKLM\...\{C1A0A3F9-C302-4A18-A2E0-71C927D24652}) (Version: 2.2.3.1 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print Plug-in for PMB(Picture Motion Browser) (HKLM\...\{B2D55EB8-32C5-4B43-9006-9E97DECBA178}) (Version: 1.00.0000 - SEIKO EPSON CORPORATION)
Epson Easy Photo Print Plug-in for Windows Live Photo Gallery (HKLM\...\EEPPPlugIn) (Version:  - SEIKO EPSON Corporation)
Epson Easy Photo Print Plug-in for Windows Live Photo Gallery Setup (HKLM\...\{7B7044AE-6D1F-456D-B2BA-28BFFFAF3F71}) (Version: 1.00.0000 - SEIKO EPSON Corporation) Hidden
Epson Event Manager (HKLM\...\{089EC7B5-6480-4478-ACF0-DEFD4047343C}) (Version: 2.40.0004 - SEIKO EPSON CORPORATION)
Epson FAX Utility (HKLM\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.10.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WorkForce 840 Series Printer Uninstall (HKLM\...\EPSON WorkForce 840 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4i - SEIKO EPSON CORPORATION)
EpsonNet Setup 3.3 (HKLM\...\{C9D8A041-2963-4B31-8FFC-1500F3DB9293}) (Version: 3.3b - SEIKO EPSON CORPORATION)
Git version 1.7.4-preview20110204 (HKLM\...\Git_is1) (Version: 1.7.4-preview20110204 - )
Google Chrome (HKLM\...\Google Chrome) (Version: 45.0.2454.85 - Google Inc.)
Google Update Helper (HKLM\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.1 - Google Inc.) Hidden
Google Update Helper (HKLM\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.22.5 - Google Inc.) Hidden
GoToMeeting 7.2.3.3019 (HKCU\...\GoToMeeting) (Version: 7.2.3.3019 - CitrixOnline)
ImagXpress (HKLM\...\{A8F2089B-1F79-4BF6-B385-A2C2B0B9A74D}) (Version: 7.0.74.0 - Nero AG) Hidden
InstallIQ Updater (HKLM\...\{8E1CB0F1-67BF-4052-AA23-FA22E94804C1}) (Version: 1.4.3.0 - W3i, LLC)
Intel® Network Connections 14.6.7.0 (HKLM\...\PROSetDX) (Version: 14.6.7.0 - Dell)
Intel® PRO Alerting Agent (HKLM\...\{6EA8A52B-8EA1-4A59-85AB-48132299061A}) (Version: 12.0.3 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iTunes (HKLM\...\{6AD9F5F3-5BD0-4000-BD9C-B536CF86D988}) (Version: 10.6.3.25 - Apple Inc.)
Japanese Fonts Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5760-0000-900000000003}) (Version: 9.0.0 - Adobe Systems Incorporated)
Java 2 SDK Standard Edition v1.3.1 (HKLM\...\Java 2 SDK Standard Edition v1.3.1) (Version:  - )
Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)
Java Auto Updater (HKLM\...\{4A03706F-666A-4037-7777-5F2748764D10}) (Version: 2.8.40.25 - Oracle Corporation) Hidden
Johnson Controls HVACPRO Performance Support System (HKLM\...\{333D43B6-2F3F-40EC-A01A-FE91D8009E0F}) (Version: 2.00.0000 - Upstream Development LLC)
Lernout & Hauspie TruVoice American English TTS Engine (HKLM\...\tv_enua) (Version:  - )
MATLAB Family of Products Release 14 (HKLM\...\MatlabR14) (Version:  - )
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Project 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-003A-0000-0000-0000000FF1CE}_PRJSTDR_{8446EB22-A746-46DC-B1BD-E0DFA1F3CDDA}) (Version:  - Microsoft)
Microsoft Office Project Standard 2007 (HKLM\...\PRJSTDR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41105.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
Microsoft XML Parser (HKLM\...\{2A0E6C1F-0304-4A34-979F-6C3983E1B2DA}) (Version: 1 - Microsoft Corporation)
Mozilla Firefox 37.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 37.0.1 (x86 en-US)) (Version: 37.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 37.0.1 - Mozilla)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 9 Essentials (HKLM\...\{143a9e0b-c5b3-4fc2-9b04-314bda97af54}) (Version:  - Nero AG)
Nero BurnRights (HKLM\...\{7829DB6F-A066-4E40-8912-CB07887C20BB}) (Version: 3.4.13.100 - Nero AG) Hidden
Nero BurnRights Help (HKLM\...\{F6BDD7C5-89ED-4569-9318-469AA9732572}) (Version: 3.4.4.100 - Nero AG) Hidden
Nero ControlCenter (HKLM\...\{BD5CA0DA-71AD-43DA-B19E-6EEE0C9ADC9A}) (Version: 9.0.0.1 - Nero AG) Hidden
Nero ControlCenter (HKLM\...\{F4041DCE-3FE1-4E18-8A9E-9DE65231EE36}) (Version: 9.0.0.1 - Nero AG) Hidden
Nero CoverDesigner (HKLM\...\{62AC81F6-BDD3-4110-9D36-3E9EAAB40999}) (Version: 4.4.15.100 - Nero AG) Hidden
Nero CoverDesigner Help (HKLM\...\{CE96F5A5-584D-4F8F-AA3E-9BAED413DB72}) (Version: 4.4.9.100 - Nero AG) Hidden
Nero Disc Copy Gadget (HKLM\...\{F1861F30-3419-44DB-B2A1-C274825698B3}) (Version: 2.4.34.0 - Nero AG) Hidden
Nero Disc Copy Gadget Help (HKLM\...\{60C731FB-C951-41CE-AD41-8E54C8594609}) (Version: 2.4.34.0 - Nero AG) Hidden
Nero DiscSpeed (HKLM\...\{869200DB-287A-4DC0-B02B-2B6787FBCD4C}) (Version: 5.4.13.100 - Nero AG) Hidden
Nero DiscSpeed Help (HKLM\...\{CC019E3F-59D2-4486-8D4B-878105B62A71}) (Version: 5.4.4.100 - Nero AG) Hidden
Nero DriveSpeed (HKLM\...\{33CF58F5-48D8-4575-83D6-96F574E4D83A}) (Version: 4.4.12.100 - Nero AG) Hidden
Nero DriveSpeed Help (HKLM\...\{E5C7D048-F9B4-4219-B323-8BDB01A2563D}) (Version: 4.4.4.100 - Nero AG) Hidden
Nero Express Help (HKLM\...\{83202942-84B3-4C50-8622-B8C0AA2D2885}) (Version: 9.4.27.100 - Nero AG) Hidden
Nero InfoTool (HKLM\...\{FBCDFD61-7DCF-4E71-9226-873BA0053139}) (Version: 6.4.12.100 - Nero AG) Hidden
Nero InfoTool Help (HKLM\...\{20400DBD-E6DB-45B8-9B6B-1DD7033818EC}) (Version: 6.4.4.100 - Nero AG) Hidden
Nero Installer (HKLM\...\{E8A80433-302B-4FF1-815D-FCC8EAC482FF}) (Version: 4.4.9.0 - Nero AG) Hidden
Nero Online Upgrade (HKLM\...\{C81A2FE0-3574-00A9-CED4-BDAA334CBE8E}) (Version: 1.3.0.0 - Nero AG) Hidden
Nero PhotoSnap (HKLM\...\{9E82B934-9A25-445B-B8DF-8012808074AC}) (Version: 2.4.28.0 - Nero AG) Hidden
Nero PhotoSnap Help (HKLM\...\{1C00C7C5-E615-4139-B817-7F4003DE68C0}) (Version: 2.4.28.0 - Nero AG) Hidden
Nero Recode (HKLM\...\{359CFC0A-BEB1-440D-95BA-CF63A86DA34F}) (Version: 4.4.38.1 - Nero AG) Hidden
Nero Recode Help (HKLM\...\{AD6BC5CC-2EF0-49C4-B33D-CDC8B2C4DC80}) (Version: 4.4.38.1 - Nero AG) Hidden
Nero ShowTime (HKLM\...\{02627EE5-EACA-4742-A9CC-E687631773E4}) (Version: 5.4.0.100 - Nero AG) Hidden
Nero ShowTime (HKLM\...\{D9DCF92E-72EB-412D-AC71-3B01276E5F8B}) (Version: 5.4.24.100 - Nero AG) Hidden
Nero StartSmart (HKLM\...\{7748AC8C-18E3-43BB-959B-088FAEA16FB2}) (Version: 9.4.19.100 - Nero AG) Hidden
Nero StartSmart Help (HKLM\...\{2348B586-C9AE-46CE-936C-A68E9426E214}) (Version: 9.4.19.100 - Nero AG) Hidden
Nero StartSmart OEM (HKLM\...\{4D43D635-6FDA-4FA5-AA9B-23CF73D058EA}) (Version: 9.4.10.100 - Nero AG) Hidden
Nero Vision (HKLM\...\{43E39830-1826-415D-8BAE-86845787B54B}) (Version: 6.4.16.100 - Nero AG) Hidden
Nero Vision Help (HKLM\...\{5D9BE3C1-8BA4-4E7E-82FD-9F74FA6815D1}) (Version: 6.4.15.100 - Nero AG) Hidden
NeroExpress (HKLM\...\{595A3116-40BB-4E0F-A2E8-D7951DA56270}) (Version: 9.4.27.100 - Nero AG) Hidden
neroxml (HKLM\...\{56C049BE-79E9-4502-BEA7-9754A3E60F9B}) (Version: 1.0.0 - Nero AG) Hidden
Notepad++ (HKLM\...\Notepad++) (Version: 6.1.6 - )
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.3 - NVIDIA Corporation)
NVIDIA nView Desktop Manager (HKLM\...\nView Desktop Manager) (Version:  - )
NVIDIA Performance Drivers (HKLM\...\{4C0A8D65-4286-4B58-87FE-18AD24289285}) (Version: 2.0.0.18 - NVIDIA Corporation)
Octoshape add-in for Adobe Flash Player (HKCU\...\Octoshape add-in for Adobe Flash Player) (Version:  - )
OpenOffice.org 3.2 (HKLM\...\{6ADD0603-16EF-400D-9F9E-486432835002}) (Version: 3.2.9483 - OpenOffice.org)
PandoraRecovery (Remove Only) (HKLM\...\PandoraRecovery) (Version:  - )
Plantronics MyHeadset Updater (x86) (HKLM\...\{23ECA59B-EBD2-4BE5-9BBC-D3659AABFCAE}) (Version: 2.8.19416.0 - Plantronics, Inc.)
PowerDVD DX (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.2.5024 - Dell Corp.)
Rhapsody (HKLM\...\Rhapsody) (Version:  - )
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{8FA53ACE-B718-4FAE-B7BF-95B0FCB320C8}) (Version: 1.3.800.0 - SAMSUNG Electronics CO., LTD.)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0015-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0016-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0018-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0019-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-001A-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-001B-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-001F-0409-0000-0000000FF1CE}_Office14.SingleImage_{09A9DF49-DA06-4093-A2FD-F339211E39EA}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-001F-040C-0000-0000000FF1CE}_Office14.SingleImage_{ECC1D579-DC17-4B90-929C-B4A0BB35F7B3}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.SingleImage_{8C5A05B6-FF56-480F-A0E6-9F4BCA4B4CAC}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-002C-0409-0000-0000000FF1CE}_Office14.SingleImage_{945F1D43-451D-4383-9BBE-241F37950B15}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version:  - Microsoft)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-006E-0409-0000-0000000FF1CE}_Office14.SingleImage_{8DD50F3B-E0BD-4E39-AF1F-2F316B4FC528}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-00A1-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0115-0409-0000-0000000FF1CE}_Office14.SingleImage_{8DD50F3B-E0BD-4E39-AF1F-2F316B4FC528}) (Version:  - Microsoft) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0117-0409-0000-0000000FF1CE}_Office14.SingleImage_{D6A2CD7F-C90C-4B90-BBA7-2BADE2E08610}) (Version:  - Microsoft) Hidden
SolidWorks 2012 Document Manager API (HKLM\...\{3F084E0E-E7D3-439D-9AC3-8312B2184347}) (Version: 20.00.5022 - SolidWorks Corporation)
SolidWorks eDrawings 2010 (HKLM\...\{AFEA2EBC-E0CA-4A0D-BAB6-03B663B753AD}) (Version: 10.4.126 - Dassault Systèmes SolidWorks Corp.)
SolidWorks eDrawings 2012 (HKLM\...\{9DE2BE42-7B90-4440-8954-89D9CDC8D4D2}) (Version: 12.1.130 - Dassault Systèmes SolidWorks Corp.)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-003A-0000-0000-0000000FF1CE}_PRJSTDR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VC80CRTRedist - 8.0.50727.6195 (HKLM\...\{933B4015-4618-4716-A828-5289FC03165F}) (Version: 1.2.0 - DivX, Inc) Hidden
Virtual Account Numbers (HKLM\...\{9C411DC9-B8B8-45F3-B688-073BF4B59094}) (Version: 1.0.1.0 - Citi) Hidden
Virtual Account Numbers (HKLM\...\{DE700910-58F7-4D2E-B7E6-3BA2DA1B6806}) (Version: 3.7.11.0 - Citi)
VLC media player 1.1.11 (HKLM\...\VLC media player) (Version: 1.1.11 - VideoLAN)
WebEx (HKCU\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Windows Driver Package - Cambridge Silicon Radio (CSRBC) USB  (08/15/2010 2.1.0.2) (HKLM\...\0799181C3332EF8BCBD444BC080F9CA0737F8279) (Version: 08/15/2010 2.1.0.2 - Cambridge Silicon Radio)
Windows Driver Package - Spectrum Digital (sdusb2em) SDUSBEmulators  (03/25/2011 6.0.999.2) (HKLM\...\22794B1D2C0BB36E523BAF6ED24EF94EB1A84443) (Version: 03/25/2011 6.0.999.2 - Spectrum Digital)
Xvid Video Codec (HKLM\...\Xvid Video Codec 1.3.2) (Version: 1.3.2 - Xvid Team)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 54%
Total physical RAM: 3571.02 MB
Available physical RAM: 1631.33 MB
Total Virtual: 7327 MB
Available Virtual: 5534.52 MB
 
========================= Partitions: =====================================
 
1 Drive c: (OS) (Fixed) (Total:146.92 GB) (Free:42.75 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:2 GB) (Free:1.37 GB) NTFS
4 Drive l: (IJK_SHARE) (Removable) (Total:7.45 GB) (Free:6.31 GB) FAT32
 
========================= Users: ========================================
 
User accounts for \\CIRRUS
 
Administrator            Guest                    RevD                    
 
========================= Restore Points ==================================
 
07-01-2016 09:02:01 Windows Update
07-01-2016 17:40:11 Windows Update
07-01-2016 21:38:40 Removed Johnson Controls HVACPRO Performance Support System
 
**** End of log ****
 
4. Next, I ran the Emsisoft "Quick Scan"
 
It identified 45 suspicious items. Here is the log:
 
 
 

Emsisoft Anti-Malware - Version 10.0.0.5735
Last update: 1/7/2016 2:36:01 PM
Initiated by: Cirrus\RevD
 
Scan settings:
 
Scan type: Quick Scan
Objects: Rootkits, Memory, Traces
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 1/7/2016 2:36:45 PM
C:\Windows\Tasks\driverupdate startup.job Application.AdTask (A)
C:\Users\RevD\AppData\Local\Temp\APN-Stub Application.Win32.WebToolbar (A)
C:\Users\RevD\AppData\Roaming\DefaultTab Application.AppInstall (A)
C:\ProgramData\w3i Application.AppInstall (A)
C:\ProgramData\wecarereminder Application.AppInstall (A)
C:\Program Files\w3i Application.AppInstall (A)
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm Application.InstallExt (A)
C:\Program Files\DriverUpdate Application.InstallDrive (A)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate Application.InstallDrive (A)
C:\Users\RevD\AppData\Local\SlimWare Utilities Inc\DriverUpdate Application.InstallDrive (A)
C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\Searchplugins\search-here.xml Application.SearchPlug (A)
C:\Users\Public\Desktop\DriverUpdate.lnk Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FREEZE.COM Adware.Win32.Mostofate (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\YAHOOPARTNERTOOLBAR Application.Win32.YTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01} Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A} Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3} Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSER Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSER.1 Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSERACTIVEX Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSERACTIVEX.1 Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IEHELPERV250.WECAREREMINDER Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IEHELPERV250.WECAREREMINDER.1 Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{F773BB94-6C19-4643-A570-0E429103D1C3} Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE} Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DEFAULTTABUPDATE Application.AdServ (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{7F6AFBF1-E065-4627-A2FD-810366367D01} Application.BHO (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} Application.BHO (A)
Key: HKEY_USERS\.DEFAULT\SOFTWARE\DEFAULTTAB Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\DEFAULTTAB Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\DEFAULTTAB Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\W3I Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\WECAREREMINDER Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FREEZE.COM Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DEFAULTTAB Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} Application.InstallTab (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{4FBBF769-ECEB-420A-B536-133B1D505C36} Application.InstallTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\IPPKOMAAONOKJNFJOIKAEMIDANOJKFMM Application.WebExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{38495740-0035-4471-851E-F5BBB86AB085} Application.WebTab (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{7F6AFBF1-E065-4627-A2FD-810366367D01} Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A} Application.AdTool (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\SLIMWARE UTILITIES INC\DRIVERUPDATE Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\SLIMWARE UTILITIES INC\DRIVERUPDATE Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\SLIMWARE UTILITIES, INC.\DRIVERAPP Application.InstallDrive (A)
 
Scanned 61381
Found 45
 
Scan end: 1/7/2016 2:37:38 PM
Scan time: 0:00:53
 
Key: HKEY_LOCAL_MACHINE\SOFTWARE\SLIMWARE UTILITIES, INC.\DRIVERAPP Quarantined: Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\SLIMWARE UTILITIES INC\DRIVERUPDATE Quarantined: Application.InstallDrive (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\SLIMWARE UTILITIES INC\DRIVERUPDATE Quarantined: Application.InstallDrive (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A} Quarantined: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{7F6AFBF1-E065-4627-A2FD-810366367D01} Quarantined: Application.AdTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{38495740-0035-4471-851E-F5BBB86AB085} Quarantined: Application.WebTab (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\IPPKOMAAONOKJNFJOIKAEMIDANOJKFMM Quarantined: Application.WebExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{4FBBF769-ECEB-420A-B536-133B1D505C36} Quarantined: Application.InstallTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{72D89EBF-0C5D-4190-91FD-398E45F1D007} Quarantined: Application.InstallTab (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DEFAULTTAB Quarantined: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\WECAREREMINDER Quarantined: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\W3I Quarantined: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\DEFAULTTAB Quarantined: Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\DEFAULTTAB Quarantined: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} Quarantined: Application.BHO (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{7F6AFBF1-E065-4627-A2FD-810366367D01} Quarantined: Application.BHO (A)
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DEFAULTTABUPDATE Quarantined: Application.AdServ (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TYPELIB\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE} Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\INTERFACE\{F773BB94-6C19-4643-A570-0E429103D1C3} Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IEHELPERV250.WECAREREMINDER.1 Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IEHELPERV250.WECAREREMINDER Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSERACTIVEX.1 Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSERACTIVEX Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSER.1 Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DEFAULTTABBHO.DEFAULTTABBROWSER Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3} Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A} Quarantined: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01} Quarantined: Application.AdReg (A)
Key: HKEY_USERS\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\YAHOOPARTNERTOOLBAR Quarantined: Application.Win32.YTool (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FREEZE.COM Quarantined: Adware.Win32.Mostofate (A)
C:\Users\Public\Desktop\DriverUpdate.lnk Quarantined: Application.InstallDrive (A)
C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\Searchplugins\search-here.xml Quarantined: Application.SearchPlug (A)
C:\Windows\Tasks\driverupdate startup.job Quarantined: Application.AdTask (A)
 
Quarantined: 34
 
5. Then I ran the Emsisoft "Malware Scan"
 
Note that there are ten items that could not be quarantined. Here is the log:
 
 
Emsisoft Anti-Malware - Version 10.0.0.5735

Last update: 1/7/2016 2:36:01 PM
Initiated by: Cirrus\RevD
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 1/7/2016 2:38:32 PM
C:\Users\RevD\AppData\Local\Temp\APN-Stub Application.Win32.WebToolbar (A)
C:\Users\RevD\AppData\Roaming\DefaultTab Application.AppInstall (A)
C:\ProgramData\w3i Application.AppInstall (A)
C:\ProgramData\wecarereminder Application.AppInstall (A)
C:\Program Files\w3i Application.AppInstall (A)
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm Application.InstallExt (A)
C:\Program Files\DriverUpdate Application.InstallDrive (A)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate Application.InstallDrive (A)
C:\Users\RevD\AppData\Local\SlimWare Utilities Inc\DriverUpdate Application.InstallDrive (A)
C:\Users\RevD\AppData\Roaming\DefaultTab\DefaultTab\update.exe Applicaiton.Win32.InstallTab (A)
 
Scanned 87900
Found 10
 
Scan end: 1/7/2016 2:57:14 PM
Scan time: 0:18:42
 
6. Next, I installed the rkill tool. Here is the log:
 

Rkill 2.8.3 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 01/07/2016 05:48:47 PM in x86 mode.
Windows Version: Windows Vista ™ Business Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\RevD\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe (PID: 2152) [UP-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * WPCSvc [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
  127.0.0.1       localhost
  ::1             localhost
 
Program finished at: 01/07/2016 05:49:33 PM
Execution time: 0 hours(s), 0 minute(s), and 46 seconds(s)
 
7. I reran Emsisoft
 
Since rkill found one process to kill, I reran Emsisoft. It removed (quarantined) one of the ten files that could not be removed previously but not the other nine. Here is the log for the Malware Scan:
 

Emsisoft Anti-Malware - Version 10.0.0.5735
Last update: 1/7/2016 2:36:01 PM
Initiated by: Cirrus\RevD
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 1/8/2016 2:39:39 PM
C:\Users\RevD\AppData\Local\Temp\APN-Stub Application.Win32.WebToolbar (A)
C:\Users\RevD\AppData\Roaming\DefaultTab Application.AppInstall (A)
C:\ProgramData\w3i Application.AppInstall (A)
C:\ProgramData\wecarereminder Application.AppInstall (A)
C:\Program Files\w3i Application.AppInstall (A)
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm Application.InstallExt (A)
C:\Program Files\DriverUpdate Application.InstallDrive (A)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate Application.InstallDrive (A)
C:\Users\RevD\AppData\Local\SlimWare Utilities Inc\DriverUpdate Application.InstallDrive (A)
 
Scanned 87853
Found 9
 
Scan end: 1/8/2016 2:53:17 PM
Scan time: 0:13:38
 
 
8. What next?
 
For what it is worth, here is the list of startup files reported by msconfig with the settings as currently shown (everything off but Emsisoft):
 
Attached file: msconfig startup 01.JPG

Attached file: msconfig startup 02.JPG

Attached file: msconfig startup 03.JPG
 
Any guidance on what to do next would be greatly appreciated. 
 
Rev D
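As an added example for this thread (not Emsisoft's tooling and not something RevD ran), a small parser for the Emsisoft log format posted above that compares what a scan reported as found with what it actually quarantined, so the leftovers can be listed instead of guessed from "Found 45" minus "Quarantined: 34". The sample lines are a subset of the Quick Scan log in this post; treating HKEY_USERS\.DEFAULT as another name for the S-1-5-18 hive is my assumption.

```python
"""Compare Emsisoft 'found' lines with 'Quarantined:' lines and list what is
left. Added example for this thread; not Emsisoft's own code."""
import re
from dataclasses import dataclass

# One detection line, in either of the two forms the log uses:
#   <path or "Key: <regkey>"> <Classification> (A)
#   <path or "Key: <regkey>"> Quarantined: <Classification> (A)
# The classification is the dotted token just before the trailing "(A)";
# paths and keys may themselves contain spaces, hence the lazy target.
_LINE = re.compile(
    r"^(?P<key>Key: )?(?P<target>.+?)\s+(?P<q>Quarantined: )?"
    r"(?P<cls>[A-Za-z0-9]+(?:\.[A-Za-z0-9]+)+)\s+\(A\)\s*$"
)

# Assumption: HKEY_USERS\.DEFAULT is the same hive as HKEY_USERS\S-1-5-18
# (LocalSystem), so a key quarantined under one spelling is gone under both.
_ALIASES = {"HKEY_USERS\\.DEFAULT\\": "HKEY_USERS\\S-1-5-18\\"}


@dataclass(frozen=True)
class Detection:
    display: str      # target exactly as the log printed it
    target: str       # normalised form used for matching
    cls: str          # Emsisoft classification, e.g. Application.AdReg
    is_key: bool      # registry key (True) or file-system path (False)
    quarantined: bool # came from a "Quarantined:" line


def normalise(target: str) -> str:
    """Case-fold, drop a trailing backslash and fold hive aliases."""
    t = target.strip().rstrip("\\")
    for alias, canonical in _ALIASES.items():
        if t.upper().startswith(alias.upper()):
            t = canonical + t[len(alias):]
    return t.upper()


def parse_log(text: str) -> list[Detection]:
    """Return every detection line; headers, settings and counters are skipped."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        out.append(Detection(display=m["target"], target=normalise(m["target"]),
                             cls=m["cls"], is_key=m["key"] is not None,
                             quarantined=m["q"] is not None))
    return out


def unresolved(detections: list[Detection]) -> list[Detection]:
    """Found items whose target never appears on a Quarantined line (deduplicated)."""
    gone = {d.target for d in detections if d.quarantined}
    seen, left = set(), []
    for d in detections:
        if d.quarantined or d.target in gone or d.target in seen:
            continue
        seen.add(d.target)
        left.append(d)
    return left


def summary(detections: list[Detection]) -> dict:
    found = {d.target for d in detections if not d.quarantined}
    gone = {d.target for d in detections if d.quarantined}
    return {"found_lines": sum(not d.quarantined for d in detections),
            "found_distinct": len(found), "quarantined": len(gone),
            "unresolved": len(found - gone)}


# Subset of the Quick Scan log from this thread (a raw string: the paths
# contain backslashes). Note the duplicate FREEZE.COM key reported under two
# classifications and the .DEFAULT / S-1-5-18 pair.
SAMPLE_LOG = r"""
Scan start: 1/7/2016 2:36:45 PM
C:\Windows\Tasks\driverupdate startup.job Application.AdTask (A)
C:\Program Files\DriverUpdate Application.InstallDrive (A)
C:\Users\RevD\AppData\Roaming\DefaultTab Application.AppInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FREEZE.COM Adware.Win32.Mostofate (A)
Key: HKEY_USERS\.DEFAULT\SOFTWARE\DEFAULTTAB Application.InstallAd (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\DEFAULTTAB Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FREEZE.COM Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DEFAULTTABUPDATE Application.AdServ (A)

Scanned 61381
Found 8

Key: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\DEFAULTTABUPDATE Quarantined: Application.AdServ (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\DEFAULTTAB Quarantined: Application.InstallAd (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\FREEZE.COM Quarantined: Adware.Win32.Mostofate (A)
C:\Windows\Tasks\driverupdate startup.job Quarantined: Application.AdTask (A)

Quarantined: 4
"""

if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    print(summary(dets))            # 8 lines found, 6 distinct, 4 gone, 2 left
    for d in unresolved(dets):      # the two directories, as in the thread
        print("left behind:", "Key: " if d.is_key else "", d.display, d.cls)
```

On this sample the naive count (8 found, 4 quarantined) suggests four leftovers, while the real residue is the two directories that the later Malware Scan in this post also kept reporting.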
 
 
 



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,593 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:44 AM

Posted 09 January 2016 - 09:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download this tool to a CD or Flash drive using a good computer.

Copy the FRST file to the Desktop of the compromised computer.
Before you run the program, enable all applications using the MSCONFIG program, then run the tool. Leave the programs enabled until advised otherwise.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
(screenshot: attachlogs.png)

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===


Wait for further instructions.

#3 RevD

RevD
  • Topic Starter

  • Members
  • 44 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:44 AM

Posted 11 January 2016 - 01:11 PM

Hello Nasdaq and thank you for your help. Here is the FRST.txt log. The addition.txt file is attached.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:10-01-2015 01
Ran by RevD (administrator) on CIRRUS (11-01-2016 11:58:10)
Running from C:\Users\RevD\Desktop
Loaded Profiles: RevD (Available Profiles: RevD)
Platform: Microsoft® Windows Vista™ Business  Service Pack 2 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\stacsv.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2service.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
(ABBYY) C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Intel Corporation) C:\Program Files\Intel\ASF Agent\ASFAgent.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Dassault Systèmes) C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE
(Nero AG) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
() C:\Program Files\CDBurnerXP\NMSAccessU.exe
() C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
(Dell Inc.) C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Emsisoft Ltd) C:\Program Files\Emsisoft Anti-Malware\a2guard.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray.exe
(Plantronics) C:\Program Files\Plantronics\MyHeadsetUpdater\MyHeadsetUpdater.exe
(CyberLink Corp.) C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Epson Software\Event Manager\EEventManager.exe
() C:\Program Files\DivX\DivX Update\DivXUpdate.exe
(Orbiscom Ltd. All rights reserved.) C:\Program Files\Virtual Account Numbers\CitiVAN.exe
(Box, Inc.) C:\Program Files\Box Sync\BoxSyncHelper.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\w32x86\3\E_FATIGMA.EXE
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(W3i, LLC) C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
(Box, Inc.) C:\Program Files\Box Sync\BoxSync.exe
(Orbiscom Ltd.) C:\Windows\System32\OBroker.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [emsisoft anti-malware] => c:\program files\emsisoft anti-malware\a2guard.exe [5836888 2015-09-18] (Emsisoft Ltd)
HKLM\...\Run: [Windows Defender] => C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-19] (Microsoft Corporation)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray.exe [458844 2009-07-31] (IDT, Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => "C:\Program Files\Java\jre1.8.0_40\bin\jusched.exe"
HKLM\...\Run: [Plantronics MyHeadset Updater] => C:\Program Files\Plantronics\MyHeadsetUpdater\MyHeadsetUpdater.exe [76288 2012-12-12] (Plantronics)
HKLM\...\Run: [PDVDDXSrv] => C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128232 2009-02-04] (CyberLink Corp.)
HKLM\...\Run: [nwiz] => nwiz.exe /install
HKLM\...\Run: [NVHotkey] => rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
HKLM\...\Run: [NvCplDaemon] => RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [981688 2015-04-29] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-02-11] (Intel Corporation)
HKLM\...\Run: [FUFAXSTM] => C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe [847872 2009-12-02] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [976832 2009-12-17] (SEIKO EPSON CORPORATION)
HKLM\...\Run: [DivXUpdate] => C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1259376 2011-07-28] ()
HKLM\...\Run: [Citi Virtual Account Numbers] => C:\Program Files\Virtual Account Numbers\CitiVAN.exe [372736 2009-07-10] (Orbiscom Ltd. All rights reserved.)
HKLM\...\Run: [BoxSyncHelper] => C:\Program Files\Box Sync\BoxSyncHelper.exe [393216 2013-06-07] (Box, Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [200704 2009-02-22] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\Run: [Xvid] => C:\Program Files\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\Run: [WorkForce 840(Network)] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATIGMA.EXE [201216 2010-01-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\Run: [InstallIQUpdater] => C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe [1179648 2011-10-11] (W3i, LLC)
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\MountPoints2: {54a2c043-0de3-11e0-95d5-0024e8c2eb15} - F:\urDrive.exe
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\MountPoints2: {564babab-eaf9-11df-b9b0-0024e8c2eb15} - G:\LaunchU3.exe -a
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\MountPoints2: {c6a41876-0006-11e1-a5d2-0024e8c2eb15} - J:\LaunchU3.exe -a
SSODL: EldosMountNotificator - {5FF49FE8-B332-4CB9-B102-FB6951629E55} - C:\Windows\system32\CbFsMntNtf3.dll (EldoS Corporation)
ShellIconOverlayIdentifiers: [000BoxDesktopFileLocked] -> {C253B817-3A00-475f-A5A3-6F2DD704B48D} => C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [000BoxDesktopNotSynced] -> {19ACC806-F7AA-46AA-A80A-726A07CA6637} => C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [000BoxDesktopNotSyncedCollabs] -> {337D9DE0-3F8B-4430-AF0F-FFC24A95AE8F} => C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [000BoxDesktopSynced] -> {B7AC9C6D-F15B-4B1A-A88D-F518D13861D9} => C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [000BoxDesktopSyncedCollab] -> {9E48C232-F601-4E41-BB3E-16CBAF317AA4} => C:\Windows\system32\mscoree.dll [2009-11-08] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll [2010-02-09] (Autodesk, Inc.)
ShellIconOverlayIdentifiers: [EldosIconOverlay] -> {5BB532A2-BF14-4CCC-86B7-71B81EF6F8BC} => C:\Windows\system32\CbFsMntNtf3.dll [2010-11-30] (EldoS Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Box Sync.lnk [2013-08-10]
ShortcutTarget: Box Sync.lnk -> C:\Program Files\Box Sync\BoxSync.exe (Box, Inc.)
GroupPolicyScripts: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-30] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{548F4F97-E7E7-46A8-80F4-9A1EE17036E8}: [DhcpNameServer] 209.18.47.61 209.18.47.62
Tcpip\..\Interfaces\{70AB023F-7E7B-43B8-873D-9ABB519D25AE}: [DhcpNameServer] 4.2.2.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-386463824-3466316030-366047749-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/?pc=MSSE
HKU\S-1-5-21-386463824-3466316030-366047749-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.dell.com
HKU\S-1-5-21-386463824-3466316030-366047749-1000\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://go.microsoft.com/fwlink/?LinkID=226786&Mkt=en-US&Src=MSE&Tid=000328B9&OHP=http%3A%2F%2Fwww.dell.com&OSP=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3D%7BsearchTerms%7D%26rls%3Dcom.microsoft%3A%7Blanguage%7D%26ie%3D%7BinputEncoding%7D%26oe%3D%7BoutputEncoding%7D%26startIndex%3D%7BstartIndex%3F%7D%26startPage%3D%7BstartPage%7D
SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> DefaultScope {67120919-5960-403B-98BA-5B41E5607A6B} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> {3270B611-6929-4E2A-B808-E91FDCA1C9ED} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> {67120919-5960-403B-98BA-5B41E5607A6B} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> {7C5FB7FC-785D-4417-A9C2-B9B854410477} URL = hxxp://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&camp=1789&creative=9325&keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> {DB3C7389-BA58-4C39-B5B4-AC9808B17E84} URL = hxxp://www.mysearchresults.com/search?&c=2633&t=03&q={searchTerms}
SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> {F12A132A-E6F0-4AAD-80B4-61704686E873} URL = hxxp://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
BHO: Virtual Account Numbers Helper -> {17424104-1444-4810-85D7-B4DA413C5A9A} -> C:\Program Files\Virtual Account Numbers\CitiVANHelper.dll [2009-07-10] (Orbiscom Ltd. All rights reserved.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2013-05-08] (Adobe Systems Incorporated)
BHO: Virtual Storage Mount Notification -> {5FF49FE8-B332-4CB9-B102-FB6951629E55} -> C:\Windows\system32\CbFsMntNtf3.dll [2010-11-30] (EldoS Corporation)
BHO: SSVHelper Class -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_40\bin\ssv.dll [2015-03-12] (Oracle Corporation)
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll [2008-03-30] (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-12] (Oracle Corporation)
Toolbar: HKLM - Virtual Account Numbers - {7A21A046-B886-4A62-9D69-EF2059B0A27B} - C:\Program Files\Virtual Account Numbers\CitiVANToolbar.dll [2009-07-10] (Orbiscom Ltd. All rights reserved.)
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll [2008-03-30] (SEIKO EPSON CORPORATION / CyCom Technology Corp.)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_40-windows-i586.cab
DPF: {CAFEEFAC-0018-0000-0040-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_40-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.8.0/jinstall-1_8_0_40-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
 
FireFox:
========
FF ProfilePath: C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default
FF DefaultSearchEngine.US: Search Here
FF Homepage: hxxp://www.mysearchresults.com/?c=9001&t=03
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-13] ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2012-04-05] ()
FF Plugin: @canon.com/MycameraPlugin -> C:\Program Files\Canon\ZoomBrowser EX\Program\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll [2011-06-20] (DivX, LLC.)
FF Plugin: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-12] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-12] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41105.0\npctrl.dll [2015-11-04] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-29] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-07] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-07] (Google Inc.)
FF Plugin: @videolan.org/vlc,version=1.1.11 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2011-07-14] (the VideoLAN Team)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-386463824-3466316030-366047749-1000: @citrixonline.com/appdetectorplugin -> C:\Users\RevD\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-08-13] (Citrix Online)
FF user.js: detected! => C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\user.js [2012-08-16]
FF Plugin ProgramFiles/Appdata: C:\Users\RevD\AppData\Roaming\mozilla\plugins\npatgpc.dll [2012-05-08] (Cisco WebEx LLC)
FF Extension: Default Tab - C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi [2015-04-20] [not signed]
FF Extension: Microsoft .NET Framework Assistant - C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-06-11] [not signed]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2016-01-06] [not signed]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2016-01-06] [not signed]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2010-02-20] [not signed]
FF HKLM\...\Firefox\Extensions: [citius@orbiscom] - C:\Program Files\Virtual Account Numbers
FF Extension: Virtual Account Numbers - C:\Program Files\Virtual Account Numbers [2010-12-29] [not signed]
 
Chrome: 
=======
CHR Profile: C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (AdBlock) - C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-01-01]
CHR Extension: (We-Care.com Reminder) - C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm [2016-01-07] [UpdateUrl: hxxp://plugin.we-care.com/chrome-updates.xml] <==== ATTENTION
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2016-01-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-01-06]
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path\update_url>
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [7084784 2015-09-18] (Emsisoft Ltd)
R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 alssvc; C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe [382232 2008-06-03] (Dell Inc.)
R2 ASFAgent; C:\Program Files\Intel\ASF Agent\ASFAgent.exe [133968 2007-04-19] (Intel Corporation)
R2 DraftSight API Service; C:\Program Files\Dassault Systemes\DraftSight\bin\dsHttpApiService.exe [95232 2015-01-14] (Dassault Systèmes) [File not signed]
R2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION) [File not signed]
R2 EPSON_EB_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50ST7.EXE [153600 2009-09-13] (SEIKO EPSON CORPORATION)
R2 EPSON_PM_RPCV4_04; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RP7.EXE [121856 2009-09-13] (SEIKO EPSON CORPORATION)
S3 FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [1074480 2015-03-12] (Flexera Software LLC)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2015-04-30] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [284504 2015-04-30] (Microsoft Corporation)
R2 NMSAccess; C:\Program Files\CDBurnerXP\NMSAccessU.exe [71096 2010-03-04] ()
R2 NVIDIA Performance Driver Service; C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [4440064 2009-05-14] () [File not signed]
S3 SolidWorks Licensing Service; C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2010-09-07] (SolidWorks) [File not signed]
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_d2df6701\STacSV.exe [221266 2009-07-31] (IDT, Inc.)
S2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-18] (Microsoft Corporation)
R1 cbfs3; C:\Windows\system32\drivers\cbfs3.sys [273552 2010-11-30] (EldoS Corporation)
S3 CSRBC; C:\Windows\System32\Drivers\csrbcx86.sys [27136 2012-12-12] (CSR/PLT)
R3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [33832 2009-06-26] (Broadcom Corporation)
R1 epp32; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\epp32.sys [114200 2015-08-27] (Emsisoft GmbH)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [245096 2015-03-04] (Microsoft Corporation)
S3 NAL; C:\Windows\system32\Drivers\iqvw32.sys [28632 2009-09-21] (Intel Corporation ) [File not signed]
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [14736 2009-05-09] (Microsoft Corporation)
S4 risdpcie; C:\Windows\system32\drivers\risdpe86.sys [48640 2009-04-03] (REDC)
S4 rixdpcie; C:\Windows\system32\drivers\rixdpe86.sys [38400 2009-04-03] (REDC)
S3 StarOpen; C:\Windows\system32\Drivers\StarOpen.sys [7168 2009-11-12] () [File not signed]
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [13368 2016-01-07] (SlimWare Utilities, Inc.)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-11 11:58 - 2016-01-11 11:59 - 00022293 _____ C:\Users\RevD\Desktop\FRST.txt
2016-01-11 11:57 - 2016-01-11 11:58 - 00000000 ____D C:\FRST
2016-01-11 11:57 - 2016-01-11 11:55 - 01721856 _____ (Farbar) C:\Users\RevD\Desktop\FRST.exe
2016-01-07 17:48 - 2016-01-07 17:28 - 02032072 _____ (Bleeping Computer, LLC) C:\Users\RevD\Desktop\rkill.exe
2016-01-07 17:43 - 2016-01-05 11:29 - 00891392 _____ (Farbar) C:\Users\RevD\Desktop\MiniToolBox.exe
2016-01-07 17:41 - 2016-01-01 15:26 - 00415744 _____ (Farbar) C:\Users\RevD\Desktop\FSS.exe
2016-01-07 17:33 - 2016-01-07 17:26 - 00852798 _____ C:\Users\RevD\Desktop\SecurityCheck.exe
2016-01-07 14:30 - 2016-01-07 14:30 - 00000890 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2016-01-07 14:30 - 2016-01-07 14:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2016-01-07 14:24 - 2015-11-12 14:39 - 01814528 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-01-07 14:24 - 2015-11-12 14:37 - 12389376 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-01-07 14:24 - 2015-11-12 14:36 - 00367616 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2016-01-07 14:24 - 2015-11-12 14:34 - 09753088 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-01-07 14:24 - 2015-11-12 14:34 - 01140224 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-01-07 14:24 - 2015-11-12 14:33 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 01804288 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2016-01-07 14:24 - 2015-11-12 14:32 - 00718848 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2016-01-07 14:24 - 2015-11-12 14:32 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2016-01-07 14:24 - 2015-11-12 14:32 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2016-01-07 14:24 - 2015-11-12 14:31 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2016-01-07 14:24 - 2015-11-12 14:31 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2016-01-07 14:24 - 2015-11-12 14:31 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2016-01-07 14:24 - 2015-11-12 14:31 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2016-01-07 14:24 - 2015-11-12 14:31 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-01-07 14:24 - 2015-11-12 14:31 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2016-01-07 14:19 - 2016-01-07 14:25 - 183629232 _____ (Emsisoft Ltd. ) C:\Users\RevD\Downloads\EmsisoftAntiMalwareXPSetup.exe
2016-01-07 13:52 - 2016-01-07 14:03 - 73643782 _____ (Emsisoft Ltd. ) C:\Users\RevD\Downloads\Unconfirmed 665035.crdownload
2016-01-07 12:23 - 2015-08-13 08:15 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srv.sys
2016-01-07 12:23 - 2015-08-13 08:15 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\srvnet.sys
2016-01-07 12:22 - 2015-09-02 15:26 - 01402368 _____ (Microsoft Corporation) C:\Windows\system32\msxml6.dll
2016-01-07 12:22 - 2015-09-02 15:26 - 01253376 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2016-01-07 12:18 - 2015-11-06 11:05 - 00627712 _____ (Microsoft Corporation) C:\Windows\system32\user32.dll
2016-01-07 12:18 - 2015-11-06 10:32 - 01029120 _____ (Microsoft Corporation) C:\Windows\system32\d3d10.dll
2016-01-07 12:18 - 2015-11-06 10:32 - 00219648 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1core.dll
2016-01-07 12:18 - 2015-11-06 10:32 - 00189952 _____ (Microsoft Corporation) C:\Windows\system32\d3d10core.dll
2016-01-07 12:18 - 2015-11-06 10:32 - 00160768 _____ (Microsoft Corporation) C:\Windows\system32\d3d10_1.dll
2016-01-07 12:18 - 2015-11-06 09:27 - 01172480 _____ (Microsoft Corporation) C:\Windows\system32\d3d10warp.dll
2016-01-07 12:18 - 2015-11-06 09:26 - 00486400 _____ (Microsoft Corporation) C:\Windows\system32\d3d10level9.dll
2016-01-07 12:18 - 2015-11-06 09:24 - 02068480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2016-01-07 12:18 - 2015-11-06 09:20 - 01073152 _____ (Microsoft Corporation) C:\Windows\system32\DWrite.dll
2016-01-07 12:18 - 2015-11-06 09:20 - 00682496 _____ (Microsoft Corporation) C:\Windows\system32\d2d1.dll
2016-01-07 12:18 - 2015-11-06 09:19 - 00802304 _____ (Microsoft Corporation) C:\Windows\system32\FntCache.dll
2016-01-07 12:17 - 2015-11-02 11:04 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\els.dll
2016-01-07 12:17 - 2015-10-13 08:31 - 00273408 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2016-01-07 12:17 - 2015-10-13 08:31 - 00072192 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2016-01-07 12:15 - 2015-10-17 10:01 - 00501248 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2016-01-07 12:14 - 2015-09-02 15:26 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2016-01-07 12:14 - 2015-09-02 13:54 - 00297472 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00901264 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00066400 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00022368 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00015200 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-2-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-2-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-eventing-provider-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l2-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-timezone-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l2-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-2-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011616 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011104 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2016-01-07 12:14 - 2015-07-18 07:14 - 00011104 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2016-01-07 12:07 - 2015-08-05 09:59 - 00602112 _____ (Microsoft Corporation) C:\Windows\system32\schedsvc.dll
2016-01-07 12:06 - 2015-10-14 14:22 - 01206192 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-01-07 12:06 - 2015-10-14 10:01 - 03606464 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2016-01-07 12:06 - 2015-10-14 10:01 - 03554752 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-01-07 12:06 - 2015-07-28 18:46 - 11588096 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2016-01-07 11:55 - 2015-11-05 01:26 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2016-01-07 11:47 - 2015-10-10 10:02 - 00526272 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ndis.sys
2016-01-07 11:46 - 2015-11-10 11:03 - 01208832 _____ (Microsoft Corporation) C:\Windows\system32\comsvcs.dll
2016-01-07 11:46 - 2015-11-10 11:03 - 00488448 _____ (Microsoft Corporation) C:\Windows\system32\catsrvut.dll
2016-01-07 11:46 - 2015-11-05 01:34 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rmcast.sys
2016-01-07 11:44 - 2015-09-26 10:05 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-01-07 11:44 - 2015-09-26 10:04 - 00206336 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-01-07 11:44 - 2015-09-26 07:21 - 00274432 _____ (Microsoft Corporation) C:\Windows\system32\bcrypt.dll
2016-01-07 11:44 - 2015-09-22 07:11 - 00440768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2016-01-07 04:08 - 2016-01-07 04:09 - 00000000 ____D C:\Windows\Temp7570C867-7821-E8BB-84CC-566A8E7530E6-Signatures
2016-01-07 04:08 - 2016-01-07 04:08 - 00000000 ____D C:\d4f84eb6ffa07e4c2d03dfc446
2016-01-06 20:09 - 2016-01-06 20:09 - 00000000 ____D C:\Program Files\Mozilla Firefox
2016-01-06 17:00 - 2016-01-11 11:41 - 00000000 ____D C:\Windows\pss
2016-01-06 14:58 - 2016-01-06 14:58 - 00000000 ____D C:\Users\RevD\AppData\Roaming\Sun
2016-01-06 14:58 - 2016-01-06 14:58 - 00000000 ____D C:\Users\RevD\.oracle_jre_usage
2016-01-06 14:15 - 2016-01-06 14:15 - 00000000 ____D C:\ProgramData\Emsisoft
2016-01-06 14:09 - 2016-01-11 11:47 - 00000000 ____D C:\Program Files\Emsisoft Anti-Malware
2016-01-01 12:41 - 2016-01-01 12:41 - 00022302 _____ C:\Users\RevD\Downloads\fixlist.txt
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-11 11:58 - 2006-11-02 05:18 - 00000000 ____D C:\Windows
2016-01-11 11:54 - 2006-11-02 06:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2016-01-11 11:54 - 2006-11-02 06:47 - 00003568 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2016-01-11 11:51 - 2015-08-13 16:06 - 00000658 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-386463824-3466316030-366047749-1000.job
2016-01-11 11:51 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\inf
2016-01-11 11:51 - 2006-11-02 04:33 - 00763586 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-11 11:47 - 2010-02-20 18:51 - 00844736 _____ C:\ProgramData\nvModes.001
2016-01-11 11:45 - 2014-02-06 20:32 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-11 11:44 - 2010-02-20 18:50 - 00844736 _____ C:\ProgramData\nvModes.dat
2016-01-11 11:44 - 2006-11-02 07:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-11 11:42 - 2014-02-06 20:32 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-11 11:42 - 2006-11-02 07:01 - 00032606 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-01-11 11:41 - 2015-08-13 16:06 - 00000562 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-386463824-3466316030-366047749-1000.job
2016-01-11 11:41 - 2012-08-22 09:54 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-01-08 03:44 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\rescache
2016-01-08 03:10 - 2013-11-23 03:02 - 00000000 ____D C:\Windows\system32\MRT
2016-01-07 15:39 - 2012-06-22 13:35 - 00000000 ____D C:\Windows\system32\appmgmt
2016-01-07 15:39 - 2010-09-24 10:22 - 00000000 ____D C:\Program Files\Johnson Controls
2016-01-07 13:29 - 2006-11-02 04:22 - 58720256 _____ C:\Windows\system32\config\software_previous
2016-01-07 13:28 - 2015-09-09 13:23 - 00013368 _____ (SlimWare Utilities, Inc.) C:\Windows\system32\Drivers\SWDUMon.sys
2016-01-07 13:27 - 2006-11-02 06:37 - 00000000 ____D C:\Windows\ShellNew
2016-01-07 13:27 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\system32\spool
2016-01-07 13:27 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\system32\Msdtc
2016-01-07 13:27 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\Help
2016-01-07 13:26 - 2015-09-09 13:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate
2016-01-07 13:26 - 2015-09-09 13:23 - 00000000 ____D C:\Program Files\DriverUpdate
2016-01-07 13:26 - 2014-02-06 20:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2016-01-07 13:26 - 2013-11-24 11:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java Development Kit
2016-01-07 13:26 - 2013-11-24 11:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-01-07 13:26 - 2011-11-10 08:38 - 00000000 ____D C:\Program Files\Microsoft Security Client
2016-01-07 13:26 - 2010-07-31 09:07 - 00000000 ____D C:\Users\RevD\AppData\Local\Microsoft Help
2016-01-07 13:26 - 2010-02-05 21:08 - 00000000 ____D C:\Program Files\Common Files\Java
2016-01-07 13:25 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\registration
2016-01-07 13:25 - 2006-11-02 05:18 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-01-07 13:09 - 2015-09-09 13:23 - 00000000 ____D C:\Users\Public\Documents\Downloaded Installers
2016-01-07 13:09 - 2006-11-02 06:47 - 00464640 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-07 13:08 - 2012-06-22 15:28 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-01-07 13:04 - 2006-11-02 04:22 - 27000832 _____ C:\Windows\system32\config\system_previous
2016-01-07 12:25 - 2006-11-02 06:37 - 00000000 ____D C:\Windows\system32\XPSViewer
2016-01-07 12:25 - 2006-11-02 06:37 - 00000000 ____D C:\Program Files\Windows Journal
2016-01-07 12:24 - 2010-07-31 09:07 - 00000000 ____D C:\ProgramData\Microsoft Help
2016-01-07 12:20 - 2012-06-22 15:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-07 12:04 - 2006-11-02 04:23 - 00000219 _____ C:\Windows\win.ini
2016-01-07 11:42 - 2011-11-21 15:07 - 00000000 ____D C:\ProgramData\FLEXnet
2016-01-07 11:32 - 2010-02-20 18:03 - 00000000 ____D C:\Users\RevD
2016-01-07 06:34 - 2006-11-02 04:22 - 49545216 _____ C:\Windows\system32\config\components_previous
2016-01-07 06:34 - 2006-11-02 04:22 - 00262144 _____ C:\Windows\system32\config\sam_previous
2016-01-07 04:33 - 2006-11-02 04:22 - 00786432 _____ C:\Windows\system32\config\default_previous
2016-01-07 04:33 - 2006-11-02 04:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2016-01-06 16:51 - 2010-02-05 20:59 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-06 16:47 - 2015-09-09 13:23 - 00000448 _____ C:\Windows\Tasks\DriverUpdate Scan.job
2016-01-06 16:08 - 2010-02-06 04:06 - 00000000 ____D C:\DELL
2016-01-06 16:08 - 2010-02-05 20:57 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2016-01-06 15:29 - 2012-02-25 12:26 - 00000000 ____D C:\Users\RevD\AppData\Local\Deployment
2016-01-06 14:57 - 2010-02-05 21:08 - 00000000 ____D C:\Program Files\Java
2016-01-06 13:33 - 2010-02-20 22:29 - 00008484 _____ C:\Users\RevD\AppData\Local\d3d9caps.dat
2016-01-04 22:10 - 2010-07-29 22:15 - 00000000 ____D C:\Users\RevD\AppData\Local\CutePDF Writer
2015-12-31 16:12 - 2012-03-29 09:14 - 00796864 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-12-31 16:12 - 2011-06-29 19:44 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
 
==================== Files in the root of some directories =======
 
2012-05-28 12:13 - 2013-03-23 20:42 - 0000121 _____ () C:\Users\RevD\AppData\Roaming\default.rss
2010-02-20 22:29 - 2016-01-06 13:33 - 0008484 _____ () C:\Users\RevD\AppData\Local\d3d9caps.dat
2010-04-08 14:05 - 2014-02-06 15:36 - 0022528 _____ () C:\Users\RevD\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-02-20 18:51 - 2016-01-11 11:47 - 0844736 _____ () C:\ProgramData\nvModes.001
2010-02-20 18:50 - 2016-01-11 11:44 - 0844736 _____ () C:\ProgramData\nvModes.dat
 
Some files in TEMP:
====================
C:\Users\RevD\AppData\Local\Temp\AcDeltree.exe
C:\Users\RevD\AppData\Local\Temp\converter.exe
C:\Users\RevD\AppData\Local\Temp\DivXSetup.exe
C:\Users\RevD\AppData\Local\Temp\ext25341.dll
C:\Users\RevD\AppData\Local\Temp\ext2984.dll
C:\Users\RevD\AppData\Local\Temp\ext41236.dll
C:\Users\RevD\AppData\Local\Temp\ext44574.dll
C:\Users\RevD\AppData\Local\Temp\ext47867.dll
C:\Users\RevD\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\RevD\AppData\Local\Temp\G2MInstallerExtractor.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\RevD\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\RevD\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\RevD\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\RevD\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\RevD\AppData\Local\Temp\jre-8u40-windows-au.exe
C:\Users\RevD\AppData\Local\Temp\npp.6.2.2.Installer.exe
C:\Users\RevD\AppData\Local\Temp\nvAppBar.exe
C:\Users\RevD\AppData\Local\Temp\nView.dll
C:\Users\RevD\AppData\Local\Temp\nViewSetup.exe
C:\Users\RevD\AppData\Local\Temp\nvShell.dll
C:\Users\RevD\AppData\Local\Temp\nvTaskBar.exe
C:\Users\RevD\AppData\Local\Temp\nvwdmcpl.dll
C:\Users\RevD\AppData\Local\Temp\nvwimg.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSAR.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSCS.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSDA.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSDE.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSEL.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSENG.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSENU.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSES.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSESM.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSFI.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSFR.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSHE.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSHU.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSIT.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSJA.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSKO.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSNL.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSNO.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSPL.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSPT.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSPTB.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSRU.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSSK.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSSL.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSSV.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSTH.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSTR.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSZHC.dll
C:\Users\RevD\AppData\Local\Temp\NVWRSZHT.dll
C:\Users\RevD\AppData\Local\Temp\nwiz.exe
C:\Users\RevD\AppData\Local\Temp\ose00000.exe
C:\Users\RevD\AppData\Local\Temp\WiseUpdX.exe
C:\Users\RevD\AppData\Local\Temp\xmlUpdater.exe
C:\Users\RevD\AppData\Local\Temp\_isFCDF.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-01-11 11:52
 
==================== End of FRST.txt ============================

 

 

#4 nasdaq

  • Malware Response Team
  • 38,593 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 January 2016 - 10:16 AM

  • Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
    Type Notepad and click the OK key.
    Please copy the entire contents of the code box below to a new file.

    start
    
    CreateRestorePoint:
    EmptyTemp:
    CloseProcesses:
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    CMD: ipconfig /flushdns
    CMD: ipconfig /release
    CMD: ipconfig /renew
    
    (W3i, LLC) C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
    HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\Run: [InstallIQUpdater] => C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe [1179648 2011-10-11] (W3i, LLC)
    GroupPolicyScripts: Restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> {DB3C7389-BA58-4C39-B5B4-AC9808B17E84} URL = hxxp://www.mysearchresults.com/search?&c=2633&t=03&q={searchTerms}
    FF Homepage: hxxp://www.mysearchresults.com/?c=9001&t=03
    FF user.js: detected! => C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\user.js [2012-08-16]
    FF Extension: Default Tab - C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi [2015-04-20] [not signed]
    CHR Extension: (We-Care.com Reminder) - C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm [2016-01-07] [UpdateUrl: hxxp://plugin.we-care.com/chrome-updates.xml] <==== ATTENTION
    CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path\update_url>
    S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
    S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
    S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
    S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
    Task: {8BE44532-23BB-4255-A1B7-92373931ED9E} - System32\Tasks\DefaultReg => c:\Users\All Users\dtdata\R001.exe [2015-03-12] () <==== ATTENTION
    Task: {C86AD410-ECC4-4BC9-8498-369269A490E9} - System32\Tasks\DefaultCheck => c:\Users\All Users\dtdata\R002.exe [2015-03-12] () <==== ATTENTION
    C:\Program Files\W3i
    C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi
    C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm
    c:\Users\All Users\dtdata
    
    End
    
    Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
    The location is listed in the 3rd line of the Farbar log you have submitted.

    Run FRST and click Fix only once and wait.

    Restart the computer normally to reset the registry.

    The tool will create a log (Fixlog.txt) please post it to your reply.
    ===


    Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
    EXECUTE THESE UPDATES WHEN YOU HAVE RESTORED YOUR INTERNET.

    You can manually check your present version and update as recommended.
    https://www.java.com/en/download/installed.jsp

    Be careful not to install malware posing as a Java update!
    Important: read this blog.
    http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

    Quoted from the page.
    "In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

    How to disable Java in your browsers
    http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


    If present, remove the old version(s) of Java using the Control Panel > Programs and Features applet.
    Java 2 SDK Standard Edition v1.3.1 (HKLM\...\Java 2 SDK Standard Edition v1.3.1) (Version: - )
    Java 8 Update 40 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)

    Please post the log and let me know if the problem with the Internet persists.


#5 RevD
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male

Posted 12 January 2016 - 03:44 PM

I ran FRST with the fixlist as instructed. The fixlog is listed below. I then re-enabled my internet connection and updated Java. I then removed the old Java as instructed. Everything seems to be working fine now so I think I am good (please let me know if you see it otherwise). I ran Emsisoft and it still sees six suspicious files that can't be quarantined, but it also says they are "low risk". I also noted while removing the old Java that Driver Update is still listed as a program on my computer. I see no evidence that it is actually running though so I will leave that alone.

 

Thank you so much for your help, nasdaq. I really appreciated it. RevD

 

Here is the fixlog:

----------------------

 

Fix result of Farbar Recovery Scan Tool (x86) Version:10-01-2015 01
Ran by RevD (2016-01-12 13:01:42) Run:1
Running from C:\Users\RevD\Desktop
Loaded Profiles: RevD (Available Profiles: RevD)
Boot Mode: Normal
 
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
 
(W3i, LLC) C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\Run: [InstallIQUpdater] => C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe [1179648 2011-10-11] (W3i, LLC)
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-386463824-3466316030-366047749-1000 -> {DB3C7389-BA58-4C39-B5B4-AC9808B17E84} URL = hxxp://www.mysearchresults.com/search?&c=2633&t=03&q={searchTerms}
FF Homepage: hxxp://www.mysearchresults.com/?c=9001&t=03
FF user.js: detected! => C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\user.js [2012-08-16]
FF Extension: Default Tab - C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi [2015-04-20] [not signed]
CHR Extension: (We-Care.com Reminder) - C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm [2016-01-07] [UpdateUrl: hxxp://plugin.we-care.com/chrome-updates.xml] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - <no Path\update_url>
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
Task: {8BE44532-23BB-4255-A1B7-92373931ED9E} - System32\Tasks\DefaultReg => c:\Users\All Users\dtdata\R001.exe [2015-03-12] () <==== ATTENTION
Task: {C86AD410-ECC4-4BC9-8498-369269A490E9} - System32\Tasks\DefaultCheck => c:\Users\All Users\dtdata\R002.exe [2015-03-12] () <==== ATTENTION
C:\Program Files\W3i
C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm
c:\Users\All Users\dtdata
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv4 reset =========
 
Reseting Echo Request, OK!
Reseting Global, OK!
Reseting Interface, OK!
A reboot is required to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv6 reset =========
 
Reseting Echo Request, OK!
A reboot is required to complete this action.
 
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  ipconfig /release =========
 
 
Windows IP Configuration
 
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
 
========= End of CMD: =========
 
 
=========  ipconfig /renew =========
 
 
Windows IP Configuration
 
No operation can be performed on Wireless Network Connection while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
 
========= End of CMD: =========
 
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe => No running process found
HKU\S-1-5-21-386463824-3466316030-366047749-1000\Software\Microsoft\Windows\CurrentVersion\Run\\InstallIQUpdater => value removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-386463824-3466316030-366047749-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DB3C7389-BA58-4C39-B5B4-AC9808B17E84}" => key removed successfully.
HKCR\CLSID\{DB3C7389-BA58-4C39-B5B4-AC9808B17E84} => key not found. 
Firefox "homepage" removed successfully.
C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\user.js => moved successfully
C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi => moved successfully
C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi => path removed successfully.
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm <==== ATTENTION => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\nneajnkjbffgblleaoojgaacokifdkhm" => key removed successfully.
blbdrive => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8BE44532-23BB-4255-A1B7-92373931ED9E}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8BE44532-23BB-4255-A1B7-92373931ED9E}" => key removed successfully.
C:\Windows\System32\Tasks\DefaultReg => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DefaultReg" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C86AD410-ECC4-4BC9-8498-369269A490E9}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C86AD410-ECC4-4BC9-8498-369269A490E9}" => key removed successfully.
C:\Windows\System32\Tasks\DefaultCheck => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DefaultCheck" => key removed successfully.
C:\Program Files\W3i => moved successfully
"C:\Users\RevD\AppData\Roaming\Mozilla\Firefox\Profiles\xpmzfxcu.default\extensions\addon@defaulttab.com.xpi" => not found.
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm => moved successfully
c:\Users\All Users\dtdata => moved successfully
EmptyTemp: => 5.1 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 13:04:33 ====
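The Fixlog above prints one "target => outcome" line per action, and the same path can show up twice with different verdicts (the Chrome extension folder is "not found" on one line and "moved successfully" on a later one), so reading it by eye is error-prone. As an added example, not code from FRST or from anyone in this thread, here is a small Python parser that reconciles those lines into one verdict per target and flags the CMD: steps whose output asked for a reboot; SAMPLE_FIXLOG is a constructed, abridged copy of the Fixlog posted above.

```python
"""Reconcile the 'target => outcome' lines of a Farbar (FRST) Fixlog.txt.
Added example for this thread, not code from FRST or the forum: it parses the
Fixlog format posted above, collapses several outcomes for one target into a
single verdict, and notes which CMD: steps asked for a reboot."""
import re
from collections import defaultdict

SUCCESS_RE = re.compile(r"(moved|removed) successfully|data Removed", re.I)
NOTFOUND_RE = re.compile(r"\bnot found\b", re.I)
# Strips optional quotes around the target and FRST's '<==== ATTENTION' marker.
RESULT_RE = re.compile(
    r'^"?(?P<target>.+?)"?\s*(?:<==== ATTENTION\s*)?=> (?P<outcome>.+?)\s*$')
CMD_HEADER_RE = re.compile(r"^=+\s+(?P<cmd>.+?)\s+=+$")  # '==== netsh ... ===='
REBOOT_RE = re.compile(r"reboot is required|must restart the computer", re.I)

def parse_fixlog(text):
    """Return (targets, cmds): all outcomes per target; per CMD: step, reboot?"""
    targets, cmds = defaultdict(list), {}
    current_cmd, in_echo = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"*"}:          # the echoed fixlist sits between two
            in_echo = not in_echo       # rows of asterisks and has '=>' arrows
            continue                    # of its own, so it is skipped
        if in_echo:
            continue
        m = CMD_HEADER_RE.match(line)
        if m:                           # '==== End of CMD: ====' closes a block
            cmd = m.group("cmd")
            current_cmd = None if cmd.startswith("End of") else cmd
            if current_cmd:
                cmds[current_cmd] = False
            continue
        if current_cmd is not None:     # inside a CMD: block only the reboot
            if REBOOT_RE.search(line):  # notice matters
                cmds[current_cmd] = True
            continue
        m = RESULT_RE.match(line)
        if m:
            targets[m.group("target")].append(m.group("outcome"))
    return dict(targets), cmds

def classify(outcomes):
    """One success outweighs a 'not found': FRST handles a path once for its
    listing line and again for the bare path, so one of the two passes
    reports 'not found' after the other has already moved it."""
    if any(SUCCESS_RE.search(o) for o in outcomes):
        return "fixed"
    if any(NOTFOUND_RE.search(o) for o in outcomes):
        return "not_found"
    return "other"

def summarize(text):
    """Group targets by verdict and list the CMD: steps that need a reboot."""
    targets, cmds = parse_fixlog(text)
    summary = {"fixed": [], "not_found": [], "other": []}
    for target, outcomes in targets.items():
        summary[classify(outcomes)].append(target)
    summary["reboot_needed"] = [cmd for cmd, needed in cmds.items() if needed]
    return summary

# Constructed sample: an abridged copy of the Fixlog posted in this thread.
SAMPLE_FIXLOG = r"""*****************
CMD: netsh winsock reset all
HKU\S-1-5-21-386463824-3466316030-366047749-1000\...\Run: [InstallIQUpdater] => C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe [1179648 2011-10-11] (W3i, LLC)
*****************
=========  netsh winsock reset all =========
You must restart the computer in order to complete the reset.
========= End of CMD: =========
=========  ipconfig /flushdns =========
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
C:\Program Files\W3i\InstallIQUpdater\InstallIQUpdater.exe => No running process found
HKU\S-1-5-21-386463824-3466316030-366047749-1000\Software\Microsoft\Windows\CurrentVersion\Run\\InstallIQUpdater => value removed successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKCR\CLSID\{DB3C7389-BA58-4C39-B5B4-AC9808B17E84} => key not found.
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm <==== ATTENTION => not found.
C:\Users\RevD\AppData\Local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm => moved successfully
EmptyTemp: => 5.1 GB temporary data Removed.
==== End of Fixlog 13:04:33 ====
"""
```

Anything left in "not_found" after reconciliation (here only the HKCR CLSID key, which never existed on this machine) is what a helper would look at again; "other" collects informational lines such as the process check.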


#6 nasdaq

  • Malware Response Team
  • 38,593 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 January 2016 - 08:51 AM

I ran Emsisoft and it still sees six suspicious files that can't be quarantined, but it also says they are "low risk".

Post the report if you can.

===

I also noted while removing the old Java that Driver Update is still listed as a program on my computer.

It's probably just an empty registry item. Nothing to worry about.

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 RevD
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male

Posted 13 January 2016 - 03:51 PM

Here is the scan report:

 

Emsisoft Anti-Malware - Version 10.0.0.5735
Last update: 1/12/2016 3:05:49 PM
Initiated by: Cirrus\RevD
 
Scan settings:
 
Scan type: Quick Scan
Objects: Rootkits, Memory, Traces
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 1/13/2016 2:45:28 PM
C:\Users\RevD\AppData\Roaming\DefaultTab Application.AppInstall (A)
C:\ProgramData\w3i Application.AppInstall (A)
C:\ProgramData\wecarereminder Application.AppInstall (A)
C:\Program Files\DriverUpdate Application.InstallDrive (A)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate Application.InstallDrive (A)
C:\Users\RevD\AppData\Local\SlimWare Utilities Inc\DriverUpdate Application.InstallDrive (A)
 
Scanned 61502
Found 6
 
Scan end: 1/13/2016 2:46:19 PM
Scan time: 0:00:51


#8 nasdaq

  • Malware Response Team
  • 38,593 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 January 2016 - 09:39 AM

These are entries in the registry and not referencing anything.

You are safe.

#9 RevD
  • Topic Starter

  • Members
  • 44 posts
  • Gender:Male

Posted 14 January 2016 - 12:45 PM

Yea!! That's fantastic. Thanks again, nasdaq. I really appreciate your expertise and willingness to help. Best Regards, Rev D



#10 nasdaq

  • Malware Response Team
  • 38,593 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 January 2016 - 08:38 AM

Glad we could help.

#11 nasdaq

  • Malware Response Team
  • 38,593 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 January 2016 - 10:27 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



