Is my computer really clean?


  • This topic is locked
18 replies to this topic

#1 GataPandu

GataPandu

  • Members
  • 38 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 26 January 2016 - 05:47 PM

Description of the case: Several weeks ago, Windows Defender detected a VirTool:JS/Obfuscator.HG in an attachment to Windows Mail. I did not click on the attachment. Windows Defender quarantined it with the recommendation to immediately remove it, which I did. Windows Defender immediately changed its red color to green. I sent the samples to Microsoft, and I obviously deleted the email.

 

Several days thereafter, in an apparent 2-stage attack, the attacker (under a different name) sent a second email to Windows Mail with a Troj/HacDef-DJ in the attachment. Again, I did not click on the attachment, Windows Defender detected it, quarantined it, recommended to immediately remove it, which I did. Windows Defender immediately changed its red color to green. I sent the samples to Microsoft, and I deleted the second email as well.

 

What was affected: A desktop (running Windows 8.1 Pro) and a laptop (running Windows 8.1) that can access the same Windows Mail account at issue were affected in the two incidents. The other computers on the LAN cannot access the Windows Mail account at issue and were apparently not affected.

 

Apparently clean? I ran multiple full scans with Windows Defender (or with Microsoft Security Essentials in the case of a Windows 7 computer) as well as multiple scans with MBAM with rootkit detection enabled, on all Windows computers on the LAN, but I found nothing. I did not check the Apple computers on the LAN. All computers on the LAN behave normally, like they did before the two incidents; at least there is no noticeable change from a user perspective.

 

Paranoid? Yes, I am definitely still a bit paranoid, especially with regard to the desktop with its backups (File History, System Image Backup) on external USB HDDs. I have thus been reading up on malware, and that's when I discovered this forum.

 

I wonder if I can get help to make sure that my computers/systems are really clean?




 


#2 LiquidTension

LiquidTension

  • Malware Response Team
  • 1,278 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:10 AM

Posted 27 January 2016 - 06:03 PM

Hello GataPandu, welcome to Bleeping Computer's Malware Removal forum!
 
My name is Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable at times.   
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • I will notify you when I believe your computer is free of malware. Please bear in mind, absence of symptoms does not necessarily correlate to absence of malware, so please wait until the "All Clean". 
  • Ensure you are following this topic. Use the button at the top of the page.

======================================================
 

I wonder if I can get help to make sure that my computers/systems are really clean?

Please run the following diagnostic scan so I can ascertain the state of your computer. We can start with one machine, and move on to the next - ensure you stick with the same one machine until given the all clean.
 
Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-click FRST.exe or FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 

Edited by LiquidTension, 27 January 2016 - 06:03 PM.
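An added example, not from the thread and not part of FRST itself, of how a reviewer can pre-screen the FRST.txt that this step produces before reading it line by line: it walks constructed sample lines laid out like the log posted later in the thread and flags the entries that usually get a second look (a running process with no publisher, a service binary marked not signed, an autorun value with an empty name or a missing target, an entry whose file no longer exists). The section banners and line formats are copied from the posted log; the parsing rules and finding names are my assumptions about that layout.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout FRST uses in the thread's log: section
# banners, "(Signer) path" process lines, "Rn Name; path [size date] (Signer)"
# service/driver lines, "HK..\...\Run: [name] => target" autorun lines and
# "CHR Plugin" lines. Entries are illustrative, not a verdict on any machine.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe

==================== Registry (Whitelisted) ===========================

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [] => [X]

Chrome:
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File

==================== Services (Whitelisted) ========================

R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [312448 2013-07-31] (Windows ® Win 7 DDK provider) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
"""

# Assumed line shapes, derived from the posted log rather than from FRST documentation.
SECTION_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")        # "===== Name ====="
SUBSECTION_RE = re.compile(r"^([A-Za-z ]+):$")             # "Chrome:" style headers
PROCESS_RE = re.compile(r"^\((?P<signer>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.+)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d?)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>[\d-]+)\]\s+\((?P<signer>[^)]*)\)(?P<flags>.*)$"
)
RUN_RE = re.compile(
    r"^(?P<hive>HK[^:]*?)\\\.\.\.\\(?P<key>[^:\[]+):\s+\[(?P<name>[^\]]*)\]\s+=>\s+(?P<target>.*)$"
)


@dataclass
class Finding:
    section: str   # FRST section the line came from
    reason: str    # why a reviewer would look at it first
    detail: str    # path, target or the raw line


def triage(log_text: str) -> list[Finding]:
    """Walk an FRST-style log and return the entries worth a closer look."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line) or SUBSECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # FRST appends "=> No File" when the referenced binary is gone; a
        # dangling reference is either leftover junk or a removed component.
        if line.endswith("=> No File"):
            findings.append(Finding(section, "entry points at a file that no longer exists", line))
            continue
        m = PROCESS_RE.match(line)
        if m:
            if not m.group("signer"):   # "()" means no publisher could be read
                findings.append(Finding(section, "running process carries no publisher information", m.group("path")))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if "[File not signed]" in m.group("flags"):
                findings.append(Finding(section, f"{m.group('name')} binary is not digitally signed", m.group("path")))
            continue
        m = RUN_RE.match(line)
        if m:
            if not m.group("name"):           # "[]" : autorun value with no name
                findings.append(Finding(section, "autorun value with an empty name", line))
            if m.group("target") == "[X]":    # "[X]" : FRST could not find the target
                findings.append(Finding(section, "autorun value whose target file is absent", line))
    return findings


def is_clean(log_text: str) -> bool:
    """True when the pre-screen raises nothing; it is a first pass, not an all clean."""
    return not triage(log_text)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.detail}")
```

Whitelisted sections already omit entries FRST recognises, so a quiet run of this script only means the remaining entries need a human read, not that the machine is clean.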


#3 GataPandu

GataPandu
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:10:10 PM

Posted 28 January 2016 - 02:35 PM

Hi Adam,

 

Sure, call me Gata :-) I am very happy to get help in getting to the bottom of things :-)

 

I ran FRST64.exe on my Desktop (name of computer). Desktop has a File History backup, which is stored on Storage Spaces which in turn consists of two external, identical USB HDDs in a two-way mirror configuration. The USB HDDs were attached to the Desktop during the FRST64.exe scan. This may or may not have any bearing on the scan, but I thought I should mention it anyway.

 

Edit: I think I should also mention that the system (Desktop and the USB HDDs) is BitLocker encrypted. The BitLocker keys are on the USB stick BLKEY which was also attached to Desktop during the scan.

 

I am surprised that the scan itself only took two minutes or so, and still generated the two long logs. Here are the two logs:

============================

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by gata_000 (administrator) on DESKTOP (28-01-2016 13:28:51)
Running from C:\Users\gata_000\Desktop
Loaded Profiles: UpdatusUser & gata_000 (Available Profiles: UpdatusUser & gata_000 & Administrator)
Platform: Windows 8.1 Pro with Media Center (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Adobe Systems, Incorporated) C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe
(Windows ® Win 7 DDK provider) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSYNC.EXE
(Qualcomm®Atheros®) C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
() C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Dell Inc.) C:\Program Files (x86)\Dell Customer Connect\DCCService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpService.exe
(Dell Inc.) C:\Program Files (x86)\Dell Update\DellUpTray.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Secunia) C:\Program Files (x86)\Secunia\PSI\sua.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7202520 2013-08-13] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-07] (Realtek Semiconductor)
HKLM\...\Run: [IAStorIcon] => C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [287592 2013-08-07] (Intel Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508104 2015-10-30] (Adobe Systems Incorporated)
HKLM\...\Run: [EssentialsTrayApp] => C:\WINDOWS\System32\Essentials\EssentialsTrayApp.exe -autostart
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe [3498720 2015-12-17] (Adobe Systems Inc.)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1075296 2013-04-25] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [LifeCam] => C:\Program Files (x86)\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\BtvStack.exe [132736 2013-07-31] (Qualcomm®Atheros®)
HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\...\Run: [Google Update] => C:\Users\gata_000\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-06-02] (Google Inc.)
HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\...\MountPoints2: L - "L:\IronKey.exe"
HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\...\MountPoints2: {f037999a-6f74-11e4-8261-b01041ba9196} - "D:\IronKey.exe"
Startup: C:\Users\gata_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-01-28]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{BBDD120C-04F3-4079-A21D-1828C12D7E55}: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{BBDD120C-04F3-4079-A21D-1828C12D7E55}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{BE0516C9-2D5D-4FFF-B9B7-97EB53492369}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ca/
HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://dell13.msn.com/?pc=DCJB
URLSearchHook: [S-1-5-21-3899613305-1892091159-3862587331-1001] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002 -> DefaultScope {1AA9AA32-9FD6-46EE-B560-CAB262DAA870} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002 -> {1AA9AA32-9FD6-46EE-B560-CAB262DAA870} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-01-07] (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll [2013-07-31] (Qualcomm®Atheros®)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-18] (Google Inc.)
BHO: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-01-07] (Microsoft Corporation)
BHO: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\ssv.dll [2016-01-21] (Oracle Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-18] (Google Inc.)
BHO-x32: Adobe Acrobat Create PDF Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2015-05-01] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\jp2ssv.dll [2016-01-21] (Oracle Corporation)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2015-05-01] (Adobe Systems Incorporated)
Toolbar: HKLM - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\x64\AcroIEFavClient.dll [2015-12-17] (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-12-18] (Google Inc.)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll [2015-05-01] (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-12-18] (Google Inc.)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\gata_000\AppData\Roaming\Mozilla\Firefox\Profiles\sy7tr5r5.default
FF Plugin: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\Win64Plugin\npAdobeExManDetectX64.dll [2013-12-02] (Adobe Systems)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-02-19] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-02-19] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\dtplugin\npDeployJava1.dll [2016-01-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.71.2 -> C:\Program Files (x86)\Java\jre1.8.0_71\bin\plugin2\npjp2.dll [2016-01-21] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-01-07] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-02-16] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-02-16] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-04] (Google Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll [2015-12-17] (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeExManDetect -> C:\Program Files (x86)\Adobe\Adobe Extension Manager CS6\npAdobeExManDetectX86.dll [2013-12-02] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3899613305-1892091159-3862587331-1002: @talk.google.com/GoogleTalkPlugin -> C:\Users\gata_000\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3899613305-1892091159-3862587331-1002: @talk.google.com/O1DPlugin -> C:\Users\gata_000\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3899613305-1892091159-3862587331-1002: @tools.google.com/Google Update;version=3 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-06] (Google Inc.)
FF Plugin HKU\S-1-5-21-3899613305-1892091159-3862587331-1002: @tools.google.com/Google Update;version=9 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-06] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\gata_000\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\gata_000\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2016-01-12]

Chrome:
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.823\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.111\PepperFlash\pepflashplayer.dll ()
CHR Profile: C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-02]
CHR Extension: (Google Drive) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-11-17]
CHR Extension: (YouTube) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-11-17]
CHR Extension: (Google Search) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-11-17]
CHR Extension: (Adobe Acrobat) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2015-11-17]
CHR Extension: (Google Docs Offline) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-08-20]
CHR Extension: (Gmail) - C:\Users\gata_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-02]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2015-12-17]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2016448 2015-11-25] (Adobe Systems, Incorporated)
R2 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\adminservice.exe [312448 2013-07-31] (Windows ® Win 7 DDK provider) [File not signed]
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2762936 2016-01-07] (Microsoft Corporation)
R2 Dell Customer Connect; C:\Program Files (x86)\Dell Customer Connect\DCCService.exe [137968 2015-09-22] (Dell Inc.)
R2 DellUpdate; C:\Program Files (x86)\Dell Update\DellUpService.exe [237272 2015-08-27] (Dell Inc.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [15720 2013-08-07] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
R2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [131544 2014-02-19] (Intel Corporation)
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [178312 2015-09-25] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-02-19] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-18] (Realtek Semiconductor)
S3 Secunia PSI Agent; C:\Program Files (x86)\Secunia\PSI\PSIA.exe [1572056 2015-12-01] (Secunia)
R2 Secunia Update Agent; C:\Program Files (x86)\Secunia\PSI\sua.exe [839384 2015-12-01] (Secunia)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3837440 2013-08-08] (Qualcomm Atheros Communications, Inc.)
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-07-30] (Qualcomm Atheros)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 LcUvcUpper; C:\Windows\system32\DRIVERS\LcUvcUpper.sys [34424 2015-02-09] (Microsoft Corporation)
R1 mbamchameleon; C:\WINDOWS\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-28] (Malwarebytes)
R3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [116736 2014-02-19] (Intel Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2015-12-01] (Secunia)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-28 13:28 - 2016-01-28 13:29 - 00021426 _____ C:\Users\gata_000\Desktop\FRST.txt
2016-01-28 13:26 - 2016-01-28 13:28 - 00000000 ____D C:\FRST
2016-01-28 12:09 - 2016-01-28 12:09 - 02370560 _____ (Farbar) C:\Users\gata_000\Desktop\FRST64.exe
2016-01-28 10:55 - 2016-01-28 10:55 - 00000020 ___SH C:\Users\TEMP\ntuser.ini
2016-01-28 10:55 - 2016-01-28 10:55 - 00000000 _SHDL C:\Users\TEMP\My Documents
2016-01-28 10:55 - 2016-01-28 10:55 - 00000000 _SHDL C:\Users\TEMP\Documents\My Videos
2016-01-28 10:55 - 2016-01-28 10:55 - 00000000 _SHDL C:\Users\TEMP\Documents\My Pictures
2016-01-28 10:55 - 2016-01-28 10:55 - 00000000 _SHDL C:\Users\TEMP\Documents\My Music
2016-01-28 10:55 - 2016-01-28 10:55 - 00000000 ____D C:\Users\TEMP
2016-01-28 10:55 - 2016-01-21 21:51 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Sun
2016-01-28 10:55 - 2015-06-01 17:30 - 00000000 ____D C:\Users\TEMP\AppData\Roaming\Media Center Programs
2016-01-28 10:55 - 2014-03-18 04:54 - 00000369 _____ C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Pictures.lnk
2016-01-28 10:55 - 2014-03-18 04:54 - 00000369 _____ C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Documents.lnk
2016-01-21 21:51 - 2016-01-21 21:51 - 00097888 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2016-01-21 21:51 - 2016-01-21 21:51 - 00000000 ____D C:\Users\Default\AppData\Roaming\Sun
2016-01-21 21:51 - 2016-01-21 21:51 - 00000000 ____D C:\Users\Default User\AppData\Roaming\Sun
2016-01-21 21:51 - 2016-01-21 21:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2016-01-16 19:26 - 2016-01-16 19:26 - 01191936 _____ C:\Users\gata_000\Downloads\TinyWallInstaller.msi
2016-01-12 22:33 - 2015-12-10 23:38 - 25837568 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-01-12 22:33 - 2015-12-10 22:55 - 06051328 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-01-12 22:33 - 2015-12-10 22:50 - 20367360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-01-12 22:33 - 2015-12-10 21:43 - 04610560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-01-12 22:32 - 2015-12-10 23:00 - 00571904 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-01-12 22:32 - 2015-12-10 22:45 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2016-01-12 22:32 - 2015-12-10 22:21 - 00496640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-01-12 22:32 - 2015-12-10 22:18 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2016-01-12 22:32 - 2015-12-10 22:09 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2016-01-12 22:32 - 2015-12-10 22:09 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2016-01-12 22:32 - 2015-12-10 22:03 - 14456832 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-01-12 22:32 - 2015-12-10 21:59 - 00798208 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-01-12 22:32 - 2015-12-10 21:43 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2016-01-12 22:32 - 2015-12-10 21:38 - 02487808 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-01-12 22:32 - 2015-12-10 21:37 - 00687104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-01-12 22:32 - 2015-12-10 21:35 - 12856320 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-01-12 22:32 - 2015-12-10 21:26 - 01546752 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-01-12 22:32 - 2015-12-10 21:14 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-01-12 22:32 - 2015-12-10 21:12 - 02011136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-01-12 22:32 - 2015-12-10 21:08 - 01311744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-01-12 22:32 - 2015-12-10 21:07 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 02745184 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVDECOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 02528784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVDECOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 02450240 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVENCOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 02447136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVENCOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 02334104 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 02324744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 01877504 _____ (Microsoft Corporation) C:\WINDOWS\system32\msmpeg2adec.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 01798480 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMALFXGFXDSP.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 01484888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msmpeg2adec.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 01288128 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetsrc.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 01210200 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMADMOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 01150232 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMADMOE.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 01115640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetsrc.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 01037680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMADMOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00914672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMADMOE.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00850680 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00735496 _____ (Microsoft Corporation) C:\WINDOWS\system32\evr.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00700360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00629600 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP4SDECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00584656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\evr.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00557856 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVSDECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00498472 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsvr.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00492736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVSDECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00463776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP4SDECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00399776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsvr.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00299080 _____ (Microsoft Corporation) C:\WINDOWS\system32\VIDRESZR.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00275312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MPG4DECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00274280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP43DECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00250520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPG4DECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00248432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP43DECD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00246856 _____ (Microsoft Corporation) C:\WINDOWS\system32\RESAMPLEDMO.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00244296 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfps.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00229272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\RESAMPLEDMO.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00203016 _____ (Microsoft Corporation) C:\WINDOWS\system32\COLORCNV.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00184912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\COLORCNV.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00183856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VIDRESZR.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00116720 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP3DMOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00110544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfps.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00099136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP3DMOD.DLL
2016-01-12 22:31 - 2015-12-05 00:58 - 00090904 _____ (Microsoft Corporation) C:\WINDOWS\system32\devenum.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00090392 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfvdsp.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00081032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\devenum.dll
2016-01-12 22:31 - 2015-12-05 00:58 - 00076936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfvdsp.dll
2016-01-12 22:31 - 2015-12-03 14:42 - 00561952 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-01-12 22:31 - 2015-12-03 14:42 - 00397224 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcryptprimitives.dll
2016-01-12 22:31 - 2015-12-03 14:42 - 00137968 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncrypt.dll
2016-01-12 22:31 - 2015-12-03 14:42 - 00106960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncryptsslp.dll
2016-01-12 22:31 - 2015-12-03 14:41 - 00177488 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-01-12 22:31 - 2015-12-03 13:52 - 00340872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcryptprimitives.dll
2016-01-12 22:31 - 2015-12-03 13:52 - 00120376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncrypt.dll
2016-01-12 22:31 - 2015-12-03 13:52 - 00091416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncryptsslp.dll
2016-01-12 22:31 - 2015-12-03 13:28 - 00401920 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2016-01-12 22:31 - 2015-12-03 13:28 - 00202240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2016-01-12 22:31 - 2015-12-03 13:07 - 00340992 _____ (Microsoft Corporation) C:\WINDOWS\system32\qdvd.dll
2016-01-12 22:31 - 2015-12-03 13:07 - 00289792 _____ (Microsoft Corporation) C:\WINDOWS\system32\ksproxy.ax
2016-01-12 22:31 - 2015-12-03 13:05 - 00644608 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVXENCD.DLL
2016-01-12 22:31 - 2015-12-03 13:02 - 01664000 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOE.DLL
2016-01-12 22:31 - 2015-12-03 13:00 - 00451072 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVSENCD.DLL
2016-01-12 22:31 - 2015-12-03 12:58 - 00378880 ____C (Microsoft Corporation) C:\WINDOWS\system32\SysFxUI.dll
2016-01-12 22:31 - 2015-12-03 12:51 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2016-01-12 22:31 - 2015-12-03 12:36 - 01697792 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
2016-01-12 22:31 - 2015-12-03 12:30 - 00468480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFWMAAEC.DLL
2016-01-12 22:31 - 2015-12-03 12:28 - 00519680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qdvd.dll
2016-01-12 22:31 - 2015-12-03 12:28 - 00245760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ksproxy.ax
2016-01-12 22:31 - 2015-12-03 12:27 - 00736256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVXENCD.DLL
2016-01-12 22:31 - 2015-12-03 12:24 - 01411584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOE.DLL
2016-01-12 22:31 - 2015-12-03 12:23 - 00402432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVSENCD.DLL
2016-01-12 22:31 - 2015-12-03 12:16 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2016-01-12 22:31 - 2015-12-03 12:13 - 01441280 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-01-12 22:31 - 2015-12-03 12:07 - 00432128 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2016-01-12 22:31 - 2015-12-03 12:06 - 01501184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\quartz.dll
2016-01-12 22:31 - 2015-12-03 12:01 - 00743936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFWMAAEC.DLL
2016-01-12 22:31 - 2015-12-03 11:45 - 00357888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2016-01-12 22:31 - 2015-12-03 11:40 - 01010688 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOD.DLL
2016-01-12 22:31 - 2015-12-03 11:29 - 00887296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOD.DLL
2016-01-12 22:31 - 2015-12-02 10:04 - 00670208 _____ (Microsoft Corporation) C:\WINDOWS\system32\qedit.dll
2016-01-12 22:31 - 2015-12-02 10:01 - 00561664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qedit.dll
2016-01-12 22:30 - 2015-12-30 14:32 - 07453016 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-01-12 22:30 - 2015-12-30 14:32 - 01735000 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2016-01-12 22:30 - 2015-12-30 14:32 - 01499912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2016-01-12 22:30 - 2015-12-10 19:13 - 01164800 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-01-12 22:30 - 2015-12-10 19:13 - 00505344 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-01-12 22:30 - 2015-12-10 19:13 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-01-12 22:30 - 2015-12-07 05:56 - 01380600 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-01-12 22:30 - 2015-12-04 10:00 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-01-12 22:29 - 2015-12-08 14:08 - 00685432 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2016-01-12 22:29 - 2015-12-08 14:07 - 00507176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll
2016-01-09 23:07 - 2015-12-04 15:02 - 00283704 _____ C:\Users\gata_000\Desktop\WorksheetFor#207.pdf
2016-01-09 23:07 - 2015-12-04 14:56 - 00268902 _____ C:\Users\gata_000\Desktop\WorksheetMaster4December2015SavedNotEnabled.pdf
2016-01-09 20:21 - 2016-01-09 20:21 - 00001096 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Secunia PSI.lnk
2016-01-09 20:21 - 2016-01-09 20:21 - 00000000 ____D C:\Program Files (x86)\Secunia
2016-01-09 20:15 - 2016-01-09 20:15 - 04010016 _____ (Secunia) C:\Users\gata_000\Downloads\PSISetup.exe
2016-01-09 16:37 - 2016-01-25 13:01 - 00003186 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForgata_000
2016-01-09 16:37 - 2016-01-25 13:01 - 00000364 _____ C:\WINDOWS\Tasks\HPCeeScheduleForgata_000.job
2016-01-09 12:44 - 2016-01-09 13:12 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-01-08 16:11 - 2016-01-08 16:11 - 00002227 _____ C:\Users\Public\Desktop\HP Officejet Pro 6830.lnk
2016-01-08 16:11 - 2016-01-08 16:11 - 00001179 _____ C:\Users\Public\Desktop\Shop for Supplies - HP Officejet Pro 6830.lnk
2016-01-08 16:11 - 2016-01-08 16:11 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2016-01-08 16:11 - 2016-01-08 16:11 - 00000000 ____D C:\Program Files\HP
2016-01-08 16:11 - 2016-01-08 16:11 - 00000000 ____D C:\Program Files (x86)\HP
2016-01-08 16:11 - 2014-07-18 19:48 - 00763968 ____N (Hewlett-Packard Development Company, LP) C:\WINDOWS\system32\HPDiscoPM7212.dll
2016-01-08 16:04 - 2016-01-08 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2016-01-08 15:59 - 2016-01-09 16:37 - 00000000 ____D C:\WINDOWS\System32\Tasks\Hewlett-Packard
2016-01-08 15:59 - 2016-01-08 16:08 - 00000000 ____D C:\Users\gata_000\Downloads\HP Downloads
2015-12-29 22:07 - 2016-01-09 13:14 - 00000000 ___RD C:\Users\gata_000\Creative Cloud Files
2015-12-29 22:07 - 2016-01-09 13:14 - 00000000 ____D C:\ProgramData\boost_interprocess
2015-12-29 21:32 - 2015-12-29 21:32 - 00001557 _____ C:\Users\Public\Desktop\Adobe Application Manager.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-28 13:19 - 2015-06-02 09:47 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-01-28 13:17 - 2014-03-18 04:53 - 00865408 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-01-28 13:17 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\Inf
2016-01-28 13:14 - 2015-06-23 12:47 - 00000940 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3899613305-1892091159-3862587331-1002UA.job
2016-01-28 13:09 - 2015-06-01 19:11 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-01-28 12:07 - 2012-12-20 20:40 - 00000000 ____D C:\Users\gata_000\Documents\Outlook Files
2016-01-28 11:03 - 2015-06-02 09:40 - 00000000 ____D C:\Users\gata_000\AppData\Local\Adobe
2016-01-28 10:55 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-01-28 10:54 - 2015-06-02 09:47 - 00000918 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-01-28 10:54 - 2014-11-18 12:52 - 00000000 ___DO C:\Users\gata_000\OneDrive
2016-01-28 10:53 - 2014-09-25 13:48 - 00000000 ____D C:\ProgramData\NVIDIA
2016-01-28 10:53 - 2013-08-22 09:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-01-27 08:26 - 2013-08-22 08:25 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-01-26 17:14 - 2015-06-23 12:47 - 00000888 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3899613305-1892091159-3862587331-1002Core.job
2016-01-26 13:32 - 2015-06-01 13:44 - 00000000 ____D C:\Users\gata_000\AppData\Roaming\LockAP
2016-01-23 19:45 - 2015-06-01 13:47 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3899613305-1892091159-3862587331-1002
2016-01-23 11:28 - 2015-06-02 15:49 - 00000000 ____D C:\Users\gata_000\AppData\Local\CrashDumps
2016-01-22 18:15 - 2009-04-20 20:54 - 00000000 ____D C:\Users\gata_000\Documents\CIPO
2016-01-21 21:53 - 2015-08-31 11:58 - 00000000 ____D C:\Users\gata_000\.oracle_jre_usage
2016-01-21 21:51 - 2015-06-02 16:54 - 00000000 ____D C:\Program Files (x86)\Java
2016-01-20 11:50 - 2015-06-06 21:15 - 00000000 ____D C:\Users\gata_000\AppData\Roaming\KeePass
2016-01-19 21:08 - 2014-11-18 12:51 - 00000000 ____D C:\Users\gata_000\AppData\Local\Packages
2016-01-18 11:46 - 2015-12-08 13:53 - 00007608 _____ C:\Users\gata_000\AppData\Local\resmon.resmoncfg
2016-01-13 21:46 - 2013-08-22 10:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-01-13 21:44 - 2014-09-25 13:49 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-01-13 21:41 - 2015-06-02 09:47 - 00003886 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2016-01-13 21:40 - 2015-06-02 09:47 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-01-13 10:34 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\rescache
2016-01-13 01:24 - 2013-08-22 10:20 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-01-12 23:23 - 2015-06-03 10:59 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-01-12 23:21 - 2015-06-03 10:59 - 143671360 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-01-12 14:40 - 2015-06-02 15:54 - 00002469 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat XI Pro.lnk
2016-01-12 14:40 - 2015-06-02 15:54 - 00002237 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe FormsCentral.lnk
2016-01-12 14:40 - 2015-06-02 15:54 - 00002076 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat Distiller XI.lnk
2016-01-12 10:31 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-01-10 13:06 - 2015-06-01 13:40 - 00000000 ____D C:\Users\gata_000\AppData\Local\PackageStaging
2016-01-09 23:13 - 2015-06-01 13:36 - 00000000 ____D C:\Users\gata_000
2016-01-09 16:38 - 2015-06-02 09:46 - 00000000 ____D C:\ProgramData\Adobe
2016-01-09 16:38 - 2015-06-02 09:46 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-01-09 16:38 - 2015-06-01 13:39 - 00000000 ____D C:\Users\gata_000\AppData\Roaming\Adobe
2016-01-09 16:37 - 2015-12-11 22:55 - 00000000 ____D C:\Users\gata_000\AppData\Local\Hewlett-Packard
2016-01-09 16:37 - 2015-12-11 22:54 - 00000000 ____D C:\ProgramData\Hewlett-Packard
2016-01-09 13:12 - 2015-06-01 18:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-01-08 21:09 - 2011-01-17 12:16 - 00000000 ____D C:\Users\gata_000\Documents\IPIC
2016-01-08 16:11 - 2015-06-01 13:34 - 00000000 ____D C:\ProgramData\HP
2016-01-08 16:04 - 2015-12-11 22:51 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2016-01-08 16:04 - 2014-09-25 13:40 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-01-07 11:05 - 2013-08-22 10:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-01-05 15:04 - 2013-08-22 10:38 - 00826872 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-01-05 15:04 - 2013-08-22 10:38 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-03 23:01 - 2015-06-22 18:52 - 00053248 _____ C:\Users\gata_000\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-01-03 13:28 - 2015-06-02 09:47 - 00000000 ____D C:\Users\gata_000\AppData\Local\Google
2015-12-30 21:50 - 2014-11-18 12:50 - 00000000 ____D C:\Users\gata_000\AppData\LocalLow
2015-12-29 21:59 - 2014-09-25 13:39 - 00000000 ____D C:\ProgramData\Package Cache
2015-12-29 21:32 - 2015-06-02 16:14 - 00001569 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Application Manager.lnk

==================== Files in the root of some directories =======

2015-10-16 21:46 - 2015-10-16 21:56 - 225111747 _____ () C:\Users\gata_000\AppData\Local\ACCCx3_3_0_151.zip.aamdownload
2015-10-16 21:46 - 2015-10-16 21:56 - 0002615 _____ () C:\Users\gata_000\AppData\Local\ACCCx3_3_0_151.zip.aamdownload.aamd
2015-06-22 18:52 - 2016-01-03 23:01 - 0053248 _____ () C:\Users\gata_000\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-12-08 13:53 - 2016-01-18 11:46 - 0007608 _____ () C:\Users\gata_000\AppData\Local\resmon.resmoncfg
2015-12-11 23:28 - 2015-12-11 23:28 - 0000057 _____ () C:\ProgramData\Ament.ini
2014-09-25 13:26 - 2014-09-25 13:26 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-10-20 12:46 - 2014-10-20 12:46 - 0000032 _____ () C:\ProgramData\Temp.log
2014-09-25 13:48 - 2014-09-25 13:48 - 0000121 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2014-09-25 13:45 - 2014-09-25 13:46 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2014-09-25 13:46 - 2014-09-25 13:47 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2014-09-25 13:47 - 2014-09-25 13:47 - 0000108 _____ () C:\ProgramData\{B46BEA36-0B71-4A4E-AE41-87241643FA0A}.log
2014-09-25 13:45 - 2014-09-25 13:45 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log

Some files in TEMP:
====================
C:\Users\gata_000\AppData\Local\Temp\AAMHelper.exe
C:\Users\gata_000\AppData\Local\Temp\ACLMInstaller.exe
C:\Users\gata_000\AppData\Local\Temp\AdobeApplicationManager.exe
C:\Users\gata_000\AppData\Local\Temp\jre-8u51-windows-au.exe
C:\Users\gata_000\AppData\Local\Temp\jre-8u60-windows-au.exe
C:\Users\gata_000\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\gata_000\AppData\Local\Temp\jre-8u66-windows-au.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-01-23 11:59

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by gata_000 (2016-01-28 13:29:27)
Running from C:\Users\gata_000\Desktop
Windows 8.1 Pro with Media Center (X64) (2015-06-01 18:39:03)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-3899613305-1892091159-3862587331-500 - Administrator - Disabled) => C:\Users\Administrator
Guest (S-1-5-21-3899613305-1892091159-3862587331-501 - Limited - Disabled)
gata_000 (S-1-5-21-3899613305-1892091159-3862587331-1002 - Administrator - Enabled) => C:\Users\gata_000
UpdatusUser (S-1-5-21-3899613305-1892091159-3862587331-1001 - Limited - Enabled) => C:\Users\TEMP

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20056 - Adobe Systems Incorporated)
Adobe Acrobat XI Pro (HKLM-x32\...\{AC76BA86-1033-FFFF-7760-000000000006}) (Version: 11.0.14 - Adobe Systems)
Adobe Dreamweaver CS6 (HKLM-x32\...\{A4ED5E53-7AA0-11E1-BF04-B2D4D4A5360E}) (Version: 12.0.3 - Adobe Systems Incorporated)
Adobe Photoshop Elements 8.0 (HKLM-x32\...\Adobe Photoshop Elements 8.0) (Version: 8.0 - Adobe Systems Incorporated)
CyberLink Media Suite Essentials (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 10.0 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dell Customer Connect (HKLM-x32\...\{124DE80C-9BFE-4D04-A8D9-69C5019DEEBF}) (Version: 1.3.28.0 - Dell Inc.)
Dell Update (HKLM-x32\...\{DB82968B-57A4-4397-81A5-ECAB21B5DFCD}) (Version: 1.7.1015.0 - Dell Inc.)
Dell WLAN and Bluetooth Client Installation (HKLM-x32\...\{28006915-2739-4EBE-B5E8-49B25D32EB33}) (Version: 10.0 - Dell Inc.)
Extended Asian Language font pack for Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-2530-0000-AC0F074E4100}) (Version: 15.007.20033 - Adobe Systems Incorporated)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 47.0.2526.111 - Google Inc.)
Google Talk Plugin (HKLM-x32\...\{F9B579C2-D854-300A-BE62-A09EB9D722E4}) (Version: 5.41.3.0 - Google)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7210.1528 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.24.7 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.29.1 - Google Inc.) Hidden
HP Officejet Pro 6830 Basic Device Software (HKLM\...\{98040AB6-D667-409C-81E7-DB65836B3EE0}) (Version: 33.1.73.49987 - Hewlett-Packard Co.)
HP Support Assistant (HKLM-x32\...\{79C54A05-F146-4EA0-8A70-D4EFE6181E52}) (Version: 8.1.40.3 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{55065080-504F-43BB-BE00-36B80D7D39A5}) (Version: 12.0.30.219 - Hewlett-Packard Company)
Intel® Chipset Device Software (x32 Version: 10.0.13 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1168 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.0.1016 - Intel Corporation)
Intel® Update Manager (HKLM-x32\...\{B991A1BC-DE0F-41B3-9037-B2F948F706EC}) (Version: 3.1.1228 - Intel Corporation)
Java 8 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218071F0}) (Version: 8.0.710.15 - Oracle Corporation)
Junk Mail filter update (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft LifeCam (HKLM\...\{5CE7E3F5-9803-4F32-AA89-2D8848A80109}) (Version: 3.60.253.0 - Microsoft Corporation)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.6366.2056 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\...\OneDriveSetup.exe) (Version: 17.3.6281.1202 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 43.0.4 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 43.0.4 (x86 en-US)) (Version: 43.0.4 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 43.0.4.5848 - Mozilla)
NVIDIA 3D Vision Controller Driver 332.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 332.21 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 332.66 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 332.66 - NVIDIA Corporation)
NVIDIA Graphics Driver 332.66 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 332.66 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.30.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.30.1 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
NVIDIA Update 1.15.2 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.15.2 - NVIDIA Corporation)
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6326.1019 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.6326.1019 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6326.1019 - Microsoft Corporation) Hidden
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.1.232 - Qualcomm Atheros Communications)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.30164 - Realtek Semiconductor Corp.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7016 - Realtek Semiconductor Corp.)
Secunia PSI (3.0.0.11003) (HKLM-x32\...\Secunia PSI) (Version: 3.0.0.11003 - Secunia)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3899613305-1892091159-3862587331-1002_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\gata_000\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll (Google Inc.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {227A65B1-5969-4D2B-8174-2AA332D7A384} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2015-11-04] (Hewlett-Packard)
Task: {4BA24D0C-4921-4F72-A95C-9EBB3CDFDD52} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-3899613305-1892091159-3862587331-1002 => C:\Users\gata_000\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2015-12-13] (Microsoft Corporation)
Task: {4C1DB5F1-7415-4860-A484-1268556EF36D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)
Task: {553C09E6-726A-4A1B-91D7-408E9ABB25F9} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2015-09-27] (Hewlett-Packard)
Task: {601855C2-9C32-410F-86CB-DFD5A0B8CDC6} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-01-07] (Microsoft Corporation)
Task: {62FC5E2C-E1E5-47D7-98B5-5A735F893E59} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {63AEFB48-B2BD-42FA-A0FE-07A14E6B184B} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-01-07] (Microsoft Corporation)
Task: {6A89A2C1-2BC1-4757-B561-22BC89B43D00} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473 => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {6EA2585C-6A39-43C5-8FF2-B81DBB58B555} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Active Health Launcher => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2015-11-04] (Hewlett-Packard)
Task: {9485ADC8-B241-4CD1-AFD4-26C9EBC5670E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-31] (Google Inc.)
Task: {AB02B5A5-4D3D-4C07-9D9E-D13E1675CA73} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-gata@.... => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2015-10-30] (Adobe Systems Incorporated)
Task: {ADEC80AD-B6D2-4E89-9ACB-EE83FDB9F348} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-13] (Adobe Systems Incorporated)
Task: {ADF08091-3241-444D-B3B1-77B15C7DD9AD} - System32\Tasks\HPCeeScheduleForgata_000 => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {AEBF871B-101F-4FBF-B5B7-CAF24CD93144} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3899613305-1892091159-3862587331-1002Core => C:\Users\gata_000\AppData\Local\Google\Update\GoogleUpdate.exe [2015-06-02] (Google Inc.)
Task: {BA48FCCD-F364-42BF-B684-E7B4DCC4D3D1} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {C450F967-209B-44A8-AF7D-871D20922A54} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2016-01-08] (Microsoft Corporation)
Task: {C45E4C75-DE24-4819-A700-8D609AF8BA51} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)
Task: {D0C5FD23-93B4-40B0-9AB5-04E08C828264} - System32\Tasks\IUM-F1E24CA0-B63E-4F13-A9E3-4ADE3BFF3473-Logon => C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [2015-09-25] (Intel Corporation)
Task: {D7B99643-680C-48FE-B2B6-0BD1A4490892} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3899613305-1892091159-3862587331-1002UA => C:\Users\gata_000\AppData\Local\Google\Update\GoogleUpdate.exe [2015-06-02] (Google Inc.)
Task: {EA13D027-BA51-49DF-8E86-051E38703DDE} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-01-12] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3899613305-1892091159-3862587331-1002Core.job => C:\Users\gata_000\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3899613305-1892091159-3862587331-1002UA.job => C:\Users\gata_000\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForgata_000.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2014-09-25 13:48 - 2014-02-16 03:35 - 00117536 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-12-04 13:29 - 2016-01-07 06:13 - 00162472 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll
2016-01-13 21:06 - 2016-01-07 09:14 - 08903848 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2013-07-30 23:59 - 2013-07-30 23:59 - 00011264 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-07-30 23:55 - 2013-07-30 23:55 - 00086016 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\Modules\Map\MAP.dll
2013-07-31 00:04 - 2013-07-31 00:04 - 00012928 _____ () C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\ActivateDesktop.exe
2014-02-19 20:51 - 2014-02-19 20:51 - 01241560 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\gata_000\AppData\Local\Microsoft\Windows\Themes\Logo (3)\DesktopBackground\logo.jpg
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "IAStorIcon"
HKLM\...\StartupApproved\Run32: => "Adobe Creative Cloud"
HKU\S-1-5-21-3899613305-1892091159-3862587331-1002\...\StartupApproved\StartupFolder: => "Send to OneNote.lnk"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{E3D237AF-09CB-42DF-985A-467DAE13CB6F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A4DBCACB-07A7-48D8-AE62-397BBA6B7868}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{60ED3028-370B-4EB6-93E4-988926298E42}C:\users\gata_000\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe] => (Allow) C:\users\gata_000\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe
FirewallRules: [UDP Query User{7FF9B8F5-8114-47E8-8F5E-0E24D6694E07}C:\users\gata_000\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe] => (Allow) C:\users\gata_000\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe
FirewallRules: [{3C9F6D5F-F828-47BC-9C81-38DF37FEF2EC}] => (Block) C:\users\gata_000\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe
FirewallRules: [{C8CACB79-EE44-4D97-B416-69C19F9FA097}] => (Block) C:\users\gata_000\desktop\tl-wpa4220kit_v1_utility\tl-wpa2220_v1_utility\powerline scan.exe
FirewallRules: [{97D64869-EE56-4B0B-B963-C76FC5B62CFB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4319FB04-A3F3-4D71-96C8-D73FA628B674}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E792B635-E346-4A52-9352-6577B120D890}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{F4001A1C-4197-4F3A-AEBD-596243F7172D}] => (Allow) C:\Program Files\HP\HP Officejet Pro 6830\bin\FaxApplications.exe
FirewallRules: [{FFE5471C-CE28-466F-9EEB-E557D2CDEFF9}] => (Allow) C:\Program Files\HP\HP Officejet Pro 6830\bin\DigitalWizards.exe
FirewallRules: [{BAA37EA9-0ACB-474A-991A-C2F4888CA890}] => (Allow) C:\Program Files\HP\HP Officejet Pro 6830\bin\SendAFax.exe
FirewallRules: [{44FA995D-2B71-477A-97A6-8E8BE0F75CD8}] => (Allow) C:\Program Files\HP\HP Officejet Pro 6830\Bin\DeviceSetup.exe
FirewallRules: [{9EAF6F1C-B1B3-489F-BAAD-68346622C50A}] => (Allow) LPort=5357
FirewallRules: [{C3575CF9-5430-45D7-AAAA-4457A6226475}] => (Allow) C:\Program Files\HP\HP Officejet Pro 6830\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{2620FC6C-958F-4B84-A83C-976D1089E415}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Restore Points =========================

08-01-2016 15:56:18 Removed HP Officejet Pro 6830 Basic Device Software
12-01-2016 23:21:07 Windows Update
14-01-2016 23:26:15 Windows Backup
22-01-2016 20:19:17 Scheduled Checkpoint
28-01-2016 12:37:52 Windows Backup

==================== Faulty Device Manager Devices =============

Name: Dell Wireless 1703 Bluetooth
Description: Dell Wireless 1703 Bluetooth
Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Manufacturer: Qualcomm Atheros Communications
Service: BTHUSB
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Dell Wireless 1703 802.11b/g/n (2.4GHz)
Description: Dell Wireless 1703 802.11b/g/n (2.4GHz)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Atheros Communications Inc.
Service: athr
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (01/28/2016 01:15:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/28/2016 01:15:18 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-3899613305-1892091159-3862587331-1001.bak).  hr = 0x80070539, The security ID structure is invalid.
.

Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {ba46937b-b0e3-48c6-abf1-8b87b35e2c4d}

Error: (01/28/2016 12:37:53 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/28/2016 12:37:53 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-3899613305-1892091159-3862587331-1001.bak).  hr = 0x80070539, The security ID structure is invalid.
.

Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {ba46937b-b0e3-48c6-abf1-8b87b35e2c4d}

Error: (01/28/2016 12:37:47 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/28/2016 12:37:46 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-3899613305-1892091159-3862587331-1001.bak).  hr = 0x80070539, The security ID structure is invalid.
.

Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {ba46937b-b0e3-48c6-abf1-8b87b35e2c4d}

Error: (01/28/2016 12:37:42 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/28/2016 12:37:42 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-3899613305-1892091159-3862587331-1001.bak).  hr = 0x80070539, The security ID structure is invalid.
.

Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {ba46937b-b0e3-48c6-abf1-8b87b35e2c4d}

Error: (01/28/2016 12:37:07 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (01/28/2016 12:36:58 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine ConvertStringSidToSid(S-1-5-21-3899613305-1892091159-3862587331-1001.bak).  hr = 0x80070539, The security ID structure is invalid.
.

Operation:
   OnIdentify event
   Gathering Writer Data

Context:
   Execution Context: Shadow Copy Optimization Writer
   Writer Class Id: {4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f}
   Writer Name: Shadow Copy Optimization Writer
   Writer Instance ID: {ba46937b-b0e3-48c6-abf1-8b87b35e2c4d}

System errors:
=============
Error: (01/28/2016 01:14:59 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume28'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (01/28/2016 01:14:59 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume28'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (01/28/2016 12:39:43 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume26'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (01/28/2016 12:39:43 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume26'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

Error: (01/28/2016 12:37:01 PM) (Source: Virtual Disk Service) (EventID: 9) (User: )
Description: Unexpected provider failure. Restarting the service may fix the problem. Error code: 8007001F@02000014

Error: (01/28/2016 12:37:01 PM) (Source: Virtual Disk Service) (EventID: 9) (User: )
Description: Unexpected provider failure. Restarting the service may fix the problem. Error code: 8007001F@02000014

Error: (01/28/2016 12:37:00 PM) (Source: Virtual Disk Service) (EventID: 9) (User: )
Description: Unexpected provider failure. Restarting the service may fix the problem. Error code: 8007001F@02000014

Error: (01/28/2016 12:36:59 PM) (Source: Virtual Disk Service) (EventID: 9) (User: )
Description: Unexpected provider failure. Restarting the service may fix the problem. Error code: 8007001F@02000014

Error: (01/15/2016 12:29:37 PM) (Source: Ntfs) (EventID: 138) (User: )
Description: The transaction resource manager at C:\ encountered a fatal error and was shut down.  The data contains the error code.

Error: (01/14/2016 11:28:02 PM) (Source: Microsoft-Windows-FilterManager) (EventID: 3) (User: NT AUTHORITY)
Description: Filter Manager failed to attach to volume '\Device\HarddiskVolume26'.  This volume will be unavailable for filtering until a reboot.  The final status was 0xc03a001c.

==================== Memory info ===========================

Processor: Intel® Core™ i7-4790 CPU @ 3.60GHz
Percentage of memory in use: 15%
Total physical RAM: 16335.19 MB
Available physical RAM: 13784.45 MB
Total Virtual: 18767.19 MB
Available Virtual: 15563.82 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:919.03 GB) (Free:826.22 GB) NTFS
Drive d: (BLKEY) (Removable) (Total:7.21 GB) (Free:7.21 GB) FAT32
Drive l: (Storage space) (Fixed) (Total:929.87 GB) (Free:733.9 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: DDD8F447)

Partition: GPT.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)

Partition: GPT.

========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 7.2 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=7.2 GB) - (Type=0B)

========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 00000000)

Partition: GPT.
Attempted reading MBR returned 0 bytes.
 Could not read MBR for disk 9.

==================== End of Addition.txt ============================


Edited by GataPandu, 29 January 2016 - 01:09 PM.


#4 LiquidTension

  • Malware Response Team
  • 1,278 posts
  • Gender:Male

Posted 28 January 2016 - 09:31 PM

Hi Gata,

> This may or may not have any bearing on the scan, but I thought I should mention it anyway.
>
> Edit: I think I should also mention that the system (Desktop and the USB HDDs) are BitLocker encrypted. The BitLocker keys are on the USB stick BLKEY which was also attached to Desktop during the scan.

Thank you for the information. Your FRST logs are clean.

 

Let's run a few additional scans to double-check - however, malware does not appear to be present. 

 
STEP 1
Emsisoft Emergency Kit (Portable)

  • Please download Emsisoft Emergency Kit and save the file to your Desktop.
  • Double-click EmsisoftEmergencyKit.exe.
  • Click Extract.
  • Upon completion, double-click the Emsisoft Emergency Kit shortcut on your Desktop to start the programme.
  • Click Yes to update the programme definitions.
  • Click Yes to detect Potentially Unwanted Programs (PUPs).
  • Click Scan now.
  • Select Full Scan and click Scan.
  • Close any High Risk notification screen that may appear.
  • When the scan is finished click Quarantine selected objects if malicious objects were found.
  • Click View Report, and open the most recent log. 
  • Copy the contents of the log and paste in your next reply.
     

STEP 2
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List found threats. If no threats were found, skip the next two bullet points.
  • Click Export to text file and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

STEP 3
RogueKiller

  • Please download RogueKiller (x64) and save the file to your Desktop.
  • Close any running programmes.
  • Right-click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click Scan. Upon completion, click Report.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Emsisoft Scan Log
  • ESET Online Scan Log
  • RKreport.txt


#5 GataPandu

  • Topic Starter
  • Members
  • 38 posts

Posted 29 January 2016 - 04:33 PM

Adam,

 

As to Step 1, I notice that the Emsisoft Emergency Kit quarantined 2 files that may be harmless or even useful.

 

As to Step 2, and upon 'Uninstall application on close', there is indeed no ESET anything in the 'Programs and Features' control panel. However, there is still an esetsmartinstaller_enu.exe icon on the desktop. Moreover, Step 2 found a PUP that I don't need.

 

As to Step 3, the anchor text RogueKiller (x64) has an underlying URL that leads to a 404 Page Not Found error. Out of fear of doing the wrong thing, I did not do Step 3; please advise.

 

Here are the two logs from Step 1 and Step 2:

============================================

Emsisoft Emergency Kit - Version 11.0
Last update: 1/29/2016 1:39:24 PM
User account: DESKTOP\gata_000

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:        1/29/2016 1:41:33 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO         detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO         detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1         detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1         detected: Application.AdReg (A)

Scanned        92189
Found        4

Scan end:        1/29/2016 1:48:20 PM
Scan time:        0:06:47

Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO.1         Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\PROTECTOR_DLL.PROTECTORBHO         Application.AdReg (A)

Quarantined        2

============================================

MyEsetScan

C:\Installers\winzip160.exe        a variant of Win32/Systweak.L potentially unwanted application

 



#6 LiquidTension

  • Malware Response Team
  • 1,278 posts
  • Gender:Male

Posted 29 January 2016 - 06:19 PM

Hello Gata, 

 

Please use the following link to download RogueKiller: 

http://www.bleepingcomputer.com/download/roguekiller/dl/121/

 

We can address the items flagged by Emsisoft and ESET afterwards. 



#7 GataPandu

  • Topic Starter
  • Members
  • 38 posts

Posted 30 January 2016 - 10:50 AM

Hi Adam,

 

Thanks for the new download URL, but I couldn't finish Step 3. At about halfway (about 55% - 60%) through the scan, the following error message window appeared.

---------------------------------------------

RogueKiller.exe - No Disk

There is no disk in the drive. Please insert a disk into drive J:.

---------------------------------------------

I pressed the buttons Cancel, Try Again, Continue and finally clicked the red X in the top right corner, but the error message window did not disappear and I was stuck. I had to use Task Manager to end the task which closed the main window. The error message window was still open, but I clicked the red X and it closed.

 

I am a bit worried about having to resort to Task Manager; please advise.

 

Gata



#8 LiquidTension

  • Malware Response Team
  • 1,278 posts
  • Gender:Male

Posted 30 January 2016 - 07:51 PM

Hi Gata, 
 
This is unusual behaviour from RogueKiller, but likely due to interference from BitLocker. We can skip RogueKiller. 
 
Concerning the items flagged by Emsisoft - these are registry keys related to BProtect adware, and not of particular concern. The file flagged by ESET is an installer for WinZip, and does not require removal. ESET is flagging the file due to bundling of potentially unwanted programmes (PUPs) inside the installer.
 
The bottom line - malware does not appear to be present on this computer. Please run the following programme to remove the tools used. If there are no ESET-related items in your Programs and Features, you need only delete the installer (esetsmartinstaller_enu.exe) from your Desktop.
 
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore (this option will create a new Restore Point, and delete all but the most recent)
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
Please advise when you wish to move onto the next computer.


Edited by LiquidTension, 30 January 2016 - 07:52 PM.


#9 GataPandu

  • Topic Starter
  • Members
  • 38 posts

Posted 30 January 2016 - 09:53 PM

Hi Adam,

I downloaded DelFix but I found http://www.herdprotect.com/delfix_1.011.exe-e94836bbc6ac25d128d2db220ed6da5749582c93.aspx and it scares me. I wonder if I can manually remove the tools. I have on my C: drive a FRST folder and an EEK folder from Emsisoft with the Quarantine subfolder containing the 2 quarantined files. On the desktop are esetsmartinstaller_enu.exe, RogueKiller.exe and delfix_1.011.exe. The 'Programs and Features' control panel does not list anything related, but there may of course be fragments elsewhere; please advise.

 

Yes, please, I would like to have the laptop done too, which is the one that can access (and had accessed) the same email account that received the 2 emails with the attachments (that I did not click on). If the laptop too turns out to be clean, then I will have regained my peace of mind.



#10 LiquidTension

  • Malware Response Team
  • 1,278 posts
  • Gender:Male

Posted 30 January 2016 - 11:34 PM

Hello Gata,

 

Delfix is perfectly safe. You can see the programme is also hosted here at BleepingComputer: 

http://www.bleepingcomputer.com/download/delfix/

 

Those detections are false-positives, and not uncommon for tools used in malware removal. However, I understand your concern. If you do not wish to download and run Delfix, you can manually delete the FRST folder in your root (C:\) directory, as well as the EEK folder and downloaded executables (.exe) on your Desktop. 

 

Using your laptop, please repeat the instructions from Post #2:

http://www.bleepingcomputer.com/forums/t/603438/is-my-computer-really-clean/#entry3920081



#11 GataPandu

  • Topic Starter
  • Members
  • 38 posts

Posted 31 January 2016 - 10:16 AM

Hi Adam,

 

I did the manual removals; the machine behaves normally as before, at least in the short time since the removals. I am relieved as far as this machine goes :-)

 

Here are the FRST scans of the laptop.

=========================================

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-01-2016
Ran by Gata (administrator) on LENOVO16 (31-01-2016 09:39:22)
Running from C:\Users\Gata\Desktop
Loaded Profiles: Gata (Available Profiles: Gata)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKU\S-1-5-21-1337851226-1434512050-3979927188-1001\...\MountPoints2: {96edb07e-afce-11e5-8253-2089849a0c4b} - "E:\IronKey.exe"
Startup: C:\Users\Gata\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-01-02]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\root\Office16\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{99B0E97B-1374-45D4-8DD8-8C2D644448C0}: [DhcpNameServer] 192.168.2.1

Internet Explorer:
==================
HKU\S-1-5-21-1337851226-1434512050-3979927188-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.ca/
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-01-07] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-01-07] (Microsoft Corporation)
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-01-07] (Microsoft Corporation)

FireFox:
========
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-01-07] (Microsoft Corporation)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2762936 2016-01-07] (Microsoft Corporation)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [330136 2015-08-27] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R1 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [109272 2015-10-05] (Malwarebytes)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-31] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-31 09:39 - 2016-01-31 09:39 - 00006168 _____ C:\Users\Gata\Desktop\FRST.txt
2016-01-31 09:38 - 2016-01-31 09:39 - 00000000 ____D C:\FRST
2016-01-31 09:34 - 2016-01-31 09:34 - 02370560 _____ (Farbar) C:\Users\Gata\Desktop\FRST64.exe
2016-01-23 19:52 - 2015-12-10 23:38 - 25837568 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2016-01-23 19:52 - 2015-12-10 22:55 - 06051328 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2016-01-23 19:51 - 2015-12-10 23:00 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2016-01-23 19:51 - 2015-12-10 22:50 - 20367360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2016-01-23 19:51 - 2015-12-10 22:45 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2016-01-23 19:51 - 2015-12-10 22:21 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2016-01-23 19:51 - 2015-12-10 22:18 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2016-01-23 19:51 - 2015-12-10 22:09 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2016-01-23 19:51 - 2015-12-10 22:09 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2016-01-23 19:51 - 2015-12-10 22:03 - 14456832 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2016-01-23 19:51 - 2015-12-10 21:59 - 00798208 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2016-01-23 19:51 - 2015-12-10 21:43 - 04610560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2016-01-23 19:51 - 2015-12-10 21:43 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2016-01-23 19:51 - 2015-12-10 21:38 - 02487808 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2016-01-23 19:51 - 2015-12-10 21:37 - 00687104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2016-01-23 19:51 - 2015-12-10 21:35 - 12856320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2016-01-23 19:51 - 2015-12-10 21:26 - 01546752 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2016-01-23 19:51 - 2015-12-10 21:14 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2016-01-23 19:51 - 2015-12-10 21:12 - 02011136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2016-01-23 19:51 - 2015-12-10 21:08 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2016-01-23 19:51 - 2015-12-10 21:07 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2016-01-23 19:48 - 2015-12-30 14:32 - 07453016 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-01-23 19:48 - 2015-12-30 14:32 - 01735000 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2016-01-23 19:48 - 2015-12-30 14:32 - 01499912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2016-01-23 19:48 - 2015-12-07 05:56 - 01380600 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 02745184 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 02528784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 02450240 _____ (Microsoft Corporation) C:\Windows\system32\WMVENCOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 02447136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVENCOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 02334104 _____ (Microsoft Corporation) C:\Windows\system32\mfcore.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 02324744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfcore.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 01877504 _____ (Microsoft Corporation) C:\Windows\system32\msmpeg2adec.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 01798480 _____ (Microsoft Corporation) C:\Windows\system32\WMALFXGFXDSP.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 01484888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msmpeg2adec.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 01288128 _____ (Microsoft Corporation) C:\Windows\system32\mfnetsrc.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 01210200 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 01150232 _____ (Microsoft Corporation) C:\Windows\system32\WMADMOE.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 01115640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfnetsrc.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 01037680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMADMOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00914672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMADMOE.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00850680 _____ (Microsoft Corporation) C:\Windows\system32\mfnetcore.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00735496 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00700360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfnetcore.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00629600 _____ (Microsoft Corporation) C:\Windows\system32\MP4SDECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00584656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\evr.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00557856 _____ (Microsoft Corporation) C:\Windows\system32\WMVSDECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00498472 _____ (Microsoft Corporation) C:\Windows\system32\mfsvr.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00492736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVSDECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00463776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MP4SDECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00399776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfsvr.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00299080 _____ (Microsoft Corporation) C:\Windows\system32\VIDRESZR.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00275312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MPG4DECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00274280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MP43DECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00250520 _____ (Microsoft Corporation) C:\Windows\system32\MPG4DECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00248432 _____ (Microsoft Corporation) C:\Windows\system32\MP43DECD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00246856 _____ (Microsoft Corporation) C:\Windows\system32\RESAMPLEDMO.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00244296 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00229272 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RESAMPLEDMO.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00203016 _____ (Microsoft Corporation) C:\Windows\system32\COLORCNV.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00184912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\COLORCNV.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00183856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\VIDRESZR.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00116720 _____ (Microsoft Corporation) C:\Windows\system32\MP3DMOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00110544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfps.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00099136 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MP3DMOD.DLL
2016-01-23 19:48 - 2015-12-05 00:58 - 00090904 _____ (Microsoft Corporation) C:\Windows\system32\devenum.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00090392 _____ (Microsoft Corporation) C:\Windows\system32\mfvdsp.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00081032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\devenum.dll
2016-01-23 19:48 - 2015-12-05 00:58 - 00076936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfvdsp.dll
2016-01-23 19:48 - 2015-12-04 10:00 - 01097216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2016-01-23 19:48 - 2015-12-03 14:42 - 00561952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2016-01-23 19:48 - 2015-12-03 14:42 - 00397224 _____ (Microsoft Corporation) C:\Windows\system32\bcryptprimitives.dll
2016-01-23 19:48 - 2015-12-03 14:42 - 00137968 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2016-01-23 19:48 - 2015-12-03 14:42 - 00106960 _____ (Microsoft Corporation) C:\Windows\system32\ncryptsslp.dll
2016-01-23 19:48 - 2015-12-03 14:41 - 00177488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2016-01-23 19:48 - 2015-12-03 13:52 - 00340872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\bcryptprimitives.dll
2016-01-23 19:48 - 2015-12-03 13:52 - 00120376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2016-01-23 19:48 - 2015-12-03 13:52 - 00091416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncryptsslp.dll
2016-01-23 19:48 - 2015-12-03 13:28 - 00401920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2016-01-23 19:48 - 2015-12-03 13:28 - 00202240 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2016-01-23 19:48 - 2015-12-03 13:07 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2016-01-23 19:48 - 2015-12-03 13:07 - 00289792 _____ (Microsoft Corporation) C:\Windows\system32\ksproxy.ax
2016-01-23 19:48 - 2015-12-03 13:05 - 00644608 _____ (Microsoft Corporation) C:\Windows\system32\WMVXENCD.DLL
2016-01-23 19:48 - 2015-12-03 13:02 - 01664000 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOE.DLL
2016-01-23 19:48 - 2015-12-03 13:00 - 00451072 _____ (Microsoft Corporation) C:\Windows\system32\WMVSENCD.DLL
2016-01-23 19:48 - 2015-12-03 12:58 - 00378880 _____ (Microsoft Corporation) C:\Windows\system32\SysFxUI.dll
2016-01-23 19:48 - 2015-12-03 12:51 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll
2016-01-23 19:48 - 2015-12-03 12:36 - 01697792 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2016-01-23 19:48 - 2015-12-03 12:30 - 00468480 _____ (Microsoft Corporation) C:\Windows\system32\MFWMAAEC.DLL
2016-01-23 19:48 - 2015-12-03 12:28 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2016-01-23 19:48 - 2015-12-03 12:28 - 00245760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ksproxy.ax
2016-01-23 19:48 - 2015-12-03 12:27 - 00736256 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVXENCD.DLL
2016-01-23 19:48 - 2015-12-03 12:24 - 01411584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMSPDMOE.DLL
2016-01-23 19:48 - 2015-12-03 12:23 - 00402432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVSENCD.DLL
2016-01-23 19:48 - 2015-12-03 12:16 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll
2016-01-23 19:48 - 2015-12-03 12:13 - 01441280 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2016-01-23 19:48 - 2015-12-03 12:07 - 00432128 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2016-01-23 19:48 - 2015-12-03 12:06 - 01501184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\quartz.dll
2016-01-23 19:48 - 2015-12-03 12:01 - 00743936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MFWMAAEC.DLL
2016-01-23 19:48 - 2015-12-03 11:45 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2016-01-23 19:48 - 2015-12-03 11:40 - 01010688 _____ (Microsoft Corporation) C:\Windows\system32\WMSPDMOD.DLL
2016-01-23 19:48 - 2015-12-03 11:29 - 00887296 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMSPDMOD.DLL
2016-01-23 19:48 - 2015-12-02 10:04 - 00670208 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2016-01-23 19:48 - 2015-12-02 10:01 - 00561664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qedit.dll
2016-01-23 19:46 - 2015-12-08 14:08 - 00685432 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2016-01-23 19:46 - 2015-12-08 14:07 - 00507176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2016-01-02 12:25 - 2016-01-02 12:25 - 00000000 ____D C:\Users\Gata\Documents\OneNote Notebooks
2016-01-02 12:23 - 2016-01-23 19:47 - 00003096 _____ C:\Windows\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1337851226-1434512050-3979927188-1001
2016-01-02 12:22 - 2016-01-02 12:22 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2016-01-02 12:22 - 2015-07-17 08:51 - 00984448 _____ (Microsoft Corporation) C:\Windows\system32\ucrtbase.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00063840 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-private-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00020832 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-math-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00019808 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-string-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00017760 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00016224 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00015712 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-convert-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00014176 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-time-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00013664 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-process-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-heap-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00012640 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-conio-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-utility-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-locale-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:51 - 00012128 _____ (Microsoft Corporation) C:\Windows\system32\api-ms-win-crt-environment-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00901264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ucrtbase.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00066400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-private-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00022368 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-math-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00019808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-multibyte-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-string-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00017760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-stdio-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00016224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-runtime-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00015712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-convert-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00014176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-time-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00013664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-filesystem-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-process-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-heap-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00012640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-conio-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-utility-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-locale-l1-1-0.dll
2016-01-02 12:22 - 2015-07-17 08:47 - 00012128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-crt-environment-l1-1-0.dll
2016-01-02 11:59 - 2016-01-02 11:59 - 00002436 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk
2016-01-02 11:59 - 2016-01-02 11:59 - 00002435 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk
2016-01-02 11:59 - 2016-01-02 11:59 - 00002399 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk
2016-01-02 11:59 - 2016-01-02 11:59 - 00002398 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk
2016-01-02 11:59 - 2016-01-02 11:59 - 00002392 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk
2016-01-02 11:59 - 2016-01-02 11:59 - 00002386 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk
2016-01-02 11:59 - 2016-01-02 11:59 - 00002378 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk
2016-01-02 11:59 - 2016-01-02 11:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2016-01-02 11:41 - 2016-01-23 19:58 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-01-02 11:41 - 2016-01-02 11:41 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-01-01 21:10 - 2016-01-31 09:31 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-01-01 21:10 - 2016-01-01 21:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-01-01 21:10 - 2016-01-01 21:10 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-01-01 21:10 - 2016-01-01 21:10 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-01-01 21:10 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-01-01 21:10 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-01-01 21:10 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-01-01 20:58 - 2016-01-01 20:59 - 22908888 _____ (Malwarebytes ) C:\Users\Gata\Downloads\mbam-setup-2.2.0.1024.exe
2016-01-01 17:10 - 2016-01-05 15:04 - 00826872 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-01-01 17:10 - 2016-01-05 15:04 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-01-01 17:03 - 2016-01-01 17:04 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-01-01 13:59 - 2016-01-23 20:01 - 00000000 ____D C:\Windows\system32\MRT
2016-01-01 13:59 - 2016-01-23 20:00 - 143671360 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-01-01 13:32 - 2015-07-07 04:40 - 00270168 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdFilter.sys
2016-01-01 13:32 - 2015-07-07 04:40 - 00114520 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdNisDrv.sys
2016-01-01 13:32 - 2015-07-07 04:40 - 00044560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdBoot.sys
2016-01-01 13:32 - 2015-02-02 18:53 - 00014848 _____ (Microsoft Corporation) C:\Windows\system32\winshfhc.dll
2016-01-01 13:32 - 2015-02-02 18:53 - 00012800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winshfhc.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-01-31 09:37 - 2014-03-18 05:03 - 00818732 _____ C:\Windows\system32\PerfStringBackup.INI
2016-01-31 09:37 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Inf
2016-01-31 09:31 - 2015-12-31 08:52 - 00000000 __SHD C:\Users\Gata\IntelGraphicsProfiles
2016-01-31 09:31 - 2015-12-31 08:52 - 00000000 __RDO C:\Users\Gata\OneDrive
2016-01-31 09:30 - 2013-08-22 09:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-01-23 21:02 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\rescache
2016-01-23 20:45 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-01-23 20:04 - 2013-08-22 10:20 - 00000000 ____D C:\Windows\CbsTemp
2016-01-23 20:01 - 2013-08-22 10:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-01-23 19:57 - 2015-12-31 08:16 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1337851226-1434512050-3979927188-1001
2016-01-23 19:55 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\AppReadiness
2016-01-23 19:46 - 2015-12-31 08:10 - 00000000 ____D C:\Users\Gata\AppData\Local\Packages
2016-01-02 13:23 - 2013-08-22 09:44 - 00472712 _____ C:\Windows\system32\FNTCACHE.DAT
2016-01-02 11:41 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2016-01-02 11:36 - 2015-12-31 10:01 - 00000000 ____D C:\Users\Gata\AppData\Roaming\LockAP
2016-01-01 20:56 - 2015-12-31 08:28 - 00000000 __SHD C:\Users\Gata\AppData\Local\EmieUserList
2016-01-01 20:56 - 2015-12-31 08:28 - 00000000 __SHD C:\Users\Gata\AppData\Local\EmieSiteList
2016-01-01 20:55 - 2015-12-31 08:28 - 00000000 __SHD C:\Users\Gata\AppData\LocalLow\EmieUserList
2016-01-01 20:55 - 2015-12-31 08:28 - 00000000 __SHD C:\Users\Gata\AppData\LocalLow\EmieSiteList
2016-01-01 17:24 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-01-01 17:04 - 2014-03-18 04:45 - 00000000 ____D C:\Program Files\Windows Journal
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ___SD C:\Windows\system32\dsc
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ___RD C:\Windows\ToastData
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ___RD C:\Windows\ImmersiveControlPanel
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\WinStore
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\SysWOW64\setup
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\SysWOW64\Com
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\WinBioPlugIns
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\SystemResetPlatform
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\setup
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\SecureBootUpdates
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\migwiz
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\Com
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\MediaViewer
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\IME
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\FileManager
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\Camera
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Multimedia Platform
2016-01-01 17:04 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Common Files\System
2016-01-01 17:04 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\SysWOW64\oobe
2016-01-01 17:04 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\SysWOW64\Dism
2016-01-01 17:04 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\Sysprep
2016-01-01 17:04 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\oobe
2016-01-01 17:04 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\Dism
2016-01-01 17:04 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\servicing
2016-01-01 17:03 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\SysWOW64\InputMethod
2016-01-01 17:03 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files\Windows Defender
2016-01-01 17:03 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2016-01-01 17:03 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-01-01 17:03 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files (x86)\Windows Multimedia Platform
2016-01-01 17:03 - 2013-08-22 10:36 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-01-01 13:46 - 2013-08-22 10:36 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2016-01-01 13:46 - 2013-08-22 10:36 - 00195072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2016-01-01 13:37 - 2015-12-31 03:11 - 00000000 ____D C:\Windows\Panther

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-01-23 19:57

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by Gata (2016-01-31 09:39:51)
Running from C:\Users\Gata\Desktop
Windows 8.1 (X64) (2015-12-31 13:09:45)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1337851226-1434512050-3979927188-500 - Administrator - Disabled)
Guest (S-1-5-21-1337851226-1434512050-3979927188-501 - Limited - Disabled)
Gata (S-1-5-21-1337851226-1434512050-3979927188-1001 - Administrator - Enabled) => C:\Users\Gata

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4276 - Intel Corporation)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.6366.2056 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1337851226-1434512050-3979927188-1001\...\OneDriveSetup.exe) (Version: 17.3.6281.1202 - Microsoft Corporation)
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6326.1019 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.6326.1019 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6326.1019 - Microsoft Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1337851226-1434512050-3979927188-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {3C0BFF4D-F75E-47B2-A310-C4F49FD18EE7} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-01-07] (Microsoft Corporation)
Task: {53B2D217-958B-4A4B-84B6-49A64B4379A6} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2016-01-08] (Microsoft Corporation)
Task: {8910AF6E-4967-4F91-8ED7-16C3611A7F3A} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1337851226-1434512050-3979927188-1001 => C:\Users\Gata\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2016-01-23] (Microsoft Corporation)
Task: {BA48FCCD-F364-42BF-B684-E7B4DCC4D3D1} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {D6235AAF-C91A-48CB-B995-0727212F979D} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-01-07] (Microsoft Corporation)
Task: {D9D27C37-EBA6-4DF8-B77C-06359AEA89B7} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2016-01-23] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2016-01-02 11:41 - 2016-01-07 06:13 - 00162472 _____ () C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll
2016-01-23 19:56 - 2016-01-07 09:14 - 08903848 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1337851226-1434512050-3979927188-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Gata\AppData\Local\Microsoft\Windows\Themes\Logo (2)\DesktopBackground\logo.jpg
DNS Servers: 192.168.2.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{95800C42-E9A0-4FF0-85BA-F49085838FC8}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{1C1BCA0C-DE46-4CC8-AA81-E4FA9A05EE15}] => (Allow) C:\Users\Gata\AppData\Local\Microsoft\OneDrive\OneDrive.exe

==================== Restore Points =========================

31-12-2015 07:46:42 Windows Modules Installer
23-01-2016 19:57:46 Windows Update

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: USB2.0-CRW
Description: USB2.0-CRW
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (01/23/2016 07:57:44 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: LENOVO16)
Description: Application or service 'Microsoft Office Document Cache Sync Client Interface' could not be shut down.

Error: (01/23/2016 07:49:07 PM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -1073418220

Error: (01/23/2016 07:40:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: WerFault.exe, version: 6.3.9600.17415, time stamp: 0x54503815
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18146, time stamp: 0x5650afd4
Exception code: 0xc0000142
Fault offset: 0x0009d572
Faulting process id: 0xebc
Faulting application start time: 0xWerFault.exe0
Faulting application path: WerFault.exe1
Faulting module path: WerFault.exe2
Report Id: WerFault.exe3
Faulting package full name: WerFault.exe4
Faulting package-relative application ID: WerFault.exe5

Error: (01/02/2016 11:13:51 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.125.0, time stamp: 0x5612a56b
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18146, time stamp: 0x5650afd4
Exception code: 0xc0000142
Fault offset: 0x0009d572
Faulting process id: 0x99c
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3
Faulting package full name: mbam.exe4
Faulting package-relative application ID: mbam.exe5

Error: (01/01/2016 09:40:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbam.exe, version: 2.3.125.0, time stamp: 0x5612a56b
Faulting module name: KERNELBASE.dll, version: 6.3.9600.18146, time stamp: 0x5650afd4
Exception code: 0xc0000142
Fault offset: 0x0009d572
Faulting process id: 0x988
Faulting application start time: 0xmbam.exe0
Faulting application path: mbam.exe1
Faulting module path: mbam.exe2
Report Id: mbam.exe3
Faulting package full name: mbam.exe4
Faulting package-relative application ID: mbam.exe5

System errors:
=============
Error: (01/02/2016 12:23:39 PM) (Source: DCOM) (EventID: 10010) (User: LENOVO16)
Description: {14286318-B6CF-49A1-81FC-D74AD94902F9}

Error: (01/01/2016 05:24:25 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070057: Microsoft.ZuneMusic.

Error: (01/01/2016 05:23:01 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070057: Microsoft.Office.OneNote.

Error: (01/01/2016 04:53:57 PM) (Source: DCOM) (EventID: 10010) (User: LENOVO16)
Description: {9BA05972-F6A8-11CF-A442-00A0C90A8F39}

Error: (12/31/2015 08:50:35 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (12/31/2015 03:12:29 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Network List Service service terminated with the following error:
%%21

Error: (12/31/2015 03:12:17 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The IP Helper service terminated with the following error:
%%1058

Error: (12/31/2015 03:11:31 AM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

==================== Memory info ===========================

Processor: Intel® Core™ i3-3120M CPU @ 2.50GHz
Percentage of memory in use: 19%
Total physical RAM: 8057.77 MB
Available physical RAM: 6484.26 MB
Total Virtual: 9337.77 MB
Available Virtual: 7887.32 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931 GB) (Free:903.85 GB) NTFS
Drive d: (IR3_CCSA_X64FRE_EN-US_DV9) (CDROM) (Total:3.83 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: CADA05DC)

Partition: GPT.

==================== End of Addition.txt ============================
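As an added example, not something posted in this thread and not FRST's own logic: a short PowerShell triage pass over the "Task:" and "FirewallRules:" lines that FRST writes to Addition.txt. It flags the entries a reviewer normally checks first, namely tasks whose target lives in a user-writable location or is a command rather than a file, file targets with no company name in their version info, and Allow rules that open a local port. The sample lines are copied from the log above, and every one of them was judged clean by the Malware Response Team later in this thread (OneDrive, for example, really does install under AppData), so a flag means "explain this", never "malware". The function name Get-FrstFinding, the regular expressions and the heuristics are assumptions of mine, not part of FRST.

```powershell
# Added example, not part of the thread and not FRST's own logic: a first-pass
# triage of the "Scheduled Tasks" and "FirewallRules" lines from Addition.txt.
# Every flag is a prompt to look closer, not a verdict. The function name and
# the heuristics are assumptions of this example.
function Get-FrstFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Line
    )

    begin {
        # Locations a standard user can write to; persistence from here deserves a second look.
        $userWritable = '\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\'
        # FRST task line: Task: {GUID} - name => target [yyyy-mm-dd] (Company)
        $taskRe = '^Task: \{(?<id>[^}]+)\} - (?<name>.+?) => (?<target>.+?)(?: \[(?<date>\d{4}-\d{2}-\d{2})\])?(?: \((?<company>[^)]*)\))?$'
        # FRST firewall line: FirewallRules: [name] => (Allow|Block) program-or-port
        $fwRe   = '^FirewallRules: \[(?<name>[^\]]+)\] => \((?<action>Allow|Block)\) (?<rest>.+)$'
    }

    process {
        foreach ($l in $Line) {
            $flags = New-Object System.Collections.Generic.List[string]

            if ($l -match $taskRe) {
                # Copy the captures before any further -match overwrites $Matches.
                $name = $Matches['name']; $target = $Matches['target']; $company = $Matches['company']
                if ($target -notmatch '^[A-Za-z]:\\') {
                    $flags.Add('target is a command, not a file path')
                } else {
                    if ($target -match $userWritable) { $flags.Add('runs from a user-writable location') }
                    if (-not $company)               { $flags.Add('no company name in version info') }
                }
                [pscustomobject]@{ Kind = 'Task'; Name = $name; Target = $target; Flags = ($flags -join '; ') }
            }
            elseif ($l -match $fwRe) {
                $name = $Matches['name']; $action = $Matches['action']; $rest = $Matches['rest']
                if ($action -eq 'Allow') {
                    if ($rest -match 'LPort=(?<port>\d+)') {
                        $flags.Add("allows inbound connections on local port $($Matches['port'])")
                    } elseif ($rest -match $userWritable) {
                        $flags.Add('allowed program lives in a user-writable location')
                    }
                }
                [pscustomobject]@{ Kind = 'Firewall'; Name = $name; Target = "$action $rest"; Flags = ($flags -join '; ') }
            }
            # Any other line (section headers, notes, other sections) is ignored.
        }
    }
}

# Sample input copied from the Addition.txt above; all of it was judged clean in the thread.
$sample = @'
Task: {8910AF6E-4967-4F91-8ED7-16C3611A7F3A} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1337851226-1434512050-3979927188-1001 => C:\Users\Gata\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2016-01-23] (Microsoft Corporation)
Task: {BA48FCCD-F364-42BF-B684-E7B4DCC4D3D1} - System32\Tasks\Microsoft\Windows\UPnP\UPnPHostConfig => config upnphost start= auto
Task: {D9D27C37-EBA6-4DF8-B77C-06359AEA89B7} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2016-01-23] (Microsoft Corporation)
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{95800C42-E9A0-4FF0-85BA-F49085838FC8}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{1C1BCA0C-DE46-4CC8-AA81-E4FA9A05EE15}] => (Allow) C:\Users\Gata\AppData\Local\Microsoft\OneDrive\OneDrive.exe
'@

$sample -split "`r?`n" | Get-FrstFinding | Where-Object Flags | Format-Table -AutoSize -Wrap
```

On the sample, four entries come back flagged: the OneDrive task and OneDrive firewall rule (user-writable path), the UPnPHostConfig task (a command rather than a file) and the vm-monitoring-nb-session rule (inbound port 139 allowed). Each is a known legitimate Windows or OneDrive entry, which is exactly the point: the script shortens the list a human has to read, it does not replace the human. Against a real log, pipe the file in instead of the here-string, for example `Get-Content C:\Users\Gata\Desktop\Addition.txt | Get-FrstFinding | Where-Object Flags`.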



#12 LiquidTension
  • Malware Response Team

Posted 31 January 2016 - 03:39 PM

Hello Gata, 
 
You will be pleased to know that your FRST logs for the second machine are also free of malware. :)
 
I would suggest running through the same scans from Post #4 to double-check, but it does not appear malware is present on this machine either. 



#13 GataPandu
  • Topic Starter

Posted 01 February 2016 - 03:10 PM

Hi Adam,

 

The ESET scan said "No threats found" and as per instructions I did not save the log file (I wish I had nonetheless looked at the log file). Copied below are the Emsisoft and the RogueKiller logs.

 

I found an empty file in my root directory C:\Recovery.txt

Is it safe to delete the file?

=======================================================

Emsisoft Emergency Kit - Version 11.0
Last update: 2/1/2016 9:42:58 AM
User account: LENOVO16\Gata

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 2/1/2016 9:44:25 AM

Scanned 73446
Found 0

Scan end: 2/1/2016 9:48:09 AM
Scan time: 0:03:44

=======================================================

RogueKiller V11.0.10.0 [Feb  1 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Gata [Administrator]
Started from : C:\Users\Gata\Desktop\RogueKiller.exe
Mode : Scan -- Date : 02/01/2016 14:47:34

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] fb57bf741fe8aebb0e41f210c63049bd
[BSP] 8f6a296aeae3192c4f06639444899419 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 616448 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 821248 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1083392 | Size: 953340 MB
User = LL1 ... OK
User = LL2 ... OK

=======================================================



#14 LiquidTension
  • Malware Response Team

Posted 02 February 2016 - 02:07 AM

Hi Gata,
 

The ESET scan said "No threats found" and as per instructions I did not save the log file (I wish I had nonetheless looked at the log file).

Logs can be found in the following location: C:\Program Files (x86)\ESET\EsetOnlineScanner
 

I found an empty file in my root directory C:\Recovery.txt
Is it safe to delete the file?

I don't believe this file was created by any of the tools I've asked you to run. As the file is empty there should not be any issues with deletion, but I cannot say for certain what the origin of the file is - perhaps a backup-related programme.
 
Your logs for the second machine are clean as you've probably already gathered. :) 
 
At this point in time I can say with confidence I do not believe malware is present on either machine. As you do not wish to run Delfix, the following can be deleted manually, along with any other files/folders created during this process:

  • C:\FRST
  • C:\Users\Gata\Desktop\FRST64.exe
  • C:\Users\Gata\Desktop\FRST.txt
  • C:\Users\Gata\Desktop\Addition.txt
  • C:\Users\Gata\Desktop\RogueKiller.exe
  • C:\Users\Gata\Desktop\RKreport.txt
  • C:\Users\Gata\Desktop\EEK
  • C:\Users\Gata\Desktop\esetsmartinstaller_enu.exe
  • C:\Program Files (x86)\ESET (if still present)
     

Is there anything else I can help with at this moment in time?


Edited by LiquidTension, 02 February 2016 - 02:07 AM.


#15 GataPandu
  • Topic Starter

Posted 02 February 2016 - 05:05 AM

Hi Adam,
 
The odd text file in the root directory may very well have been there for unrelated reasons, just that I did not notice it before. When I tried to delete it, UAC popped up, so I left it alone.
 
I have just deleted the other files and the second machine did not go up in smoke :-) On a more serious note, the first machine behaves normally after a couple of days, and the second machine will too. What a relief after a month of uneasy feelings!

 

The help that I have received here is perfect. There were two reasons I did not go to a local computer store. For one, the computers contain private information, and secondly, I am the kind of person who likes to get involved myself.

 

I thank you personally :clapping: CLAP CLAP CLAP

 

I shall also make a donation to support this site http://www.bleepingcomputer.com/announcement/frivolous-lawsuits/help-bleepingcomputer-defend-freedom-of-speech/ 

 

I read quite a bit of scary things about computer security in the past weeks, and will likely post in the other sub-forums on this site.

 

Gata
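The origin of C:\Recovery.txt was left open in the exchange above, and the UAC prompt Gata saw does not settle it either: on a default install, deleting any file directly in the root of the system drive needs administrator rights, whatever created the file. The checks below are an added, editorial example, not something posted in the thread, and they show what a responder would look at before deleting an unexplained file: owner, timestamps, alternate data streams (a zero-byte file can still hide a payload in a named stream), the ACL, and the event-log activity around the creation time. The path is the one named in the thread; the assumption is a default Windows 8.1 install with PowerShell 4.0, run from an elevated prompt.

```powershell
# Added example, not from the thread: triage an unexplained file before deleting it.
# $Path is the file named in the thread. Assumes a default Windows 8.1 install with
# PowerShell 4.0; run from an elevated prompt, since the file sits in the system root.
$Path = 'C:\Recovery.txt'

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "$Path is not present"
    return
}

$item = Get-Item -LiteralPath $Path -Force
$acl  = Get-Acl  -LiteralPath $Path

# Basic facts. The owner and the creation time are the best clues to which
# program or account created the file.
[pscustomobject]@{
    Path       = $item.FullName
    Bytes      = $item.Length
    Attributes = $item.Attributes
    CreatedUtc = $item.CreationTimeUtc
    WrittenUtc = $item.LastWriteTimeUtc
    Owner      = $acl.Owner
} | Format-List

# "Empty" only describes the default stream. List every other stream; Explorer
# and the Length shown above do not include them.
Get-Item -LiteralPath $Path -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object Stream, Length

# Who can modify the file? Anything beyond SYSTEM, Administrators and
# TrustedInstaller on a file in the system root is worth explaining.
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType

# Correlate the creation time with the event logs: installs, crashes and
# service starts within a few minutes of it usually identify the creator.
$t = $item.CreationTime
Get-WinEvent -FilterHashtable @{
    LogName   = 'Application', 'System'
    StartTime = $t.AddMinutes(-10)
    EndTime   = $t.AddMinutes(10)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName |
    Sort-Object TimeCreated
```

If the file has no extra streams, is owned by an administrator account or by SYSTEM, and the surrounding events point at something ordinary such as a backup or update run, removing it with `Remove-Item -LiteralPath $Path` from the same elevated prompt is the whole clean-up; a non-empty named stream or an owner you do not recognise is a reason to keep the file and ask about it instead.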





