
AVG detected c.APWH trojan horse


20 replies to this topic

#1 novice3

  • Members
  • 99 posts
  • Gender:Male

Posted 13 February 2016 - 12:32 AM

HP 2000 Notebook x64 based PC

Microsoft Windows 8.1 version 6.3.9600 Build 9600

AVG AntiVirus Free Edition
Program file version: 2016.0.7442
AVG Framework version: 1.52.1.51612
AVG Setup Version: 1.52.1.51612
Security Information:
Virus database version: 4522/11612(2/12/2016, 10:09 AM)
LinkScanner version: 2829
Anti-Spam Version: N/A
 

I was attempting to update drivers through HP driver/software website and AVG stopped the setup file from finishing (auto detect drivers..).

 

AVG report:

Threat, detected file | Action | Time | Object | Process

Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIEC54.tmp | Secured | 2/10/2016, 9:06:53 PM | File or Directory | c:\Windows\SysWOW64\msiexec.exe
Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSI75B3.tmp | Unresolved | 2/10/2016, 8:27:36 AM | File or Directory | c:\Windows\SysWOW64\msiexec.exe
Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIA7BE.tmp | Unresolved | 2/10/2016, 8:26:43 AM | File or Directory | c:\Windows\SysWOW64\msiexec.exe
Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSI3B3C.tmp | Secured | 2/10/2016, 8:24:05 AM | File or Directory | c:\Windows\SysWOW64\msiexec.exe
Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIAE7.tmp | Secured | 2/10/2016, 8:18:25 AM | File or Directory | c:\Windows\SysWOW64\msiexec.exe
Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-ITFND.tmp\OCSetupHlp.dll | Added to exceptions | 2/5/2016, 1:13:07 AM | File or Directory | c:\Users\ADMINI~1\AppData\Local\Temp\is-OPM2V.tmp\burnaware_free.tmp
Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-JPRA4.tmp\OCSetupHlp.dll | Secured | 2/4/2016, 10:48:45 PM | File or Directory | c:\Users\ADMINI~1\AppData\Local\Temp\is-L61IG.tmp\burnaware_free.tmp
Found MalSign.Generic.885, c:\Users\Administrator\Downloads\SetupImgBurn_2.5.8.0.exe | Secured | 2/4/2016, 8:32:17 PM | File or Directory | c:\Windows\System32\SearchProtocolHost.exe
Found MalSign.OpenCandy.BD0, c:\Users\Administrator\AppData\Local\Temp\is-GM4IR.tmp\OCSetupHlp.dll | Secured | 2/4/2016, 4:39:23 PM | File or Directory | c:\Users\ADMINI~1\AppData\Local\Temp\is-SDAFV.tmp\cdbxp_setup_4.5.6.5931.tmp
Found MalSign.Generic.879, f:\MSFT Windows OS\Software - free\Bloatware remover\pc-decrapifier-3.0.0-68748154.exe | Secured | 12/5/2015, 12:08:25 PM | File or Directory | c:\Windows\explorer.exe
Adware ProInstall.A, c:\Users\Guest\Desktop\masteamdemo-63031076.exe | Secured | 10/22/2015, 5:39:18 PM | File or Directory | c:\Windows\explorer.exe
Found MalSign.Generic.95A, c:\Users\Guest\Desktop\multiplyroi_age-of-empires.exe | Secured | 10/22/2015, 5:28:09 PM | File or Directory | c:\Windows\explorer.exe

 

Thank you for any support.

 

Attached:

  Addition.txt

  FRST.txt
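The AVG history pasted in this post is one long line, which makes it hard to see which detections are still open and which process touched each flagged file. The following Python script is an added example (not part of novice3's post and not AVG's own tooling) that splits that paste into records using the "threat, path status time File or Directory process" pattern visible above, then groups the result. The record grammar is inferred from the paste and is an assumption; the sample text is five of the records from this post, values unchanged.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Excerpt of the AVG history pasted above, in the flattened one-line form the
# forum produced (five of the twelve records, values unchanged). The parser
# and helpers are added here as an example; they are not AVG's own tooling.
SAMPLE_REPORT = (
    r"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIEC54.tmp Secured 2/10/2016, 9:06:53 PM "
    r"File or Directory c:\Windows\SysWOW64\msiexec.exe "
    r"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSI75B3.tmp Unresolved 2/10/2016, 8:27:36 AM "
    r"File or Directory c:\Windows\SysWOW64\msiexec.exe "
    r"Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-ITFND.tmp\OCSetupHlp.dll "
    r"Added to exceptions 2/5/2016, 1:13:07 AM File or Directory "
    r"c:\Users\ADMINI~1\AppData\Local\Temp\is-OPM2V.tmp\burnaware_free.tmp "
    r"Found MalSign.Generic.879, f:\MSFT Windows OS\Software - free\Bloatware remover\pc-decrapifier-3.0.0-68748154.exe "
    r"Secured 12/5/2015, 12:08:25 PM File or Directory c:\Windows\explorer.exe "
    r"Adware ProInstall.A, c:\Users\Guest\Desktop\masteamdemo-63031076.exe Secured 10/22/2015, 5:39:18 PM "
    r"File or Directory c:\Windows\explorer.exe"
)

# One record: "<threat>, <path> <status> <date>, <time> File or Directory <process>".
# A record ends where the next threat keyword starts (or at end of text), which
# is what lets this work on the flattened paste. Grammar inferred; assumption.
RECORD_RE = re.compile(
    r"(?P<threat>(?:Trojan horse|Found|Adware) [^,]+?), "
    r"(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<status>Secured|Unresolved|Added to exceptions) "
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4}, \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"File or Directory "
    r"(?P<process>[A-Za-z]:\\.+?)"
    r"(?=\s+(?:Trojan horse|Found|Adware) |\s*$)"
)
TIME_FMT = "%m/%d/%Y, %I:%M:%S %p"


@dataclass(frozen=True)
class Detection:
    threat: str
    path: str
    status: str
    when: datetime
    process: str


def parse_report(text: str) -> list[Detection]:
    """Split AVG history text into records, even when pasted as a single line."""
    return [
        Detection(m["threat"], m["path"], m["status"],
                  datetime.strptime(m["when"], TIME_FMT), m["process"])
        for m in RECORD_RE.finditer(text)
    ]


def unresolved(dets: list[Detection]) -> list[Detection]:
    """Records AVG could not quarantine; these are the ones to follow up first."""
    return [d for d in dets if d.status == "Unresolved"]


def by_process(dets: list[Detection]) -> Counter:
    """Count detections by the process that touched the flagged file."""
    return Counter(d.process.lower() for d in dets)


def installer_temp_hits(dets: list[Detection]) -> list[Detection]:
    """Detections on MSI*.tmp under C:\\Windows\\Installer: files msiexec unpacks
    while an installer runs, so they point at whatever setup was running then."""
    return [d for d in dets
            if d.path.lower().startswith(r"c:\windows\installer\msi")
            and d.path.lower().endswith(".tmp")]


def triage(text: str) -> dict:
    """Summary a helper would want before asking for more logs."""
    dets = parse_report(text)
    return {
        "records": len(dets),
        "unresolved": [d.path for d in unresolved(dets)],
        "by_process": dict(by_process(dets)),
        "installer_temp": len(installer_temp_hits(dets)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full paste, the grouping separates the msiexec.exe hits on temporary MSI files (the HP driver tool install) from the older explorer.exe and installer-helper detections, and the Unresolved filter isolates the two records AVG reports it did not secure.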

 


 


#2 RayS

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Location:USA

Posted 13 February 2016 - 02:20 AM

Hello novice3,

My name is Ray and I'll be assisting you with your issue. Please give me about a day to review your logs and prepare a reply. Since I'm still a trainee, all my posts have to be reviewed by my instructor prior to being posted to make sure that you receive the best assistance possible.

Thank you for your understanding, I'll be with you shortly!

RayS


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#3 novice3
  • Topic Starter
  • Members
  • 99 posts
  • Gender:Male

Posted 14 February 2016 - 03:20 AM

Thank you for the support.

 

I analyzed the logs for the network router and found the following:

 

[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.244.220], Thursday, Feb 11,2016 12:26:20

 

I think DoS is an acronym for Denial of Service, and it originated from IP 173.241.244.220.

None of the devices connected to this network have that IP address.

 

The following is a trace route through the command prompt:

Microsoft Windows [Version 6.3.9600]
© 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>tracert 173.241.244.220

Tracing route to ox-173-241-244-220.lc.dc.openx.org [173.241.244.220]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  ****************Removed private information
  2    13 ms    17 ms    14 ms  ****************Removed private information
  3     9 ms    10 ms     9 ms  ****************Removed private information
  4     9 ms    11 ms    11 ms  ****************Removed private information
  5    15 ms    12 ms    19 ms  ****************Removed private information
  6    12 ms    14 ms    13 ms  ****************Removed private information
  7    24 ms    12 ms    13 ms  ****************Removed private information
  8    25 ms    30 ms    28 ms  ****************Removed private information
  9    24 ms    26 ms    29 ms  ****************Removed private information
 10    43 ms    40 ms    40 ms  ****************Removed private information
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13    90 ms    87 ms    89 ms  OPENX-TECHN.ear2.Chicago2.Level3.net [4.71.248.198]
 14  1038 ms   313 ms   172 ms  ox-69-6-88-7.openx.org [69.6.88.7]
 15    93 ms    88 ms    89 ms  ox-173-241-244-220.lc.dc.openx.org [173.241.244.220]

Trace complete.


Edited by novice3, 14 February 2016 - 06:47 PM.
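The router line quoted in this post is a single "[DoS attack: ...]" event; what a defender wants from such a log is how often each source appears, over what period, and whether the source sits on the LAN at all (the poster's point that no local device has that address). The Python script below is an added example, not part of novice3's post and not the router vendor's code: it parses lines in the format shown above and aggregates them. The sample log is constructed: its first line is the one from the post, the remaining lines are made up here (192.168.1.0/24 is assumed from the 192.168.1.1 gateway in the FRST log; 203.0.113.0/24 is a documentation range).

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log. The first line is the entry quoted in the post; the
# others are made up here to exercise the aggregation. The "[admin login]"
# line is there only to show that non-matching entries are skipped.
SAMPLE_LOG = """\
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.244.220], Thursday, Feb 11,2016 12:26:20
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [173.241.244.220], Thursday, Feb 11,2016 12:27:05
[DoS attack: ACK Scan] attack packets in last 20 sec from ip [192.168.1.23], Thursday, Feb 11,2016 12:30:41
[admin login] from source 192.168.1.5, Thursday, Feb 11,2016 12:31:00
[DoS attack: FIN Scan] attack packets in last 20 sec from ip [203.0.113.9], Thursday, Feb 11,2016 13:02:14
"""

# The FRST log shows 192.168.1.1 as the DHCP name server; the /24 is an assumption.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

EVENT_RE = re.compile(
    r"\[DoS attack: (?P<kind>[^\]]+)\] attack packets in last (?P<window>\d+) sec "
    r"from ip \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\], (?P<when>.+)$"
)
TIME_FMT = "%A, %b %d,%Y %H:%M:%S"  # e.g. "Thursday, Feb 11,2016 12:26:20"


@dataclass(frozen=True)
class ScanEvent:
    kind: str
    source: ipaddress.IPv4Address
    window_sec: int
    when: datetime


@dataclass
class SourceSummary:
    kind: str
    source: str
    on_lan: bool
    count: int = 0
    first_seen: datetime | None = None
    last_seen: datetime | None = None


def parse_router_log(text: str) -> list[ScanEvent]:
    """Keep only the DoS-attack entries; other log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(ScanEvent(
            kind=m["kind"],
            source=ipaddress.ip_address(m["ip"]),
            window_sec=int(m["window"]),
            when=datetime.strptime(m["when"], TIME_FMT),
        ))
    return events


def summarize(events: list[ScanEvent],
              lan_net: ipaddress.IPv4Network = LAN_NET) -> dict[tuple[str, str], SourceSummary]:
    """Aggregate per (source, kind): count, time span, and whether the source is local."""
    out: dict[tuple[str, str], SourceSummary] = {}
    for ev in events:
        key = (str(ev.source), ev.kind)
        s = out.setdefault(key, SourceSummary(ev.kind, str(ev.source), ev.source in lan_net))
        s.count += 1
        s.first_seen = ev.when if s.first_seen is None else min(s.first_seen, ev.when)
        s.last_seen = ev.when if s.last_seen is None else max(s.last_seen, ev.when)
    return out


def report(summary: dict[tuple[str, str], SourceSummary]) -> list[str]:
    """One line per source, external sources first, busiest first."""
    rows = sorted(summary.values(), key=lambda s: (s.on_lan, -s.count))
    return [
        f"{s.source:<16} {s.kind:<10} {'LAN' if s.on_lan else 'external':<9} "
        f"x{s.count} {s.first_seen:%H:%M:%S}-{s.last_seen:%H:%M:%S}"
        for s in rows
    ]


if __name__ == "__main__":
    for line in report(summarize(parse_router_log(SAMPLE_LOG))):
        print(line)
```

The count and time span per source are what distinguish a sustained scan from a handful of stray packets that a consumer router labels an "attack" on a fixed threshold; the tracert in this post already resolves the single source seen here to an openx.org host, so the LAN check confirms it is not a device behind the router.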


#4 novice3
  • Topic Starter
  • Members
  • 99 posts
  • Gender:Male

Posted 14 February 2016 - 03:31 AM

whois 173.241.244.220

Whois v1.12 - Domain information lookup utility
Sysinternals - www.sysinternals.com
Copyright © 2005-2014 Mark Russinovich

Connecting to ORG.whois-servers.net...

Domain ID: D2559228-LROR
WHOIS Server:
Referral URL: http://www.tucows.com
Updated Date: 2016-01-27T01:53:18Z
Creation Date: 1998-11-26T05:00:00Z
Registry Expiry Date: 2019-11-25T05:00:00Z
Sponsoring Registrar: Tucows Inc.
Sponsoring Registrar IANA ID: 69
Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://www.icann.org/epp#clientUpdateProhibited
Registrant ID: tulWtcpsai7uH7HO
Registrant Name: Domain Administrator
Registrant Organization: OpenX Limited
Registrant Street: 888 East Walnut Street
Registrant Street: Floor 2
Registrant City: Pasadena
Registrant State/Province: CA
Registrant Postal Code: 91101
Registrant Country: US
Registrant Phone: +1.6264661141
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: systems@openx.org
Admin ID: tuW74Oad5u9bR4h1
Admin Name: Domain Administrator
Admin Organization: OpenX Limited
Admin Street: 888 East Walnut Street
Admin Street: Floor 2
Admin City: Pasadena
Admin State/Province: CA
Admin Postal Code: 91101
Admin Country: US
Admin Phone: +1.6264661141
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: abuse-poc@openx.org
Tech ID: tuVZNjG4DaaHivjN
Tech Name: Domain Administrator
Tech Organization: OpenX Technologies
Tech Street: 888 East Walnut Street
Tech Street: Floor 2
Tech City: pasadena
Tech State/Province: ca
Tech Postal Code: 91101
Tech Country: US
Tech Phone: +1.6264661141
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: systems@openx.org
Name Server: DNS1.P06.NSONE.NET
Name Server: DNS2.P06.NSONE.NET
Name Server: DNS3.P06.NSONE.NET
Name Server: DNS4.P06.NSONE.NET
DNSSEC: unsigned
>>> Last update of WHOIS database: 2016-02-11T13:28:36Z <<<

"For more information on Whois status codes, please visit https://icann.org/epp"


Access to Public Interest Registry WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to(a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (B) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator, a Registrar, or Afilias except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy.
 



#5 RayS

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Location:USA

Posted 14 February 2016 - 06:07 PM

Hello again novice3, and welcome to Bleeping Computer.


Let's Work Together

  • Please do not attach any log files to your replies unless specifically requested. Instead, please copy and paste the entire text of the logs without any changes into the body of your reply. Use separate posts if that's easier for you.
  • Please give complete descriptions of any unusual symptoms including verbatim copies of all error messages and codes.
  • Please do not try to fix anything without being asked.
  • It may be helpful for you to print my instructions for easy reference.
  • Any fixes I provide are for this specific problem on this machine only.
  • Removing malware is hazardous. I will not knowingly advise actions that will damage your computer, but it is impossible to guarantee the safety of your system. It may even become necessary to re-format and re-install your operating system. Before we proceed, you should back up all your data -- preferably to a different computer or to off-line storage.


Source of HP drivers

 

I would like to examine the HP drivers you were trying to install. Please give me the address (URL) of the web page containing the HP drivers.

 

Unrecognized Files and folders

Do you recognize the following files and folders?

C:\Users\Administrator\Documents\hpdrivertooltrojan.csv

RCO compromise

UmpquaHealthAlliance20151101

egbert

termination of rental agreement
 


Let's Clean Some Unneeded Entries From Your PC

  • Press the Windows key + R on your keyboard at the same time. This will open the Run dialog box.
  • Type Notepad into the Run box and click OK.
  • Please copy the entire contents of the code box below into a new file.
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
Toolbar: HKU\S-1-5-21-3817485168-1237566219-314415453-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-3817485168-1237566219-314415453-500 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.9.0\\npsitesafety.dll [No File]

  • Save the file as fixlist.txt into the same folder where the Farbar tool is running from. The location is listed in the 3rd line of the FRST.txt log you have submitted.
  • Run FRST64.exe and click Fix only once and wait until the program completes execution.
  • Restart the computer normally to reset the registry.
  • The tool will create a log (Fixlog.txt). Please post it into your reply.


 

Preserve detected files

 

In order to prevent automatic deletion of possible false positive detections, let's temporarily extend the retention period of detected files in the AVG Virus Vault.

  • Launch AVG Antivirus.
  • Click Options > Advanced Settings > Virus Vault.
  • In the Delete files older than window, increase to 999 days.
  • Click OK.

 

Scan Using AdwCleaner by Xplode

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on I agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[S#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

 

Re-scan using Farbar Recovery Scan Tool

 

Launch FRST64.exe again and checkmark all the boxes in the Whitelist section and both the List BCD and the Addition.txt boxes in the Optional Scan section. If you have already deleted the FRST tool, get a fresh copy from Farbar Recovery Scan Tool.


In your next reply...

  • Please tell me whether you have backed up all your important data.
  • Please tell me whether you recognize the files and folders I listed.
  • Please copy and paste the entire contents of the FIX.log file into the body of your post.
  • Copy and paste the contents of AdwCleaner[S#].txt into your reply. Tell me which entries (if any) you want to keep.
  • Copy and paste the entire contents of both the FRST.txt file and the Addition.txt file into the body of your reply.
  • Re-read your message before sending it. Avoid ambiguity.

Tell me how your PC is running now.

Thank you,

RayS




#6 novice3
  • Topic Starter
  • Members
  • 99 posts
  • Gender:Male

Posted 14 February 2016 - 09:06 PM

Source of HP drivers

 

I would like to examine the HP drivers you were trying to install. Please give me the address (URL) of the web page containing the HP drivers.

 

Unrecognized Files and folders

Do you recognize the following files and folders?

C:\Users\Administrator\Documents\hpdrivertooltrojan.csv

RCO compromise

UmpquaHealthAlliance20151101

egbert

termination of rental agreement

 

It is a JavaScript button labeled Identify, located at http://support.hp.com/us-en/drivers

 

A download dialog box for HPSupportSolutionsFramework-12.0.30.473.exe

It is located in the downloads directory under the administrator account.

 

The file hpdrivertooltrojan.csv is an exported file from AVG, under the local administrator account for Windows 8.1.  I recognize the other four files/directories from the Windows 8.1 Guest account (RCO compromise, UmpquaHealthAlliance20151101, egbert, termination of rental agreement).

 

Fix result of Farbar Recovery Scan Tool (x64) Version:07-02-2016
Ran by Administrator (2016-02-14 15:52:26) Run:1
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Owner & Administrator (Available Profiles: Owner & Administrator & Guest)
Boot Mode: Normal
==============================================

fixlist content:
*****************
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll => No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
Toolbar: HKU\S-1-5-21-3817485168-1237566219-314415453-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-3817485168-1237566219-314415453-500 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.9.0\\npsitesafety.dll [No File]
*****************

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}" => key removed successfully
"HKCR\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
HKU\S-1-5-21-3817485168-1237566219-314415453-1002\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => key removed successfully
HKU\S-1-5-21-3817485168-1237566219-314415453-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin" => key removed successfully

==== End of Fixlog 15:52:26 ====

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:07-02-2016
Ran by Administrator (administrator) on LOUIEROSE (14-02-2016 16:25:33)
Running from C:\Users\Administrator\Desktop
Loaded Profiles: Owner & Administrator (Available Profiles: Owner & Administrator & Guest)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
() C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
() C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(AVG Secure Search) C:\Program Files (x86)\AVG Web TuneUp\avgcefrend.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766688 2014-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXRCV] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXRCV.exe [642664 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [FUFAXSTM] => C:\Program Files (x86)\Epson Software\FAX Utility\FUFAXSTM.exe [863848 2013-12-24] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [475448 2014-03-26] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirnx.exe [179624 2016-01-12] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3873704 2016-02-01] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Web TuneUp\vprot.exe [3177872 2015-10-05] ()
HKU\S-1-5-21-3817485168-1237566219-314415453-1002\...\Run: [EPLTarget\P0000000000000000] => C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE [241280 2012-07-12] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-3817485168-1237566219-314415453-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8591272 2015-11-16] (Piriform Ltd)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{FF250B31-F36F-4883-9FE9-59DD638F764D}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT13/1
HKU\S-1-5-21-3817485168-1237566219-314415453-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT13/1
HKU\S-1-5-21-3817485168-1237566219-314415453-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT13/1
HKU\S-1-5-21-3817485168-1237566219-314415453-1002\Software\Microsoft\Internet Explorer\Main,First Home Page = hxxp://g.msn.com/HPNOT13/1
HKU\S-1-5-21-3817485168-1237566219-314415453-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT13/1
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-3817485168-1237566219-314415453-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-3817485168-1237566219-314415453-500 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: AVG Web TuneUp -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files\AVG Web TuneUp\4.6.0.153\AVG Web TuneUp.dll [2015-10-05] (AVG)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2015-05-06] (Hewlett-Packard)

FireFox:
========
FF ProfilePath: C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ruigvbx4.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_20_0_0_306.dll [2016-02-10] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_20_0_0_306.dll [2016-02-10] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll [2012-08-08] (Adobe Systems, Inc.)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2012-10-12] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-07-04] (Advanced Micro Devices, Inc.) [File not signed]
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [604144 2016-02-01] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3881184 2016-02-01] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1048488 2016-01-12] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [561104 2016-02-01] (AVG Technologies CZ, s.r.o.)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
R2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [469304 2014-03-26] (Hewlett-Packard Development Company, L.P.)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [239176 2013-03-04] (Realtek Semiconductor)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 WtuSystemSupport; C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe [1196432 2015-10-05] ()

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [4265984 2014-12-22] (Qualcomm Atheros Communications, Inc.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [94208 2013-02-14] (Advanced Micro Devices)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [21632 2016-01-07] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [184240 2015-11-06] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [315312 2016-01-05] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [272304 2016-01-08] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [284080 2015-10-21] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [260528 2016-01-22] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-12-04] (AVG Technologies CZ, s.r.o.)
R0 Avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [23472 2016-01-08] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [315840 2015-12-16] (AVG Technologies CZ, s.r.o.)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290520 2015-12-28] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [29424 2013-05-07] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [33008 2013-05-07] (Synaptics Incorporated)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30544 2015-08-13] (HP)
R3 WirelessButtonDriver64; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30544 2015-08-13] (HP)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-14 16:25 - 2016-02-14 16:26 - 00012741 _____ C:\Users\Administrator\Desktop\FRST.txt
2016-02-14 16:22 - 2016-02-14 16:22 - 00002417 _____ C:\Users\Administrator\Documents\AdwCleaner[S1].txt
2016-02-14 15:57 - 2016-02-14 15:57 - 00002310 _____ C:\Users\Administrator\Documents\Fixlog.txt
2016-02-14 15:56 - 2016-02-14 15:56 - 01508352 _____ C:\Users\Administrator\Desktop\AdwCleaner.exe
2016-02-14 15:52 - 2016-02-14 15:52 - 00002310 _____ C:\Users\Administrator\Desktop\Fixlog.txt
2016-02-14 15:51 - 2016-02-14 15:51 - 00151712 _____ C:\Users\Administrator\Documents\AVG detected c.APWH trojan horse - Virus, Trojan, Spyware, and Malware Removal Logs.htm
2016-02-14 15:51 - 2016-02-14 15:51 - 00000000 ____D C:\Users\Administrator\Documents\AVG detected c.APWH trojan horse - Virus, Trojan, Spyware, and Malware Removal Logs_files
2016-02-13 22:38 - 2016-02-13 22:38 - 00024185 _____ C:\Users\Administrator\Documents\routerlog[1].txt
2016-02-12 21:13 - 2016-02-12 21:15 - 00051429 _____ C:\Users\Administrator\Documents\Addition.txt
2016-02-12 21:11 - 2016-02-12 21:15 - 00051027 _____ C:\Users\Administrator\Documents\FRST.txt
2016-02-12 21:10 - 2016-02-12 18:27 - 02370560 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe
2016-02-12 15:09 - 2016-02-12 15:12 - 00000265 _____ C:\Users\Administrator\Documents\untitled.txt
2016-02-12 15:01 - 2016-02-12 15:01 - 00004496 _____ C:\Users\Administrator\Documents\hpdrivertooltrojan.csv
2016-02-12 15:00 - 2016-02-12 15:01 - 03762808 _____ (Oleg N. Scherbakov) C:\Users\Administrator\Downloads\HPSupportSolutionsFramework-12.0.30.473.exe
2016-02-12 14:31 - 2016-02-12 14:31 - 00338575 _____ C:\Users\Administrator\Documents\HP PCs - Creating a Recovery Image on Discs or Saving a Recovery Image to a USB Flash Drive (Windows 8) _ HP® Customer Support.htm
2016-02-12 14:31 - 2016-02-12 14:31 - 00000000 ____D C:\Users\Administrator\Documents\HP PCs - Creating a Recovery Image on Discs or Saving a Recovery Image to a USB Flash Drive (Windows 8) _ HP® Customer Support_files
2016-02-12 13:53 - 2016-02-12 15:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-02-11 16:33 - 2016-02-11 16:34 - 00000000 ____D C:\Users\Administrator\Documents\Family Tree Maker backups
2016-02-11 16:30 - 2016-02-11 16:30 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\FamilyTreeMaker
2016-02-11 16:19 - 2016-02-11 16:19 - 00000000 ____D C:\Users\Administrator\Documents\Family Tree Maker
2016-02-11 16:19 - 2016-02-11 16:19 - 00000000 ____D C:\Users\Administrator\AppData\Local\IsolatedStorage
2016-02-11 16:17 - 2016-02-11 16:17 - 00000000 ____D C:\Users\Administrator\AppData\Local\Ancestry.com
2016-02-11 16:04 - 2016-02-11 16:04 - 00000995 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Family Tree Maker 2012.lnk
2016-02-11 16:04 - 2016-02-11 16:04 - 00000989 _____ C:\Users\Public\Desktop\Family Tree Maker 2012.lnk
2016-02-11 16:01 - 2016-02-11 16:19 - 00000000 ____D C:\Program Files (x86)\Family Tree Maker 2012
2016-02-11 16:01 - 2016-02-11 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Family Tree Maker 2012
2016-02-11 16:01 - 2016-02-11 16:01 - 00000000 ___HD C:\WINDOWS\msdownld.tmp
2016-02-11 16:01 - 2016-02-11 16:01 - 00000000 ____D C:\WINDOWS\RegisteredPackages
2016-02-11 16:01 - 2016-02-11 16:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media
2016-02-11 16:01 - 2016-02-11 16:01 - 00000000 ____D C:\Program Files (x86)\Windows Media Components
2016-02-11 16:01 - 2016-02-11 16:01 - 00000000 ____D C:\Program Files (x86)\BCL Technologies
2016-02-11 16:01 - 2016-02-11 16:01 - 00000000 ____D C:\IExp1.tmp
2016-02-11 16:01 - 2016-02-11 16:01 - 00000000 ____D C:\IExp0.tmp
2016-02-11 15:57 - 2016-02-11 16:05 - 00000000 ___HD C:\ProgramData\{982A4E58-61DC-40A1-80D8-04D45DE9A86E}
2016-02-11 15:56 - 2016-02-11 15:56 - 00000000 ____D C:\Users\Administrator\AppData\Local\PackageAware
2016-02-11 14:58 - 2016-02-11 14:58 - 00001211 _____ C:\Users\Guest\Desktop\RCO compromise - Shortcut.lnk
2016-02-11 14:57 - 2016-02-11 14:57 - 00001337 _____ C:\Users\Guest\Desktop\UmpquaHealthAlliance20151101 - Shortcut.lnk
2016-02-11 14:56 - 2016-02-11 14:56 - 00001006 _____ C:\Users\Guest\Desktop\egbert - Shortcut.lnk
2016-02-11 14:55 - 2016-02-11 14:55 - 00001233 _____ C:\Users\Guest\Desktop\termination of rental agreement - Shortcut.lnk
2016-02-10 17:48 - 2016-02-10 17:49 - 00072581 _____ C:\Users\Administrator\Documents\sfcdetails.txt
2016-02-10 09:05 - 2016-02-11 15:37 - 00000384 _____ C:\WINDOWS\Tasks\HPCeeScheduleForAdministrator.job
2016-02-10 09:05 - 2016-02-10 21:03 - 00003214 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForAdministrator
2016-02-10 08:06 - 2016-02-10 08:06 - 12812600 _____ (Microsoft Corporation) C:\Users\Administrator\Downloads\ApplicationCompatibilityToolkitSetup.exe
2016-02-10 08:06 - 2016-02-10 08:06 - 03423390 _____ C:\Users\Administrator\Downloads\Quick Start Guides.zip
2016-02-10 08:06 - 2016-02-10 08:06 - 01376935 _____ C:\Users\Administrator\Downloads\ACT 5.6 Deployment Guide.zip
2016-02-10 08:06 - 2016-02-10 08:06 - 00806507 _____ C:\Users\Administrator\Downloads\Step-By-Step Guide.zip
2016-02-10 08:06 - 2016-02-10 08:06 - 00556191 _____ C:\Users\Administrator\Downloads\ACT_FAQ.zip
2016-02-10 08:06 - 2016-02-10 08:06 - 00505703 _____ C:\Users\Administrator\Downloads\ACT 5.6 ReadMe.zip
2016-02-10 07:41 - 2016-02-10 07:43 - 00000000 ____D C:\WINDOWS\LastGood.Tmp
2016-02-10 01:25 - 2015-12-16 09:11 - 01200128 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Globalization.dll
2016-02-10 01:25 - 2015-12-16 08:51 - 00868864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Globalization.dll
2016-02-10 01:25 - 2015-10-22 09:43 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\kbdgeoqw.dll
2016-02-10 01:25 - 2015-10-22 09:43 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\KBDAZST.DLL
2016-02-10 01:25 - 2015-10-22 09:43 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\KBDAZEL.DLL
2016-02-10 01:25 - 2015-10-22 09:43 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\system32\KBDAZE.DLL
2016-02-10 01:25 - 2015-10-22 08:59 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kbdgeoqw.dll
2016-02-10 01:25 - 2015-10-22 08:59 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KBDAZST.DLL
2016-02-10 01:25 - 2015-10-22 08:59 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KBDAZEL.DLL
2016-02-10 01:25 - 2015-10-22 08:59 - 00007168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KBDAZE.DLL
2016-02-10 01:25 - 2015-10-22 08:21 - 00323072 _____ (Microsoft Corporation) C:\WINDOWS\system32\GlobCollationHost.dll
2016-02-10 01:25 - 2015-10-22 07:58 - 00200704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\GlobCollationHost.dll
2016-02-10 01:25 - 2015-10-22 06:08 - 00513456 _____ C:\WINDOWS\SysWOW64\locale.nls
2016-02-10 01:25 - 2015-10-22 06:08 - 00513456 _____ C:\WINDOWS\system32\locale.nls
2016-02-10 01:25 - 2015-01-05 19:01 - 00072192 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ndproxy.sys
2016-02-10 01:25 - 2015-01-05 18:59 - 00080896 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\wanarp.sys
2016-02-10 01:25 - 2015-01-05 17:12 - 00185856 _____ (Microsoft Corporation) C:\WINDOWS\system32\rascfg.dll
2016-02-10 01:25 - 2015-01-05 17:02 - 00164864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\rascfg.dll
2016-02-10 01:24 - 2015-04-30 17:13 - 06521800 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppsvc.exe
2016-02-10 01:24 - 2015-04-30 17:13 - 01488000 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2016-02-10 01:24 - 2015-04-30 17:13 - 00261376 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppwinob.dll
2016-02-10 00:11 - 2016-02-10 18:00 - 00000000 ____D C:\Users\Administrator\AppData\Local\ElevatedDiagnostics
2016-02-09 23:16 - 2016-02-06 02:48 - 25839104 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-02-09 23:16 - 2016-02-06 02:24 - 02887680 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-02-09 23:16 - 2016-02-06 02:01 - 20366848 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-02-09 23:16 - 2016-02-06 01:43 - 02280448 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-02-09 23:16 - 2016-02-06 01:32 - 14458368 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-02-09 23:16 - 2016-02-06 01:16 - 12857856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-02-09 23:16 - 2016-02-06 01:09 - 01547264 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-02-09 23:16 - 2016-02-06 00:54 - 01312256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-02-09 20:41 - 2016-01-14 17:42 - 00033472 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-02-09 20:41 - 2016-01-14 12:44 - 01362944 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-02-09 20:41 - 2016-01-14 12:44 - 01162240 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-02-09 20:41 - 2016-01-14 12:44 - 00696320 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-02-09 20:41 - 2016-01-14 12:44 - 00677376 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-02-09 20:41 - 2016-01-14 12:44 - 00499200 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-02-09 20:41 - 2016-01-14 12:44 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-02-09 20:41 - 2016-01-10 11:37 - 00442720 _____ (Microsoft Corporation) C:\WINDOWS\system32\msv1_0.dll
2016-02-09 20:41 - 2016-01-10 10:39 - 00332640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msv1_0.dll
2016-02-09 20:41 - 2016-01-10 10:15 - 00401920 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb.sys
2016-02-09 20:41 - 2016-01-10 10:15 - 00202240 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxsmb20.sys
2016-02-09 20:41 - 2016-01-10 09:50 - 00062464 _____ (Microsoft Corporation) C:\WINDOWS\system32\cfgbkend.dll
2016-02-09 20:41 - 2016-01-10 09:43 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2016-02-09 20:41 - 2016-01-10 09:31 - 00162304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msorcl32.dll
2016-02-09 20:41 - 2016-01-10 09:16 - 00898048 _____ (Microsoft Corporation) C:\WINDOWS\system32\CPFilters.dll
2016-02-09 20:41 - 2016-01-10 09:14 - 00048640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\cfgbkend.dll
2016-02-09 20:41 - 2016-01-10 09:12 - 00532480 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDec.dll
2016-02-09 20:41 - 2016-01-10 09:09 - 01442304 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2016-02-09 20:41 - 2016-01-10 09:09 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2016-02-09 20:41 - 2016-01-10 09:02 - 00987648 _____ (Microsoft Corporation) C:\WINDOWS\system32\kerberos.dll
2016-02-09 20:41 - 2016-01-10 08:58 - 00166400 _____ (Microsoft Corporation) C:\WINDOWS\system32\mtxoci.dll
2016-02-09 20:41 - 2016-01-10 08:56 - 00186880 _____ (Microsoft Corporation) C:\WINDOWS\system32\dpapisrv.dll
2016-02-09 20:41 - 2016-01-10 08:51 - 00702976 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\CPFilters.dll
2016-02-09 20:41 - 2016-01-10 08:49 - 00443392 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\EncDec.dll
2016-02-09 20:41 - 2016-01-10 08:43 - 00801792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kerberos.dll
2016-02-09 20:41 - 2016-01-10 08:40 - 00116736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mtxoci.dll
2016-02-09 20:41 - 2016-01-07 10:34 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2016-02-09 20:41 - 2015-12-29 07:45 - 07783936 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-02-09 20:41 - 2015-12-29 07:45 - 07075328 _____ (Microsoft Corporation) C:\WINDOWS\system32\glcndFilter.dll
2016-02-09 20:41 - 2015-12-29 07:43 - 05267968 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\glcndFilter.dll
2016-02-09 20:41 - 2015-12-29 07:42 - 05264384 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-02-09 20:40 - 2016-01-22 00:01 - 22365992 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2016-02-09 20:40 - 2016-01-21 23:11 - 19794896 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2016-02-09 20:40 - 2016-01-21 21:25 - 14467072 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-02-09 20:40 - 2016-01-21 21:14 - 12879360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-02-09 20:40 - 2016-01-21 21:07 - 02778624 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2016-02-09 20:40 - 2016-01-21 20:58 - 02464256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2016-02-09 20:40 - 2016-01-19 11:14 - 07453024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2016-02-09 20:40 - 2016-01-19 11:13 - 02175008 _____ (Microsoft Corporation) C:\WINDOWS\system32\combase.dll
2016-02-09 20:40 - 2016-01-19 11:13 - 01063464 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinTypes.dll
2016-02-09 20:40 - 2016-01-19 11:12 - 01737088 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2016-02-09 20:40 - 2016-01-19 11:12 - 01133744 _____ (Microsoft Corporation) C:\WINDOWS\system32\KernelBase.dll
2016-02-09 20:40 - 2016-01-19 10:23 - 01564496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\combase.dll
2016-02-09 20:40 - 2016-01-19 10:23 - 01501496 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2016-02-09 20:40 - 2016-01-19 10:23 - 00548024 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinTypes.dll
2016-02-09 20:40 - 2016-01-19 10:15 - 00246784 _____ (Microsoft Corporation) C:\WINDOWS\system32\microsoft-windows-system-events.dll
2016-02-09 20:40 - 2016-01-19 09:30 - 00862720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\KernelBase.dll
2016-02-09 20:40 - 2016-01-19 08:37 - 00267776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wincorlib.dll
2016-02-09 20:40 - 2016-01-06 10:25 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2016-02-09 20:39 - 2016-01-21 22:40 - 00571904 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-02-09 20:39 - 2016-01-21 22:29 - 06052352 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-02-09 20:39 - 2016-01-21 22:28 - 00108544 _____ (Microsoft Corporation) C:\WINDOWS\system32\hlink.dll
2016-02-09 20:39 - 2016-01-21 22:27 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2016-02-09 20:39 - 2016-01-21 22:02 - 00496640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-02-09 20:39 - 2016-01-21 21:55 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2016-02-09 20:39 - 2016-01-21 21:52 - 00099328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\hlink.dll
2016-02-09 20:39 - 2016-01-21 21:51 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2016-02-09 20:39 - 2016-01-21 21:50 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2016-02-09 20:39 - 2016-01-21 21:48 - 00718336 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2016-02-09 20:39 - 2016-01-21 21:48 - 00372224 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-02-09 20:39 - 2016-01-21 21:47 - 00798208 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-02-09 20:39 - 2016-01-21 21:46 - 02123264 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-02-09 20:39 - 2016-01-21 21:35 - 04611072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-02-09 20:39 - 2016-01-21 21:31 - 02597376 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-02-09 20:39 - 2016-01-21 21:31 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2016-02-09 20:39 - 2016-01-21 21:28 - 02880000 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2016-02-09 20:39 - 2016-01-21 21:27 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2016-02-09 20:39 - 2016-01-21 21:25 - 00687104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-02-09 20:39 - 2016-01-21 21:25 - 00325632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2016-02-09 20:39 - 2016-01-21 21:24 - 02050560 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-02-09 20:39 - 2016-01-21 21:08 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-02-09 20:39 - 2016-01-21 21:07 - 02120704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-02-09 20:39 - 2016-01-21 21:02 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-02-09 20:39 - 2016-01-10 11:37 - 00136912 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2016-02-09 20:39 - 2016-01-10 08:51 - 03707392 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2016-02-09 20:39 - 2016-01-10 08:39 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2016-02-09 20:39 - 2016-01-10 08:38 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2016-02-09 20:39 - 2016-01-10 08:36 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2016-02-09 20:39 - 2016-01-10 08:36 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2016-02-09 20:39 - 2016-01-10 08:35 - 02243584 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2016-02-09 20:39 - 2016-01-10 08:35 - 00897024 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2016-02-09 20:39 - 2016-01-10 08:29 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2016-02-09 20:39 - 2016-01-10 08:29 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2016-02-09 20:39 - 2016-01-10 08:27 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2016-02-09 20:39 - 2016-01-10 08:26 - 00726528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2016-02-09 20:39 - 2015-12-28 13:42 - 00713216 _____ (Microsoft Corporation) C:\WINDOWS\system32\WinSync.dll
2016-02-09 20:39 - 2015-12-28 12:31 - 00578048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WinSync.dll
2016-02-09 20:39 - 2015-12-17 10:29 - 00131584 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpudd.dll
2016-02-09 20:39 - 2015-12-17 08:17 - 03547648 _____ (Microsoft Corporation) C:\WINDOWS\system32\rdpcorets.dll
2016-02-09 13:03 - 2016-02-09 13:03 - 02769537 _____ C:\Users\Administrator\Documents\HP2000notebookUserGuide.pdf
2016-02-09 12:56 - 2016-02-09 12:56 - 02736350 _____ C:\Users\Administrator\Documents\HP2000notebook Maintenance and service.pdf
2016-02-09 11:51 - 2016-02-09 11:51 - 00012760 _____ C:\Users\Administrator\Documents\xp recovery contents2.txt
2016-02-09 11:47 - 2016-02-09 11:47 - 00012668 _____ C:\Users\Administrator\Documents\xp recovery contents.txt
2016-02-09 01:56 - 2016-02-09 01:56 - 01081949 _____ C:\Users\Administrator\Documents\partedmagicscanresultshp2000.txt
2016-02-08 10:57 - 2016-02-08 10:57 - 00000000 ____D C:\bootmedium
2016-02-08 10:40 - 2016-02-08 10:40 - 00000000 ____D C:\boot-sav
2016-02-06 14:26 - 2016-02-06 16:05 - 00004465 _____ C:\Users\Administrator\Documents\chrystina, keyboard mouse issue.txt
2016-02-05 21:58 - 2016-02-05 21:58 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\TuneUp Software
2016-02-05 03:18 - 2016-02-05 03:18 - 00072331 _____ C:\Users\Administrator\Documents\DxDiag.txt
2016-02-05 01:14 - 2016-02-05 01:14 - 00000000 ____D C:\Program Files (x86)\BurnAware Free
2016-02-05 00:35 - 2016-02-05 00:35 - 00000000 ____D C:\ProgramData\install_clap
2016-02-05 00:29 - 2016-02-05 00:32 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\DeepBurner
2016-02-05 00:28 - 2016-02-05 01:12 - 00000000 ____D C:\Program Files (x86)\Astonsoft
2016-02-04 22:49 - 2016-02-05 13:33 - 00000699 _____ C:\Users\Administrator\AppData\Roaming\burnaware.ini
2016-02-04 20:39 - 2016-02-04 20:39 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\InfraRecorder
2016-02-04 19:50 - 2016-02-04 19:51 - 00240128 _____ C:\Users\Administrator\Documents\The Best, Free Alternatives to Nero CD_DVD Burner.htm
2016-02-04 19:50 - 2016-02-04 19:51 - 00000000 ____D C:\Users\Administrator\Documents\The Best, Free Alternatives to Nero CD_DVD Burner_files
2016-02-04 16:41 - 2016-02-04 16:41 - 00000000 ____D C:\ProgramData\Canneverbe Limited
2016-02-04 16:40 - 2016-02-04 16:40 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Canneverbe Limited
2016-02-03 21:17 - 2016-02-04 22:48 - 00000258 __RSH C:\ProgramData\ntuser.pol
2016-02-03 21:17 - 2016-02-03 21:17 - 00867752 _____ (Akeo Consulting (hxxp://akeo.ie)) C:\Users\Administrator\Documents\rufus-2.6.exe
2016-02-03 14:45 - 2016-02-03 14:46 - 00000125 _____ C:\Users\Guest\Desktop\Umpqua Health Allaince.url
2016-02-03 14:43 - 2016-02-03 14:45 - 00000146 _____ C:\Users\Guest\Desktop\find a provider-Umpqua Health Allaince.url
2016-02-03 14:37 - 2016-02-03 14:37 - 00011514 _____ C:\Users\Guest\Desktop\Pulmonology doc.htm
2016-02-03 14:30 - 2016-02-03 14:30 - 04975325 _____ C:\Users\Guest\Documents\UmpquaHealthAlliance20151101.pdf
2016-02-03 13:50 - 2016-02-03 13:50 - 01936538 _____ C:\Users\Guest\Downloads\OHP handbook.pdf
2016-02-03 10:25 - 2016-02-03 10:25 - 00001733 _____ C:\Users\Guest\Desktop\2015_UTCR - Shortcut.lnk
2016-01-28 12:15 - 2016-01-28 12:15 - 00008421 _____ C:\Users\Guest\Documents\RCO compromise.pdf
2016-01-27 14:16 - 2016-01-27 14:19 - 00000000 ____D C:\Users\Guest\Documents\Family Tree Maker
2016-01-26 12:10 - 2016-01-26 12:10 - 00002255 _____ C:\Users\Guest\Desktop\Douglas_SLR_2015 - Shortcut.lnk
2016-01-26 11:59 - 2016-01-26 11:59 - 00002228 _____ C:\Users\Guest\Desktop\2015 ORCP amendments - Shortcut.lnk
2016-01-25 21:44 - 2016-01-25 21:44 - 00000133 _____ C:\Users\Guest\Desktop\E-Clerk.url
2016-01-25 21:40 - 2016-01-25 21:40 - 00040268 _____ C:\Users\Guest\Documents\Douglas County Oregon e-Government - Clerks Office.htm
2016-01-25 21:40 - 2016-01-25 21:40 - 00000000 ____D C:\Users\Guest\Documents\Douglas County Oregon e-Government - Clerks Office_files
2016-01-25 21:27 - 2016-01-25 21:27 - 00019965 _____ C:\Users\Guest\Documents\2012-016695.htm
2016-01-25 21:26 - 2016-01-25 21:26 - 00023685 _____ C:\Users\Guest\Documents\2006-002656.htm
2016-01-25 20:14 - 2016-01-25 20:26 - 00000192 _____ C:\Users\Guest\Documents\filewithco.txt
2016-01-25 14:56 - 2016-01-25 14:57 - 00000000 ____D C:\Users\Guest\Documents\#13cv2055cc 2016
2016-01-24 18:25 - 2016-01-24 18:25 - 00000953 _____ C:\Users\Guest\Desktop\Dad - Shortcut.lnk
2016-01-24 18:18 - 2016-01-24 18:18 - 01816728 _____ C:\Users\Administrator\Downloads\Case#13cv2055cc.zip
2016-01-23 22:09 - 2016-01-23 22:09 - 00385730 _____ C:\Users\Guest\Downloads\douglas_county_prob.pdf
2016-01-23 17:47 - 2016-02-14 00:28 - 00000000 ____D C:\SysinternalsSuite
2016-01-22 15:15 - 2016-01-22 15:15 - 00260528 _____ (AVG Technologies CZ, s.r.o.) C:\WINDOWS\system32\Drivers\avgmfx64.sys
2016-01-16 12:52 - 2015-12-10 19:18 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 02745184 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVDECOD.DLL
2016-01-16 12:50 - 2015-12-04 21:58 - 02528784 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVDECOD.DLL
2016-01-16 12:50 - 2015-12-04 21:58 - 02450240 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVENCOD.DLL
2016-01-16 12:50 - 2015-12-04 21:58 - 02447136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVENCOD.DLL
2016-01-16 12:50 - 2015-12-04 21:58 - 02334104 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfcore.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 02324744 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfcore.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 01877504 _____ (Microsoft Corporation) C:\WINDOWS\system32\msmpeg2adec.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 01484888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msmpeg2adec.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 01288128 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetsrc.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 01210200 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMADMOD.DLL
2016-01-16 12:50 - 2015-12-04 21:58 - 01115640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetsrc.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 01037680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMADMOD.DLL
2016-01-16 12:50 - 2015-12-04 21:58 - 00850680 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfnetcore.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 00735496 _____ (Microsoft Corporation) C:\WINDOWS\system32\evr.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 00700360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfnetcore.dll
2016-01-16 12:50 - 2015-12-04 21:58 - 00498472 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfsvr.dll
2016-01-16 12:50 - 2015-12-03 09:36 - 01697792 _____ (Microsoft Corporation) C:\WINDOWS\system32\quartz.dll
2016-01-16 12:50 - 2015-12-03 08:40 - 01010688 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOD.DLL
2016-01-16 12:50 - 2015-12-03 08:29 - 00887296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOD.DLL
2016-01-16 12:50 - 2015-12-02 07:04 - 00670208 _____ (Microsoft Corporation) C:\WINDOWS\system32\qedit.dll
2016-01-16 12:50 - 2015-12-02 07:01 - 00561664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qedit.dll
2016-01-16 12:49 - 2015-12-10 16:13 - 00210432 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepic.dll
2016-01-16 12:49 - 2015-12-07 02:56 - 01380600 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 01798480 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMALFXGFXDSP.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 01150232 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMADMOE.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00914672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMADMOE.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00629600 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP4SDECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00584656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\evr.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 00557856 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVSDECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00492736 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVSDECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00463776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP4SDECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00399776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfsvr.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 00299080 _____ (Microsoft Corporation) C:\WINDOWS\system32\VIDRESZR.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00275312 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MPG4DECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00274280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP43DECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00250520 _____ (Microsoft Corporation) C:\WINDOWS\system32\MPG4DECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00248432 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP43DECD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00246856 _____ (Microsoft Corporation) C:\WINDOWS\system32\RESAMPLEDMO.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00244296 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfps.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 00229272 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\RESAMPLEDMO.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00203016 _____ (Microsoft Corporation) C:\WINDOWS\system32\COLORCNV.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00184912 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\COLORCNV.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00183856 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\VIDRESZR.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00116720 _____ (Microsoft Corporation) C:\WINDOWS\system32\MP3DMOD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00110544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfps.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 00099136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MP3DMOD.DLL
2016-01-16 12:49 - 2015-12-04 21:58 - 00090904 _____ (Microsoft Corporation) C:\WINDOWS\system32\devenum.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 00090392 _____ (Microsoft Corporation) C:\WINDOWS\system32\mfvdsp.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 00081032 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\devenum.dll
2016-01-16 12:49 - 2015-12-04 21:58 - 00076936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mfvdsp.dll
2016-01-16 12:49 - 2015-12-04 07:00 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-01-16 12:49 - 2015-12-03 11:42 - 00397224 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcryptprimitives.dll
2016-01-16 12:49 - 2015-12-03 11:42 - 00137968 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncrypt.dll
2016-01-16 12:49 - 2015-12-03 11:42 - 00106960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncryptsslp.dll
2016-01-16 12:49 - 2015-12-03 10:52 - 00340872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcryptprimitives.dll
2016-01-16 12:49 - 2015-12-03 10:52 - 00120376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncrypt.dll
2016-01-16 12:49 - 2015-12-03 10:52 - 00091416 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ncryptsslp.dll
2016-01-16 12:49 - 2015-12-03 10:07 - 00340992 _____ (Microsoft Corporation) C:\WINDOWS\system32\qdvd.dll
2016-01-16 12:49 - 2015-12-03 10:07 - 00289792 _____ (Microsoft Corporation) C:\WINDOWS\system32\ksproxy.ax
2016-01-16 12:49 - 2015-12-03 10:05 - 00644608 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVXENCD.DLL
2016-01-16 12:49 - 2015-12-03 10:02 - 01664000 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMSPDMOE.DLL
2016-01-16 12:49 - 2015-12-03 10:00 - 00451072 _____ (Microsoft Corporation) C:\WINDOWS\system32\WMVSENCD.DLL
2016-01-16 12:49 - 2015-12-03 09:58 - 00378880 ____C (Microsoft Corporation) C:\WINDOWS\system32\SysFxUI.dll
2016-01-16 12:49 - 2015-12-03 09:30 - 00468480 _____ (Microsoft Corporation) C:\WINDOWS\system32\MFWMAAEC.DLL
2016-01-16 12:49 - 2015-12-03 09:28 - 00519680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\qdvd.dll
2016-01-16 12:49 - 2015-12-03 09:28 - 00245760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ksproxy.ax
2016-01-16 12:49 - 2015-12-03 09:27 - 00736256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVXENCD.DLL
2016-01-16 12:49 - 2015-12-03 09:24 - 01411584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMSPDMOE.DLL
2016-01-16 12:49 - 2015-12-03 09:23 - 00402432 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WMVSENCD.DLL
2016-01-16 12:49 - 2015-12-03 09:07 - 00432128 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2016-01-16 12:49 - 2015-12-03 09:06 - 01501184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\quartz.dll
2016-01-16 12:49 - 2015-12-03 09:01 - 00743936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MFWMAAEC.DLL
2016-01-16 12:49 - 2015-12-03 08:45 - 00357888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2016-01-16 12:48 - 2015-12-08 11:08 - 00685432 _____ (Microsoft Corporation) C:\WINDOWS\system32\advapi32.dll
2016-01-16 12:48 - 2015-12-08 11:07 - 00507176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\advapi32.dll

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-02-14 16:25 - 2015-05-22 17:01 - 00000000 ____D C:\FRST
2016-02-14 16:16 - 2015-04-17 16:36 - 00000000 ____D C:\AdwCleaner
2016-02-14 16:05 - 2015-07-17 11:58 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-02-14 16:05 - 2013-08-22 06:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-02-14 15:52 - 2015-09-17 10:06 - 00000000 ____D C:\ProgramData\MFAData
2016-02-14 00:54 - 2015-07-17 14:30 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-02-14 00:40 - 2015-09-29 20:30 - 00000000 ____D C:\Users\Guest\AppData\Local\CrashDumps
2016-02-14 00:40 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-02-12 21:33 - 2015-12-28 21:31 - 00000352 _____ C:\WINDOWS\Tasks\HPCeeScheduleForOwner.job
2016-02-12 21:11 - 2014-11-21 00:44 - 00956476 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-02-12 21:11 - 2013-08-22 05:36 - 00000000 ____D C:\WINDOWS\Inf
2016-02-11 16:53 - 2016-01-09 13:45 - 00000000 ____D C:\Users\Administrator\AppData\Local\CrashDumps
2016-02-11 16:09 - 2015-07-12 11:18 - 00003596 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3817485168-1237566219-314415453-500
2016-02-11 13:32 - 2015-09-17 10:16 - 00000959 _____ C:\Users\Public\Desktop\AVG Protection.lnk
2016-02-11 13:32 - 2015-09-17 10:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2016-02-11 13:32 - 2012-07-26 00:12 - 00000000 ___HD C:\WINDOWS\ELAMBKUP
2016-02-10 20:31 - 2015-08-04 13:31 - 00003208 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForLOUIEROSE$
2016-02-10 20:31 - 2015-08-04 13:31 - 00000372 _____ C:\WINDOWS\Tasks\HPCeeScheduleForLOUIEROSE$.job
2016-02-10 09:05 - 2016-01-06 16:24 - 00000000 ____D C:\Users\Administrator\AppData\Local\Hewlett-Packard
2016-02-10 07:41 - 2013-08-22 06:44 - 00364912 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-02-10 06:57 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\rescache
2016-02-10 01:54 - 2015-07-17 14:30 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-02-10 01:28 - 2012-07-25 23:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-02-10 00:15 - 2015-07-30 09:49 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-02-10 00:15 - 2013-08-22 07:36 - 00000000 ___RD C:\WINDOWS\ToastData
2016-02-10 00:02 - 2014-11-21 00:25 - 00000000 ____D C:\Program Files\Windows Journal
2016-02-09 23:32 - 2015-07-14 16:57 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-02-09 23:23 - 2015-07-14 16:57 - 146614896 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-02-09 20:32 - 2015-11-11 17:14 - 00561952 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-02-09 20:32 - 2015-11-11 17:14 - 00177496 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-02-09 02:31 - 2013-08-22 07:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-02-09 01:59 - 2013-06-01 10:40 - 00000000 ____D C:\Users\Administrator\AppData\Local\Windows Live
2016-02-08 18:52 - 2013-08-22 05:25 - 00262144 ___SH C:\WINDOWS\system32\config\ELAM
2016-02-08 18:06 - 2013-08-22 05:25 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-02-05 00:46 - 2013-10-08 04:49 - 00000000 ____D C:\Program Files (x86)\CyberLink
2016-02-05 00:46 - 2013-06-01 10:33 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Productivity and Tools
2016-02-05 00:45 - 2013-10-08 04:48 - 00000000 ____D C:\ProgramData\Temp
2016-02-05 00:44 - 2013-06-01 10:48 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-02-05 00:43 - 2013-10-08 04:54 - 00000000 ____D C:\ProgramData\CyberLink
2016-02-05 00:43 - 2013-10-08 04:49 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Music, Photos and Videos
2016-02-04 11:18 - 2015-07-26 01:00 - 00000000 ____D C:\Users\Administrator
2016-02-03 22:07 - 2015-09-17 13:27 - 00003886 _____ C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
2016-02-03 22:07 - 2015-09-17 13:27 - 00002457 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-02-03 21:17 - 2013-08-22 07:36 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2016-02-03 21:17 - 2013-08-22 07:36 - 00000000 ____D C:\WINDOWS\SysWOW64\GroupPolicy
2016-02-03 20:22 - 2015-09-17 13:12 - 00000000 ____D C:\Users\Guest
2016-02-01 18:37 - 2014-11-21 08:03 - 00828920 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-02-01 18:37 - 2014-11-21 08:03 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-02-01 17:31 - 2013-08-22 07:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-01-26 15:44 - 2015-09-17 13:13 - 00000000 ____D C:\Users\Guest\AppData\Roaming\Epson
2016-01-26 11:58 - 2015-09-17 13:16 - 00000000 ____D C:\Users\Guest\Documents\Dad
2016-01-24 17:02 - 2015-07-26 01:10 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2016-01-23 14:09 - 2014-11-21 07:56 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2016-01-22 12:47 - 2015-11-27 15:13 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-01-22 12:47 - 2015-11-27 15:13 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-01-21 18:16 - 2015-11-27 15:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-01-20 21:29 - 2016-01-06 16:17 - 00000000 ____D C:\Users\Administrator\AppData\Local\Avg

==================== Files in the root of some directories =======

2016-02-04 22:49 - 2016-02-05 13:33 - 0000699 _____ () C:\Users\Administrator\AppData\Roaming\burnaware.ini

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== BCD ================================

Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {ce88474d-28d2-11e5-b245-aafcc998eb17}
                        {ce88474a-28d2-11e5-b245-aafcc998eb17}
                        {ce88474b-28d2-11e5-b245-aafcc998eb17}
timeout                 0

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume2
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
integrityservices       Enable
default                 {current}
resumeobject            {ce88475b-28d2-11e5-b245-aafcc998eb17}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Firmware Application (101fffff)
-------------------------------
identifier              {a6ac1f9a-3013-11e3-be6e-806e6f6e6963}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {a9b952ec-fb41-11e3-a25a-fc533ef15343}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {ce88474a-28d2-11e5-b245-aafcc998eb17}
description             USB Drive (UEFI)

Firmware Application (101fffff)
-------------------------------
identifier              {ce88474b-28d2-11e5-b245-aafcc998eb17}
description             Internal CD/DVD ROM Drive (UEFI)

Firmware Application (101fffff)
-------------------------------
identifier              {ce88474c-28d2-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {ce88474d-28d2-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {ce88474e-28d2-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {ce88474f-28d2-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {ce884755-28d2-11e5-b245-aafcc998eb17}
description             USB Drive (UEFI)

Firmware Application (101fffff)
-------------------------------
identifier              {ce884757-28d2-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {daba9465-28ce-11e5-b245-aafcc998eb17}
description             USB Drive (UEFI)

Firmware Application (101fffff)
-------------------------------
identifier              {daba9467-28ce-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {daba9468-28ce-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {daba9469-28ce-11e5-b245-aafcc998eb17}
description             Internal Hard Disk or Solid State Disk

Firmware Application (101fffff)
-------------------------------
identifier              {f9f0f2d1-301b-11e3-a3e6-d01012e78f8d}
description             USB Drive (UEFI)

Firmware Application (101fffff)
-------------------------------
identifier              {f9f0f2d4-301b-11e3-a3e6-d01012e78f8d}
description             Internal Hard Disk or Solid State Disk

Windows Boot Loader
-------------------
identifier              {a9b952ee-fb41-11e3-a25a-fc533ef15343}
device                  ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{a9b952ef-fb41-11e3-a25a-fc533ef15343}
path                    \windows\system32\winload.efi
description             Windows Recovery Environment
locale                  en-US
inherit                 {bootloadersettings}
displaymessage          Recovery
displaymessageoverride  Recovery
osdevice                ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{a9b952ef-fb41-11e3-a25a-fc533ef15343}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {ce884758-28d2-11e5-b245-aafcc998eb17}
device                  ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{ce884759-28d2-11e5-b245-aafcc998eb17}
path                    \windows\system32\winload.efi
description             Windows Recovery Environment
locale                  en-US
inherit                 {bootloadersettings}
displaymessage          Recovery
displaymessageoverride  Recovery
osdevice                ramdisk=[\Device\HarddiskVolume1]\Recovery\WindowsRE\Winre.wim,{ce884759-28d2-11e5-b245-aafcc998eb17}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \WINDOWS\system32\winload.efi
description             Windows 8.1
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {ce88475d-28d2-11e5-b245-aafcc998eb17}
integrityservices       Enable
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \WINDOWS
resumeobject            {ce88475b-28d2-11e5-b245-aafcc998eb17}
nx                      OptIn
bootmenupolicy          Standard

Windows Boot Loader
-------------------
identifier              {ce88475d-28d2-11e5-b245-aafcc998eb17}
device                  ramdisk=[\Device\HarddiskVolume5]\Recovery\WindowsRE\Winre.wim,{ce88475e-28d2-11e5-b245-aafcc998eb17}
path                    \windows\system32\winload.efi
description             Windows Recovery Environment
locale                  en-US
inherit                 {bootloadersettings}
displaymessage          Recovery
osdevice                ramdisk=[\Device\HarddiskVolume5]\Recovery\WindowsRE\Winre.wim,{ce88475e-28d2-11e5-b245-aafcc998eb17}
systemroot              \windows
nx                      OptIn
bootmenupolicy          Standard
winpe                   Yes

Resume from Hibernate
---------------------
identifier              {ce88475b-28d2-11e5-b245-aafcc998eb17}
device                  partition=C:
path                    \WINDOWS\system32\winresume.efi
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {ce88475d-28d2-11e5-b245-aafcc998eb17}
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
bootmenupolicy          Standard
debugoptionenabled      No

Resume from Hibernate
---------------------
identifier              {daba946c-28ce-11e5-b245-aafcc998eb17}
device                  partition=C:
path                    \WINDOWS\system32\winresume.efi
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {ce884758-28d2-11e5-b245-aafcc998eb17}
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
bootmenupolicy          Standard
debugoptionenabled      No

Resume from Hibernate
---------------------
identifier              {f9f0f2d5-301b-11e3-a3e6-d01012e78f8d}
device                  partition=C:
path                    \Windows\system32\winresume.efi
description             Windows Resume Application
locale                  en-US
inherit                 {resumeloadersettings}
recoverysequence        {a9b952ee-fb41-11e3-a25a-fc533ef15343}
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
filedevice              partition=C:
filepath                \hiberfil.sys
bootmenupolicy          Standard
debugoptionenabled      No

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume2
path                    \EFI\Microsoft\Boot\memtest.efi
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

EMS Settings
------------
identifier              {emssettings}
bootems                 No

Debugger Settings
-----------------
identifier              {dbgsettings}
debugtype               Serial
debugport               1
baudrate                115200

RAM Defects
-----------
identifier              {badmemory}

Global Settings
---------------
identifier              {globalsettings}
inherit                 {dbgsettings}
                        {emssettings}
                        {badmemory}

Boot Loader Settings
--------------------
identifier              {bootloadersettings}
inherit                 {globalsettings}
                        {hypervisorsettings}

Hypervisor Settings
-------------------
identifier              {hypervisorsettings}
hypervisordebugtype     Serial
hypervisordebugport     1
hypervisorbaudrate      115200

Resume Loader Settings
----------------------
identifier              {resumeloadersettings}
inherit                 {globalsettings}

Device options
--------------
identifier              {a9b952ef-fb41-11e3-a25a-fc533ef15343}
description             Windows Recovery
ramdisksdidevice        partition=\Device\HarddiskVolume1
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

Device options
--------------
identifier              {a9b952f0-fb41-11e3-a25a-fc533ef15343}
description             Windows Setup
ramdisksdidevice        partition=C:
ramdisksdipath          \$WINDOWS.~BT\Sources\SafeOS\boot.sdi

Device options
--------------
identifier              {ce884759-28d2-11e5-b245-aafcc998eb17}
description             Windows Recovery
ramdisksdidevice        partition=\Device\HarddiskVolume1
ramdisksdipath          \Recovery\WindowsRE\boot.sdi

Device options
--------------
identifier              {ce88475a-28d2-11e5-b245-aafcc998eb17}
description             Windows Setup
ramdisksdidevice        partition=C:
ramdisksdipath          \$WINDOWS.~BT\Sources\SafeOS\boot.sdi

Device options
--------------
identifier              {ce88475e-28d2-11e5-b245-aafcc998eb17}
description             Windows Recovery
ramdisksdidevice        partition=\Device\HarddiskVolume5
ramdisksdipath          \Recovery\WindowsRE\boot.sdi



LastRegBack: 2016-02-11 16:09

==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:07-02-2016
Ran by Administrator (2016-02-14 16:27:54)
Running from C:\Users\Administrator\Desktop
Windows 8.1 (X64) (2015-07-26 09:33:02)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-3817485168-1237566219-314415453-500 - Administrator - Enabled) => C:\Users\Administrator
Guest (S-1-5-21-3817485168-1237566219-314415453-501 - Limited - Enabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-3817485168-1237566219-314415453-1006 - Limited - Enabled)
Owner (S-1-5-21-3817485168-1237566219-314415453-1002 - Administrator - Enabled) => C:\Users\Owner

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: AVG AntiVirus Free Edition (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}
FW: AVG update module (Disabled) {757AB44A-78C2-7D1A-E37F-CA42A037B368}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

4 Elements II (x32 Version: 2.2.0.98 - WildTangent) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20056 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.6.636 - Adobe Systems, Inc.)
Airport Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
AMD Catalyst Install Manager (HKLM\...\{CB4C08E3-800F-65F6-9C00-06814A6B7CE7}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
AVG (Version: 16.41.7442 - AVG Technologies) Hidden
AVG 2016 (Version: 16.0.4522 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.41.7442 - AVG Technologies)
AVG Web TuneUp (HKLM-x32\...\AVG Web TuneUp) (Version: 4.6.0.153 - AVG Technologies)
Azteca (x32 Version: 2.2.0.97 - WildTangent) Hidden
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Big Fish: Game Manager (HKLM-x32\...\BFGC) (Version: 3.3.0.2 - )
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bosch Scanning Suite (HKLM-x32\...\{4F97F0C8-BDCF-40B1-B7B9-8BC712C877F4}) (Version: 4.000.0000 - BoschNA)
Bounce Symphony (x32 Version: 2.2.0.97 - WildTangent) Hidden
Build-a-lot (x32 Version: 2.2.0.98 - WildTangent) Hidden
BurnAware Free 8.8 (HKLM-x32\...\BurnAware Free_is1) (Version:  - Burnaware)
Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
CCleaner (HKLM\...\CCleaner) (Version: 5.12 - Piriform)
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Curse at Twilight (x32 Version: 3.0.2.32 - WildTangent) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.6.6119 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Delicious: Emily's Childhood Memories Premium Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.0.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{FA9D303D-0FB2-49C7-9397-8E6B11EA892D}) (Version: 2.50.0001 - SEIKO EPSON CORPORATION)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.46.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WorkForce 645 Series Printer Uninstall (HKLM\...\EPSON WorkForce 645 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
Family Tree Maker 2012 (HKLM-x32\...\Family Tree Maker 2012) (Version: 21.0.704 - Ancestry.com, Inc.)
Family Tree Maker 2012 (x32 Version: 21.0.704 - Ancestry.com, Inc.) Hidden
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Fear for Sale: City of the Past Collector's Edition (HKLM-x32\...\BFG-Fear for Sale - City of the Past Collectors Edition) (Version:  - )
FMW 1 (Version: 1.52.1 - AVG Technologies) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Haunted Legends: The Secret of Life Collector's Edition (HKLM-x32\...\BFG-Haunted Legends - The Secret of Life Collector's Edition) (Version:  - )
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
House of 1000 Doors: Family Secrets (x32 Version: 2.2.0.98 - WildTangent) Hidden
HP Documentation (HKLM-x32\...\{8C1ADF61-4F87-44BC-804C-C20FC70D98BB}) (Version: 1.4.0.0 - Hewlett-Packard)
HP MyRoom (HKLM-x32\...\{9C35EDE5-4B0F-45E7-A438-314BA889948E}) (Version: 9.0.0.0 - Hewlett-Packard Company)
HP Quick Start (HKLM-x32\...\{574F0207-8E98-46CD-8F79-318348C98C46}) (Version: 1.0.4660.30220 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.6317.4309 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{79C54A05-F146-4EA0-8A70-D4EFE6181E52}) (Version: 8.1.40.3 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{55065080-504F-43BB-BE00-36B80D7D39A5}) (Version: 12.0.30.219 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{DEF23826-DB71-4654-BC00-D5D6C20802EA}) (Version: 1.1.4 - Hewlett-Packard Company)
HP Utility Center (HKLM\...\{73237EBB-B26F-4628-8754-4EFE563D72E9}) (Version: 2.1.5 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{941DE69D-6CEE-4171-8F1F-3D7E352AA498}) (Version: 1.0.6.1 - Hewlett-Packard Company)
HPDetect (HKLM-x32\...\{CCCDD476-98F9-4B06-91DB-23F27CEC3BE1}) (Version: 1.0.0.0 - HP)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Mahjong Epic Tiles (HKLM-x32\...\{32124905-B0BE-462A-AAF2-2343496E2447}) (Version: 1.0.0 - On Hand Software)
Mahjongg Dimensions Deluxe: Tiles in Time (x32 Version: 2.2.0.98 - WildTangent) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-3817485168-1237566219-314415453-500\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 44.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 44.0.2 (x86 en-US)) (Version: 44.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 44.0.2.5884 - Mozilla)
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
Myths of Orion: Light from the North (HKLM-x32\...\BFG-Myths of Orion - Light from the North) (Version:  - )
OEM Application Profile (HKLM-x32\...\{C89A97B6-F991-EBB5-77B7-927BCF420EBE}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
OpenOffice 4.1.2 (HKLM-x32\...\{E6AD67BB-1C33-4AB3-A387-E0D48137AB70}) (Version: 4.12.9782 - Apache Software Foundation)
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.29070 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.20.815.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6937 - Realtek Semiconductor Corp.)
Redemption Cemetery: Clock of Fate Collector's Edition (HKLM-x32\...\BFG-Redemption Cemetery - Clock of Fate Collectors Edition) (Version:  - )
Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Royal Envoy 2 Collector's Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
Software Updater (HKLM-x32\...\{6DFBE8A2-CDBF-453E-B34C-32F202FCEE4C}) (Version: 4.2.1 - SEIKO EPSON CORPORATION)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.13.1 - Synaptics Incorporated)
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Vacation Quest™ - Australia (x32 Version: 3.0.2.32 - WildTangent) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Where Angels Cry: Tears of the Fallen Collector's Edition (HKLM-x32\...\BFG-Where Angels Cry - Tears of the Fallen Collectors Edition) (Version:  - )
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (HP Games) (x32 Version: 4.0.10.5 - WildTangent) Hidden
WinCleaner OneClick Professional Version 12 (HKLM-x32\...\WinCleaner OneClick Professional_is1) (Version: 12.5.0.0 - Business Logic Corporation) <==== ATTENTION
Windows Driver Package - Bosch Automotive Service Solutions LLC (usbser) Ports  (01/07/2010 2.0.0) (HKLM\...\94A197CDF6D7AD62FFDF7DF6D707D12DE9940B52) (Version: 01/07/2010 2.0.0 - Bosch Automotive Service Solutions LLC)
Windows Driver Package - FTDI CDM Driver Package (07/12/2010 2.08.02) (HKLM\...\7A3873EEB4807FBDE9271D1C3DA50F100D5B8A7D) (Version: 07/12/2010 2.08.02 - FTDI)
Windows Driver Package - FTDI CDM Driver Package (07/12/2010 2.08.02) (HKLM\...\C6554C9DFBD939292E343034D2836B952A9D4B66) (Version: 07/12/2010 2.08.02 - FTDI)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
Windows Media Encoder 9 Series (HKLM-x32\...\Windows Media Encoder 9) (Version:  - )
Youda Jewel Shop (x32 Version: 3.0.2.32 - WildTangent) Hidden
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {154FA42B-D80B-4B72-ADA5-99D67C234061} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-01-12] (Hewlett-Packard Company)
Task: {3DE700E2-2F00-4032-BD6F-60E8DD856960} - System32\Tasks\HPCeeScheduleForLOUIEROSE$ => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {45A600E4-C37B-4061-9E72-EAA0FE9B34BD} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2015-07-30] (Synaptics Incorporated)
Task: {7057AC2D-AD37-4FCA-81FD-A4070E2DADD3} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [2015-07-27] (Symantec Corporation)
Task: {89AAAFF6-512D-40DD-98E1-9A9CEA24DE28} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-11-16] (Piriform Ltd)
Task: {9275F83B-B0F0-4C6E-97B9-AB165713DA5B} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-02-09] (Microsoft Corporation)
Task: {972E1C40-2FB0-4158-B4D5-9F60433D7BDA} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Active Health Launcher => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-01-20] (Hewlett-Packard)
Task: {A40E4A0E-0093-42D0-AE30-74B80AF8A614} - System32\Tasks\Adobe Flash Player Updater => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-02-10] (Adobe Systems Incorporated)
Task: {A674150D-37E4-4F6C-994C-48C0BE2FEBA0} - System32\Tasks\1015tbUpdateInfo => C:\ProgramData\Avg_Update_1015tb\1015tb_{12693A82-8176-45F8-9D18-DE9ABF0D9E7B}.exe [2015-10-25] ()
Task: {B0065856-8A76-49B8-9EBD-693A9FDADD30} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-04] (Microsoft Corporation)
Task: {B1A6B323-BA44-4D70-8121-1496C31ABF4B} - System32\Tasks\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => C:\Windows\system32\GWX\GWXUXWorker.exe [2015-12-04] (Microsoft Corporation)
Task: {B4568F57-5060-44D4-A5F0-4291E730A336} - System32\Tasks\HPCeeScheduleForAdministrator => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {B80DE4F0-9F0A-4336-AEE9-AE66A78E04B1} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [2015-07-15] (Realtek Semiconductor)
Task: {CD62D26D-3495-4E7F-84CD-23E3E596C3BA} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-01-06] (Hewlett-Packard)
Task: {D084C9DC-BA92-47C0-A458-78FBD0ABC114} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-13] (Adobe Systems Incorporated)
Task: {E73A10BB-8C5B-4BF6-BEDF-3590B3602E97} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
Task: {E7CB459F-F4BA-4411-B065-D3B4AC0177BB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater - Resources => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-01-06] (Hewlett-Packard)
Task: {EF002353-6784-4D9E-AD58-4AF9A063C89D} - System32\Tasks\HPCeeScheduleForOwner => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {F19A87B8-A235-4CC6-BAC7-800E38BCBCEF} - System32\Tasks\AVG-Secure-Search-Update_0615pit_RML => C:\ProgramData\Avg_Update_0615pit\AVG-Secure-Search-Update_0615pit.exe
Task: {F38B4118-6EE7-4445-9B88-D169552E3778} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)
Task: {F89B2B9A-6FB6-4997-A7A8-C56EBE9EF6EE} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2015-09-28] (Hewlett-Packard Company)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\WINDOWS\Tasks\1015tbUpdateInfo.job => C:\ProgramData\Avg_Update_1015tb\1015tb_{12693A82-8176-45F8-9D18-DE9ABF0D9E7B}.exe
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForAdministrator.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForLOUIEROSE$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForOwner.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2015-10-05 07:58 - 2015-10-05 07:58 - 01196432 ____N () C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe
2014-07-04 20:33 - 2014-07-04 20:33 - 00127488 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2015-10-05 07:58 - 2015-10-05 07:58 - 03177872 _____ () C:\Program Files (x86)\AVG Web TuneUp\vprot.exe
2014-07-04 20:33 - 2014-07-04 20:33 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2015-09-17 10:07 - 2015-09-17 10:07 - 40500224 _____ () C:\Program Files (x86)\AVG\UiDll\2171\libcef.dll
2015-10-05 07:58 - 2015-10-05 07:58 - 00528272 _____ () C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.9.0\log4cplusU.dll
2015-10-05 07:58 - 2015-10-05 07:58 - 40638864 _____ () C:\Program Files (x86)\AVG Web TuneUp\libcef.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:036B81D9
AlternateDataStreams: C:\ProgramData\Temp:0C98AF11
AlternateDataStreams: C:\ProgramData\Temp:14B00291
AlternateDataStreams: C:\ProgramData\Temp:1B506EA3
AlternateDataStreams: C:\ProgramData\Temp:2707D83A
AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
AlternateDataStreams: C:\ProgramData\Temp:3153EA7B
AlternateDataStreams: C:\ProgramData\Temp:36AAD0E5
AlternateDataStreams: C:\ProgramData\Temp:36D38783
AlternateDataStreams: C:\ProgramData\Temp:3C18D47C
AlternateDataStreams: C:\ProgramData\Temp:41F95813
AlternateDataStreams: C:\ProgramData\Temp:4B6A9FDA
AlternateDataStreams: C:\ProgramData\Temp:4FA837B4
AlternateDataStreams: C:\ProgramData\Temp:629F8518
AlternateDataStreams: C:\ProgramData\Temp:693EF85C
AlternateDataStreams: C:\ProgramData\Temp:79EAEF54
AlternateDataStreams: C:\ProgramData\Temp:7FA0D639
AlternateDataStreams: C:\ProgramData\Temp:9A4D81ED
AlternateDataStreams: C:\ProgramData\Temp:9DA699C1
AlternateDataStreams: C:\ProgramData\Temp:A3F7C8F8
AlternateDataStreams: C:\ProgramData\Temp:B4DFBFB7
AlternateDataStreams: C:\ProgramData\Temp:B57B5F37
AlternateDataStreams: C:\ProgramData\Temp:B863466F
AlternateDataStreams: C:\ProgramData\Temp:C63BE5D0
AlternateDataStreams: C:\ProgramData\Temp:CA1F3AC3
AlternateDataStreams: C:\ProgramData\Temp:D3A82449
AlternateDataStreams: C:\ProgramData\Temp:DDA730F9
AlternateDataStreams: C:\ProgramData\Temp:E3C06B97

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 05:25 - 2013-08-22 05:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3817485168-1237566219-314415453-1002\Control Panel\Desktop\\Wallpaper -> C:\Users\Owner\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\backgrounddefault.jpg
HKU\S-1-5-21-3817485168-1237566219-314415453-500\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Windows\img0.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3817485168-1237566219-314415453-1002\...\StartupApproved\Run: => "CCleaner Monitoring"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [UDP Query User{CF467351-78B3-4B11-94E7-4E54D7643ED6}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [TCP Query User{B4AEAB86-91D9-4CB1-9098-145662389008}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Allow) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{083A5B23-B9BE-44BC-BF3C-53E3E13BC18D}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{755CCF9A-BA74-4CD6-8F3A-AAAFCFB51A56}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{4E3D3341-EA72-4A81-9944-BEC7A990687F}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C0F9E5E9-2A23-40E2-A922-FB48996D0400}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{828D7AF8-C985-4908-9735-8F15F94DEDF3}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{36AEB29C-2D98-4E5E-96A6-A891245F0391}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{A3D2BFA3-9BD9-474F-853C-E604963C89E5}] => (Allow) LPort=1900
FirewallRules: [{CBE3E77D-88FC-4F91-BF1E-610B4196FBA8}] => (Allow) LPort=2869
FirewallRules: [{AA213117-DCC7-4927-9E97-D8D1AC1D2E5A}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{24045D66-6AE0-4638-B7FA-1648E2209737}] => (Allow) C:\Users\Administrator\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [TCP Query User{AADDB36A-45C2-41E1-8701-B8E5E3E4DDD1}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [UDP Query User{67C8CD84-1817-4B01-AED1-27B9A39DC4A7}C:\program files (x86)\epson software\event manager\eeventmanager.exe] => (Block) C:\program files (x86)\epson software\event manager\eeventmanager.exe
FirewallRules: [{F656FB4D-DA1F-433A-B5DE-AC1B042DD752}] => (Allow) C:\Program Files (x86)\Business Logic Corporation\WinCleaner OneClick Pro\WCClean.exe
FirewallRules: [{7692616D-631F-4973-AC41-FEC7C9C3E2E0}] => (Allow) C:\Program Files (x86)\Business Logic Corporation\WinCleaner OneClick Pro\WCClean.exe
FirewallRules: [{7561C2A0-F2AB-4CB0-8D13-0C4CD83977DF}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A311ECE4-9C52-4FDB-A289-D0C19DB59364}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{FD148326-F00A-4128-A576-2B7230F325B2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{24AC33AD-8D0E-4087-A51F-16FE515D93D3}] => (Allow) C:\Program Files (x86)\AVG\Av\avgmfapx.exe
FirewallRules: [{AE2E2473-0722-428E-80A9-B0CE34377AA2}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{8CFFFB6A-CA9D-4325-9F45-150FFA1A6E9E}] => (Allow) C:\Program Files (x86)\AVG\Av\avgnsa.exe
FirewallRules: [{9CF45C54-CC9E-4161-B326-85EBA75263A1}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{D9EDA193-B958-4AED-A7D9-51625D004435}] => (Allow) C:\Program Files (x86)\AVG\Av\avgdiagex.exe
FirewallRules: [{22BD7768-EB2B-4978-843B-29A1CB216F93}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe
FirewallRules: [{003F1E83-5BC9-4538-9E85-08C1C814A07D}] => (Allow) C:\Program Files (x86)\AVG\Av\avgemca.exe

==================== Restore Points =========================

20-01-2016 16:28:42 Windows Update
01-02-2016 17:29:29 Removed Microsoft Office
05-02-2016 00:21:34 Removed Bosch Scanning Suite.
09-02-2016 23:12:31 Windows Update
12-02-2016 15:02:07 Installed HP Support Solutions Framework

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/12/2016 03:04:27 PM) (Source: MsiInstaller) (EventID: 11723) (User: LOUIEROSE)
Description: Product: HP Support Solutions Framework -- Error 1723. There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor.  Action GatherReportMetrics, entry: GatherReportMetrics, library: C:\WINDOWS\Installer\MSI97E6.tmp

Error: (02/11/2016 04:34:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ftm.exe, version: 21.0.0.723, time stamp: 0x50b65783
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x143d1f3d
Faulting process id: 0x628
Faulting application start time: 0xftm.exe0
Faulting application path: ftm.exe1
Faulting module path: ftm.exe2
Report Id: ftm.exe3
Faulting package full name: ftm.exe4
Faulting package-relative application ID: ftm.exe5

Error: (02/11/2016 04:34:44 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: ftm.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.NullReferenceException
Stack:
   at FTM.Data.DB.DbScopeFilter.SetFilter(FTM.Data.DB.DdaTable)
   at FTM.Data.DB.DdaDatabaseManager.FindAll[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]](FTM.Data.DB.DdaDataFilter, FTM.Data.DB.IDbDataObject, System.Collections.Generic.IList`1<System.__Canon>)
   at FTM.Data.DB.DdaDatabaseManager.FTM.Data.DB.IFtmDatabase.GetRelationships(FTM.Data.DB.IDbPerson)
   at FTM.Data.DB.DbPerson.FTM.Data.DB.IDbPerson.get_Relationships()
   at FTM.Data.FtmPerson.MyFamily.Shared.Interfaces.IPerson.GetRelationship(MyFamily.Shared.Interfaces.RelationshipID)
   at FTM.Data.FtmPerson.MyFamily.Shared.Interfaces.IPerson.GetPreferredRelationship()
   at FTM.Data.FtmPerson.MyFamily.Shared.Interfaces.IPerson.get_Spouse()
   at FTM.People.Collection.PeopleCollectionListViewPresenter.BuildToolTip(Int32)
   at FTM.People.Collection.PeopleCollectionListView.ᙗ(System.Object, System.Windows.Forms.RetrieveVirtualItemEventArgs)
   at System.Windows.Forms.ListView.OnRetrieveVirtualItem(System.Windows.Forms.RetrieveVirtualItemEventArgs)
   at FTM.UI.Common.PersonListView.OnRetrieveVirtualItem(System.Windows.Forms.RetrieveVirtualItemEventArgs)
   at System.Windows.Forms.ListView.WmReflectNotify(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.ListView.WndProc(System.Windows.Forms.Message ByRef)
   at FTM.Shared.Controls.ThemedListView.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.SendMessage(System.Runtime.InteropServices.HandleRef, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.Control.SendMessage(Int32, IntPtr, IntPtr)
   at System.Windows.Forms.Control.ReflectMessageInternal(IntPtr, System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control.WmNotify(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.ScrollableControl.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.CallWindowProc(IntPtr, IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.NativeWindow.DefWndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control.DefWndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.ListView.WndProc(System.Windows.Forms.Message ByRef)
   at FTM.Shared.Controls.ThemedListView.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
   at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application.RunDialog(System.Windows.Forms.Form)
   at System.Windows.Forms.Form.ShowDialog(System.Windows.Forms.IWin32Window)
   at System.Windows.Forms.Form.ShowDialog()
   at FTM.UI.PlanModule.BackupFileWorker.DoBackup()
   at FTM.UI.PlanModule.BackupFileWorker.Run(FTM.Data.DB.IFtmDatabase, FTM.Shared.Services.ISyncService, System.String, System.String, Boolean, Boolean, Boolean, Boolean)
   at FTM.UI.PlanModule.BackupFilePresenter.BackupFile()
   at FTM.UI.PlanModule.BackupFileView.btnOK_Click(System.Object, System.EventArgs)
   at System.Windows.Forms.Control.OnClick(System.EventArgs)
   at System.Windows.Forms.Button.OnClick(System.EventArgs)
   at System.Windows.Forms.Button.OnMouseUp(System.Windows.Forms.MouseEventArgs)
   at System.Windows.Forms.Control.WmMouseUp(System.Windows.Forms.Message ByRef, System.Windows.Forms.MouseButtons, Int32)
   at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.ButtonBase.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Button.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
   at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application.RunDialog(System.Windows.Forms.Form)
   at System.Windows.Forms.Form.ShowDialog(System.Windows.Forms.IWin32Window)
   at Microsoft.Practices.CompositeUI.WinForms.WindowWorkspace.ShowForm(System.Windows.Forms.Form, Microsoft.Practices.CompositeUI.WinForms.WindowSmartPartInfo)
   at Microsoft.Practices.CompositeUI.WinForms.WindowWorkspace.OnShow(System.Windows.Forms.Control, Microsoft.Practices.CompositeUI.WinForms.WindowSmartPartInfo)
   at Microsoft.Practices.SmartClient.Library.Workspaces.WindowWorkspace.OnShow(System.Windows.Forms.Control, Microsoft.Practices.CompositeUI.WinForms.WindowSmartPartInfo)
   at Microsoft.Practices.CompositeUI.SmartParts.Workspace`2[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Show(System.Object, Microsoft.Practices.CompositeUI.SmartParts.ISmartPartInfo)
   at Microsoft.Practices.CompositeUI.SmartParts.Workspace`2[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Show(System.Object)
   at FTM.UI.PlanModule.BackupFileController.Run()
   at Microsoft.Practices.SmartClient.Library.ControlledWorkItem`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].OnRunStarted()
   at FTM.UI.PlanModule.ModuleController.LaunchBackupDialog(System.Object, System.EventArgs)
   at Microsoft.Practices.CompositeUI.Commands.Command.OnExecuteAction(System.Object, System.EventArgs)
   at Microsoft.Practices.CompositeUI.Commands.CommandAdapter.FireCommand()
   at Microsoft.Practices.CompositeUI.Commands.EventCommandAdapter`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].InvokerEventHandler(System.Object, System.EventArgs)
   at System.Windows.Forms.ToolStripItem.RaiseEvent(System.Object, System.EventArgs)
   at System.Windows.Forms.ToolStripMenuItem.OnClick(System.EventArgs)
   at System.Windows.Forms.ToolStripItem.HandleClick(System.EventArgs)
   at System.Windows.Forms.ToolStripItem.HandleMouseUp(System.Windows.Forms.MouseEventArgs)
   at System.Windows.Forms.ToolStripItem.FireEventInteractive(System.EventArgs, System.Windows.Forms.ToolStripItemEventType)
   at System.Windows.Forms.ToolStripItem.FireEvent(System.EventArgs, System.Windows.Forms.ToolStripItemEventType)
   at System.Windows.Forms.ToolStrip.OnMouseUp(System.Windows.Forms.MouseEventArgs)
   at System.Windows.Forms.ToolStripDropDown.OnMouseUp(System.Windows.Forms.MouseEventArgs)
   at System.Windows.Forms.Control.WmMouseUp(System.Windows.Forms.Message ByRef, System.Windows.Forms.MouseButtons, Int32)
   at System.Windows.Forms.Control.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.ScrollableControl.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.ToolStrip.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.ToolStripDropDown.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.OnMessage(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.Control+ControlNativeWindow.WndProc(System.Windows.Forms.Message ByRef)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr, Int32, IntPtr, IntPtr)
   at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG ByRef)
   at System.Windows.Forms.Application+ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(IntPtr, Int32, Int32)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoopInner(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application+ThreadContext.RunMessageLoop(Int32, System.Windows.Forms.ApplicationContext)
   at System.Windows.Forms.Application.Run(System.Windows.Forms.Form)
   at Microsoft.Practices.CompositeUI.WinForms.FormShellApplication`2[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Start()
   at FTM.FTMApplication.Start()
   at Microsoft.Practices.CompositeUI.CabApplication`1[[System.__Canon, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]].Run()
   at FTM.FTMApplication.ᙄ(System.String[])

Error: (02/11/2016 04:34:44 PM) (Source: Family Tree Maker) (EventID: 100) (User: )
Description: Timestamp: 2/12/2016 12:34:44 AM
Message: HandlingInstanceID: 273bb2c7-5056-4caf-93ff-27479ae887c5
An exception of type 'System.NullReferenceException' occurred and was caught.
-----------------------------------------------------------------------------
02/11/2016 16:34:43
Type : System.NullReferenceException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
Message : Object reference not set to an instance of an object.
Source : FTM.Data.DB
Help link :
Data : System.Collections.ListDictionaryInternal
TargetSite : Void SetFilter(FTM.Data.DB.DdaTable)
HResult : -2147467261
Stack Trace :    at FTM.Data.DB.DbScopeFilter.SetFilter(DdaTable tbl)
   at FTM.Data.DB.DdaDatabaseManager.FindAll[T](DdaDataFilter filter, IDbDataObject obj, IList`1 objects)
   at FTM.Data.DB.DdaDatabaseManager.FTM.Data.DB.IFtmDatabase.GetRelationships(IDbPerson person)
   at FTM.Data.DB.DbPerson.FTM.Data.DB.IDbPerson.get_Relationships()
   at FTM.Data.FtmPerson.MyFamily.Shared.Interfaces.IPerson.GetRelationship(RelationshipID id)
   at FTM.Data.FtmPerson.MyFamily.Shared.Interfaces.IPerson.GetPreferredRelationship()
   at FTM.Data.FtmPerson.MyFamily.Shared.Interfaces.IPerson.get_Spouse()
   at FTM.People.Collection.PeopleCollectionListViewPresenter.BuildToolTip(Int32 index)
   at FTM.People.Collection.PeopleCollectionListView.ᙗ(Object ᙂ, RetrieveVirtualItemEventArgs )
   at System.Windows.Forms.ListView.OnRetrieveVirtualItem(RetrieveVirtualItemEventArgs e)
   at FTM.UI.Common.PersonListView.OnRetrieveVirtualItem(RetrieveVirtualItemEventArgs args)
   at System.Windows.Forms.ListView.WmReflectNotify(Message& m)
   at System.Windows.Forms.ListView.WndProc(Message& m)
   at FTM.Shared.Controls.ThemedListView.WndProc(Message& message)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   at System.Windows.Forms.UnsafeNativeMethods.SendMessage(HandleRef hWnd, Int32 msg, IntPtr wParam, IntPtr lParam)
   at System.Windows.Forms.Control.SendMessage(Int32 msg, IntPtr wparam, IntPtr lparam)
   at System.Windows.Forms.Control.ReflectMessageInternal(IntPtr hWnd, Message& m)
   at System.Windows.Forms.Control.WmNotify(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
   at System.Windows.Forms.UnsafeNativeMethods.CallWindowProc(IntPtr wndProc, IntPtr hWnd, Int32 msg, IntPtr wParam, IntPtr lParam)
   at System.Windows.Forms.NativeWindow.DefWndProc(Message& m)
   at System.Windows.Forms.Control.DefWndProc(Message& m)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ListView.WndProc(Message& m)
   at FTM.Shared.Controls.ThemedListView.WndProc(Message& message)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

Additional Info:

MachineName : LOUIEROSE
TimeStamp : 2/12/2016 12:34:43 AM
FullName : Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=2.0.0.0, Culture=neutral, PublicKeyToken=69cf5367912b86b4
AppDomainName : ftm.exe
ThreadIdentity : LOUIEROSE\Administrator
WindowsIdentity : LOUIEROSE\Administrator

Category: Exception
Priority: 0
EventId: 100
Severity: Error
Title:FTM Exception Handling
Machine: LOUIEROSE
Application Domain: ftm.exe
Process Id: 1576
Process Name: C:\Program Files (x86)\Family Tree Maker 2012\ftm.exe
Win32 Thread Id: 2420
Thread Name:
Extended Properties:

Error: (02/11/2016 04:01:25 PM) (Source: MsiInstaller) (EventID: 11311) (User: LOUIEROSE)
Description: Product: Microsoft Primary Interoperability Assemblies 2005 -- Error 1311.Source file not found(cabinet): C:\Users\ADMINI~1\AppData\Local\Temp\mia1\VS_20051.cab.  Verify that the file exists and that you can access it.

Error: (02/10/2016 09:11:15 PM) (Source: MsiInstaller) (EventID: 11723) (User: LOUIEROSE)
Description: Product: HP Support Solutions Framework -- Error 1723. There is a problem with this Windows Installer package. A DLL required for this install to complete could not be run. Contact your support personnel or package vendor.  Action GatherReportMetrics, entry: GatherReportMetrics, library: C:\WINDOWS\Installer\MSIEC54.tmp

Error: (02/10/2016 08:38:47 PM) (Source: MsiInstaller) (EventID: 1013) (User: LOUIEROSE)
Description: Product: HP Support Solutions Framework -- HP Support Assistant is currently running.  Please wait for it to finish before trying to install the Support Solutions Framework.

Error: (02/10/2016 07:54:10 PM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: LOUIEROSE)
Description: Activation of app FileManager_cw5n1h2txyewy:Microsoft.Windows.PhotoManager failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (02/10/2016 09:01:38 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1843094

Error: (02/10/2016 09:01:38 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1843094


System errors:
=============
Error: (02/14/2016 04:04:22 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Superfetch service terminated with the following error:
%%1062

Error: (02/14/2016 04:04:09 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Group Policy Client service failed to start due to the following error:
%%1053

Error: (02/14/2016 03:59:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Group Policy Client service failed to start due to the following error:
%%1053

Error: (02/14/2016 03:59:00 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Group Policy Client service failed to start due to the following error:
%%1053

Error: (02/14/2016 03:58:59 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Group Policy Client service failed to start due to the following error:
%%1053

Error: (02/14/2016 03:53:59 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Group Policy Client service failed to start due to the following error:
%%1053

Error: (02/14/2016 03:47:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Group Policy Client service failed to start due to the following error:
%%1053

Error: (02/14/2016 03:47:50 PM) (Source: Service Control Manager) (EventID: 7046) (User: )
Description: The following service has repeatedly stopped responding to service control requests: Server

Contact the service vendor or the system administrator about whether to disable this service until the problem is identified.

You may have to restart the computer in safe mode before you can disable the service.

Error: (02/14/2016 03:47:20 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.

Error: (02/14/2016 03:46:50 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.


CodeIntegrity:
===================================
  Date: 2016-02-14 16:24:11.938
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 16:24:10.843
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 16:14:48.719
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 16:14:47.432
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 16:06:23.076
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\AVG\Framework\1\avgnetclix.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 16:06:21.482
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\AVG\Framework\1\avgnetclix.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 16:06:18.826
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\AVG\Framework\Common\avgfmwbasex.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 15:53:21.682
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\AVG\Framework\1\avgnetclix.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 15:53:20.096
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\AVG\Framework\1\avgnetclix.dll that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2016-02-14 15:53:18.317
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\AVG\Av\avgidsagent.exe) attempted to load \Device\HarddiskVolume4\Program Files (x86)\AVG\Framework\Common\avgfmwbasex.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: AMD E-300 APU with Radeon™ HD Graphics
Percentage of memory in use: 36%
Total physical RAM: 3682.26 MB
Available physical RAM: 2355 MB
Total Virtual: 4322.26 MB
Available Virtual: 2876.06 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:274.92 GB) (Free:224.69 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (RECOVERY) (Fixed) (Total:21.96 GB) (Free:2.23 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (FileHisBckp) (Removable) (Total:59.48 GB) (Free:59.09 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 1E1F4777)

Partition: GPT.

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 59.5 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================

 

# AdwCleaner v5.033 - Logfile created 14/02/2016 at 16:16:08
# Updated 07/02/2016 by Xplode
# Database : 2016-02-07.2 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Administrator - LOUIEROSE
# Running from : C:\Users\Administrator\Desktop\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

Folder Found : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Found : C:\ProgramData\AVG Secure Search
Folder Found : C:\ProgramData\Avg_Update_1015tb
Folder Found : C:\Users\Administrator\AppData\Local\PackageAware

***** [ Files ] *****


***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
Key Found : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Found : HKCU\Software\APN PIP
Key Found : HKU\S-1-5-21-3817485168-1237566219-314415453-500\Software\APN PIP
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [ Web browsers ] *****


########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [2322 bytes] ##########
 



#7 RayS

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Location:USA

Posted 16 February 2016 - 02:02 PM

Hi novice3,

Thank you for the logs.

Please read this whole message before you implement the instructions. I'd like you to see the sequence of operations and our goals before you begin.


Let's back up your registry

  • Type system protection at the Start screen.
  • Click Settings then click Create a restore point.
  • Type a descriptive name for the restore point.
  • Click Create.
  • A progress bar labeled Creating a restore point… will change to The restore point was created successfully.
  • Click Close.



Re-run the AdwCleaner scan then run the Clean function

All of the entries in the supplied AdwCleaner log appear safe to remove. Please re-launch AdwCleaner.exe and click Scan as in my Post #5. Remove the checkmark from any entry you want to retain (if any). Then click the Clean button. Include the AdwCleaner log in your next reply.


Download and check a fresh copy of the HP drivers

I scanned the hpsupportsolutionsframework-12.0.30.473.exe file locally on my PC. Then I submitted it for analysis at VirusTotal. In both cases, analysis did not detect any malware. See the report at VirusTotal. It shows zero infections out of 54 scans. The SHA256 hash value for the file is:

   39d893eae536b0412551cf2d00fad185c038327a239bbb7b649937263842b488

Please download the file from HP again and compute the SHA256 hash checksum on your new copy.

You can use the free service at Online-Convert.com to generate the SHA256 checksum. Use the Browse button in the "Upload and generate a SHA-256 checksum of a file:" section to navigate to the file on your local PC. Then click the Convert file button. After a brief time for uploading and calculating, you should see the following display:

hex: 39d893eae536b0412551cf2d00fad185c038327a239bbb7b649937263842b488
HEX: 39D893EAE536B0412551CF2D00FAD185C038327A239BBB7B649937263842B488
h:e:x: 39:d8:93:ea:e5:36:b0:41:25:51:cf:2d:00:fa:d1:85:c0:38:32:7a:23:9b:bb:7b:64:99:37:26:38:42:b4:88
base64: OdiT6uU2sEElUc8tAPrRhcA4Mnojm7t7ZJk3JjhCtIg=


If the SHA256 checksum (top line) is not exactly the same as 39d893eae536b0412551cf2d00fad185c038327a239bbb7b649937263842b488, stop right there and let me know of any circumstances or symptoms that indicate faulty downloading of the HP drivers. Include verbatim copies of error messages if any. If the checksums match, then continue with the steps below.


Install the HP drivers

Now, temporarily disable AVG antivirus protection and execute the driver file. With AVG antivirus protection still disabled, scan your system with Malwarebytes Anti-Malware (MBAM) and ESET in that order. Except for downloading MBAM and ESET, limit online use of your computer while protection is suspended.


Scan with Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system"
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button
  • The THREAT SCAN will automatically begin.
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)

  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)

  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd


Run the ESET online scan

ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using another browser, please stop here and let me know!
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Click this link to open ESET OnlineScan.
  • Place a checkmark next to "Yes, I accept the Terms of Use", then click the green Start button.
  • When prompted allow the Add-On/Active X to install.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else)
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Then click the Start button and ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.



Re-enable your AVG antivirus when finished!


In your next reply...

  • Confirm successful creation of the restore point.
  • Copy and paste the entire AdwCleaner log into the body of your message.
  • Tell me whether the SHA256 checksums match. If they don't match, describe the circumstances of the download of the drivers.
  • Copy and paste the entire MBAM log into the body of your message.
  • Copy and paste the entire ESET log into the body of your message.
  • Confirm that you have re-enabled AVG antivirus.


How is your PC running now?

RayS


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.
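Worked example of the checksum comparison RayS describes in the post above, added here by the editor; it is not part of RayS's post and not code from HP, AVG or Online-Convert. It takes the SHA256 digest published in the post, reproduces the four encodings the Online-Convert display lists (hex, HEX, h:e:x, base64) to show that they are one digest in four spellings rather than four independent checks, and verifies a local file against the published value without uploading the file anywhere. The function names and the stand-in "installer" bytes are constructed for the example.

```python
"""Verify a downloaded installer against a published SHA256 digest.

Added example (editor's code, not from the thread or from any tool it
names). Reproduces the four digest encodings shown in the post and
compares a local file's SHA256 with the published value.
"""
import base64
import hashlib
import hmac
import os
import tempfile

# Digest RayS published for hpsupportsolutionsframework-12.0.30.473.exe.
EXPECTED_SHA256 = "39d893eae536b0412551cf2d00fad185c038327a239bbb7b649937263842b488"


def digest_representations(hex_digest: str) -> dict:
    """Return one digest in the four encodings the Online-Convert display lists.

    All four encode the same 32 bytes, so comparing any one of them is
    sufficient; matching all four is not extra assurance.
    """
    raw = bytes.fromhex(hex_digest)
    return {
        "hex": raw.hex(),
        "HEX": raw.hex().upper(),
        "h:e:x": ":".join(f"{b:02x}" for b in raw),
        "base64": base64.b64encode(raw).decode("ascii"),
    }


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file's SHA256 equals the published digest.

    Hex digits are case-insensitive, so both sides are lower-cased before a
    constant-time comparison. A truncated or altered download yields a
    completely different digest, which is exactly the "stop right there"
    condition in the post.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo() -> tuple:
    """Constructed demonstration: a fake installer checked against its own
    digest (passes) and against a digest differing in one character (fails)."""
    payload = b"MZ" + b"constructed stand-in for an installer, not a real binary\n" * 100
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.exe")
        with open(path, "wb") as f:
            f.write(payload)
        good = sha256_of_file(path)
        # Flip the first hex character to simulate a mismatching published digest.
        bad = ("0" if good[0] != "0" else "1") + good[1:]
        return verify_download(path, good), verify_download(path, bad)


if __name__ == "__main__":
    for name, value in digest_representations(EXPECTED_SHA256).items():
        print(f"{name}: {value}")
    print("demo (genuine, tampered):", demo())
```

On Windows the same local check is `Get-FileHash -Algorithm SHA256 <file>` in PowerShell or `certutil -hashfile <file> SHA256`, either of which avoids sending a freshly downloaded installer to a third-party website. A matching checksum only proves the local copy is byte-for-byte the file that VirusTotal analysed; it says nothing by itself about whether that file is safe, which is why the VirusTotal verdict and the publisher's Authenticode signature are checked separately.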


#8 novice3

  • Topic Starter
  • Members
  • 99 posts
  • Gender:Male

Posted 17 February 2016 - 02:43 AM

I created a restore point. I have two complete backups of the registry created February 2016 (using the Registry Editor built into Windows 8.1).

I exported the certificates attached to the installer (HP Support Framework installer) through file properties. I didn't know which type of export to use, so I chose PKCS #7 Certificates (.p7b). It is saved to the desktop.

The SHA256 matched for hex, HEX, h:e:x and base64 for the HP framework installer. AVG antivirus detected the installer as a trojan and I chose to click Ignore and complete the installation.

I re-enabled AVG antivirus.

Thank you for the detailed instructions and support. I think it might have been a false positive (HP framework installer).

 

# AdwCleaner v5.033 - Logfile created 16/02/2016 at 16:03:08
# Updated 07/02/2016 by Xplode
# Database : 2016-02-16.2 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Administrator - LOUIEROSE
# Running from : C:\Users\Administrator\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
[-] Folder Deleted : C:\ProgramData\AVG Secure Search
[-] Folder Deleted : C:\ProgramData\Avg_Update_1015tb
[-] Folder Deleted : C:\Users\Administrator\AppData\Local\PackageAware

***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key Deleted : HKCU\Software\APN PIP
[!] Key Not Deleted : HKU\S-1-5-21-3817485168-1237566219-314415453-500\Software\APN PIP
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2544 bytes] ##########
 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/16/2016
Scan Time: 5:02 PM
Logfile: mbam.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.16.07
Rootkit Database: v2016.02.08.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 438241
Time Elapsed: 1 hr, 4 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

ESET log follows:

C:\Users\All Users\{982A4E58-61DC-40A1-80D8-04D45DE9A86E}\setup.res    a variant of Win32/HiddenStart.A potentially unsafe application    
C:\ProgramData\{982A4E58-61DC-40A1-80D8-04D45DE9A86E}\setup.res    a variant of Win32/HiddenStart.A potentially unsafe application    deleted
 



#9 RayS

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Location:USA

Posted 18 February 2016 - 03:44 AM

Hi novice3,

I think it might have been a false positive (HP framework installer).

I concur.

 

 

Report false positive

Please report the false positive to AVG using the submission form at: http://www.avg.com/submit-sample.

Include the URL where you obtained the file as well as the detection report that AVG created. Also include a link to the VirusTotal report at:

https://www.virustotal.com/en/file/39d893eae536b0412551cf2d00fad185c038327a239bbb7b649937263842b488/analysis/

Tell AVG that the SHA256 checksum of your local copy agrees with the checksum reported on the VirusTotal site.


Ignore HP drivers in future scans by AVG

To prevent AVG from interfering with the new HP drivers, follow the step-by-step instructions at:

https://support.avg.com/SupportArticleView?l=en_US&urlName=How-to-exclude-file-folder-or-website-from-AVG-scanning

Do this for the hpsupportsolutionsframework-12.0.30.473.exe file and any other file from HP with the same date.


Optionally delete tools and reports

You can optionally delete FRST64.exe and AdwCleaner.exe and any associated logs. You may want to retain MBAM and ESET and re-run them periodically in future. If you do, be sure to allow them to use the virus definitions that are current when you run them.



It was a real pleasure working with you. Here's some food for thought.


Please consider doing the following in order to keep your PC secure and running well:

Install and update the following programs regularly:

An outbound firewall
If you are connected to the internet through a router, you are already behind a hardware firewall, and, as such, you do not need an extra software firewall. However, a comprehensive tutorial and a list of possible firewalls can be found here.

AntiVirus Software
It is imperative that you update your AntiVirus Software on regular basis. If you do not update your AntiVirus Software, then it will not be able to catch the latest threats.

Anti-Spyware program
Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
SUPERAntiSpyware is another good scanner with high detection and removal rates.
Both programs are free for non-commercial home use and they can remain resident without nagging you to purchase the paid versions.

Spyware Blaster
A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

MVPs hosts file
A tutorial for MVPs HOSTS file can be found here. If you would like automatic updates, you might want to take a look at HostMan host file manager. For more information on the HOSTS file, and what it can do for you, please consult the Tutorial on the HOSTS file.



Keep Windows (and your other Microsoft software) up to date!

I cannot overstress this point. Holes are often found in Internet Explorer or Windows itself. Sometimes, these holes will allow an attacker unrestricted access to your computer. Therefore, please visit the Microsoft Update Website, and follow the on-screen instructions to set up Windows Update. It may be necessary to REBOOT several times until there are no more updates to install.

Keep your other software up to date as well
Malware can attack the software from any manufacturer. You can use the Secunia Personal Software Inspector occasionally to help you keep your software up-to-date.

Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then malware will always be one step ahead. That's not a good thing!




Some final closing thoughts and information for your consideration:

Lawrence Abrams, founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

Simple and easy ways to keep your computer safe and secure on the Internet.

Here are some additional links you might find of interest:



Please reply to let us know we can close this topic.


Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.

Best regards,

RayS


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#10 novice3

  • Topic Starter
  • Members
  • 99 posts
  • Gender:Male

Posted 18 February 2016 - 05:30 AM

Thank you for assisting me with this false positive.

I submitted the false positive to AVG. I referenced the VirusTotal report, this BleepingComputer thread, uploaded the HP Support Framework installer dated February 12th 2016, and expressed that the SHA256 matched.

I ran into a BSOD. Text on screen (paraphrasing): Driver power failed. I have the DMP file. I do have a filtered list of Event Viewer warnings and errors, produced using PsLogList by Mark Russinovich.

I am confused as to how to remove HP products from AVG after clicking Protect me on the detection dialog box.


Resident Shield Results
"Threat Name"    "Status"    "Detection Time"    "Object Type"    "Process"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSIFBF5.tmp"    "Unresolved"    "2/16/2016, 4:44:39 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSI42FF.tmp"    "Unresolved"    "2/16/2016, 4:43:52 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSIEFDC.tmp"    "Secured"    "2/16/2016, 4:15:07 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSI97E6.tmp"    "Secured"    "2/12/2016, 3:03:39 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIEC54.tmp"    "Secured"    "2/10/2016, 9:06:53 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSI75B3.tmp"    "Unresolved"    "2/10/2016, 8:27:36 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIA7BE.tmp"    "Unresolved"    "2/10/2016, 8:26:43 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSI3B3C.tmp"    "Secured"    "2/10/2016, 8:24:05 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIAE7.tmp"    "Secured"    "2/10/2016, 8:18:25 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-ITFND.tmp\OCSetupHlp.dll"    "Added to exceptions"    "2/5/2016, 1:13:07 AM"    "File or Directory"    "c:\Users\ADMINI~1\AppData\Local\Temp\is-OPM2V.tmp\burnaware_free.tmp"
"Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-JPRA4.tmp\OCSetupHlp.dll"    "Secured"    "2/4/2016, 10:48:45 PM"    "File or Directory"    "c:\Users\ADMINI~1\AppData\Local\Temp\is-L61IG.tmp\burnaware_free.tmp"
"Found MalSign.Generic.885, c:\Users\Administrator\Downloads\SetupImgBurn_2.5.8.0.exe"    "Secured"    "2/4/2016, 8:32:17 PM"    "File or Directory"    "c:\Windows\System32\SearchProtocolHost.exe"
"Found MalSign.OpenCandy.BD0, c:\Users\Administrator\AppData\Local\Temp\is-GM4IR.tmp\OCSetupHlp.dll"    "Secured"    "2/4/2016, 4:39:23 PM"    "File or Directory"    "c:\Users\ADMINI~1\AppData\Local\Temp\is-SDAFV.tmp\cdbxp_setup_4.5.6.5931.tmp"
"Found MalSign.Generic.879, f:\MSFT Windows OS\Software - free\Bloatware remover\pc-decrapifier-3.0.0-68748154.exe"    "Secured"    "12/5/2015, 12:08:25 PM"    "File or Directory"    "c:\Windows\explorer.exe"
"Adware ProInstall.A, c:\Users\Guest\Desktop\masteamdemo-63031076.exe"    "Secured"    "10/22/2015, 5:39:18 PM"    "File or Directory"    "c:\Windows\explorer.exe"
"Found MalSign.Generic.95A, c:\Users\Guest\Desktop\multiplyroi_age-of-empires.exe"    "Secured"    "10/22/2015, 5:28:09 PM"    "File or Directory"    "c:\Windows\explorer.exe"
 


Edited by novice3, 18 February 2016 - 05:33 AM.


#11 novice3

  • Topic Starter
  • Members
  • 99 posts
  • Gender:Male

Posted 18 February 2016 - 05:37 AM

Some event viewer warnings and errors:

System log on \\LOUIEROSE:
[24140] Microsoft-Windows-Kernel-PnP
   Type:     WARNING
   Computer: LouieRose
   Time:     2/17/2016 11:38:10 PM   ID:       219
   User:     NT AUTHORITY\SYSTEM
The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_PCISTOR#Disk&Ven_REALSIL&Prod_RTS5208LUN0&Rev_1.00#0000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
[24137] DCOM
   Type:     ERROR
   Computer: LouieRose
   Time:     2/17/2016 11:38:01 PM   ID:       10010
   User:     NT AUTHORITY\SYSTEM
Message text not available.  Insertion strings:
    {DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}  

[24135] BugCheck
   Type:     ERROR
   Computer: LouieRose
   Time:     2/17/2016 11:36:09 PM   ID:       1001
Message text not available.  Insertion strings:
    0x0000009f (0x0000000000000004, 0x000000000000012c, 0xffffe001318f1880, 0xfffff803d749dac0) C:\WINDOWS\MEMORY.DMP 021716-69625-01  

[24103] Microsoft-Windows-DNS-Client
   Type:     WARNING
   Computer: LouieRose
   Time:     2/17/2016 11:11:44 PM   ID:       1014
   User:     NT AUTHORITY\NETWORK SERVICE
Name resolution for the name support.hp.com timed out after none of the configured DNS servers responded.
[24101] DCOM
   Type:     ERROR
   Computer: LouieRose
   Time:     2/17/2016 10:59:08 PM   ID:       10010
   User:     LOUIEROSE\Administrator
Message text not available.  Insertion strings:
    {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}  

[24089] Microsoft-Windows-Ntfs
   Type:     WARNING
   Computer: LouieRose
   Time:     2/17/2016 8:45:24 PM   ID:       140
   User:     NT AUTHORITY\SYSTEM
Message text not available.  Insertion strings:
    F: \Device\HarddiskVolume7 0xc000000e  

[24053] Virtual Disk Service
   Type:     ERROR
   Computer: LouieRose
   Time:     2/17/2016 10:03:50 AM   ID:       9
Unexpected provider failure. Restarting the service may fix the problem. Error code: 8007001F@02000014
[24036] Microsoft-Windows-Kernel-PnP
   Type:     WARNING
   Computer: LouieRose
   Time:     2/16/2016 11:53:00 PM   ID:       219
   User:     NT AUTHORITY\SYSTEM
The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_PCISTOR#Disk&Ven_REALSIL&Prod_RTS5208LUN0&Rev_1.00#0000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
[23998] Virtual Disk Service
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 11:13:25 PM   ID:       9
Unexpected provider failure. Restarting the service may fix the problem. Error code: 8007001F@02000014
[23988] Service Control Manager
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 6:47:33 PM   ID:       7000
The eapihdrv service failed to start due to the following error: %%1275
[23987] Application Popup
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 6:47:33 PM   ID:       1060
Message text not available.  Insertion strings:
     \??\C:\Users\ADMINI~1\AppData\Local\Temp\ehdrv.sys  

[23984] Service Control Manager
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 6:47:32 PM   ID:       7000
The eapihdrv service failed to start due to the following error: %%1275
[23983] Application Popup
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 6:47:32 PM   ID:       1060
Message text not available.  Insertion strings:
     \??\C:\Users\ADMINI~1\AppData\Local\Temp\ehdrv.sys  

[23980] Service Control Manager
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 6:47:32 PM   ID:       7000
The eapihdrv service failed to start due to the following error: %%1275
[23979] Application Popup
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 6:47:32 PM   ID:       1060
Message text not available.  Insertion strings:
     \??\C:\Users\ADMINI~1\AppData\Local\Temp\ehdrv.sys  

[23947] Microsoft-Windows-Kernel-PnP
   Type:     WARNING
   Computer: LouieRose
   Time:     2/16/2016 4:06:43 PM   ID:       219
   User:     NT AUTHORITY\SYSTEM
The driver \Driver\WudfRd failed to load for the device SWD\WPDBUSENUM\_??_PCISTOR#Disk&Ven_REALSIL&Prod_RTS5208LUN0&Rev_1.00#0000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
[23914] Service Control Manager
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 4:03:33 PM   ID:       7032
The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: %%1056
[23913] Service Control Manager
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 4:03:04 PM   ID:       7034
The HP Software Framework Service service terminated unexpectedly.  It has done this 1 time(s).
[23912] Service Control Manager
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 4:03:04 PM   ID:       7034
The HP Support Solutions Framework Service service terminated unexpectedly.  It has done this 1 time(s).
[23909] Service Control Manager
   Type:     ERROR
   Computer: LouieRose
   Time:     2/16/2016 4:03:03 PM   ID:       7031
The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
 



#12 RayS

  • Malware Response Team
  • 2,441 posts
  • Gender:Male
  • Location:USA

Posted 19 February 2016 - 08:35 PM

Hi novice3,

Thank you for submitting the FP to AVG.

I ran into a BSOD. Text on screen (paraphrasing): Driver power failed. I have the DMP file. I do have a filtered list of Event Viewer warnings and errors, produced using PsLogList by Mark Russinovich.

Please confirm that you are currently able to boot normally into your PC. If not, please explain how you were able to obtain the Resident Shield report and the Event logs.

I am confused as to how to remove HP products from AVG after clicking Protect me on the detection dialog box.

The Blue Screen of Death was caused when AVG quarantined the HP drivers. To prevent that, I asked you to follow the step-by-step instructions at Exclude file, folder or website from AVG scanning.

To help you decide which files and folders to exclude, create another copy of the Resident Shield log. Copy and paste the entire contents of that log into your next reply. Let's also export the names of all entries in your Virus Vault.

  • On the AVG Antivirus Free main screen, click Options > Virus Vault.
  • Click the Program menu option.
  • Select Export List to File.
  • Change the Save As Type selection to Formatted text (space delimited) (*.PRN, *.TXT).
  • Enter a file name like RAS_AVG_Vault.txt.
  • Select the Desktop and then click Save.
  • Copy and paste the contents of RAS_AVG_Vault.txt into your next reply.

 

 

In your next reply...

  • Tell me whether the BSOD happened only once? What is the current state of your PC?
  • Copy and paste the latest Resident Shield log into the body of your message.
  • Copy and paste the contents of RAS_AVG_Vault.txt into the body of your message.

Thank you.

RayS


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.


#13 novice3

novice3
  • Topic Starter

  • Members
  • 99 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:30 AM

Posted 19 February 2016 - 09:28 PM

The HP 2000 notebook rebooted to Windows 8.1 login screen, after creating a dump file.  After logging into Windows 8.1 , I made a copy of the dump file in the documents directory/library and then I proceeded to use command prompt to create a text file with Event viewer warnings/errors. 

 

Yes, I am able to boot into Windows 8.1 normally. 

 

AVG free antivirus doesn't have the program option or export option in the Virus Vault window.  I right clicked AVG tray icon, clicked Open AVG, clicked options, clicked Virus Vault.  There is no export/program button.

 

Thank you for any help or support.

 

Resident shield report:

 

Resident Shield Results
"Threat Name"    "Status"    "Detection Time"    "Object Type"    "Process"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSI3B3C.tmp"    "Secured"    "2/10/2016, 8:24:05 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSI42FF.tmp"    "Unresolved"    "2/16/2016, 4:43:52 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSIEFDC.tmp"    "Secured"    "2/16/2016, 4:15:07 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSI97E6.tmp"    "Secured"    "2/12/2016, 3:03:39 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIEC54.tmp"    "Secured"    "2/10/2016, 9:06:53 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSI75B3.tmp"    "Unresolved"    "2/10/2016, 8:27:36 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIA7BE.tmp"    "Unresolved"    "2/10/2016, 8:26:43 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\Windows\Installer\MSIAE7.tmp"    "Secured"    "2/10/2016, 8:18:25 AM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Trojan horse Crypt_c.APWH, c:\WINDOWS\Installer\MSIFBF5.tmp"    "Unresolved"    "2/16/2016, 4:44:39 PM"    "File or Directory"    "c:\Windows\SysWOW64\msiexec.exe"
"Found MalSign.OpenCandy.BD0, c:\Users\Administrator\AppData\Local\Temp\is-GM4IR.tmp\OCSetupHlp.dll"    "Secured"    "2/4/2016, 4:39:23 PM"    "File or Directory"    "c:\Users\ADMINI~1\AppData\Local\Temp\is-SDAFV.tmp\cdbxp_setup_4.5.6.5931.tmp"
"Found MalSign.Generic.95A, c:\Users\Guest\Desktop\multiplyroi_age-of-empires.exe"    "Secured"    "10/22/2015, 5:28:09 PM"    "File or Directory"    "c:\Windows\explorer.exe"
"Found MalSign.Generic.885, c:\Users\Administrator\Downloads\SetupImgBurn_2.5.8.0.exe"    "Secured"    "2/4/2016, 8:32:17 PM"    "File or Directory"    "c:\Windows\System32\SearchProtocolHost.exe"
"Found MalSign.Generic.879, f:\MSFT Windows OS\Software - free\Bloatware remover\pc-decrapifier-3.0.0-68748154.exe"    "Secured"    "12/5/2015, 12:08:25 PM"    "File or Directory"    "c:\Windows\explorer.exe"
"Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-JPRA4.tmp\OCSetupHlp.dll"    "Secured"    "2/4/2016, 10:48:45 PM"    "File or Directory"    "c:\Users\ADMINI~1\AppData\Local\Temp\is-L61IG.tmp\burnaware_free.tmp"
"Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-ITFND.tmp\OCSetupHlp.dll"    "Added to exceptions"    "2/5/2016, 1:13:07 AM"    "File or Directory"    "c:\Users\ADMINI~1\AppData\Local\Temp\is-OPM2V.tmp\burnaware_free.tmp"
"Adware ProInstall.A, c:\Users\Guest\Desktop\masteamdemo-63031076.exe"    "Secured"    "10/22/2015, 5:39:18 PM"    "File or Directory"    "c:\Windows\explorer.exe"
 


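The step novice3 describes above (dumping the Event Viewer warnings and errors to a text file from the command prompt) can be done with Windows' own tooling instead of PsLogList. The following is an added example, not something posted in the thread; the time window is an assumption taken from the 2/16/2016 4:03 PM to 4:06 PM events shown earlier, and the output path on the Desktop is arbitrary.

```powershell
# Added example (not from the thread): pull Critical/Error/Warning events from the
# System log around the crash, the same filter novice3 applied with PsLogList.
# Window is an assumption based on the 2/16/2016 4:03-4:06 PM events posted above.
$start = Get-Date '2016-02-16 15:50:00'
$end   = Get-Date '2016-02-16 16:15:00'

# Level 1 = Critical, 2 = Error, 3 = Warning
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2, 3
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# First line of each message is enough to see what died and when.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap |
    Out-File "$env:USERPROFILE\Desktop\system-events.txt"

# IDs worth isolating for a BSOD: 41 (Kernel-Power, unclean reboot), 1001 (BugCheck,
# names the .dmp), 7031/7034 (services that died just before), 219 (driver load failure).
$events |
    Where-Object { $_.Id -in 41, 1001, 7031, 7034, 219 } |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; the System log is readable by standard users, but the BugCheck 1001 entry is the quickest way to confirm which dump file in C:\Windows\Minidump belongs to this crash.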

#14 RayS

RayS

  • Malware Response Team
  • 2,441 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:30 AM

Posted 20 February 2016 - 03:24 AM

Hi novice3,

Thank you for the Resident Shield report and the confirmation about being able to boot into Windows normally. How many times did you get the BSOD since February 18th?

 

 
I right clicked AVG tray icon, clicked Open AVG, clicked options, clicked Virus Vault. There is no export/program button.

If you can't export the list of files and folders from the Virus Vault, copy the name of any file or folder that appears to be related to hpsupportsolutionsframework-12.0.30.473.exe. They should all begin with the letters "HP". If the date of detection is listed, copy all entries dated February 18th or later. I will want to see this list, and you will use it again in my instructions below in the Create a whitelist within AVG section.

Re-install the HP drivers

Please refer to my Post #7. There you will see detailed instructions to:

  • Temporarily disable AVG.
  • Execute the driver file hpsupportsolutionsframework-12.0.30.473.exe.
  • Scan your system with Malwarebytes Anti-Malware (MBAM).
  • Scan your system with ESET.


Create a whitelist within AVG

Here's the procedure again from Exclude file, folder or website from AVG scanning
(For your convenience, I'm showing those steps here with slight modifications.)


  1. Open your AVG program.
  2. From the Options menu select Advanced settings.
  3. In the left pane select Exceptions.
  4. In the right pane click Add exception.
  5. In the drop-down menu please select the exception type.
  6. Browse to the file or folder that you want to exclude (see separate list below).
  7. Make sure that you check Any Location – do not use full path.
  8. Click OK to save details of the exception.
  9. Click OK again to save the settings.

Step 6 is the key element in the procedure. The files and folders you add at that point will be excluded from AVG's scanning. Navigate separately to the following and add them to the Exceptions list:

  • c:\WINDOWS\Installer\
  • Each of the files and folders that you copied from the Virus Vault above.


Let's test our work



  • Re-enable your AVG antivirus when finished.
  • Reboot your PC.
  • Scan your whole computer with AVG AntiVirus Free.


In your next reply...


  • Copy and paste into the body of your message the list of file and folder names you copied from the Virus Vault at the top of these instructions.
  • Did hpsupportsolutionsframework-12.0.30.473.exe execute completely?
  • Copy and paste the entire contents of the MBAM report into the body of your message.
  • Copy and paste the entire contents of the ESET report (if any) into the body of your message.
  • Were you able to create the whitelist within AVG?
  • What was the result when you re-scanned your whole PC with AVG?
  • Have you seen the BSOD since you began the instructions in this post?


Tell me how your laptop is running now.

RayS


I don't accept payment for my help, but it would please me if you perform a kindness for your neighbor. You might also contact your local animal shelter. They can always use a bag of kibble or a few cans of pet food. Who knows... you might even find a life-long furry friend there.

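Before adding the HP installer and the quarantined items to the AVG exception list as described in the post above, it is worth confirming that the file you are about to whitelist is signed by the vendor and recording its hash for the false-positive report. The block below is an added example and is not part of RayS's instructions; the installer path is the one novice3 posted, and the idea that MSI*.tmp files will still be present in C:\Windows\Installer is an assumption (msiexec normally deletes them once the install finishes, so run that part while the installer is running or after restoring them from the Virus Vault).

```powershell
# Added example (not from the thread): verify signer and hash before whitelisting.
# Path is the one novice3 posted. The expected signer is not asserted here because
# the thread does not state it; read the Subject line and compare it with the
# certificate shown in the file's Properties > Digital Signatures tab.
$installer = 'C:\Users\Administrator\Downloads\HPSupportSolutionsFramework-12.0.30.473.exe'

$sig  = Get-AuthenticodeSignature -FilePath $installer
$hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash

"Status : $($sig.Status)"                        # Valid, NotSigned, HashMismatch, ...
"Signer : $($sig.SignerCertificate.Subject)"
"SHA256 : $hash"                                 # include this in the FP submission

if ($sig.Status -ne 'Valid') {
    Write-Warning 'Signature is not Valid; do not add this file to the exception list.'
}

# Excluding all of C:\Windows\Installer\ from scanning also hides anything a later
# installer drops there. The Resident Shield report shows the detections were
# MSI*.tmp files written by msiexec.exe, so check those individually instead.
# Assumption: the files still exist (msiexec deletes them after a completed install).
$flagged = Get-ChildItem 'C:\Windows\Installer' -Filter 'MSI*.tmp' -ErrorAction SilentlyContinue
foreach ($f in $flagged) {
    $s = Get-AuthenticodeSignature -FilePath $f.FullName
    '{0,-14} {1,-12} {2}' -f $f.Name, $s.Status, $s.SignerCertificate.Subject
}
```

A signed, valid installer with a hash that matches what HP distributes is a reasonable candidate for an exception; an unsigned one, or one whose signature reports HashMismatch, is not, regardless of how the AV named the detection.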

#15 novice3

novice3
  • Topic Starter

  • Members
  • 99 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:30 AM

Posted 20 February 2016 - 11:25 PM

No BSOD.  I didn't add files to the AVG white list from the Windows directory.  I think it is a mistake on my part, or will AVG ignore the false positive since the HP Support Framework executable was added to exceptions (white list)?  Thank you for your patience and support. 

 

Added hpsupportsolutionsframework-12.0.30.473.exe  to AVG exception list (aka white list):

C:\Users\Administrator\Downloads\HPSupportSolutionsFramework-12.0.30.473.exe

The executable listed above installed correctly.  Added to AVG exceptions with the following options: Type is Application or file, ignore this file even when the file is moved to a new location, use this exception for Resident Shield or Manual and Scheduled scan or identity Protection. 

 

AVG whole computer scan, found nothing:
"Whole Computer Scan"
"No infection was found during this scan"
"Scanned:";"Scan Whole Computer"
"Started:";"2/20/2016, 7:15:55 PM"
"Finished:";"2/20/2016, 7:57:39 PM"
"Number of items:";"179351"
"Launched by:";"Administrator"
 

AVG anti-virus Virus Vault:

"2/4/2016, 4:39:23 PM";"Found MalSign.OpenCandy.BD0, c:\Users\Administrator\AppData\Local\Temp\is-GM4IR.tmp\OCSetupHlp.dll";"Resident Shield";""
"2/4/2016, 8:32:17 PM";"Found MalSign.Generic.885, c:\Users\Administrator\Downloads\SetupImgBurn_2.5.8.0.exe";"Resident Shield";""
"2/4/2016, 10:48:45 PM";"Found MalSign.Generic.139, c:\Users\Administrator\AppData\Local\Temp\is-JPRA4.tmp\OCSetupHlp.dll";"Resident Shield";""
 

Results for Malwarebytes Anti-Malware:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/20/2016
Scan Time: 2:17 PM
Logfile: mbamrtksn02201016.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.20.04
Rootkit Database: v2016.02.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Administrator

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 439155
Time Elapsed: 45 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.WirelessNetworkTool, C:\Users\Administrator\Downloads\networktools.zip, , [dd17b7ab5a3fb6802c5a45cab74e44bc],
RiskWare.BulletsPassView, C:\Users\Administrator\Downloads\nirsoft_package_1.19.73.zip, , [bb39382a1683cd6920cce758ba469b65],

Physical Sectors: 0
(No malicious items detected)


(end)

 

ESET scan results (there is a file in the quarantine folder for ESET):

 

C:\Users\Administrator\Downloads\networktools.zip    a variant of Win32/Sniffer.SniffPass.B potentially unsafe application
C:\Users\Administrator\Downloads\nirsoft_package_1.19.73.zip    a variant of Win32/AdapterWatch.A potentially unsafe application
 


Edited by novice3, 20 February 2016 - 11:27 PM.




