
Files cleaned by JRT keep returning


22 replies to this topic

#1 bomber1712

  • Members

Posted 17 February 2016 - 11:12 PM

I have a computer that was so infected, I had to use a Linux Live boot disc to run an initial scan (Clam AV using Elementary OS).  I have a photo of the results of that scan (https://drive.google.com/file/d/0B2kA6Kv6JlDkeXR2U2lzQjMwZHM/view?usp=sharing)

 

Once Clam AV cleaned these, I was able to boot and run several other scans.  MBAM, Rkill, KVRT, JRT.  Some results were reported and cleaned.  I thought I had gotten everything, but decided to run MBAM and JRT one more time to make sure.  MBAM returned with a PUP (Google toolbar of some kind), so I had it clean that up.  Then, I ran JRT and it found and deleted several entries.  These entries looked very much like the ones that had been removed earlier.  I ran JRT, again, and it found several entries, again.  So I came here.

 

I am hoping someone can help me with some more advanced scans to make sure I have this computer clean.  It seems I have one of those that continues to come back, and I don't know what to do.

 

Thanks.





#2 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 18 February 2016 - 08:00 AM

Hi bomber1712 :)

Most of these entries are false positives. I wouldn't use ClamAV to scan Windows files, since it isn't the best Antivirus for that task if you ask me. There are only 2 detections that I would call "legitimate" and even there, I'm sure they are just triggered because of the file extensions.

Can you tell me more about the initial infection on the system? What was going on to make you say that you were indeed infected?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 bomber1712

  • Topic Starter

Posted 18 February 2016 - 07:40 PM

The computer was basically unusable. It would boot to Windows (Vista). Once booted, however, I could not do anything. The browsers (IE9 and Firefox) would not load. Tried opening file explorer - nothing. Tried opening Windows update, nothing. It was basically frozen. Once I ran Clam on the drive and cleaned the infections it showed, I was able to boot and run some things. Ran Rkill first, then MBAM, then JRT (plus KVRT and adwcleaner). I also ran Eset. Let me know if you would like to see any of the logs. I didn't keep most of them, but I have a few. Most of the scans eventually came back clean, but I continue to get a couple of files in the Temporary Internet Files folder that JRT finds.

 

The computer seems to be working pretty nicely at this time, but I am concerned with the continuous findings in JRT.



#4 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 18 February 2016 - 07:42 PM

Can you post the logs of all the scans you ran so I can review them?



#5 bomber1712

  • Topic Starter

Posted 18 February 2016 - 07:54 PM

Here's all I can find (1 MBAM and 3 JRT):

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/13/2016
Scan Time: 2:51:34 PM
Logfile: MBAM 20160213.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.09.22.05
Rootkit Database: v2015.09.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Liz

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 396759
Time Elapsed: 2 hr, 5 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
Adware.Minibug, HKU\S-1-5-21-2813526145-2934307200-3463856451-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}, Quarantined, [c92485ad216a7eb8a31a7e483bc7aa56],
Rogue.WinAntiVirus, HKU\S-1-5-21-2813526145-2934307200-3463856451-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}, Quarantined, [19d4161c3655fd391ed4e4e8bc46cd33],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.MyFreeze, C:\Program Files\My.Freeze.com NetAssistant, Quarantined, [8c6187ab365582b45bbc0f128281fc04],

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows Vista ™ Home Basic x86
Ran by Liz (Administrator) on Tue 02/16/2016 at  8:10:09.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 4

Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O6H0C6X (Folder)
Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ICQEZTPU (Folder)
Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y5Z176NK (Folder)
Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YB1BMGBZ (Folder)

Deleted the following from C:\Users\Liz.Steve-PC\AppData\Roaming\Mozilla\Firefox\Profiles\u1cpk70w.default\prefs.js
user_pref(browser.urlbar.suggest.searches, true);



Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/16/2016 at  8:14:01.01
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows Vista ™ Home Basic x86
Ran by Liz (Administrator) on Wed 02/17/2016 at 21:26:51.73
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 8

Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8DOBB6T (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXVLP0WR (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZV1HB7C (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMPZ1LN1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C8DOBB6T (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXVLP0WR (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZV1HB7C (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VMPZ1LN1 (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 02/17/2016 at 21:30:28.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows Vista ™ Home Basic x86
Ran by Liz (Administrator) on Thu 02/18/2016 at  7:28:56.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O6H0C6X (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O6H0C6X (Temporary Internet Files Folder)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/18/2016 at  7:32:42.01
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#6 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 18 February 2016 - 08:10 PM

The only deletions of interest I can see are these:
Adware.Minibug, HKU\S-1-5-21-2813526145-2934307200-3463856451-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}, Quarantined, [c92485ad216a7eb8a31a7e483bc7aa56],
Rogue.WinAntiVirus, HKU\S-1-5-21-2813526145-2934307200-3463856451-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A}, Quarantined, [19d4161c3655fd391ed4e4e8bc46cd33],
The rest are cache folders for Internet Explorer, so nothing really malicious. Follow the instructions below please.

MiniToolBox
  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Winsock Entries;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

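The point made in the reply above, that the Content.IE5 folders JRT keeps deleting are Internet Explorer cache directories that the browser recreates rather than a returning infection, can be turned into a repeatable triage check. The Python script below is an added example written for this page; it is not a tool from the thread or from Malwarebytes. It parses JRT-style log lines (the two sample logs are constructed from the format quoted in this thread, reusing the paths and registry key shown there) and reports only the findings that recur between runs, separating regenerated browser cache from registry keys, preference resets and other files that would actually deserve a closer look.

```python
"""Triage of Junkware Removal Tool (JRT) logs: separate regenerating Internet
Explorer cache folders from findings that would actually indicate persistence."""
import re
from collections import defaultdict

# Constructed sample logs in the format of the JRT logs quoted in this thread
# (paths and registry key taken from the thread; two runs on different days).
JRT_RUN_1 = r"""
File System: 3

Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O6H0C6X (Folder)
Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ICQEZTPU (Folder)

Deleted the following from C:\Users\Liz.Steve-PC\AppData\Roaming\Mozilla\Firefox\Profiles\u1cpk70w.default\prefs.js
user_pref(browser.urlbar.suggest.searches, true);

Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
"""

JRT_RUN_2 = r"""
File System: 2

Successfully deleted: C:\Users\Liz.Steve-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O6H0C6X (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0O6H0C6X (Temporary Internet Files Folder)

Registry: 0
"""

# "Successfully deleted: <target> (<kind>)" as JRT writes it.
DELETED_RE = re.compile(r"^Successfully deleted:\s+(?P<target>.+?)\s+\((?P<kind>[^()]+)\)\s*$")
# Firefox preferences JRT removed from prefs.js.
PREF_RE = re.compile(r"^user_pref\((?P<name>[^,]+),")
# Content.IE5 cache subfolders carry 8-character random names and are recreated
# by Internet Explorer whenever it writes to its cache.
IE_CACHE_RE = re.compile(r"\\Temporary Internet Files\\Content\.IE5\\[A-Z0-9]{8}$", re.IGNORECASE)


def classify(target, kind):
    """Map one JRT deletion to a triage category."""
    if IE_CACHE_RE.search(target):
        return "ie-cache"   # expected to reappear after browsing; not evidence of reinfection
    if kind == "Registry Key" or target.upper().startswith(("HKCU\\", "HKLM\\", "HKU\\")):
        return "registry"   # worth reviewing: persistence or hijacked browser settings
    return "file"


def parse_jrt(log_text):
    """Return a list of (category, target) tuples for every deletion in a JRT log."""
    findings = []
    for line in log_text.splitlines():
        m = DELETED_RE.match(line)
        if m:
            findings.append((classify(m["target"], m["kind"]), m["target"]))
            continue
        m = PREF_RE.match(line)
        if m:
            findings.append(("browser-pref", m["name"].strip()))
    return findings


def recurring(runs):
    """Targets deleted in more than one run, grouped by category.

    Recurring 'ie-cache' entries are the normal result of the browser being used
    between scans; anything else that recurs is what deserves a closer look."""
    seen = defaultdict(set)
    for run_index, log_text in enumerate(runs):
        for category, target in parse_jrt(log_text):
            seen[(category, target)].add(run_index)
    result = defaultdict(list)
    for (category, target), run_ids in seen.items():
        if len(run_ids) > 1:
            result[category].append(target)
    return dict(result)


def needs_follow_up(runs):
    """True only if something other than regenerated browser cache came back."""
    return any(cat != "ie-cache" for cat in recurring(runs))


if __name__ == "__main__":
    runs = [JRT_RUN_1, JRT_RUN_2]
    for cat, targets in recurring(runs).items():
        print(cat, targets)
    print("follow-up needed:", needs_follow_up(runs))
```

Run against the two sample logs, the only recurring item is the user-profile Content.IE5\0O6H0C6X cache folder, so `needs_follow_up` returns False; feeding it two runs in which the same SearchScopes registry key is deleted each time flips the result to True, which is the case that would justify deeper scans.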


#7 bomber1712

  • Topic Starter

Posted 18 February 2016 - 08:23 PM

Thanks for your help!

 

MiniToolBox by Farbar  Version: 07-02-2016 01
Ran by Liz (administrator) on 18-02-2016 at 19:20:53
Running from "C:\Users\Liz.Steve-PC\Desktop"
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86)
Model: Dell DM061 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

========================= FF Proxy Settings: ==============================


"Reset FF Proxy Settings": Firefox Proxy settings were reset.

========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================

Intel® 82562V 10/100 Network Connection = Local Area Connection (Connected)


# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

reset
set global icmpredirects=enabled


popd
# End of IPv4 configuration



Windows IP Configuration

   Host Name . . . . . . . . . . . . : Steve-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : PK5001Z

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : PK5001Z
   Description . . . . . . . . . . . : Intel® 82562V 10/100 Network Connection
   Physical Address. . . . . . . . . : 00-19-D1-41-D8-28
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::31fe:d177:6dd4:2d7f%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.45(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, February 17, 2016 10:31:31 PM
   Lease Expires . . . . . . . . . . : Friday, February 19, 2016 10:31:31 AM
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 201333201
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0D-AC-40-89-00-19-D1-41-D8-28
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       205.171.202.166
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Connection-specific DNS Suffix  . : PK5001Z
   Description . . . . . . . . . . . : isatap.PK5001Z
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5efe:10.0.0.45%20(Preferred)
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.1
                                       205.171.202.166
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{3A59C072-AF37-43C1-BF9D-0A1B2B5959C9}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{3A59C072-AF37-43C1-BF9D-0A1B2B5959C9}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : 6TO4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 15:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{3A59C072-AF37-43C1-BF9D-0A1B2B5959C9}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  PK5001Z.PK5001Z
Address:  10.0.0.1

Name:    google.com
Addresses:  2607:f8b0:4009:80b::200e
      216.58.216.110



Pinging google.com [216.58.216.238] with 32 bytes of data:

Reply from 216.58.216.238: bytes=32 time=36ms TTL=56

Reply from 216.58.216.238: bytes=32 time=38ms TTL=56



Ping statistics for 216.58.216.238:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 36ms, Maximum = 38ms, Average = 37ms

Server:  PK5001Z.PK5001Z
Address:  10.0.0.1

Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
      2001:4998:58:c02::a9
      2001:4998:c:a06::2:4008
      206.190.36.45
      98.139.183.24
      98.138.253.109



Pinging yahoo.com [98.138.253.109] with 32 bytes of data:

Reply from 98.138.253.109: bytes=32 time=55ms TTL=52

Reply from 98.138.253.109: bytes=32 time=55ms TTL=52



Ping statistics for 98.138.253.109:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 55ms, Maximum = 55ms, Average = 55ms



Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
  9 ...00 19 d1 41 d8 28 ...... Intel® 82562V 10/100 Network Connection
  1 ........................... Software Loopback Interface 1
  8 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 20 ...00 00 00 00 00 00 00 e0  isatap.PK5001Z
 13 ...00 00 00 00 00 00 00 e0  isatap.{3A59C072-AF37-43C1-BF9D-0A1B2B5959C9}
 15 ...00 00 00 00 00 00 00 e0  isatap.{3A59C072-AF37-43C1-BF9D-0A1B2B5959C9}
 14 ...00 00 00 00 00 00 00 e0  6TO4 Adapter
 17 ...00 00 00 00 00 00 00 e0  isatap.{3A59C072-AF37-43C1-BF9D-0A1B2B5959C9}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.45     20
         10.0.0.0    255.255.255.0         On-link         10.0.0.45    276
        10.0.0.45  255.255.255.255         On-link         10.0.0.45    276
       10.0.0.255  255.255.255.255         On-link         10.0.0.45    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         10.0.0.45    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         10.0.0.45    276
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  9    276 fe80::/64                On-link
 20    281 fe80::5efe:10.0.0.45/128 On-link
  9    276 fe80::31fe:d177:6dd4:2d7f/128
                                    On-link
  1    306 ff00::/8                 On-link
  9    276 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\system32\NLAapi.dll [48640] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 27 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 28 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 29 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 30 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/18/2016 07:18:29 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (02/18/2016 07:18:29 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (02/18/2016 07:18:29 AM) (Source: QuickBooks) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (02/18/2016 07:18:22 AM) (Source: Perflib) (User: )
Description: WmiApRplC:\Windows\system32\wbem\wmiaprpl.dll4

Error: (02/18/2016 07:18:21 AM) (Source: Perflib) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (02/18/2016 07:18:20 AM) (Source: Perflib) (User: )
Description: MSDTCC:\Windows\system32\msdtcuiu.DLL4

Error: (02/18/2016 07:18:19 AM) (Source: Perflib) (User: )
Description: LsaC:\Windows\system32\Secur32.dll4

Error: (02/18/2016 07:18:19 AM) (Source: Perflib) (User: )
Description: ESENTC:\Windows\system32\esentprf.dll4

Error: (02/18/2016 07:18:15 AM) (Source: Perflib) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (02/18/2016 07:18:14 AM) (Source: Perflib) (User: )
Description: BITSC:\Windows\system32\bitsperf.dll4


System errors:
=============
Error: (02/17/2016 10:31:35 PM) (Source: Print) (User: NT AUTHORITY)
Description: Windows could not initialize printer Fax Dell AIO Printer 946 because the print processor PrintFax2000 could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

Error: (02/17/2016 07:45:49 AM) (Source: Print) (User: NT AUTHORITY)
Description: Windows could not initialize printer Fax Dell AIO Printer 946 because the print processor PrintFax2000 could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

Error: (02/16/2016 07:23:55 AM) (Source: Print) (User: NT AUTHORITY)
Description: Windows could not initialize printer Fax Dell AIO Printer 946 because the print processor PrintFax2000 could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

Error: (02/15/2016 02:56:12 PM) (Source: Print) (User: NT AUTHORITY)
Description: Windows could not initialize printer Fax Dell AIO Printer 946 because the print processor PrintFax2000 could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

Error: (02/14/2016 06:34:00 PM) (Source: Print) (User: NT AUTHORITY)
Description: Windows could not initialize printer Fax Dell AIO Printer 946 because the print processor PrintFax2000 could not be found. Please obtain and install a new version of the driver from the manufacturer (if available), or choose an alternate driver that works with this print device.

Error: (02/14/2016 11:48:12 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:48:08 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:48:00 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:47:30 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:47:27 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.


Microsoft Office Sessions:
=========================
Error: (02/18/2016 07:18:29 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (02/18/2016 07:18:29 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (02/18/2016 07:18:29 AM) (Source: QuickBooks)(User: )
Description: QuickBooksReturning NULL QBWinInstance Handle

Error: (02/18/2016 07:18:22 AM) (Source: Perflib)(User: )
Description: WmiApRplC:\Windows\system32\wbem\wmiaprpl.dll4

Error: (02/18/2016 07:18:21 AM) (Source: Perflib)(User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (02/18/2016 07:18:20 AM) (Source: Perflib)(User: )
Description: MSDTCC:\Windows\system32\msdtcuiu.DLL4

Error: (02/18/2016 07:18:19 AM) (Source: Perflib)(User: )
Description: LsaC:\Windows\system32\Secur32.dll4

Error: (02/18/2016 07:18:19 AM) (Source: Perflib)(User: )
Description: ESENTC:\Windows\system32\esentprf.dll4

Error: (02/18/2016 07:18:15 AM) (Source: Perflib)(User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (02/18/2016 07:18:14 AM) (Source: Perflib)(User: )
Description: BITSC:\Windows\system32\bitsperf.dll4


CodeIntegrity Errors:
===================================
  Date: 2016-02-18 18:43:47.716
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-18 18:43:44.408
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-18 18:43:41.663
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-18 18:43:39.338
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-18 18:43:37.201
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-18 18:43:34.814
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-17 22:03:43.437
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-17 22:03:41.565
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-17 22:03:39.724
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2016-02-17 22:03:37.883
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (HKLM\...\{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}) (Version: 1.0.0 - Hewlett-Packard) Hidden
4G Mobile Hotspot (HKLM\...\{AEFF9E60-3E93-41EE-9895-311F7D1C5FFD}) (Version: 1.0.0.2 - ZTE Corporation)
ABBYY FineReader 6.0 Sprint (HKLM\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.1784.41616 - ABBYY Software House)
Adobe Flash Player 20 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 20.0.0.306 - Adobe Systems Incorporated)
Adobe Reader X (10.1.16) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.16 - Adobe Systems Incorporated)
Adobe Shockwave Player (HKLM\...\Adobe Shockwave Player) (Version: 10.3.0.24 - Adobe Systems, Inc.)
Adobe® Photoshop® Album Starter Edition 3.2 (HKLM\...\{A654A805-41D9-40C7-AA46-4AF04F044D61}) (Version: 3.2.0 - Adobe Systems, Inc.) Hidden
Adobe® Photoshop® Album Starter Edition 3.2 (HKLM\...\Adobe® Photoshop® Album Starter Edition 3.2) (Version: 3.2.0 - http://www.adobe.com)
AIO_Scan (HKLM\...\{0D2E9DCB-9938-475E-B4DD-8851738852FF}) (Version: 82.0.203.000 - Hewlett-Packard) Hidden
BufferChm (HKLM\...\{BE77A81F-B315-4666-9BF3-AE70C0ADB057}) (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Citrix Presentation Server Web Client for Win32 (HKLM\...\Citrix ICA Web Client) (Version:  - )
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Conexant D850 PCI V.92 Modem (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1) (Version:  - )
Copy (HKLM\...\{A3B7C670-4A1E-4EE2-950E-C875BC1965D0}) (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Corel Paint Shop Pro Photo XI (HKLM\...\{93A1B09E-BAFA-4628-A5B6-921CB026955A}) (Version: 11.003.0000 - Corel Inc)
Corel Snapfire Plus (HKLM\...\{7ADE3A47-B425-45E9-8FF6-11BE2B775645}) (Version: 1.003.0000 - Corel)
CustomerResearchQFolder (HKLM\...\{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}) (Version: 1.00.0000 - Hewlett-Packard) Hidden
Destinations (HKLM\...\{9B1FD9CE-0776-4f0b-A6F5-C6AB7B650CDF}) (Version: 82.0.173.000 - Hewlett-Packard) Hidden
DeviceManagementQFolder (HKLM\...\{AB5D51AE-EBC3-438D-872C-705C7C2084B0}) (Version: 1.00.0000 - Hewlett-Packard) Hidden
Digital Line Detect (HKLM\...\{E646DCF0-5A68-11D5-B229-002078017FBF}) (Version: 1.20 - BVRP Software, Inc)
Diva Starz™ CD-ROM (HKLM\...\Diva Starz™ CD-ROM) (Version:  - )
DJ_AIO_ProductContext (HKLM\...\{657F8B33-CBBB-45F4-9087-274F22C89400}) (Version: 82.0.203.000 - Hewlett-Packard) Hidden
DJ_AIO_Software (HKLM\...\{9ECB4705-B9CB-405A-B6D4-33BDF707308E}) (Version: 82.0.203.000 - Hewlett-Packard) Hidden
DJ_AIO_Software_min (HKLM\...\{DC83F417-8068-4074-BA2F-C4F8AB872556}) (Version: 82.0.203.000 - Hewlett-Packard) Hidden
Documentation & Support Launcher (HKLM\...\{89CEAE14-DD0F-448E-9554-15781EC9DB24}) (Version: 1.00.0000 - Dell Inc.)
Dora Backpack (HKLM\...\{D859D35F-E947-4F2A-8591-C76A4D116178}) (Version:  - )
eSupportQFolder (HKLM\...\{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}) (Version: 1.00.0000 - Hewlett-Packard) Hidden
F4100 (HKLM\...\{7DDEABFB-0621-4321-B385-CB86D3A6F90F}) (Version: 82.0.203.000 - Hewlett-Packard) Hidden
F4100_Help (HKLM\...\{ACE22C48-49D7-4531-BE20-5C3D03393AB6}) (Version: 82.0.203.000 - Hewlett-Packard) Hidden
Games, Music, & Photos Launcher (HKLM\...\{3E25E350-949F-4DB7-8288-2A60E018B4C1}) (Version: 1.00.0000 - Dell Inc.)
Greeting Card Factory Photo Card Maker (HKLM\...\{9C627F78-DBB9-4293-AA89-E83119C39CE9}) (Version: 1.0.0.5 - Nova Development)
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP Deskjet All-In-One Software 8.0 (HKLM\...\{24557DC0-0839-496f-82F9-C4EB72EFE4FA}) (Version: 8.0 - HP)
HP Imaging Device Functions 8.0 (HKLM\...\HP Imaging Device Functions) (Version: 8.0 - HP)
HP Officejet 4620 series Basic Device Software (HKLM\...\{928E9793-43FD-458D-B87B-6376BD4E4DA5}) (Version: 26.0.784.0 - Hewlett-Packard Co.)
HP Officejet 4620 series Help (HKLM\...\{606C37AB-EB04-4270-A592-201A03C2DB36}) (Version: 6.0.0 - Hewlett Packard)
HP Officejet 4620 series Product Improvement Study (HKLM\...\{FC831F3D-66AE-4C6D-B36B-F7B178218342}) (Version: 26.0.784.0 - Hewlett-Packard Co.)
HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP)
HP Solution Center 8.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 8.0 - HP)
HP Update (HKLM\...\{85DF2EED-08BC-46FB-90DA-28B0D0A8E8A8}) (Version: 5.003.000.004 - Hewlett-Packard)
HPDiagnosticCoreDll (HKLM\...\{9262B08F-E183-4FED-A2BD-23FF1A84EB67}) (Version: 1.0.3.0 - Hewlett Packard)
HPProductAssistant (HKLM\...\{67D3F1A0-A1F2-49b7-B9EE-011277B170CD}) (Version: 82.0.173.000 - Hewlett-Packard) Hidden
HPSSupply (HKLM\...\{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}) (Version: 2.1.3.0000 - Hewlett Packard Development Company L.P.)
I.R.I.S. OCR (HKLM\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - )
InterActual Player (HKLM\...\InterActual Player) (Version:  - )
Java 8 Update 73 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218073F0}) (Version: 8.0.730.2 - Oracle Corporation)
Java Auto Updater (HKLM\...\{4A03706F-666A-4037-7777-5F2748764D10}) (Version: 2.8.73.2 - Oracle Corporation) Hidden
Java™ 7 Update 5 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217005FF}) (Version: 7.0.50 - Oracle)
JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
LeapFrog Connect (HKLM\...\{08BFB912-8D71-4E29-9A80-18BFB385F19B}) (Version: 5.2.4.18506 - LeapFrog) Hidden
LeapFrog Connect (HKLM\...\UPCShell) (Version: 5.2.4.18506 - LeapFrog)
LeapFrog My Pals Plugin (HKLM\...\{9155DB04-A032-491A-88B2-7C19B9E9F945}) (Version: 5.1.26.18340 - LeapFrog) Hidden
Learning Lodge™ (HKLM\...\VTechDownloadManager) (Version:  - VTech)
Little Bear Rainy Day Activities (HKLM\...\Little Bear Rainy Day Activities) (Version:  - )
Macrium Reflect Free Edition (HKLM\...\{B1D8A61F-F1F8-4C50-B0A9-C3C39517AA64}) (Version: 5.0.4694 - Paramount Software (UK) Ltd.)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
MarketResearch (HKLM\...\{95D08F4E-DFC2-4ce3-ACB7-8C8E206217E9}) (Version: 82.0.174.000 - Hewlett-Packard) Hidden
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Edition 2003 (HKLM\...\{90110409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.8.204.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation)
Mobile Broadband Generic Drivers (HKLM\...\{59A443A7-FFBF-41F1-B033-51D7B9A4AF5C}) (Version: 2.03.09.007.28 - Novatel Wireless) Hidden
Mobile Broadband Generic Drivers (HKLM\...\Mobile Broadband Generic Drivers) (Version: 2.03.09.007.28 - Novatel Wireless)
MobiLink 3 (HKLM\...\{8658F7BC-F76D-4B19-92F2-30C7FAF057A7}) (Version: 3.00.58.017 - Novatel Wireless Inc.) Hidden
MobiLink 3 (HKLM\...\MobiLink 3) (Version: 3.00.58.017 - Novatel Wireless)
Modem Diagnostic Tool (HKLM\...\{F63A3748-B93D-4360-9AD4-B064481A5C7B}) (Version: 1.0.17.8 - Dell)
Mozilla Firefox 44.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 44.0.2 (x86 en-US)) (Version: 44.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 44.0.2.5884 - Mozilla)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MyAttorney Business Forms (HKLM\...\{9D1D7858-6C6F-4F7D-B070-77783FA8F50D}) (Version: 1.01.000 - MySoftware) Hidden
MyAttorney Business Forms (HKLM\...\InstallShield_{9D1D7858-6C6F-4F7D-B070-77783FA8F50D}) (Version: 1.01.000 - MySoftware)
NetWaiting (HKLM\...\{3F92ABBB-6BBF-11D5-B229-002078017FBF}) (Version: 2.5.41 - BVRP Software, Inc)
Photo Editor (HKLM\...\{BE930EB7-9A56-47D4-88D0-90BE0CD8A2EA}) (Version: 1.00.0000 - ProVenture)
PowerDVD (HKLM\...\{281ECE39-F043-492B-8337-F2E546B5604A}) (Version: 7.0 - Dell)
ProVenture Business Cards (HKLM\...\{C43464E4-FE5B-4CC8-9D14-C04A7DCE5AC0}) (Version: 4.0.1.0 - Avanquest Publishing USA, Inc.)
QuickBooks (HKLM\...\{25E202D1-D8E7-46AF-B4B0-157D9993A93E}) (Version: 22.0.4009.2206 - Intuit Inc.) Hidden
QuickBooks Pro 2012 (HKLM\...\{22057D8D-7CC8-46FF-AD8C-9BD24F9014F3}) (Version: 22.0.4009.2206 - Intuit Inc.)
RangeMax Wireless-N USB Adapter WN111v2 (HKLM\...\InstallShield_{1C0E9C6B-D4D5-4D3C-8A10-F10A3E7BEEA5}) (Version: 2.00.0000 - NETGEAR)
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.3.0 - Roxio)
Roxio Creator BDAV Plugin (HKLM\...\{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}) (Version: 3.3.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.3.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.3.0 - Roxio)
Roxio Creator DE (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.3.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.3.0 - Roxio)
Roxio Express Labeler (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 2.1.0 - Roxio)
Roxio MyDVD DE (HKLM\...\{D639085F-4B6E-4105-9F37-A0DBB023E2FB}) (Version: 9.0.116 - Roxio, Inc.)
Roxio Update Manager (HKLM\...\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}) (Version: 3.0.0 - Roxio)
RTC Client API v1.2 (HKLM\...\{44CDBD1B-89FB-4E02-8319-2A4C550F664A}) (Version: 1.2.0000 - Microsoft)
Scan (HKLM\...\{1746EA69-DCB6-4408-B5A5-E75F55439CDF}) (Version: 8.1.0.0 - Hewlett-Packard) Hidden
Shrek Activity Center (HKLM\...\{E7417E3A-EC38-4566-83CC-92942466F4D1}) (Version:  - )
SigmaTel Audio (HKLM\...\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}) (Version: 5.10.5102.0 - SigmaTel)
SolutionCenter (HKLM\...\{A36CD345-625C-4d6c-B3E2-76E1248CB451}) (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Sonic Activation Module (HKLM\...\{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}) (Version: 1.0 - Sonic Solutions) Hidden
Status (HKLM\...\{978C25EE-5777-46e4-8988-732C297CBDBD}) (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Thomas & Friends - Trouble on the Tracks (HKLM\...\Thomas & Friends - Trouble on the Tracks) (Version:  - )
TONKA TOWN (HKLM\...\{73C7AD71-747F-4CCF-BD37-E3AE7C532C99}) (Version:  - )
Toolbox (HKLM\...\{C716522C-3731-4667-8579-40B098294500}) (Version: 82.0.173.000 - Hewlett-Packard) Hidden
TrayApp (HKLM\...\{FF075778-6E50-47ed-991D-3B07FD4E3250}) (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Type Stylist (HKLM\...\{CD507F08-BCE6-4EF0-BDBB-3E160CA35D0D}) (Version:  - )
UnloadSupport (HKLM\...\{E06F04B9-45E6-4AC0-8083-85F7515F40F7}) (Version: 1.00.0000 - Hewlett-Packard) Hidden
Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin) (HKLM\...\MyPalsPlugin) (Version:  - LeapFrog)
VTech Download Agent Library (HKLM\...\{40C4903E-EDFB-4CAE-A611-41FEBA585921}) (Version: 1.00.0000 - VTech) Hidden
WebReg (HKLM\...\{179C56A4-F57F-4561-8BBF-F911D26EB435}) (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (HKLM\...\8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D) (Version: 09/10/2009 02.03.05.012 - Leapfrog)
WN111v2 (HKLM\...\{1C0E9C6B-D4D5-4D3C-8A10-F10A3E7BEEA5}) (Version: 2.00.0000 - NETGEAR) Hidden

========================= Devices: ================================


========================= Memory info: ===================================

Percentage of memory in use: 50%
Total physical RAM: 2037.21 MB
Available physical RAM: 1010.07 MB
Total Virtual: 4313.43 MB
Available Virtual: 2623.93 MB

========================= Partitions: =====================================

1 Drive c: (OS) (Fixed) (Total:70.47 GB) (Free:22 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:4 GB) (Free:0.77 GB) NTFS

========================= Users: ========================================

User accounts for \\STEVE-PC

Administrator            Guest                    Liz                      
Steve                    


**** End of log ****
 



#8 bomber1712 (Topic Starter, Members)

Posted 18 February 2016 - 08:56 PM

I just realized that I did not run as admin.  Do you want me to re-run?



#9 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 18 February 2016 - 08:56 PM

This is what we should worry about now.
Error: (02/14/2016 11:48:12 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:48:08 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:48:00 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:47:30 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.

Error: (02/14/2016 11:47:27 AM) (Source: disk) (User: )
Description: The device, \Device\Harddisk1\DR2, has a bad block.
Before we run a chkdsk on the drive, let's see if it's failing.

GSmartControl
Follow the instructions below to test your hard drive health with GSmartControl:
  • Download GSmartControl and save it on your Desktop;
  • Extract the content of the GSmartControl .zip archive and execute gsmartcontrol.exe;
  • Identify your drive in the list, and double-click on it to bring up its window (usually you'll find your drive by its size or its brand name);
  • Go in the Perform Tests tab, then select Extended Self-test in the Test type drop-down list and click on Execute (this test can take a few hours to complete);
  • Once the test is over, the results will be displayed at the bottom of the window. Please copy and paste these results in your next reply;
  • Also, go in the Attributes tab and if you have any entries highlighted in red or pink, copy and paste their name in your next reply (or take a screenshot of the GSmartControl window and attach it in your next reply);

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#10 bomber1712 (Topic Starter, Members)

Posted 18 February 2016 - 09:44 PM

OK, so it said "Estimated duration 27 minutes".  I started it and it ran for 36 minutes, so far.  I watched as the progress bar stated "test completion 10%: ETA 27 minutes".  Now, the progress bar says "test completion 10%: ETA 0 minutes" and I am not sure it is doing anything (it has been saying this for 15 minutes or so).  I have not done anything with the window, just in case you think it is still running.

 

I clicked the "View Output" button and this is what I have (not sure if this will tell you what you want to see):

 

smartctl 5.43 2012-06-30 r3573 [i686-w64-mingw32-vista-sp2] (sf-5.43-1)
Copyright © 2002-12 by Bruce Allen, http://smartmontools.sourceforge.net

=== START OF INFORMATION SECTION ===
Model Family:     Seagate Barracuda 7200.9
Device Model:     ST3808110AS
Serial Number:    9LR48SG0
Firmware Version: 3.ADJ
User Capacity:    80,000,000,000 bytes [80.0 GB]
Sector Size:      512 bytes logical/physical
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   7
ATA Standard is:  Exact ATA specification draft version not indicated
Local Time is:    Thu Feb 18 20:04:47 2016 CST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status:  (0x82)    Offline data collection activity
                    was completed without error.
                    Auto Offline Data Collection: Enabled.
Self-test execution status:      (   0)    The previous self-test routine completed
                    without error or no self-test has ever
                    been run.
Total time to complete Offline
data collection:         (  430) seconds.
Offline data collection
capabilities:              (0x5b) SMART execute Offline immediate.
                    Auto Offline data collection on/off support.
                    Suspend Offline collection upon new
                    command.
                    Offline surface scan supported.
                    Self-test supported.
                    No Conveyance Self-test supported.
                    Selective Self-test supported.
SMART capabilities:            (0x0003)    Saves SMART data before entering
                    power-saving mode.
                    Supports SMART auto save timer.
Error logging capability:        (0x01)    Error logging supported.
                    General Purpose Logging supported.
Short self-test routine
recommended polling time:      (   2) minutes.
Extended self-test routine
recommended polling time:      (  27) minutes.

SMART Attributes Data Structure revision number: 10
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   109   096   006    Pre-fail  Always       -       186331991
  3 Spin_Up_Time            0x0003   096   094   000    Pre-fail  Always       -       0
  4 Start_Stop_Count        0x0032   096   096   020    Old_age   Always       -       4327
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
  7 Seek_Error_Rate         0x000f   084   060   030    Pre-fail  Always       -       297814588
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       5064
 10 Spin_Retry_Count        0x0013   100   100   097    Pre-fail  Always       -       0
 12 Power_Cycle_Count       0x0032   098   098   020    Old_age   Always       -       2721
187 Reported_Uncorrect      0x0032   100   100   000    Old_age   Always       -       0
189 High_Fly_Writes         0x003a   082   082   000    Old_age   Always       -       18
190 Airflow_Temperature_Cel 0x0022   065   056   045    Old_age   Always       -       35 (Min/Max 29/38)
194 Temperature_Celsius     0x0022   035   044   000    Old_age   Always       -       35 (0 14 0 0 0)
195 Hardware_ECC_Recovered  0x001a   050   046   000    Old_age   Always       -       192753288
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0
200 Multi_Zone_Error_Rate   0x0000   100   253   000    Old_age   Offline      -       0
202 Data_Address_Mark_Errs  0x0032   100   253   000    Old_age   Always       -       0

SMART Error Log Version: 1
No Errors Logged

SMART Self-test log structure revision number 1
Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed without error       00%         0         -

SMART Selective self-test log data structure revision number 1
 SPAN  MIN_LBA  MAX_LBA  CURRENT_TEST_STATUS
    1        0        0  Not_testing
    2        0        0  Not_testing
    3        0        0  Not_testing
    4        0        0  Not_testing
    5        0        0  Not_testing
Selective self-test flags (0x0):
  After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.
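The GSmartControl step in #9 asks one question of the attribute table in #10: is the drive failing? The Python script below is an added example for this thread, not code from the posts, from smartmontools or from GSmartControl. It parses a smartctl attribute table and applies the checks a technician makes by hand: a normalized VALUE at or below its THRESH (or anything in WHEN_FAILED) marks the attribute as failing, a WORST at or below THRESH means it failed in the past, and any non-zero raw count on the sector-reallocation attributes (5, 187, 196, 197, 198) is a warning even while VALUE is still healthy, because those counters only ever go up. The first sample is the table posted above, trimmed to the rows that matter; the second is a constructed table (not from any real drive) showing what a failing disk looks like.

```python
"""Evaluate a smartctl / GSmartControl attribute table for signs of drive failure.

Added example for this thread; it is not part of smartmontools, GSmartControl
or any other tool the posts mention.
"""
import re
from dataclasses import dataclass

# Attribute table posted in the thread above (rows trimmed, values unchanged).
SAMPLE_FROM_THREAD = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  1 Raw_Read_Error_Rate     0x000f   109   096   006    Pre-fail  Always       -       186331991
  5 Reallocated_Sector_Ct   0x0033   100   100   036    Pre-fail  Always       -       0
 10 Spin_Retry_Count        0x0013   100   100   097    Pre-fail  Always       -       0
187 Reported_Uncorrect      0x0032   100   100   000    Old_age   Always       -       0
190 Airflow_Temperature_Cel 0x0022   065   056   045    Old_age   Always       -       35 (Min/Max 29/38)
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       0
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0
"""

# Constructed table (not from any real drive) for a disk that IS failing.
CONSTRUCTED_FAILING = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   034   034   036    Pre-fail  Always   FAILING_NOW 2712
197 Current_Pending_Sector  0x0012   099   099   000    Old_age   Always       -       24
199 UDMA_CRC_Error_Count    0x003e   200   200   000    Old_age   Always       -       0
"""

# One table row; the raw value may carry trailing text such as "(Min/Max 29/38)".
ATTR_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<flag>0x[0-9a-fA-F]+)\s+"
    r"(?P<value>\d+)\s+(?P<worst>\d+)\s+(?P<thresh>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<updated>\S+)\s+(?P<when_failed>\S+)\s+(?P<raw>\d+)"
)

# Attributes whose raw count matters even while VALUE is still above THRESH:
# a non-zero count means the platter has already lost or is losing sectors.
SECTOR_COUNTERS = {5, 187, 196, 197, 198}


@dataclass
class SmartAttribute:
    id: int
    name: str
    value: int
    worst: int
    thresh: int
    attr_type: str
    when_failed: str
    raw: int


def parse_smart_attributes(text):
    """Return the attribute rows found in a smartctl -A style table."""
    attrs = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.append(SmartAttribute(
                int(m["id"]), m["name"], int(m["value"]), int(m["worst"]),
                int(m["thresh"]), m["type"], m["when_failed"], int(m["raw"])))
    return attrs


def assess(attrs):
    """Classify the drive as OK, WARN or FAIL and explain why."""
    failing, warnings = [], []
    for a in attrs:
        # A threshold of 0 means "informational only": never compare against it.
        if (a.thresh and a.value <= a.thresh) or a.when_failed != "-":
            failing.append(f"{a.name}: VALUE {a.value} <= THRESH {a.thresh} ({a.attr_type})")
        elif a.thresh and a.worst <= a.thresh:
            warnings.append(f"{a.name}: WORST {a.worst} <= THRESH {a.thresh} (failed in the past)")
        if a.id in SECTOR_COUNTERS and a.raw > 0:
            warnings.append(f"{a.name}: raw count {a.raw} (bad or unstable sectors present)")
        if a.id == 199 and a.raw > 0:
            warnings.append(f"{a.name}: raw count {a.raw} (interface/cable errors, not media)")
    verdict = "FAIL" if failing else ("WARN" if warnings else "OK")
    return {"verdict": verdict, "failing": failing, "warnings": warnings}


if __name__ == "__main__":
    for label, table in (("thread", SAMPLE_FROM_THREAD), ("constructed", CONSTRUCTED_FAILING)):
        print(label, assess(parse_smart_attributes(table)))
```

On the table from the thread every VALUE sits well above its THRESH and all of the sector counters are zero, which is the "not failing" reading Aura gives in the next post; the extended self-test that stalled in #10 is what would eventually exercise the whole surface, so a clean attribute table is necessary but not sufficient.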



#11 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 18 February 2016 - 09:48 PM

Alright. Since the hard drive isn't failing, we'll need to run a CHKDSK /R to address the bad sectors.

Check Disk (chkdsk)
Follow the instructions below to run a CHKDSK scan on your Windows partition;
  • On Windows Vista & 7, click on the Windows Start Menu, then enter cmd in the search box, right-click on the cmd icon and select Run as Administrator
  • On Windows 8, drag your cursor in the bottom-left corner, and right-click on the metro menu preview, then select Command Prompt (Admin);
  • On Windows 8.1, right click on the Windows logo in the bottom-left corner and select Command Prompt (Admin);
  • Enter the command chkdsk /r (there's a space between "chkdsk" and "/r") and press on Enter;
  • A message will be returned, stating that the drive cannot be locked because it's already in use, and you'll be asked if you want to schedule the scan for the next restart. Enter y and press on Enter;
  • Restart your computer, and the chkdsk scan will be launched automatically;
  • Once the chkdsk scan is complete and you're back in Windows, find the log in the Event Viewer and copy/paste it in your next reply;
WARNING: Depending on your hard drive (specs, free space, fragmentation, etc.) this scan can be relatively long to complete. Give it all the time it needs to finish. Do not interrupt it for any reason there is, or you might be damaging your drive in the process and make your Windows unbootable. It's suggested to let this scan run overnight or when you leave the house for a few hours (when you go to work for example). If you are running this scan on a laptop, don't forget to leave it plugged in;



#12 bomber1712 (Topic Starter, Members)

Posted 18 February 2016 - 11:45 PM

I can't find the entry in the Event Viewer. I followed the instructions in the link to a T.  I know it ran, because I watched it for quite some time.



#13 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 19 February 2016 - 06:19 AM

In that case, download and run ListChkdskResult.exe. Once run, a notepad will open with a log. Copy/paste that log here.



#14 bomber1712 (Topic Starter, Members)

Posted 19 February 2016 - 08:31 AM

ListChkdskResult by SleepyDude v0.1.7 Beta | 21-09-2013

------< Log generate on 2/19/2016 7:19:35 AM >------
Category: 0
Computer Name: STEVE-PC
Event Code: 1001
Record Number: 63389
Source Name: Microsoft-Windows-Wininit
Time Written: 02-19-2016 @ 05:49:02
Event Type: Information
User:
Message:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.                         
  211968 file records processed.                                  

  1041 large file records processed.                            

  0 bad file records processed.                              

  0 EA records processed.                                    

  63 reparse records processed.                               

  262384 index entries processed.                                 

  0 unindexed files processed.                               

  211968 security descriptors processed.                          

CHKDSK is compacting the security descriptor stream...
Cleaning up 14549 unused security descriptors.
  25209 data files processed.                                    

CHKDSK is verifying Usn Journal...
  36682672 USN bytes processed.                                     

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  211952 files processed.                                         

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  5812177 free clusters processed.                                 

Free space verification is complete.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

  73890966 KB total disk space.
  50224476 KB in 139072 files.
     90840 KB in 25212 indexes.
         0 KB in bad sectors.
    326938 KB in use by the system.
     65536 KB occupied by the log file.
  23248712 KB available on disk.

      4096 bytes in each allocation unit.
  18472741 total allocation units on disk.
   5812178 allocation units available on disk.

Internal Info:
00 3c 03 00 c6 81 02 00 a6 67 04 00 00 00 00 00  .<.......g......
69 09 00 00 3f 00 00 00 00 00 00 00 00 00 00 00  i...?...........
42 00 00 00 a2 74 90 77 90 e9 42 00 90 e1 42 00  B....t.w..B...B.

Windows has finished checking your disk.
Please wait while your computer restarts.


Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.                         
  211968 file records processed.                                  

  1027 large file records processed.                            

  0 bad file records processed.                              

  0 EA records processed.                                    

  63 reparse records processed.                               

  262394 index entries processed.                                 

  0 unindexed files processed.                               

  211968 security descriptors processed.                          

Cleaning up 5 unused index entries from index $SII of file 0x9.
Cleaning up 5 unused index entries from index $SDH of file 0x9.
Cleaning up 5 unused security descriptors.
  25214 data files processed.                                    

CHKDSK is verifying Usn Journal...
  33735512 USN bytes processed.                                     

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  211952 files processed.                                         

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  5780465 free clusters processed.                                 

Free space verification is complete.
Windows has checked the file system and found no problems.

  73890966 KB total disk space.
  50353888 KB in 139204 files.
     90840 KB in 25215 indexes.
         0 KB in bad sectors.
    324378 KB in use by the system.
     65536 KB occupied by the log file.
  23121860 KB available on disk.

      4096 bytes in each allocation unit.
  18472741 total allocation units on disk.
   5780465 allocation units available on disk.

Internal Info:
00 3c 03 00 4f 82 02 00 ba 68 04 00 00 00 00 00  .<..O....h......
69 09 00 00 3f 00 00 00 00 00 00 00 00 00 00 00  i...?...........
42 00 00 00 a2 74 d4 77 90 e9 3f 00 90 e1 3f 00  B....t.w..?...?.

Windows has finished checking your disk.
Please wait while your computer restarts.

-----------------------------------------------------------------------
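The chkdsk step in #11 ends with "find the log in the Event Viewer", and the ListChkdskResult output above shows where it lives: an event from source Microsoft-Windows-Wininit with Event Code 1001, whose Message field is the chkdsk transcript. The Python script below is an added example for this thread, not part of chkdsk, ListChkdskResult or Windows. It takes that message text (the log above, trimmed to the lines the summary needs, with both runs kept) and reduces each run to the facts that decide whether the disk needs more attention: the volume and file system, which "Correcting errors" lines appeared, whether Windows reported corrections or a clean check, and the KB figures including the "KB in bad sectors" line.

```python
"""Summarise chkdsk result messages as logged by Wininit event 1001.

Added example for this thread; it is not part of chkdsk, ListChkdskResult
or Windows.
"""
import re

# Trimmed copy of the chkdsk log posted above; figures unchanged.
SAMPLE_CHKDSK_LOG = """\
Event Code: 1001
Source Name: Microsoft-Windows-Wininit
Message:

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.

A disk check has been scheduled.
Windows will now check the disk.
  211968 file records processed.
  0 bad file records processed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Correcting errors in the master file table's (MFT) BITMAP attribute.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

  73890966 KB total disk space.
  50224476 KB in 139072 files.
         0 KB in bad sectors.
  23248712 KB available on disk.

Checking file system on C:
The type of the file system is NTFS.
Volume label is OS.
Windows has checked the file system and found no problems.

  73890966 KB total disk space.
         0 KB in bad sectors.
  23121860 KB available on disk.
"""

RUN_START = "Checking file system on "
# Lines such as "0 KB in bad sectors." -> (0, "in bad sectors")
KB_LINE = re.compile(r"^(\d+) KB (.+?)\.$")


def parse_chkdsk_log(text):
    """Return one summary dict per chkdsk run found in the message text."""
    runs = []
    run = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(RUN_START):
            run = {"volume": line[len(RUN_START):].rstrip(":"), "filesystem": None,
                   "label": None, "corrections": [], "kb": {}, "outcome": "unknown"}
            runs.append(run)
        elif run is None:
            continue  # event metadata before the first run
        elif line.startswith("The type of the file system is "):
            run["filesystem"] = line.split()[-1].rstrip(".")
        elif line.startswith("Volume label is "):
            run["label"] = line[len("Volume label is "):].rstrip(".")
        elif line.startswith("Correcting errors"):
            run["corrections"].append(line)
        elif line.startswith("Windows has made corrections"):
            run["outcome"] = "corrected"
        elif line.startswith("Windows has checked the file system and found no problems"):
            run["outcome"] = "clean"
        else:
            m = KB_LINE.match(line)
            if m:
                run["kb"][m.group(2)] = int(m.group(1))
    return runs


def needs_attention(run):
    """True when chkdsk changed the file system or reported bad sectors."""
    return run["outcome"] != "clean" or run["kb"].get("in bad sectors", 0) > 0


if __name__ == "__main__":
    for i, run in enumerate(parse_chkdsk_log(SAMPLE_CHKDSK_LOG), 1):
        print(f"run {i}: {run['outcome']}, {len(run['corrections'])} corrections, "
              f"{run['kb'].get('in bad sectors', 0)} KB in bad sectors, "
              f"attention={needs_attention(run)}")
```

On the log above the first run repaired two bitmap inconsistencies and the second run came back clean, with zero KB in bad sectors both times; that is the pattern of a file-system fix rather than a failing disk, which is consistent with the SMART table posted earlier.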
 



#15 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 19 February 2016 - 09:48 AM

Thank you :) Follow the instructions below please.

Temp File Cleaner (TFC)
  • Download Temp File Cleaner (TFC) and move it to your Desktop;
  • Right-click on TFC.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Simply click on Start to launch the clean-up and wait until it completes;
  • Depending on which processes are running, all your programs will be closed and explorer.exe (your Windows shell) will be killed, it will however be relaunched shortly after so do not panic;
  • There's no log to give for this tool;





