Svc Host Running at 1,000,000k, Have a FRST report


  • This topic is locked
14 replies to this topic

#1 Kozzy13

Kozzy13

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 22 March 2016 - 06:44 PM

Hi, I am having issues with my laptop using a lot of memory, overheating and shutting down when doing simple tasks. I checked the task manager and found a svchost running at 1,000,000k+, did a search on it, and it led me to another thread on this site which had a link to FRST. I downloaded it and ran a scan, and I have the reports, but I'm not quite sure what I am looking at.
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by moonbat (administrator) on MOONBAT-HP (22-03-2016 17:41:29)
Running from C:\Users\moonbat\Downloads
Loaded Profiles: moonbat (Available Profiles: moonbat)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
(Hewlett-Packard Development Company L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpCaslNotification.exe
(Almico Software (almico.com)) C:\Program Files (x86)\SpeedFan\speedfan.exe
(Almico Software (almico.com)) C:\Program Files (x86)\SpeedFan\speedfan.exe
(Blizzard Entertainment) C:\Program Files (x86)\Battle.net\Battle.net.6890\Battle.net.exe
(Blizzard Entertainment) C:\ProgramData\Battle.net\Agent\Agent.4835\Agent.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_182.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_21_0_0_182.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2281256 2012-04-29] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6489704 2012-04-29] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-06-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [948672 2009-12-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35760 2009-12-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKU\S-1-5-21-1812937233-829621150-4232323728-1000\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [4290240 2016-03-01] (Disc Soft Ltd)
HKU\S-1-5-21-1812937233-829621150-4232323728-1000\...\MountPoints2: {6eccd454-829c-11e1-933a-806e6f6e6963} - E:\autorun.exe
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2016-03-16] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 10.11.12.1
Tcpip\..\Interfaces\{766870AF-D9C3-4570-9D45-4765886636E0}: [DhcpNameServer] 10.11.12.1
Tcpip\..\Interfaces\{C05AD519-926E-46DA-A286-D6B3A0E85834}: [DhcpNameServer] 40.1.1.100

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
HKU\S-1-5-21-1812937233-829621150-4232323728-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM -> {411BA52A-1ED9-476B-BA8A-E119294974B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {B6358A7D-60ED-4262-9B37-46531A5E4E84} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM -> {FC364792-9C75-4BDA-99A6-99F609F83958} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {411BA52A-1ED9-476B-BA8A-E119294974B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {B6358A7D-60ED-4262-9B37-46531A5E4E84} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 -> {FC364792-9C75-4BDA-99A6-99F609F83958} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> {411BA52A-1ED9-476B-BA8A-E119294974B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> {B6358A7D-60ED-4262-9B37-46531A5E4E84} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> {FC364792-9C75-4BDA-99A6-99F609F83958} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-03-12] (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-07-10] (Sun Microsystems, Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21] (Adobe Systems Incorporated)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll [2012-06-07] (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL [2011-03-30] (Symantec Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-03-08] (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-07-10] (Sun Microsystems, Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-03-12] (Google Inc.)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll [2012-06-07] (Symantec Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2016-03-08] (Google Inc.)
Toolbar: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2016-03-12] (Google Inc.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-16] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2012-04-19] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2012-04-19] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2012-04-19] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2012-04-19] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\moonbat\AppData\Roaming\Mozilla\Firefox\Profiles\jcvahxjg.default
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_182.dll [2016-03-15] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-15] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll [2010-05-05] (Adobe Systems, Inc.)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.50401.0\npctrl.dll [2010-04-01] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-17] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-03-08] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-03-08] (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn
FF Extension: Symantec Intrusion Prevention - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\IPSFFPlgn [2012-04-16] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn_2011_7_13_2
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\coFFPlgn_2011_7_13_2 [2016-03-20] [not signed]

Chrome:
=======
CHR Profile: C:\Users\moonbat\AppData\Local\Google\Chrome\User Data\Default

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 Disc Soft Lite Bus Service; C:\Program Files\DAEMON Tools Lite\DiscSoftBusService.exe [1444544 2016-03-01] (Disc Soft Ltd)
R2 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-05-19] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [130008 2011-04-16] (Symantec Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 RtVOsdService; C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [315392 2010-06-24] (Realtek Semiconductor Corp.) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\BASHDefs\20120531.001\BHDrvx64.sys [1160824 2012-04-03] (Symantec Corporation)
R3 dtlitescsibus; C:\Windows\System32\DRIVERS\dtlitescsibus.sys [30264 2016-03-14] (Disc Soft Ltd)
R3 dtliteusbbus; C:\Windows\System32\DRIVERS\dtliteusbbus.sys [47672 2016-03-14] (Disc Soft Ltd)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2012-05-30] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\IPSDefs\20120608.001\IDSvia64.sys [488568 2012-04-27] (Symantec Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2015-10-05] (Malwarebytes Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20120608.033\ENG64.SYS [120440 2012-05-15] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.0.0.128\Definitions\VirusDefs\20120608.033\EX64.SYS [2068600 2012-05-15] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-27] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2012-04-12] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-26] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-22 17:41 - 2016-03-22 17:42 - 00017558 _____ C:\Users\moonbat\Downloads\FRST.txt
2016-03-22 17:41 - 2016-03-22 17:41 - 00000000 ____D C:\FRST
2016-03-22 17:39 - 2016-03-22 17:40 - 02374144 _____ (Farbar) C:\Users\moonbat\Downloads\FRST64.exe
2016-03-21 22:59 - 2010-02-04 10:01 - 00024920 _____ (Microsoft Corporation) C:\Windows\system32\X3DAudio1_7.dll
2016-03-21 22:59 - 2010-02-04 10:01 - 00022360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\X3DAudio1_7.dll
2016-03-21 22:59 - 2007-04-04 18:54 - 00107368 _____ (Microsoft Corporation) C:\Windows\system32\xinput1_3.dll
2016-03-21 22:59 - 2007-04-04 18:53 - 00081768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\xinput1_3.dll
2016-03-21 22:55 - 2016-03-21 23:01 - 00000000 ____D C:\Program Files (x86)\R.G. Mechanics
2016-03-21 21:50 - 2016-03-21 21:58 - 05423104 _____ C:\Users\moonbat\Downloads\torbrowser-install-5.5.4_en-US.exe.part
2016-03-20 13:01 - 2016-03-22 17:28 - 00000000 ____D C:\Program Files (x86)\SpeedFan
2016-03-20 13:01 - 2016-03-20 13:01 - 00001007 _____ C:\Users\moonbat\Desktop\SpeedFan.lnk
2016-03-20 13:01 - 2016-03-20 13:01 - 00000045 _____ C:\Windows\SysWOW64\initdebug.nfo
2016-03-20 13:01 - 2016-03-20 13:01 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpeedFan
2016-03-20 12:59 - 2016-03-20 13:01 - 02218504 _____ C:\Users\moonbat\Downloads\instspeedfan451.exe
2016-03-19 12:43 - 2014-05-14 10:23 - 02477536 _____ (Microsoft Corporation) C:\Windows\system32\wuaueng.dll
2016-03-19 12:43 - 2014-05-14 10:23 - 00058336 _____ (Microsoft Corporation) C:\Windows\system32\wuauclt.exe
2016-03-19 12:43 - 2014-05-14 10:23 - 00044512 _____ (Microsoft Corporation) C:\Windows\system32\wups2.dll
2016-03-19 12:43 - 2014-05-14 10:21 - 02620928 _____ (Microsoft Corporation) C:\Windows\system32\wucltux.dll
2016-03-19 12:42 - 2014-05-14 10:23 - 00700384 _____ (Microsoft Corporation) C:\Windows\system32\wuapi.dll
2016-03-19 12:42 - 2014-05-14 10:23 - 00581600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2016-03-19 12:42 - 2014-05-14 10:23 - 00038880 _____ (Microsoft Corporation) C:\Windows\system32\wups.dll
2016-03-19 12:42 - 2014-05-14 10:23 - 00036320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2016-03-19 12:42 - 2014-05-14 10:20 - 00097792 _____ (Microsoft Corporation) C:\Windows\system32\wudriver.dll
2016-03-19 12:42 - 2014-05-14 10:17 - 00092672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2016-03-19 12:42 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\Windows\system32\wuwebv.dll
2016-03-19 12:42 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2016-03-19 12:42 - 2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\wuapp.exe
2016-03-19 12:42 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2016-03-16 12:35 - 2016-03-16 12:35 - 00000000 ____D C:\Windows\system32\SPReview
2016-03-16 12:34 - 2016-03-16 12:34 - 00000000 ____D C:\Windows\system32\EventProviders
2016-03-15 17:15 - 2016-03-15 17:15 - 00002195 _____ C:\Users\Public\Desktop\Sid Meier's Pirates!.lnk
2016-03-15 17:15 - 2016-03-15 17:15 - 00000000 ____D C:\Users\moonbat\Documents\My Games
2016-03-15 17:15 - 2016-03-15 17:15 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firaxis Games
2016-03-15 17:15 - 2016-03-15 17:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firaxis Games
2016-03-15 17:13 - 2016-03-15 17:13 - 00000000 ____D C:\Program Files (x86)\Firaxis Games
2016-03-15 16:28 - 2016-03-15 16:28 - 00002267 _____ C:\Users\Public\Desktop\Play Civilization III.lnk
2016-03-15 16:28 - 2016-03-15 16:28 - 00000000 _____ C:\Windows\PowerReg.dat
2016-03-15 16:20 - 2016-03-15 16:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Infogrames Interactive
2016-03-15 16:20 - 2016-03-15 16:20 - 00000000 ____D C:\Program Files (x86)\Infogrames Interactive
2016-03-15 14:03 - 2016-03-22 16:44 - 00000000 ____D C:\Users\moonbat\Downloads\Donnie Darko DIRECTORS CUT (2001) [1080p]
2016-03-15 13:47 - 2016-03-15 13:47 - 00000000 ____D C:\Users\moonbat\Downloads\Zoo Tycoon Complete Collection
2016-03-15 13:40 - 2016-03-15 20:34 - 1333475023 _____ C:\Users\moonbat\Downloads\Warcraft III RoC + TFT v1.26 Complete -IceBlitz.rar
2016-03-15 13:32 - 2016-03-21 22:34 - 00000000 ____D C:\Users\moonbat\Downloads\[R.G. Mechanics] Goat Simulator
2016-03-15 13:30 - 2016-03-15 13:30 - 00000000 ____D C:\Users\moonbat\Downloads\rzr-skrm
2016-03-15 00:28 - 2016-03-15 00:30 - 00000000 ____D C:\Users\moonbat\.gimp-2.8
2016-03-15 00:28 - 2016-03-15 00:28 - 00000000 ____D C:\Users\moonbat\AppData\Local\gegl-0.2
2016-03-15 00:28 - 2016-03-15 00:28 - 00000000 ____D C:\Users\moonbat\AppData\Local\fontconfig
2016-03-15 00:27 - 2016-03-15 00:27 - 00000894 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GIMP 2.lnk
2016-03-15 00:27 - 2016-03-15 00:27 - 00000000 ____D C:\Program Files\GIMP 2
2016-03-14 23:38 - 2016-03-14 23:38 - 00000000 ____D C:\Users\moonbat\AppData\Local\Adobe
2016-03-14 23:36 - 2016-03-14 23:36 - 00000000 ____D C:\Users\moonbat\AppData\Local\Disc_Soft_Ltd
2016-03-14 23:04 - 2016-03-15 16:41 - 00000000 ____D C:\Users\Public\Documents\Daemon Tools Images
2016-03-14 23:02 - 2016-03-14 23:02 - 00047672 _____ (Disc Soft Ltd) C:\Windows\system32\Drivers\dtliteusbbus.sys
2016-03-14 23:01 - 2016-03-14 23:05 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\DAEMON Tools Lite
2016-03-14 23:01 - 2016-03-14 23:02 - 00000000 ____D C:\Program Files\DAEMON Tools Lite
2016-03-14 23:01 - 2016-03-14 23:01 - 00030264 _____ (Disc Soft Ltd) C:\Windows\system32\Drivers\dtlitescsibus.sys
2016-03-14 23:01 - 2016-03-14 23:01 - 00001773 _____ C:\Users\Public\Desktop\DAEMON Tools Lite.lnk
2016-03-14 23:01 - 2016-03-14 23:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DAEMON Tools Lite
2016-03-14 23:00 - 2016-03-14 23:00 - 00000000 ____D C:\ProgramData\DAEMON Tools Lite
2016-03-14 22:46 - 2016-03-14 22:46 - 00692072 _____ (Disc Soft Ltd.) C:\Users\moonbat\Downloads\DTLiteInstaller(1).exe
2016-03-14 22:38 - 2016-03-20 20:37 - 00000000 ____D C:\Windows\System32\Tasks\Remediation
2016-03-14 22:37 - 2016-03-14 22:37 - 00000000 ____D C:\Program Files\Common Files\AV
2016-03-14 22:37 - 2016-03-14 22:37 - 00000000 ____D C:\Program Files (x86)\The Learning Company
2016-03-14 22:31 - 2016-03-14 22:31 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\PowerISO
2016-03-14 22:22 - 2016-03-14 22:28 - 03758992 _____ (Power Software Ltd) C:\Users\moonbat\Downloads\PowerISO6.exe
2016-03-14 20:13 - 2016-03-14 23:59 - 00000000 ____D C:\Users\moonbat\Downloads\Sid Meiers's Pirates!
2016-03-14 19:15 - 2016-03-14 19:15 - 00573322 _____ C:\Users\moonbat\Downloads\redcliff1892.jpg.bmp
2016-03-14 17:39 - 2016-03-14 17:39 - 00000000 ____D C:\Users\moonbat\AppData\LocalLow\Google
2016-03-14 17:38 - 2016-03-14 17:38 - 00002156 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Earth.lnk
2016-03-14 17:13 - 2016-03-14 21:34 - 00000000 ____D C:\Users\moonbat\AppData\Local\Microsoft Games
2016-03-14 16:59 - 2016-03-15 00:25 - 96823808 _____ (The GIMP Team ) C:\Users\moonbat\Downloads\gimp-2.8.16-setup-1.exe
2016-03-14 16:58 - 2016-03-14 17:00 - 00987728 _____ (Google Inc.) C:\Users\moonbat\Downloads\GoogleEarthSetup.exe
2016-03-14 16:17 - 2016-03-14 16:17 - 00007601 _____ C:\Users\moonbat\AppData\Local\Resmon.ResmonCfg
2016-03-13 17:45 - 2016-03-15 17:16 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2016-03-13 16:18 - 2016-03-18 13:45 - 00000000 ___SD C:\Windows\system32\CompatTel
2016-03-13 16:18 - 2016-03-18 13:45 - 00000000 ____D C:\Windows\system32\appraiser
2016-03-13 15:34 - 2016-03-13 15:38 - 00000000 ____D C:\Windows\system32\MRT
2016-03-13 15:33 - 2016-03-13 15:34 - 143659408 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-03-13 15:27 - 2016-02-19 13:02 - 00038336 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2016-03-13 15:27 - 2016-02-19 12:54 - 01168896 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2016-03-13 15:27 - 2016-02-19 08:07 - 01373184 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2016-03-13 15:27 - 2016-02-11 08:07 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2016-03-13 15:27 - 2016-02-05 08:07 - 00696832 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2016-03-13 15:27 - 2016-02-05 08:07 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2016-03-13 15:27 - 2016-02-05 08:07 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2016-03-13 15:27 - 2015-11-16 08:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2016-03-13 15:27 - 2015-01-27 17:23 - 01239720 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2016-03-13 14:58 - 2016-03-13 14:58 - 00274432 _____ C:\Windows\Minidump\031316-32058-01.dmp
2016-03-13 13:28 - 2016-03-18 22:16 - 00003198 _____ C:\Windows\System32\Tasks\HPCeeScheduleFormoonbat
2016-03-13 13:28 - 2016-03-18 22:16 - 00000340 _____ C:\Windows\Tasks\HPCeeScheduleFormoonbat.job
2016-03-13 11:55 - 2016-03-15 21:43 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-03-13 11:54 - 2016-03-13 11:54 - 00001102 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-03-13 11:54 - 2016-03-13 11:54 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-03-13 11:54 - 2016-03-13 11:54 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-03-13 11:54 - 2016-03-13 11:54 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-03-13 11:54 - 2015-10-05 09:50 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-03-13 11:54 - 2015-10-05 09:50 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-03-13 11:54 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-03-13 11:46 - 2016-03-13 11:49 - 22908888 _____ (Malwarebytes ) C:\Users\moonbat\Downloads\mbam-setup-2.2.0.1024.exe
2016-03-13 10:30 - 2016-03-13 10:31 - 00274432 _____ C:\Windows\Minidump\031316-24398-01.dmp
2016-03-12 22:59 - 2016-03-12 22:59 - 00001236 _____ C:\Users\Public\Desktop\World of Warcraft.lnk
2016-03-12 22:59 - 2016-03-12 22:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Warcraft
2016-03-12 22:06 - 2016-03-21 19:37 - 00000000 ____D C:\Program Files (x86)\World of Warcraft
2016-03-12 21:57 - 2016-03-22 17:39 - 00000000 ____D C:\Users\moonbat\AppData\Local\Battle.net
2016-03-12 21:57 - 2016-03-12 21:57 - 00000000 ____D C:\Users\moonbat\AppData\Local\Blizzard Entertainment
2016-03-12 21:57 - 2016-03-12 21:57 - 00000000 ____D C:\ProgramData\Blizzard Entertainment
2016-03-08 21:56 - 2016-03-22 17:29 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-03-08 21:54 - 2016-03-12 22:01 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\Battle.net
2016-03-08 21:53 - 2016-03-08 21:54 - 00000000 ____D C:\ProgramData\Battle.net
2016-03-08 21:52 - 2016-03-08 21:52 - 02993208 _____ (Blizzard Entertainment) C:\Users\moonbat\Downloads\World-of-Warcraft-Setup.exe
2016-03-08 20:17 - 2016-03-14 22:24 - 565116928 _____ C:\Users\moonbat\Downloads\The Oregon Trail 5th.iso
2016-03-08 20:14 - 2016-03-21 19:36 - 00000000 ____D C:\Users\moonbat\AppData\LocalLow\uTorrent
2016-03-08 20:13 - 2016-03-08 20:13 - 00002611 _____ C:\Users\moonbat\Desktop\µTorrent.lnk
2016-03-08 20:13 - 2016-03-08 20:13 - 00002611 _____ C:\Users\moonbat\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk
2016-03-08 20:09 - 2016-03-08 20:09 - 00690448 _____ (Disc Soft Ltd.) C:\Users\moonbat\Downloads\DTLiteInstaller.exe
2016-03-08 20:07 - 2016-03-22 17:28 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\uTorrent
2016-03-08 20:06 - 2016-03-08 20:06 - 02094080 _____ (BitTorrent Inc.) C:\Users\moonbat\Downloads\uTorrent.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-22 17:37 - 2012-04-13 23:29 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-03-22 17:33 - 2012-04-13 23:28 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-03-22 16:41 - 2009-07-13 23:13 - 00726316 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-22 16:41 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2016-03-21 21:09 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\rescache
2016-03-21 20:55 - 2009-07-13 22:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-21 20:55 - 2009-07-13 22:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-21 19:37 - 2012-04-13 23:29 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-03-20 20:34 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-20 13:01 - 2012-04-15 16:41 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-03-18 14:07 - 2010-07-10 22:29 - 00000000 ____D C:\ProgramData\Adobe
2016-03-18 14:07 - 2009-07-13 23:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2016-03-18 14:00 - 2009-07-13 22:45 - 00285448 _____ C:\Windows\system32\FNTCACHE.DAT
2016-03-18 13:51 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2016-03-18 13:51 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2016-03-18 13:51 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2016-03-18 13:51 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-03-18 13:50 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-03-18 13:50 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-03-18 13:50 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files\Windows Defender
2016-03-18 13:50 - 2009-07-13 23:32 - 00000000 ____D C:\Program Files\DVD Maker
2016-03-18 13:50 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\servicing
2016-03-18 13:50 - 2009-07-13 21:20 - 00000000 ____D C:\Program Files\Common Files\System
2016-03-18 13:49 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2016-03-18 13:49 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2016-03-18 13:49 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2016-03-18 13:49 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2016-03-18 13:49 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2016-03-18 13:49 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2016-03-18 13:46 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-03-18 13:45 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\Setup
2016-03-18 13:45 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\oobe
2016-03-18 13:45 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\migwiz
2016-03-18 13:45 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\manifeststore
2016-03-18 13:45 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\Dism
2016-03-18 13:45 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2016-03-18 13:37 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\PLA
2016-03-16 23:45 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\NDF
2016-03-16 12:51 - 2009-07-13 20:36 - 00175616 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2016-03-16 12:51 - 2009-07-13 20:36 - 00152576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2016-03-15 20:33 - 2012-04-21 22:19 - 00000000 ____D C:\Users\moonbat\AppData\Local\CrashDumps
2016-03-15 17:16 - 2010-07-10 21:10 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-03-15 00:36 - 2012-04-13 23:28 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-03-15 00:36 - 2012-04-13 23:28 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-03-15 00:36 - 2012-04-13 23:28 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-03-15 00:28 - 2012-04-10 13:24 - 00000000 ____D C:\Users\moonbat
2016-03-15 00:18 - 2010-11-20 03:01 - 00000000 ____D C:\ProgramData\WildTangent
2016-03-14 23:38 - 2012-04-12 18:49 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\Adobe
2016-03-14 17:38 - 2012-04-13 23:29 - 00000000 ____D C:\Program Files (x86)\Google
2016-03-14 17:12 - 2012-04-15 13:03 - 00000000 ____D C:\Windows\System32\Tasks\Games
2016-03-14 17:00 - 2012-04-12 18:54 - 00000000 ____D C:\Users\Public\CyberLink
2016-03-14 17:00 - 2012-04-12 18:53 - 00000000 ____D C:\Users\moonbat\AppData\Roaming\CyberLink
2016-03-14 14:06 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\AppCompat
2016-03-13 14:58 - 2012-04-15 08:37 - 00000000 ____D C:\Windows\Minidump
2016-03-13 14:57 - 2012-04-15 08:37 - 506720384 _____ C:\Windows\MEMORY.DMP
2016-03-13 12:10 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\Web
2016-03-13 11:51 - 2012-04-13 23:29 - 00000000 ____D C:\Users\moonbat\AppData\Local\Google
2016-03-08 20:32 - 2012-04-13 23:29 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-03-08 20:32 - 2012-04-13 23:29 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-03-08 19:35 - 2010-11-20 03:07 - 00000000 ____D C:\Program Files (x86)\Bing Bar Installer

==================== Files in the root of some directories =======

2012-04-14 12:57 - 2012-04-14 12:57 - 0007168 _____ () C:\Users\moonbat\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-03-14 16:17 - 2016-03-14 16:17 - 0007601 _____ () C:\Users\moonbat\AppData\Local\Resmon.ResmonCfg
2010-11-20 02:53 - 2010-11-20 02:53 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2010-07-10 22:57 - 2010-07-10 22:57 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2010-11-20 02:52 - 2010-11-20 02:52 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2010-07-10 22:51 - 2010-07-10 22:52 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-11-20 02:52 - 2010-11-20 02:52 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2010-11-20 02:53 - 2010-11-20 02:53 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2010-07-10 22:50 - 2010-07-10 22:51 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2010-07-10 22:52 - 2010-07-10 22:56 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2010-11-20 02:53 - 2010-11-20 02:53 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log

Some files in TEMP:
====================
C:\Users\moonbat\AppData\Local\Temp\Extract.exe
C:\Users\moonbat\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\moonbat\AppData\Local\Temp\HPQSi.exe
C:\Users\moonbat\AppData\Local\Temp\MSN270.exe
C:\Users\moonbat\AppData\Local\Temp\sfamcc00001.dll
C:\Users\moonbat\AppData\Local\Temp\sfamcc00002.dll
C:\Users\moonbat\AppData\Local\Temp\sfamcc00003.dll
C:\Users\moonbat\AppData\Local\Temp\sfareca00001.dll
C:\Users\moonbat\AppData\Local\Temp\sfareca00002.dll
C:\Users\moonbat\AppData\Local\Temp\sfextra.dll
C:\Users\moonbat\AppData\Local\Temp\SP50498.exe
C:\Users\moonbat\AppData\Local\Temp\SP50718.exe
C:\Users\moonbat\AppData\Local\Temp\SP50720.exe
C:\Users\moonbat\AppData\Local\Temp\SP51650.exe
C:\Users\moonbat\AppData\Local\Temp\SP51976.exe
C:\Users\moonbat\AppData\Local\Temp\SP52131.exe
C:\Users\moonbat\AppData\Local\Temp\SP52407.exe
C:\Users\moonbat\AppData\Local\Temp\SP52509.exe
C:\Users\moonbat\AppData\Local\Temp\sp54620.exe
C:\Users\moonbat\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\moonbat\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\moonbat\AppData\Local\Temp\vcredist_x64.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-03-12 21:24

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by moonbat (2016-03-22 17:43:23)
Running from C:\Users\moonbat\Downloads
Windows 7 Home Premium Service Pack 1 (X64) (2012-04-10 19:24:42)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1812937233-829621150-4232323728-500 - Administrator - Disabled)
Guest (S-1-5-21-1812937233-829621150-4232323728-501 - Limited - Disabled)
moonbat (S-1-5-21-1812937233-829621150-4232323728-1000 - Administrator - Enabled) => C:\Users\moonbat

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Internet Security (Disabled - Out of date) {53C7D717-52E2-B95E-FA61-6F32ECC805DB}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Disabled - Out of date) {E8A636F3-74D8-B6D0-C0D1-5440974F4F66}
FW: Norton Internet Security (Disabled) {6BFC5632-188D-B806-D13E-C607121B42A0}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1812937233-829621150-4232323728-1000\...\uTorrent) (Version: 3.4.5.41865 - BitTorrent Inc.)
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.182 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.182 - Adobe Systems Incorporated)
Adobe Reader 9.3 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.3.0 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM-x32\...\{9ECF7817-DB11-4FBA-9DF1-296A578D513A}) (Version: 11.5.7.609 - Adobe Systems, Inc)
Apple Mobile Device Support (HKLM\...\{6A76BEAF-6D1F-4273-A79B-DA8410A2E56B}) (Version: 5.2.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 9.2 - Atheros)
ATI Catalyst Install Manager (HKLM\...\{ECD0D4B5-FFA9-6E1B-A08D-58E82EA5EEB9}) (Version: 3.0.765.0 - ATI Technologies, Inc.)
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build-a-lot 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
ccc-core-static (x32 Version: 2010.0617.855.14122 - ATI) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
CinemaNow Media Manager (HKLM-x32\...\{6C122441-1861-4CD7-B1C5-A163A6984E12}) (Version: 1.9.1.105 - CinemaNow, Inc.)
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
Civilization III (HKLM-x32\...\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}) (Version: - )
CyberLink DVD Suite (HKLM-x32\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 7.0.3003 - CyberLink Corp.)
CyberLink MediaShow (HKLM-x32\...\InstallShield_{80E158EA-7181-40FE-A701-301CE6BE64AB}) (Version: 5.0.1616 - CyberLink Corp.)
CyberLink PowerDVD 9 (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.0.1.4217 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.0.2511 - CyberLink Corp.)
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 10.3.0.0152 - Disc Soft Ltd)
Diner Dash 2 Restaurant Rescue (x32 Version: 2.2.0.95 - WildTangent) Hidden
Dora's Carnival Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
Energy Star Digital Logo (HKLM-x32\...\{BD1A34C9-4764-4F79-AE1F-112F8C89D3D4}) (Version: 1.0.1 - Hewlett-Packard)
Escape Rosecliff Island (x32 Version: 2.2.0.95 - WildTangent) Hidden
ESU for Microsoft Windows 7 (HKLM-x32\...\{3877C901-7B90-4727-A639-B6ED2DD59D43}) (Version: 1.0.0 - Hewlett-Packard)
FATE (x32 Version: 2.2.0.95 - WildTangent) Hidden
Final Drive Nitro (x32 Version: 2.2.0.95 - WildTangent) Hidden
GIMP 2.8.16 (HKLM\...\GIMP-2_is1) (Version: 2.8.16 - The GIMP Team)
Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.7210.1528 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.21.115 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
Heroes of Hellas 2 - Olympia (x32 Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.1.2.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Advisor (HKLM-x32\...\{40FB8D7C-6FF8-4AF2-BC8B-0B1DB32AF04B}) (Version: 3.4.10262.3295 - Hewlett-Packard)
HP Documentation (HKLM-x32\...\{5E25081D-9CB4-4B17-AD2B-8DF2DC335E85}) (Version: 1.1.1.0 - Hewlett-Packard)
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.1.3 - WildTangent)
HP MediaSmart CinemaNow 2.0 (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.3611 - HP Photo Creations Powered by RocketLife)
HP Power Manager (HKLM-x32\...\{4B156358-CE9C-4E9F-8CAD-79AE86A68C60}) (Version: 1.0.3 - Hewlett-Packard Company)
HP Quick Launch (HKLM-x32\...\{EB58480C-0721-483C-B354-9D35A147999F}) (Version: 2.3.6 - Hewlett-Packard Company)
HP Setup (HKLM-x32\...\{72D90DB3-A16A-4545-B555-868471101833}) (Version: 8.1.4186.3400 - Hewlett-Packard)
HP Software Framework (HKLM-x32\...\{97174E88-52F9-445A-A28E-704A45332D19}) (Version: 4.0.108.1 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}) (Version: 6.1.12.1 - Hewlett-Packard Company)
HP Wireless Assistant (HKLM\...\{B5FC1E1B-E70D-45F1-8E40-A3C30698B323}) (Version: 4.0.9.0 - Hewlett-Packard Company)
Java™ 6 Update 20 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86416020FF}) (Version: 6.0.200 - Sun Microsystems, Inc.)
Java™ 6 Update 20 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216020FF}) (Version: 6.0.200 - Sun Microsystems, Inc.)
Jewel Quest 3 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Jewel Quest Solitaire 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 14.0.8117.416 - Microsoft Corporation) Hidden
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.2907 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.2907 - CyberLink Corp.) Hidden
LightScribe System Software (HKLM-x32\...\{46BA053F-57B3-4153-BDB6-D37EEC8B12D7}) (Version: 1.18.15.1 - LightScribe)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.50401.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052B-02A4-4627-81F2-1818DA5D550D}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Mozilla Firefox 14.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 14.0.1 (x86 en-US)) (Version: 14.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 14.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Norton Internet Security (HKLM-x32\...\NIS) (Version: 18.7.2.3 - Symantec Corporation)
Norton Online Backup (HKLM-x32\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.1.17869 - Symantec Corporation)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
PhotoNow! (HKLM-x32\...\InstallShield_{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.6904 - CyberLink Corp.)
PhotoNow! (x32 Version: 1.1.6904 - CyberLink Corp.) Hidden
Plants vs. Zombies (x32 Version: 2.2.0.95 - WildTangent) Hidden
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.4204 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.4204 - CyberLink Corp.) Hidden
PowerDirector (HKLM-x32\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 8.0.3003 - CyberLink Corp.)
PowerDirector (x32 Version: 8.0.3003 - CyberLink Corp.) Hidden
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.18.322.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6206 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30120 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.3023 - CyberLink Corp.) Hidden
RtVOsd (HKLM\...\{091A0130-A82F-4A6D-9C61-3BBBB3289030}) (Version: 1.0.6 - Realtek Semiconductor Corp.)
Sid Meier's Pirates! (HKLM-x32\...\InstallShield_{1632FD86-1BA4-4FC4-8B25-A8C655D63F68}) (Version: 2.00.0000 - Firaxis Games)
Sid Meier's Pirates! (x32 Version: 2.00.0000 - Firaxis Games) Hidden
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version: - )
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.1.6.64 - Synaptics Incorporated)
Virtual Families (x32 Version: 2.2.0.95 - WildTangent) Hidden
Virtual Villagers - The Secret City (x32 Version: 2.2.0.95 - WildTangent) Hidden
Wheel of Fortune 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite_Wave3) (Version: 14.0.8117.0416 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Live Upload Tool (HKLM-x32\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version: - Blizzard Entertainment)
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {09031E02-2E9A-42DA-8448-E86849A61124} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFMsgr.exe [2011-09-09] (Hewlett-Packard Company)
Task: {09754ABB-5634-45F8-9B30-86DAE9E284D3} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater\HPSFUpdater.exe [2013-02-19] (Hewlett-Packard)
Task: {130886DB-DA90-4FD9-ACBC-DF36A19512DE} - System32\Tasks\RecoveryCDWin7 => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-05-25] ()
Task: {17FFF7E0-75F9-42FA-80F7-AA5A817D568E} - System32\Tasks\HPCeeScheduleFormoonbat => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13] (Hewlett-Packard)
Task: {362FC66F-74B3-4CF0-9E03-C920320CC1E9} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-03-13] (Hewlett-Packard Company)
Task: {3C3CF800-D889-4052-8D3F-A8DB6911EF4F} - System32\Tasks\Games\UpdateCheck_S-1-5-21-1812937233-829621150-4232323728-1000
Task: {465C07BB-F0B3-4B6F-AE0F-E921CB2C9BCF} - System32\Tasks\Remediation\AntimalwareMigrationTask => C:\Program Files\Common Files\AV\Norton Internet Security\Upgrade.exe [2015-08-06] (Symantec Corporation)
Task: {4B63FF7C-4C1F-4708-AC7C-A38F190F2688} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-03-15] (Adobe Systems Incorporated)
Task: {5849AAE0-1867-483B-B3BB-3DEEB92397CF} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {6C180DF0-6C3D-49C6-B065-72525BB41A2A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Ghost Resign Task => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\HPResignFileLoader.exe [2016-03-15] (Microsoft)
Task: {712746B1-B2B5-4249-8A80-1DEED797DB81} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Total Care Tune-Up => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPTuneUp.exe [2011-03-22] (Hewlett-Packard Company)
Task: {9914A1DD-BF04-4361-A14B-C43DE98902C2} - System32\Tasks\Symantec\Norton Error Analyzer 18.7.2.3 => C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\SymErr.exe [2012-06-07] (Symantec Corporation)
Task: {9C30F4CF-A211-4645-960D-5125FF7AD948} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-03-08] (Google Inc.)
Task: {B9C54780-2574-412C-9153-C53B59EE5546} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Tuneup => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-03-13] (Hewlett-Packard Company)
Task: {C87D7543-096A-47BE-97E7-37FF425ACABE} - System32\Tasks\Symantec\Norton Error Processor 18.7.2.3 => C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\SymErr.exe [2012-06-07] (Symantec Corporation)
Task: {C9A7B9A7-B5E4-4432-8D7C-65A8B5593473} - System32\Tasks\Registration => C:\Program Files (x86)\Hewlett-Packard\HP Setup\RemEngine.exe [2010-05-25] ()
Task: {D1D2B984-461D-447D-B211-053C4E1335E2} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HPSAObjUtilTask => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\UtilTask.exe [2016-03-15] (Microsoft)
Task: {DA10B6EA-095F-4F5C-B574-C0CE2C75F9D3} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-03-08] (Google Inc.)
Task: {DC5B01E2-0D73-4EA4-AA7D-82A47461B960} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2016-02-22] (HP Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleFormoonbat.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

2010-06-10 18:42 - 2010-06-10 18:42 - 00016384 ____R () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll
2010-11-20 02:41 - 2010-11-20 02:41 - 00270336 _____ () C:\Windows\assembly\GAC_MSIL\CLI.Aspect.CrossDisplay.Graphics.Dashboard\1.0.0.0__90ba9c70f846762e\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2010-06-18 17:26 - 2010-06-18 17:26 - 00030264 _____ () C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_LogicLayer.dll
2010-06-18 17:26 - 2010-06-18 17:26 - 00052280 _____ () C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HardwareAccess.dll
2010-06-18 17:26 - 2010-06-18 17:26 - 00267832 _____ () C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPCommon.XmlSerializers.dll
2016-03-20 13:02 - 2016-03-21 21:47 - 00158720 _____ () C:\Users\moonbat\AppData\Local\Temp\sfareca00001.dll
2016-03-20 13:02 - 2016-03-21 21:47 - 00192512 _____ () C:\Users\moonbat\AppData\Local\Temp\sfamcc00001.dll
2016-03-22 17:28 - 2016-03-22 17:28 - 00158720 _____ () C:\Users\moonbat\AppData\Local\Temp\sfareca00002.dll
2016-03-20 13:15 - 2016-03-22 17:28 - 00192512 _____ () C:\Users\moonbat\AppData\Local\Temp\sfamcc00002.dll
2016-03-12 21:45 - 2016-03-12 21:48 - 26065408 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\libcef.dll
2016-03-12 21:48 - 2016-03-12 21:48 - 00739840 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\libGLESv2.dll
2016-03-12 21:57 - 2016-03-12 21:57 - 00293040 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\ortp.dll
2016-03-12 21:49 - 2016-03-12 21:49 - 00909312 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\platforms\qwindows.dll
2016-03-12 21:50 - 2016-03-12 21:50 - 00130048 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\libEGL.dll
2016-03-12 21:48 - 2016-03-12 21:48 - 00020992 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\imageformats\qgif.dll
2016-03-12 21:48 - 2016-03-12 21:48 - 00021504 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\imageformats\qico.dll
2016-03-12 21:48 - 2016-03-12 21:48 - 00205312 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\imageformats\qjpeg.dll
2016-03-12 21:48 - 2016-03-12 21:48 - 00225792 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\imageformats\qmng.dll
2016-03-12 21:48 - 2016-03-12 21:48 - 00015872 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\imageformats\qsvg.dll
2016-03-12 21:48 - 2016-03-12 21:48 - 00312832 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\imageformats\qtiff.dll
2016-03-12 21:50 - 2016-03-12 21:50 - 00010240 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\qml\QtQuick.2\qtquick2plugin.dll
2016-03-12 21:50 - 2016-03-12 21:50 - 00054272 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\qml\QtQuick\Layouts\qquicklayoutsplugin.dll
2016-03-12 21:50 - 2016-03-12 21:50 - 00010240 _____ () C:\Program Files (x86)\Battle.net\Battle.net.6890\qml\QtQml\Models.2\modelsplugin.dll
2012-04-15 16:41 - 2012-07-20 22:05 - 02003424 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2016-03-15 00:36 - 2016-03-15 00:36 - 19397824 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:34 - 2009-06-10 15:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1812937233-829621150-4232323728-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\moonbat\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.11.12.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{ECC83859-F826-4E60-8C70-2679218588B5}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\wlcsdk.exe
FirewallRules: [{2FD18DD4-08D1-44F4-90D1-0C71DB9B0B85}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{CACE2A3F-94D0-4A90-9C85-DE45A5BB75A9}] => (Allow) svchost.exe
FirewallRules: [{6E2A430E-41B8-4970-9896-E5137A06EF68}] => (Allow) C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe
FirewallRules: [{A3A4B663-7DAA-4562-A680-C47CAC7A17FC}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDirector\PDR8.EXE
FirewallRules: [{05286243-CB7A-40E8-9A32-F5C0499B5E6E}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\CinemaNow\CinemaNow.exe
FirewallRules: [{DB7B2A39-64C8-4E5C-99D4-AF79E6E5083A}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\MediaSmart\CinemaNow\CinemaNow.exe
FirewallRules: [{50180B44-74FB-4194-97EA-C3BCA42936F4}] => (Allow) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe
FirewallRules: [{6EB33EFE-CA46-4174-BB7E-02AC6CC7A46E}] => (Allow) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe
FirewallRules: [{A9409D8C-C6F3-4790-8042-43159C8F7D32}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD9\PowerDVD9.EXE
FirewallRules: [{75BDD6D4-AF77-4B3D-9D13-B3F47AC19C9F}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{2C2A3F1D-AFBE-4F55-B4C7-D9D769885DED}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{6DA78423-03B5-44B1-BE83-AF1872EE4B7D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{EF348851-CDCE-4C54-90F1-ADE63CC913CD}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{B64E501A-F092-4F26-86D2-3720200B199D}] => (Allow) C:\Users\moonbat\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{0AF440CC-C047-432C-AB75-F67740462955}] => (Allow) C:\Users\moonbat\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{3447A1FB-D6FA-4197-AB41-C69E3F66841D}] => (Allow) C:\Users\moonbat\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{B56E3BF9-EB13-495D-806F-CD8E34B8FDF2}] => (Allow) C:\Users\moonbat\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{B1D8DFA7-3012-4113-BE17-C3C016746FFD}] => (Allow) C:\Users\moonbat\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{8840FBF6-41D9-4661-8123-A47E46474AAB}] => (Allow) C:\Users\moonbat\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{E5F9B237-E42A-4043-B100-81267E221322}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe

==================== Restore Points =========================

14-03-2016 23:01:38 Device Driver Package Install: Disc Soft Ltd Storage controllers
14-03-2016 23:02:58 Device Driver Package Install: Disc Soft Ltd Universal Serial Bus controllers
15-03-2016 17:12:19 Installed Sid Meier's Pirates!
16-03-2016 12:33:12 Windows Update
19-03-2016 12:35:58 Windows Update
19-03-2016 12:41:55 Windows Update
21-03-2016 22:59:05 Installed DirectX

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/21/2016 10:51:47 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 406429

Error: (03/21/2016 10:51:47 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 406429

Error: (03/21/2016 10:51:47 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/21/2016 10:51:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 405431

Error: (03/21/2016 10:51:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 405431

Error: (03/21/2016 10:51:46 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/21/2016 10:51:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 404433

Error: (03/21/2016 10:51:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 404433

Error: (03/21/2016 10:51:45 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (03/21/2016 10:45:02 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 2246


System errors:
=============
Error: (03/22/2016 05:30:57 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Disc Soft Lite Bus Service service terminated unexpectedly. It has done this 1 time(s).

Error: (03/22/2016 05:30:45 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The CinemaNow Service service terminated unexpectedly. It has done this 1 time(s).

Error: (03/22/2016 04:41:07 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (03/22/2016 04:41:07 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (03/22/2016 04:41:07 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (03/22/2016 04:41:07 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (03/22/2016 04:41:07 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (03/22/2016 04:41:07 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (03/22/2016 04:41:04 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (03/22/2016 04:41:02 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.


==================== Memory info ===========================

Processor: AMD Athlon™ II P340 Dual-Core Processor
Percentage of memory in use: 76%
Total physical RAM: 3834.9 MB
Available physical RAM: 883.61 MB
Total Virtual: 7668 MB
Available Virtual: 3585.11 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:280.45 GB) (Free:218.29 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (RECOVERY) (Fixed) (Total:17.35 GB) (Free:2.51 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (CIV3) (CDROM) (Total:0.57 GB) (Free:0 GB) CDFS
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 82337274)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=280.4 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=17.3 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

==================== End of Addition.txt ============================

Attached Files


Edited by Oh My!, 23 March 2016 - 10:55 AM.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:03:56 AM

Posted 23 March 2016 - 10:59 AM

Greetings Kozzy13 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

I see you have installed SpeedFan. Do you have the temperature readings from the program?

Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed you will see Pending. Please check elements you don't want to remove above the progress bar
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can also find the logfile at C:\AdwCleaner\AdwCleaner.txt
===================================================

Junkware Removal Tool

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1812937233-829621150-4232323728-1000\...\MountPoints2: {6eccd454-829c-11e1-933a-806e6f6e6963} - E:\autorun.exe
SearchScopes: HKLM -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
2010-11-20 02:53 - 2010-11-20 02:53 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2010-07-10 22:57 - 2010-07-10 22:57 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2010-11-20 02:52 - 2010-11-20 02:52 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2010-07-10 22:51 - 2010-07-10 22:52 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-11-20 02:52 - 2010-11-20 02:52 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2010-11-20 02:53 - 2010-11-20 02:53 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2010-07-10 22:50 - 2010-07-10 22:51 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2010-07-10 22:52 - 2010-07-10 22:56 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2010-11-20 02:53 - 2010-11-20 02:53 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
C:\Users\moonbat\AppData\Local\Temp\Extract.exe
C:\Users\moonbat\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\moonbat\AppData\Local\Temp\HPQSi.exe
C:\Users\moonbat\AppData\Local\Temp\MSN270.exe
C:\Users\moonbat\AppData\Local\Temp\sfamcc00001.dll
C:\Users\moonbat\AppData\Local\Temp\sfamcc00002.dll
C:\Users\moonbat\AppData\Local\Temp\sfamcc00003.dll
C:\Users\moonbat\AppData\Local\Temp\sfareca00001.dll
C:\Users\moonbat\AppData\Local\Temp\sfareca00002.dll
C:\Users\moonbat\AppData\Local\Temp\sfextra.dll
C:\Users\moonbat\AppData\Local\Temp\SP50498.exe
C:\Users\moonbat\AppData\Local\Temp\SP50718.exe
C:\Users\moonbat\AppData\Local\Temp\SP50720.exe
C:\Users\moonbat\AppData\Local\Temp\SP51650.exe
C:\Users\moonbat\AppData\Local\Temp\SP51976.exe
C:\Users\moonbat\AppData\Local\Temp\SP52131.exe
C:\Users\moonbat\AppData\Local\Temp\SP52407.exe
C:\Users\moonbat\AppData\Local\Temp\SP52509.exe
C:\Users\moonbat\AppData\Local\Temp\sp54620.exe
C:\Users\moonbat\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\moonbat\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\moonbat\AppData\Local\Temp\vcredist_x64.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • SpeedFan information?
  • AdwCleaner log
  • Junkware log
  • Fixlog
  • System Summary Information
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 Kozzy13

Kozzy13
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 23 March 2016 - 02:38 PM

Hi Gary, and thanks. My name is Elaina.

 

I uninstalled the P2P Program.

 

Not sure how to generate a log on speedfan for you, but the HD0 runs around 32C, and Temp1 and the core run between 59C-69C right now, with it saying the CPU is all over the place. I did disassemble the laptop and clean it of all dust, and it has been running a little cooler since that, and hasn't shut down from heat yet.

 

# AdwCleaner v5.105 - Logfile created 23/03/2016 at 12:03:23
# Updated 21/03/2016 by Xplode
# Database : 2016-03-23.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : moonbat - MOONBAT-HP
# Running from : C:\Users\moonbat\Downloads\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk

***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1AAF148D-8B31-4653-A72A-17A2E3E1936B}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1AAF148D-8B31-4653-A72A-17A2E3E1936B}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1AAF148D-8B31-4653-A72A-17A2E3E1936B}

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1271 bytes] - [23/03/2016 12:03:23]
C:\AdwCleaner\AdwCleaner[S1].txt - [1454 bytes] - [23/03/2016 11:59:00]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1417 bytes] ##########

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x64
Ran by moonbat (Administrator) on Wed 03/23/2016 at 12:23:21.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 27

Failed to delete: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Failed to delete: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3JKPEVJV (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AP530QC9 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLU131S4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQG75AAC (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H23IN3XZ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJNOZ7YX (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L4NKB1KK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MKBBKF0E (Temporary Internet Files Folder)
Successfully deleted: C:\Users\moonbat\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WR619QAK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\prefetch\GOOGLETOOLBARUSER_32.EXE-34B1B1C5.pf (File)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3JKPEVJV (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AP530QC9 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DLU131S4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DQG75AAC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H23IN3XZ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HJNOZ7YX (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L4NKB1KK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MKBBKF0E (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WR619QAK (Temporary Internet Files Folder)



Registry: 2

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 03/23/2016 at 12:26:15.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by moonbat (2016-03-23 12:30:19) Run:1
Running from C:\Users\moonbat\Desktop
Loaded Profiles: moonbat (Available Profiles: moonbat)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1812937233-829621150-4232323728-1000\...\MountPoints2: {6eccd454-829c-11e1-933a-806e6f6e6963} - E:\autorun.exe
SearchScopes: HKLM -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> {1AAF148D-8B31-4653-A72A-17A2E3E1936B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKU\S-1-5-21-1812937233-829621150-4232323728-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
2010-11-20 02:53 - 2010-11-20 02:53 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2010-07-10 22:57 - 2010-07-10 22:57 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2010-11-20 02:52 - 2010-11-20 02:52 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2010-07-10 22:51 - 2010-07-10 22:52 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-11-20 02:52 - 2010-11-20 02:52 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2010-11-20 02:53 - 2010-11-20 02:53 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2010-07-10 22:50 - 2010-07-10 22:51 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2010-07-10 22:52 - 2010-07-10 22:56 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2010-11-20 02:53 - 2010-11-20 02:53 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
C:\Users\moonbat\AppData\Local\Temp\Extract.exe
C:\Users\moonbat\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe
C:\Users\moonbat\AppData\Local\Temp\HPQSi.exe
C:\Users\moonbat\AppData\Local\Temp\MSN270.exe
C:\Users\moonbat\AppData\Local\Temp\sfamcc00001.dll
C:\Users\moonbat\AppData\Local\Temp\sfamcc00002.dll
C:\Users\moonbat\AppData\Local\Temp\sfamcc00003.dll
C:\Users\moonbat\AppData\Local\Temp\sfareca00001.dll
C:\Users\moonbat\AppData\Local\Temp\sfareca00002.dll
C:\Users\moonbat\AppData\Local\Temp\sfextra.dll
C:\Users\moonbat\AppData\Local\Temp\SP50498.exe
C:\Users\moonbat\AppData\Local\Temp\SP50718.exe
C:\Users\moonbat\AppData\Local\Temp\SP50720.exe
C:\Users\moonbat\AppData\Local\Temp\SP51650.exe
C:\Users\moonbat\AppData\Local\Temp\SP51976.exe
C:\Users\moonbat\AppData\Local\Temp\SP52131.exe
C:\Users\moonbat\AppData\Local\Temp\SP52407.exe
C:\Users\moonbat\AppData\Local\Temp\SP52509.exe
C:\Users\moonbat\AppData\Local\Temp\sp54620.exe
C:\Users\moonbat\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\moonbat\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\moonbat\AppData\Local\Temp\vcredist_x64.exe
*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-1812937233-829621150-4232323728-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6eccd454-829c-11e1-933a-806e6f6e6963}" => key removed successfully
HKCR\CLSID\{6eccd454-829c-11e1-933a-806e6f6e6963} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1AAF148D-8B31-4653-A72A-17A2E3E1936B} => key not found.
HKCR\CLSID\{1AAF148D-8B31-4653-A72A-17A2E3E1936B} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{1AAF148D-8B31-4653-A72A-17A2E3E1936B} => key not found.
HKCR\Wow6432Node\CLSID\{1AAF148D-8B31-4653-A72A-17A2E3E1936B} => key not found.
HKU\S-1-5-21-1812937233-829621150-4232323728-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1AAF148D-8B31-4653-A72A-17A2E3E1936B} => key not found.
HKCR\CLSID\{1AAF148D-8B31-4653-A72A-17A2E3E1936B} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found.
HKU\S-1-5-21-1812937233-829621150-4232323728-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log => moved successfully
C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log => moved successfully
C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log => moved successfully
C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log => moved successfully
C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log => moved successfully
C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log => moved successfully
C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log => moved successfully
C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log => moved successfully
C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log => moved successfully
C:\Users\moonbat\AppData\Local\Temp\Extract.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\GoogleToolbarInstaller_en32_signed.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\HPQSi.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\MSN270.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\sfamcc00001.dll => moved successfully
C:\Users\moonbat\AppData\Local\Temp\sfamcc00002.dll => moved successfully
C:\Users\moonbat\AppData\Local\Temp\sfamcc00003.dll => moved successfully
C:\Users\moonbat\AppData\Local\Temp\sfareca00001.dll => moved successfully
C:\Users\moonbat\AppData\Local\Temp\sfareca00002.dll => moved successfully
C:\Users\moonbat\AppData\Local\Temp\sfextra.dll => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP50498.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP50718.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP50720.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP51650.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP51976.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP52131.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP52407.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\SP52509.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\sp54620.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\UninstallHPSA.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\UninstallHPTCA.exe => moved successfully
C:\Users\moonbat\AppData\Local\Temp\vcredist_x64.exe => moved successfully


The system needed a reboot.

==== End of Fixlog 12:30:39 ====

 

 

Attached File  Summary.zip   144.09KB   1 downloads



#4 Kozzy13

Kozzy13
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:56 AM

Posted 23 March 2016 - 03:05 PM

Oh, and the svchost is now running at around 800,000k



#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,758 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:03:56 AM

Posted 23 March 2016 - 03:08 PM

Hi Elaina,

Cleaning out the computer can go a long way toward cooling things down. Let me know if you have a random shutdown.

Apart from the CPU spiking how is your computer running?

Please do this.

===================================================

Monitoring CPU Usage Using Process Explorer

--------------------
  • Please download Process Explorer.zip and save it to your Desktop
  • Right click the .zip folder and select Extract All...
  • If the default file location is not your Desktop click the Browse... button and select your Desktop
  • Click Extract
  • Extract the folder onto your Desktop
  • Double click the Process Explorer folder
  • Double click the procexp icon
  • If you do not see a User Name column, right click the column bar, click Select Columns..., check User Name, then OK
  • Left click on CPU (top of green column) so that the highest number is on top
  • Please monitor the CPU column and list the 5 highest CPU usage entries in your response, along with the User Name information
===================================================

Determining the Services Running Under a svchost.exe

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type cmd and hit Enter
  • Copy and paste the following after the command prompt and then hit Enter

tasklist /svc /fi "imagename eq svchost.exe" >%userprofile%\desktop\svchost.txt

  • A svchost.txt document should be placed on your Desktop
  • Copy and paste the contents of that report in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • CPU information
  • svchost.exe information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
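The two steps above map each svchost.exe PID to the services it hosts (tasklist /svc) and then read CPU and memory per PID (Process Explorer). The PowerShell script below is an added example, not code from the thread; it does both in one pass by joining Win32_Service.ProcessId against Get-Process. It assumes Windows PowerShell (Get-WmiObject) and an elevated prompt, since an unelevated session sees the same <access denied> CPU figures that Process Explorer showed above.

```powershell
# Added example, not from the thread: list every svchost.exe with its working set,
# CPU time and the services it hosts, heaviest host first.
function Get-SvchostServiceMap {
    # Win32_Service carries the ProcessId of the service host running each service.
    # Get-WmiObject is used because the thread's machine is Windows 7 (PowerShell 2.0);
    # on PowerShell 3.0+ Get-CimInstance -ClassName Win32_Service works the same way.
    $running = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.ProcessId -ne 0 }

    # Hashtable keyed by PID (as a string) -> the services hosted in that process
    $byPid = $running | Group-Object -Property ProcessId -AsHashTable -AsString

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $hosted = $byPid["$($_.Id)"]
        # CPU is empty when the session lacks access to the process (unelevated runs)
        $cpu = if ($null -ne $_.CPU) { [math]::Round($_.CPU, 1) } else { 'n/a' }
        $names = if ($hosted) { ($hosted.Name | Sort-Object) -join ', ' } else { '' }
        [pscustomobject]@{
            PID          = $_.Id
            WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            CPUSeconds   = $cpu
            Services     = $names
        }
    } | Sort-Object -Property WorkingSetMB -Descending
}

# Full table: the host at the top is the one Process Explorer would show first.
Get-SvchostServiceMap | Format-Table -AutoSize

# Which host runs Windows Update (wuauserv), and how much memory does it hold right now?
Get-SvchostServiceMap | Where-Object { $_.Services -match '\bwuauserv\b' }
```

Re-running the last line before and after stopping a service shows the same memory change the thread later isolates by hand, without having to re-read the tasklist report each time.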

#6 Kozzy13 (Topic Starter)

Posted 23 March 2016 - 03:49 PM

1. svchost.exe, <access denied>
2. System Idle Process, NT AUTHORITY\SYSTEM
3. procexp64.exe, moonbat-HP\moonbat
4. firefox.exe, moonbat-HP\moonbat
5. svchost.exe, <access denied>



These keep jumping around a lot, hard to keep track of which are the top five, but it seems that one svchost is always at the top.



Image Name                     PID Services                                    
========================= ======== ============================================
svchost.exe                    688 DcomLaunch, PlugPlay, Power                 
svchost.exe                    768 RpcEptMapper, RpcSs                         
svchost.exe                    900 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc   
svchost.exe                    940 AudioEndpointBuilder, Netman, PcaSvc,       
                                   SysMain, TrkWks, UxSms, Wlansvc, wudfsvc    
svchost.exe                    984 AeLookupSvc, Appinfo, BITS, EapHost, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, ProfSvc,    
                                   Schedule, SENS, ShellHWDetection, Themes,   
                                   Winmgmt, wuauserv                           
svchost.exe                    376 EventSystem, netprofm, nsi, WdiServiceHost,
                                   WinHttpAutoProxySvc                         
svchost.exe                   1112 CryptSvc, Dnscache, LanmanWorkstation,      
                                   NlaSvc                                      
svchost.exe                   1528 BFE, DPS, MpsSvc                            
svchost.exe                   1632 FontCache, SSDPSRV                          
svchost.exe                   2148 stisvc                                      
svchost.exe                   3100 WinDefend                                  



#7 Oh My!

Posted 23 March 2016 - 05:59 PM

Thank you.

Nothing malicious there so we are going to dig a little deeper. Rerun procexp again as instructed. Identify the top most svchost.exe listed. Along the top where you previously clicked CPU look for the PID column. Identify the PID number for that entry. Rerun the svchost.txt step and post the results.

So I need the PID number for the top svchost.exe and the new svchost.exe report.

Edited by Oh My!, 23 March 2016 - 06:01 PM.

Gary

#8 Kozzy13 (Topic Starter)

Posted 24 March 2016 - 01:14 PM

svchost.exe PID984





Image Name                     PID Services                                    
========================= ======== ============================================
svchost.exe                    688 DcomLaunch, PlugPlay, Power                 
svchost.exe                    768 RpcEptMapper, RpcSs                         
svchost.exe                    900 AudioSrv, Dhcp, eventlog, lmhosts, wscsvc   
svchost.exe                    940 AudioEndpointBuilder, Netman, PcaSvc,       
                                   SysMain, TabletInputService, TrkWks, UxSms,
                                   Wlansvc, wudfsvc                            
svchost.exe                    984 AeLookupSvc, Appinfo, BITS, EapHost, gpsvc,
                                   IKEEXT, iphlpsvc, LanmanServer, MMCSS,      
                                   ProfSvc, Schedule, SENS, ShellHWDetection,  
                                   Themes, Winmgmt, wuauserv                   
svchost.exe                    376 EventSystem, netprofm, nsi, WdiServiceHost,
                                   WinHttpAutoProxySvc                         
svchost.exe                   1112 CryptSvc, Dnscache, LanmanWorkstation,      
                                   NlaSvc                                      
svchost.exe                   1528 BFE, DPS, MpsSvc                            
svchost.exe                   1632 FontCache, SSDPSRV                          
svchost.exe                   2148 stisvc                                      
svchost.exe                   3100 WinDefend




I noticed that when I first started up my laptop there was no svchost running over 100,000k. After a few minutes, I noticed that there was one running at now over 2,000,000k. Didn't know if this was important or not. Thanks.



#9 Oh My!

Posted 24 March 2016 - 04:44 PM

Greetings and thanks for the information.

Some troubleshooting please.

===================================================

Manually Troubleshooting System Services

--------------
  • Right click on the bottom Task bar and select Start Task Manager
  • Click the Process tab
  • Place a check mark in Show processes from all users
  • Click the Services tab then click Services...
  • Under the Name category locate Application Experience
  • Right click on the entry and select Properties
  • Click Stop then check your svchost.exe levels in Task Manager
  • Click Start then check your svchost.exe levels in Task Manager
  • Under the Name category locate Windows Update
  • Right click on the entry and select Properties
  • Click Stop then check your svchost.exe levels in Task Manager
  • Click Start then check your svchost.exe levels in Task Manager
  • Under the Name category locate Background Intelligent Transfer Service
  • Right click on the entry and select Properties
  • Click Stop then check your svchost.exe levels in Task Manager
  • Click Start then check your svchost.exe levels in Task Manager
  • Report your findings in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?

Gary

#10 Kozzy13 (Topic Starter)

Posted 25 March 2016 - 01:49 PM

It is definitely the Windows Update. The other two had no effect, but stopping Windows Update stopped that svchost from running that high.

So could I just turn that off unless I needed to update the system?



#11 Oh My!

Posted 25 March 2016 - 02:03 PM

Greetings Elaina,

Well at least we found the reason.

I would prefer to not leave it that way although that is an option if we can't resolve it.

Please download and attempt to run Update for Windows 7 for x64-based Systems (KB3102810).

Let me know what happens.
Gary

#12 Kozzy13 (Topic Starter)

Posted 27 March 2016 - 12:08 AM

Gary,

It has been searching for updates all day. I figured I'd let you know.



#13 Oh My!

Posted 27 March 2016 - 09:19 AM

It is not uncommon to have difficulty downloading updates from Microsoft. Stop the attempted download and try it again. It may take time and/or several attempts.

If you are still unable to get the file let me know. I have downloaded it and can provide it via Mediafire if necessary.
Gary

#14 Oh My!

Posted 30 March 2016 - 08:39 AM

Greetings,

===================================================

3 Day Bump

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed

Gary

#15 Oh My!

Posted 10 April 2016 - 09:06 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary