
Emsisoft found "Application.Win32.WSearch(A) Key:HKey_Users\....


This topic is locked
20 replies to this topic

#1 A_BeautifulMess

  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 01 July 2016 - 04:22 PM

Manufacturer: Hewlett-Packard
Re: Model: 23-b320
Running from "C:\Users\Mom\Desktop"

Microsoft Windows 8.1  (X64)
Boot Mode: Normal

 
Emsisoft Emergency Kit - Version 11.0
Last update: 7/1/2016 12:57:58 AM
User account: LIVINGROOM-PC\Mom
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 7/1/2016 8:46:51 AM
Key: HKEY_USERS\S-1-5-21-3493290847-1453576955-1801232407-1006\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} detected: Application.Win32.WSearch (A)
Key: HKEY_USERS\S-1-5-21-3493290847-1453576955-1801232407-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} detected: Application.Win32.WSearch (A)
Key: HKEY_USERS\S-1-5-21-3493290847-1453576955-1801232407-501\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} detected: Application.Win32.WSearch (A)
 
Scanned 103256
Found 3
 
Scan end: 7/1/2016 9:07:33 AM
Scan time: 0:20:42
Attached File: emisoft.JPG (79.16KB)

Edited by A_BeautifulMess, 01 July 2016 - 04:24 PM.
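One way to see what the flagged keys actually point to before deciding on removal, as an added example that is not from the thread and not Emsisoft's own code: this PowerShell, run from an elevated prompt on the affected machine, lists every Internet Explorer search scope under each user hive loaded in HKEY_USERS, with its URL and whether it is the default provider, and marks the GUID reported in the log. It assumes PowerShell 3 or later; hives of accounts that are not logged on (such as the -500 and -501 hives in the log) are not loaded under HKEY_USERS and will not appear.

```powershell
# Added example (not from the thread): enumerate Internet Explorer SearchScopes
# for every user hive currently loaded under HKEY_USERS and report what each
# search provider points to, so a flagged GUID can be inspected before removal.
# The GUID below is the one Emsisoft reported in the log above.
$FlaggedGuid = '{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}'

function Get-IESearchScopes {
    param([string[]]$FlaggedGuids = @())

    # HKU is not a default PSDrive; map it once so Get-ChildItem can walk it.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # Only loaded hives are visible here; the *_Classes hives hold no SearchScopes.
    Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -notlike '*_Classes' } |
      ForEach-Object {
        $sid = $_.PSChildName
        $scopesPath = "HKU:\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
        if (-not (Test-Path $scopesPath)) { return }

        # DefaultScope names the GUID IE uses for address-bar searches.
        $default = (Get-ItemProperty -Path $scopesPath -ErrorAction SilentlyContinue).DefaultScope
        Get-ChildItem -Path $scopesPath -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                SID         = $sid
                Guid        = $_.PSChildName
                DisplayName = $p.DisplayName
                URL         = $p.URL
                IsDefault   = ($_.PSChildName -eq $default)
                Flagged     = ($FlaggedGuids -contains $_.PSChildName)
            }
        }
      }
}

# Flagged entries sort to the top; the URL column shows where searches would go.
Get-IESearchScopes -FlaggedGuids $FlaggedGuid |
    Sort-Object Flagged -Descending |
    Format-Table SID, Guid, DisplayName, IsDefault, Flagged, URL -AutoSize -Wrap
```

A scope whose URL points somewhere other than the search engine its DisplayName claims, or a flagged scope that is also the default, is the case worth showing the helper before quarantining anything.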




#2 A_BeautifulMess
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 04 July 2016 - 04:01 PM

Is it SAFE to Remove or Quarantine the found objects?


Edited by A_BeautifulMess, 04 July 2016 - 04:02 PM.


#3 polskamachina

  • Malware Response Team
  • 3,896 posts
  • Gender:Male

Posted 05 July 2016 - 04:48 PM

Hi A_BeautifulMess :)

 

My name is polskamachina and I would like to welcome you to the Malware Removal Forum. I will be helping you with your malware issues.

What follows below are some ground rules for this forum.
 

I will reply as soon as possible (typically within 24-48 hours). In turn, I ask that you please respond within 72 hours. If you know you will be away longer than that, please let me know. I am in California at GMT-7 hours (Pacific Standard Time). If I do not respond to you within 48 hours, feel free to send me a private message.

Some points for you to keep in mind:

  • Do NOT run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine. Running any additional tools may detect false positives, interfere with our tools, cause unforeseen damage, or system instability.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • I cannot see your computer. Periodically update me on the condition of your computer, and provide as much detail as you can in every post.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end.
  • NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a flash drive, anywhere except on the computer.
  • NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. Please remember to copy the entire post so you do not miss any instructions.

Please give me some time to review your situation and I will get back to you with further instructions.

 

In the meantime, please do the following:

  • Please visit this preparation guide and follow the directions in step 6.
  • If you are able to run FRST64, please copy and paste the logs, FRST.txt and Addition.txt, into your next reply to me.
  • If your computer is unable to run the FRST64 program as instructed, please let me know.
  • Does your computer have any other issues other than the found objects in the scan?

 

Let me know if you have any questions.

 

polskamachina



#4 A_BeautifulMess
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 07 July 2016 - 11:06 PM

Hi Polskamachina,

I'm in California myself so we're in the same time zone. Thanks for your help. I previously did try to do the malware preparation steps before I posted http://www.bleepingcomputer.com/forums/t/614358/help-securing-wifi-with-stdlib-comodo-norton-others-removal/ but I'm not sure the XML backup was right and for a time, there was a new Z drive that I didn't have access to on my machine. Which seems to have disappeared now (sorry, no screenshot of it as I didn't expect it to vanish).

Right now, I'm backing up by duplicating the backup of my photos, since that's really the only thing I value on my computer. In addition to the HP23 AIO with Windows 8.1, I have several iPhones, two 3-in-1 printers, and several iPads currently or recently on my wifi network. I mention this only because nothing seems to run like I feel it should. Examples? This iPad I'm typing on now is an older one on iOS 5. In an effort to get some apps I use on my iPhone 6S with iOS 9.3.2 running, I got the following error message: "...requires iOS 10" - umm, I'm not beta testing iOS 10. Wtheck? I'll try to come back within an hour and post the logs requested. Btw, I do have some of those logs from before at the topic linked above, although changes have been made since way back then. But all of those tools downloaded in that thread remain on my PC. I'll assume I should overwrite them before running.

#5 A_BeautifulMess
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 07 July 2016 - 11:25 PM

Screenshot of iPad error stating need for iOS 10 or higher ??

Attached Files



#6 polskamachina

  • Malware Response Team
  • 3,896 posts
  • Gender:Male

Posted 08 July 2016 - 09:48 PM

Hi A_BeautifulMess :)
 
Thanks for your detailed reply and screenshot.  I'm a little confused here. Were you not able to run the FRST program on your Windows 8.1 machine?
 
Let me know if you have any questions.
 
polskamachina



#7 A_BeautifulMess
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 09 July 2016 - 01:26 PM

Hi polskamachina,
 
I'm not following directions very well. I was just trying to describe my issues a little more. And during the preparation guide, my attempts to create a backup - not so much created. My attempt to create a "File History, System Image" on an external drive or my ISP's cloud failed. I saved my photos with Google Uploader but am disappointed I can't back up in whole using Samba to the ISP server or an external hard drive :( Scan pasted and attached per preparation guide (I think). Thanks, Jen
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-07-2016
Ran by Mom (administrator) on HP23AIO (09-07-2016 11:07:36)
Running from C:\Users\Mom\Desktop
Loaded Profiles: Mom & DefaultAppPool (Available Profiles: Mom & pix4l_000 & ari & Administrator & Guest & DefaultAppPool)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(Google, Inc) C:\Users\Mom\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\SnippingTool.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(Farbar) C:\Users\Mom\Desktop\FRST64 (1).exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20911_x64__8wekyb3d8bbwe\livecomm.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7205592 2014-10-21] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-06-01] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642656 2013-02-06] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [256896 2014-07-11] (Oracle Corporation)
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [67384 2016-04-22] (Apple Inc.)
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\Run: [C77B34DEB73DE0849E4BE289D36231EA4CA83D43._service_run] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [941720 2016-06-15] (Google Inc.)
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\Run: [Google Update] => C:\Users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe [152216 2016-07-07] (Google Inc.)
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\Run: [Google Photos Backup] => C:\Users\Mom\AppData\Local\Programs\Google\Google Photos Backup\Google Photos Backup.exe [3790936 2016-04-08] (Google, Inc)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileSyncShell64.dll [2016-06-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileSyncShell64.dll [2016-06-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileSyncShell64.dll [2016-06-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileSyncShell.dll [2016-06-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileSyncShell.dll [2016-06-05] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileSyncShell.dll [2016-06-05] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled [2016-05-10] ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{4BD6EA9E-B6E9-4E14-9321-69B65B95935E}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
Tcpip\..\Interfaces\{97B656EA-7F12-46A7-A55B-17D75A400199}: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK13/1
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE07&ocid=UE07DHP
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK13/1
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?pc=UE07&ocid=UE07DHP
URLSearchHook: [S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM -> {E45871A4-64C5-4227-9F3A-A03913DFA06D} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {E45871A4-64C5-4227-9F3A-A03913DFA06D} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\.DEFAULT -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = 
SearchScopes: HKU\S-1-5-21-3493290847-1453576955-1801232407-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = 
SearchScopes: HKU\S-1-5-21-3493290847-1453576955-1801232407-1001 -> {E45871A4-64C5-4227-9F3A-A03913DFA06D} URL = 
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\OCHelper.dll [2016-06-26] (Microsoft Corporation)
BHO: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\GROOVEEX.DLL [2016-06-26] (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2016-02-25] (HP)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\root\Office16\OCHelper.dll [2016-06-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-07-22] (Oracle Corporation)
BHO-x32: Microsoft OneDrive for Business Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\root\Office16\GROOVEEX.DLL [2016-06-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-07-22] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2016-02-25] (HP)
DPF: HKLM-x32 {F9CD2233-6744-47C1-A6AE-00C30A35F73D} hxxp://myaccount.cox.net/internettools/scripts/Inspector.cab
Handler-x32: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-06-26] (Microsoft Corporation)
Handler-x32: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-06-26] (Microsoft Corporation)
Handler-x32: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-06-26] (Microsoft Corporation)
Handler-x32: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL [2016-06-26] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-07-22] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.65.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-07-22] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2016-06-26] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft Office\root\Office16\NPSPWRAP.DLL [2016-06-26] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin HKU\S-1-5-21-3493290847-1453576955-1801232407-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Mom\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-07-07] (Google Inc.)
FF Plugin HKU\S-1-5-21-3493290847-1453576955-1801232407-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Mom\AppData\Local\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-07-07] (Google Inc.)
FF HKLM\...\Firefox\Extensions: [{8A0D66E3-1C08-49A6-8F6C-7E024029D199}] - C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_3.4.0.43\coFFAddon => not found
FF HKLM-x32\...\Firefox\Extensions: [{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}] - C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_3.4.0.43\coFFFw => not found
FF HKLM-x32\...\Firefox\Extensions: [{8A0D66E3-1C08-49A6-8F6C-7E024029D199}] - C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_3.4.0.43\coFFAddon => not found
 
Chrome: 
=======
CHR Profile: C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-05-14]
CHR Extension: (Google Docs) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-05-14]
CHR Extension: (Google Drive) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-05-14]
CHR Extension: (YouTube) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-05-14]
CHR Extension: (Google Search) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-22]
CHR Extension: (Google Sheets) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-05-14]
CHR Extension: (Google Docs Offline) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-14]
CHR Extension: (Google Photos) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcglmfcclpfgljeaiahehebeoaiicbko [2016-07-07]
CHR Extension: (Norton™ Family) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\napjheenlliimoedooldaalpjfidlidp [2016-06-21]
CHR Extension: (Gmail) - C:\Users\Mom\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-05-14]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 ClickToRunSvc; C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe [2944768 2016-06-10] (Microsoft Corporation)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [28552 2016-04-26] (Hewlett-Packard Company)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2014-10-21] (Realtek Semiconductor)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [4265984 2014-12-22] (Qualcomm Atheros Communications, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-10] (Apple, Inc.) [File not signed]
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-09 11:07 - 2016-07-09 11:08 - 00017506 _____ C:\Users\Mom\Desktop\FRST.txt
2016-07-09 11:02 - 2016-07-09 11:03 - 02390016 _____ (Farbar) C:\Users\Mom\Desktop\FRST64 (1).exe
2016-07-09 10:08 - 2016-07-09 10:08 - 00000000 ____D C:\WINDOWS\System32\Tasks\Event Viewer Tasks
2016-07-07 01:01 - 2016-07-09 10:13 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001UA.job
2016-07-07 01:01 - 2016-07-09 01:12 - 00000864 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001Core.job
2016-07-07 01:01 - 2016-07-07 01:07 - 00003858 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001UA
2016-07-07 01:01 - 2016-07-07 01:07 - 00003478 _____ C:\WINDOWS\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001Core
2016-07-07 01:01 - 2016-07-07 01:01 - 00000000 ____D C:\Users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Photos Backup
2016-07-07 00:41 - 2016-07-07 00:41 - 02662800 _____ (Google) C:\Users\Mom\Downloads\gpautobackup_setup.exe
2016-07-04 14:06 - 2016-07-04 14:06 - 11374528 _____ (VS Revo Group ) C:\Users\Mom\Downloads\RevoUninProSetup.exe
2016-07-03 01:59 - 2016-07-03 01:59 - 00000690 _____ C:\Users\Mom\Desktop\RalinkLinuxClient - Shortcut.lnk
2016-07-02 02:09 - 2016-07-02 02:09 - 00001772 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-07-02 02:09 - 2016-07-02 02:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-07-02 02:09 - 2016-07-02 02:09 - 00000000 ____D C:\Program Files\iTunes
2016-07-02 02:09 - 2016-07-02 02:09 - 00000000 ____D C:\Program Files\iPod
2016-07-02 02:09 - 2016-07-02 02:09 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-07-02 02:06 - 2016-07-02 02:06 - 170473288 _____ (Apple Inc.) C:\Users\Mom\Downloads\iTunes6464Setup.exe
2016-07-02 01:42 - 2016-07-02 01:42 - 00100864 ___SH C:\Users\Mom\Downloads\Thumbs.db
2016-06-28 22:24 - 2016-06-30 18:21 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2016-06-28 21:13 - 2016-07-01 14:26 - 00000000 ____D C:\EEK
2016-06-28 21:12 - 2016-06-28 21:13 - 238934816 _____ C:\Users\Mom\Downloads\EmsisoftEmergencyKit.exe
2016-06-28 21:05 - 2016-06-28 21:05 - 00852798 _____ C:\Users\Mom\Downloads\SecurityCheck.exe
2016-06-27 15:48 - 2016-06-27 15:48 - 00000000 ____D C:\Users\Mom\Documents\Outlook Files
2016-06-27 15:11 - 2016-07-09 10:43 - 00000000 ____D C:\Users\Mom\Desktop\Screenshots
2016-06-27 15:11 - 2016-07-02 01:37 - 00036352 ___SH C:\Users\Mom\Desktop\Thumbs.db
2016-06-27 13:24 - 2016-06-27 13:24 - 00000000 ____D C:\Users\Mom\AppData\Local\Microsoft Help
2016-06-26 11:35 - 2016-06-26 11:35 - 00002248 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneDrive for Business.lnk
2016-06-26 11:35 - 2016-06-26 11:35 - 00002214 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business 2016.lnk
2016-06-26 11:16 - 2016-06-26 11:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools
2016-06-26 11:16 - 2016-06-26 11:16 - 00002403 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word 2016.lnk
2016-06-26 11:16 - 2016-06-26 11:16 - 00002402 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint 2016.lnk
2016-06-26 11:16 - 2016-06-26 11:16 - 00002366 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access 2016.lnk
2016-06-26 11:16 - 2016-06-26 11:16 - 00002365 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel 2016.lnk
2016-06-26 11:16 - 2016-06-26 11:16 - 00002359 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook 2016.lnk
2016-06-26 11:16 - 2016-06-26 11:16 - 00002353 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk
2016-06-26 11:16 - 2016-06-26 11:16 - 00002345 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote 2016.lnk
2016-06-26 11:14 - 2016-06-26 11:15 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-06-26 04:25 - 2016-06-26 04:25 - 00013341 _____ C:\Users\Mom\Downloads\GatewaySettings (1).bin
2016-06-26 04:24 - 2016-06-26 04:24 - 00013341 _____ C:\Users\Mom\Downloads\GatewaySettings.bin
2016-06-25 00:47 - 2016-06-25 00:47 - 00000046 _____ C:\WINDOWS\wininit.ini
2016-06-24 02:56 - 2016-06-24 02:56 - 00000000 ____D C:\Users\Mom\Documents\Custom Office Templates
2016-06-22 23:16 - 2016-06-14 10:13 - 00828408 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2016-06-22 23:16 - 2016-06-14 10:13 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2016-06-22 02:14 - 2016-06-22 02:14 - 00615478 _____ C:\Users\Mom\Downloads\Autoruns.zip
2016-06-22 00:57 - 2016-06-22 00:57 - 00058924 _____ C:\Users\Mom\Downloads\MTB  Full version 03212016.txt
2016-06-22 00:40 - 2016-06-22 00:40 - 00892416 _____ (Farbar) C:\Users\Mom\Desktop\MiniToolBox.exe
2016-06-21 19:10 - 2016-06-03 10:11 - 00472576 _____ (Microsoft Corporation) C:\WINDOWS\system32\pcasvc.dll
2016-06-21 19:10 - 2016-06-03 06:38 - 01413120 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2016-06-21 19:10 - 2016-06-02 10:51 - 00050352 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2016-06-21 19:10 - 2016-05-29 08:04 - 01204224 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2016-06-21 19:10 - 2016-05-29 08:04 - 00569856 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2016-06-21 19:10 - 2016-05-29 08:04 - 00544256 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2016-06-21 19:10 - 2016-05-29 08:04 - 00276480 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2016-06-21 19:10 - 2016-05-29 08:04 - 00265216 _____ (Microsoft Corporation) C:\WINDOWS\system32\centel.dll
2016-06-21 19:10 - 2016-05-29 08:04 - 00076800 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2016-06-21 19:10 - 2016-05-21 10:28 - 25802752 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2016-06-21 19:10 - 2016-05-21 09:57 - 20341248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2016-06-21 19:10 - 2016-05-20 15:09 - 00572416 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2016-06-21 19:10 - 2016-05-20 15:08 - 02895360 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2016-06-21 19:10 - 2016-05-20 15:02 - 06051328 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2016-06-21 19:10 - 2016-05-20 14:57 - 00497664 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2016-06-21 19:10 - 2016-05-20 14:55 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2016-06-21 19:10 - 2016-05-20 14:54 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2016-06-21 19:10 - 2016-05-20 14:50 - 02287104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2016-06-21 19:10 - 2016-05-20 14:44 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2016-06-21 19:10 - 2016-05-20 14:29 - 13815808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2016-06-21 19:10 - 2016-05-20 14:27 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2016-06-21 19:10 - 2016-05-20 14:25 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2016-06-21 19:10 - 2016-05-20 14:25 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
2016-06-21 19:10 - 2016-05-20 14:21 - 00279040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2016-06-21 19:10 - 2016-05-20 14:21 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2016-06-21 19:10 - 2016-05-20 14:19 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2016-06-21 19:10 - 2016-05-20 14:16 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2016-06-21 19:10 - 2016-05-20 14:14 - 04610048 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2016-06-21 19:10 - 2016-05-20 14:12 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2016-06-21 19:10 - 2016-05-20 14:11 - 15420928 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2016-06-21 19:10 - 2016-05-20 14:11 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2016-06-21 19:10 - 2016-05-20 14:09 - 00693248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2016-06-21 19:10 - 2016-05-20 14:09 - 00379392 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2016-06-21 19:10 - 2016-05-20 14:08 - 02055680 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2016-06-21 19:10 - 2016-05-20 14:08 - 00806400 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2016-06-21 19:10 - 2016-05-20 14:06 - 02131968 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2016-06-21 19:10 - 2016-05-20 13:46 - 02597888 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2016-06-21 19:10 - 2016-05-20 13:42 - 02121216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2016-06-21 19:10 - 2016-05-20 13:38 - 01310208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2016-06-21 19:10 - 2016-05-20 13:38 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2016-06-21 19:10 - 2016-05-20 13:34 - 01544192 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2016-06-21 19:10 - 2016-05-20 13:23 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2016-06-21 19:10 - 2016-05-17 22:31 - 00372568 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\atmfd.dll
2016-06-21 19:10 - 2016-05-17 22:31 - 00315224 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\atmfd.dll
2016-06-21 19:10 - 2016-05-16 14:13 - 00563016 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2016-06-21 19:10 - 2016-05-16 14:13 - 00397224 _____ (Microsoft Corporation) C:\WINDOWS\system32\bcryptprimitives.dll
2016-06-21 19:10 - 2016-05-16 14:13 - 00340872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\bcryptprimitives.dll
2016-06-21 19:10 - 2016-05-16 14:13 - 00178008 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2016-06-21 19:10 - 2016-05-13 16:09 - 04169216 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2016-06-21 19:10 - 2016-05-13 16:07 - 00675328 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv2.sys
2016-06-21 19:10 - 2016-05-13 16:07 - 00416768 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srv.sys
2016-06-21 19:10 - 2016-05-13 16:06 - 00243712 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\srvnet.sys
2016-06-21 19:10 - 2016-05-13 16:04 - 00044032 _____ (Adobe Systems) C:\WINDOWS\system32\atmlib.dll
2016-06-21 19:10 - 2016-05-13 15:34 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2016-06-21 19:10 - 2016-05-13 15:19 - 00035840 _____ (Adobe Systems) C:\WINDOWS\SysWOW64\atmlib.dll
2016-06-21 19:10 - 2016-05-13 14:58 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2016-06-21 19:10 - 2016-05-12 11:38 - 00135336 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpapi.dll
2016-06-21 19:10 - 2016-05-12 10:43 - 00115704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gpapi.dll
2016-06-21 19:10 - 2016-05-12 09:17 - 00331776 _____ (Microsoft Corporation) C:\WINDOWS\system32\polstore.dll
2016-06-21 19:10 - 2016-05-12 09:08 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\FwRemoteSvr.dll
2016-06-21 19:10 - 2016-05-12 09:07 - 01360896 _____ (Microsoft Corporation) C:\WINDOWS\system32\gpsvc.dll
2016-06-21 19:10 - 2016-05-12 08:59 - 00398848 _____ (Microsoft Corporation) C:\WINDOWS\system32\IPSECSVC.DLL
2016-06-21 19:10 - 2016-05-12 08:43 - 00291328 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\polstore.dll
2016-06-21 19:10 - 2016-05-12 08:37 - 00050176 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\FwRemoteSvr.dll
2016-06-21 19:10 - 2016-05-09 14:35 - 07075328 _____ (Microsoft Corporation) C:\WINDOWS\system32\glcndFilter.dll
2016-06-21 19:10 - 2016-05-09 13:56 - 05270016 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\glcndFilter.dll
2016-06-21 19:10 - 2016-05-09 13:45 - 07793152 _____ (Microsoft Corporation) C:\WINDOWS\system32\Windows.Data.Pdf.dll
2016-06-21 19:10 - 2016-05-09 13:23 - 05265920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Windows.Data.Pdf.dll
2016-06-21 19:10 - 2016-05-06 08:45 - 00748544 _____ (Microsoft Corporation) C:\WINDOWS\system32\StructuredQuery.dll
2016-06-21 19:10 - 2016-05-06 08:23 - 00503808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\StructuredQuery.dll
2016-06-21 19:09 - 2016-05-18 16:15 - 01379040 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2016-06-21 19:09 - 2016-05-18 13:35 - 01097216 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2016-06-21 19:09 - 2016-05-14 13:01 - 00363104 _____ (Microsoft Corporation) C:\WINDOWS\system32\ws2_32.dll
2016-06-21 19:09 - 2016-05-14 13:01 - 00320720 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ws2_32.dll
2016-06-21 19:09 - 2016-05-13 16:07 - 00281088 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\netbt.sys
2016-06-21 19:09 - 2016-05-13 14:58 - 00339456 _____ (Microsoft Corporation) C:\WINDOWS\system32\mswsock.dll
2016-06-21 19:09 - 2016-05-13 14:45 - 00802816 _____ (Microsoft Corporation) C:\WINDOWS\system32\winhttp.dll
2016-06-21 19:09 - 2016-05-13 14:35 - 00286208 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mswsock.dll
2016-06-21 19:09 - 2016-05-13 14:26 - 00631808 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\winhttp.dll
2016-06-21 14:31 - 2016-04-12 08:46 - 14467584 _____ (Microsoft Corporation) C:\WINDOWS\system32\twinui.dll
2016-06-21 14:31 - 2016-04-12 08:30 - 12879872 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\twinui.dll
2016-06-21 14:26 - 2016-04-14 08:25 - 02778624 _____ (Microsoft Corporation) C:\WINDOWS\system32\authui.dll
2016-06-21 14:26 - 2016-04-14 08:11 - 02464768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\authui.dll
2016-06-21 14:26 - 2016-01-31 12:17 - 00118624 _____ (Microsoft Corporation) C:\WINDOWS\system32\consent.exe
2016-06-21 14:26 - 2016-01-31 11:07 - 00110080 _____ (Microsoft Corporation) C:\WINDOWS\system32\appinfo.dll
2016-06-21 14:26 - 2016-01-31 10:42 - 03320832 _____ (Microsoft Corporation) C:\WINDOWS\system32\msi.dll
2016-06-21 14:26 - 2016-01-31 10:14 - 03607040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msi.dll
2016-06-16 07:29 - 2016-06-16 07:29 - 00000000 ____D C:\Users\Mom\AppData\Local\{2A82324E-1E3C-4E88-A68A-8BA11B0417FE}
2016-06-16 07:28 - 2016-06-16 07:29 - 00000000 ____D C:\Users\Mom\AppData\Local\Wide Angle Software
2016-06-16 07:27 - 2016-06-16 07:27 - 00002643 _____ C:\Users\Public\Desktop\TouchCopy12.lnk
2016-06-16 07:27 - 2016-06-16 07:27 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TouchCopy
2016-06-16 07:27 - 2016-06-16 07:27 - 00000000 ____D C:\Program Files (x86)\Wide Angle Software
2016-06-16 04:49 - 2016-06-16 04:28 - 00196608 _____ C:\Users\Mom\Downloads\BE8E33EB-DB5D-42CE-89E1-269B1F2C169A.Diagnose.0.etl
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-09 11:07 - 2016-05-17 23:22 - 00000000 ____D C:\FRST
2016-07-09 10:46 - 2014-10-19 18:40 - 00000934 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-09 09:05 - 2013-11-14 00:28 - 00999688 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-07-09 09:05 - 2013-08-22 06:36 - 00000000 ____D C:\WINDOWS\Inf
2016-07-09 04:20 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-07-08 15:46 - 2014-10-19 18:40 - 00000930 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-07 02:48 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-07-07 01:12 - 2014-02-21 04:24 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3493290847-1453576955-1801232407-1001
2016-07-07 01:05 - 2014-10-19 18:40 - 00000000 ____D C:\Users\Mom\AppData\Local\Google
2016-07-07 00:38 - 2014-02-21 05:18 - 00000000 ___DO C:\Users\Mom\OneDrive
2016-07-06 17:39 - 2014-12-13 15:25 - 00485032 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-07-05 20:07 - 2016-05-18 19:45 - 00000340 _____ C:\WINDOWS\Tasks\HPCeeScheduleForMom.job
2016-07-05 20:07 - 2013-08-22 07:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-07-05 20:07 - 2013-08-22 07:44 - 00505376 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-07-05 20:06 - 2014-07-10 23:36 - 00000000 ____D C:\Users\Mom\AppData\Local\CrashDumps
2016-07-05 20:06 - 2014-02-26 21:43 - 00000000 ____D C:\Users\Mom
2016-07-05 20:06 - 2013-08-22 06:25 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-07-05 12:53 - 2016-05-18 19:45 - 00003150 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForMom
2016-07-04 13:22 - 2013-08-22 08:36 - 00000000 ___SD C:\WINDOWS\Downloaded Program Files
2016-07-03 01:53 - 2014-07-10 22:33 - 00003174 _____ C:\WINDOWS\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-3493290847-1453576955-1801232407-1001
2016-07-02 02:09 - 2014-07-11 00:36 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-07-01 14:23 - 2014-02-21 04:16 - 00003938 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{4592D35F-4E17-4918-B6A1-DB66552FAB41}
2016-06-30 05:45 - 2013-08-22 08:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-06-29 09:05 - 2014-01-22 22:30 - 00000000 ____D C:\Users\Mom\AppData\LocalLow\Temp
2016-06-28 05:42 - 2013-10-02 20:57 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-06-26 13:47 - 2016-05-10 15:41 - 00000000 ____D C:\Users\Mom\AppData\Local\ElevatedDiagnostics
2016-06-26 12:09 - 2014-02-21 04:13 - 00000000 ____D C:\Users\Mom\AppData\Local\Packages
2016-06-26 11:50 - 2013-08-22 08:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-06-25 01:45 - 2016-05-15 03:01 - 00007665 _____ C:\Users\Mom\AppData\Local\resmon.resmoncfg
2016-06-23 04:30 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\rescache
2016-06-22 07:13 - 2014-12-13 15:14 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-06-22 07:13 - 2013-08-22 08:36 - 00000000 ___RD C:\WINDOWS\ToastData
2016-06-22 06:32 - 2012-07-26 00:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-06-22 06:24 - 2014-02-22 10:47 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-06-22 06:10 - 2014-02-22 10:47 - 142482544 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-06-22 01:36 - 2016-06-05 15:36 - 00058647 _____ C:\Users\Mom\Desktop\MTB.txt
2016-06-21 14:22 - 2014-10-19 18:41 - 00002182 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-21 14:22 - 2014-10-19 18:41 - 00002170 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-16 06:00 - 2013-08-22 08:36 - 00000000 ____D C:\WINDOWS\vpnplugins
2016-06-16 05:44 - 2014-07-10 23:38 - 00000000 ____D C:\Users\Mom\Documents\Youcam
 
==================== Files in the root of some directories =======
 
2014-10-15 13:34 - 2014-10-15 13:34 - 0000044 _____ () C:\Users\Mom\AppData\Roaming\WB.CFG
2016-05-15 03:01 - 2016-06-25 01:45 - 0007665 _____ () C:\Users\Mom\AppData\Local\resmon.resmoncfg
2015-04-07 07:55 - 2015-04-07 07:55 - 0000148 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
 
Some files in TEMP:
====================
C:\Users\Mom\AppData\Local\Temp\libeay32.dll
C:\Users\Mom\AppData\Local\Temp\msvcr120.dll
C:\Users\Mom\AppData\Local\Temp\sqlite3.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-07-02 04:47
 
==================== End of FRST.txt ============================

Edited by A_BeautifulMess, 09 July 2016 - 01:45 PM.
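
The FRST.txt above has three line shapes a reviewer reads by hand: file entries (created/modified time, size, attribute flags, company name in parentheses, path), scheduled-task entries (`Task: {GUID} - System32\Tasks\... => command`), and the Bamital & volsnap signature checks. The following is an added example, not code from the forum post or from FRST, that parses those shapes and pulls out the entries worth a second look: executables with no company name sitting in user-writable directories, tasks that run from a user profile or go through `pcalua.exe` (as the "Minecraft Packages" task does), and any signature-check line whose verdict is not "File is digitally signed". The heuristics are assumptions made for this example, the `SAMPLE_LOG` lines marked "constructed" are made up, and the rest of the sample is copied from the log.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example: not part of the forum post and not FRST's own code. It parses the
three line shapes that appear in the log above and returns the entries a reviewer
would look at first. The heuristics are assumptions made for this example, not
FRST rules, and a hit is a pointer for review, not a verdict:
  file lines      flag an .exe/.dll/.sys/.cpl/.scr under a user-writable directory
                  whose company field is missing or empty (the parenthesised name
                  is the company string from the version resource, not an
                  Authenticode result, so a present name is only weak evidence)
  task lines      flag a task that runs out of a user profile or goes through
                  pcalua.exe (the Program Compatibility Assistant launcher, which
                  executes whatever follows -a)
  signature lines flag any verdict other than "File is digitally signed"
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.+)$"
)
TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<name>System32\\Tasks\\.+?) => (?P<cmd>.+)$")
SIG_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^=]+?) => (?P<verdict>.+)$")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\desktop\\", "\\programdata\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")
SIGNED_OK = "File is digitally signed"

@dataclass
class Finding:
    kind: str      # "file", "task" or "signature"
    subject: str   # file path or task name
    reason: str

def _in_user_writable(text: str) -> bool:
    return any(marker in text.lower() for marker in USER_WRITABLE)

def check_file(m: Dict[str, Optional[str]]) -> Optional[Finding]:
    path, company, attrs = m["path"], m["company"], m["attrs"]
    if "D" in attrs or not path.lower().endswith(EXEC_EXT):
        return None  # directories and non-executable files are out of scope
    if not company and _in_user_writable(path):
        return Finding("file", path, "executable with no company name in user-writable path")
    return None

def check_task(m: Dict[str, str]) -> Optional[Finding]:
    reasons = []
    if re.search(r"\bpcalua\.exe\b", m["cmd"], re.IGNORECASE):
        reasons.append("launched via pcalua.exe")
    if _in_user_writable(m["cmd"]):
        reasons.append("command runs from user-writable path")
    return Finding("task", m["name"], "; ".join(reasons)) if reasons else None

def check_signature(m: Dict[str, str]) -> Optional[Finding]:
    verdict = m["verdict"].strip()
    return None if verdict == SIGNED_OK else Finding("signature", m["path"], "verdict: " + verdict)

PARSERS = ((FILE_RE, check_file), (TASK_RE, check_task), (SIG_RE, check_signature))

def triage(lines: List[str]) -> List[Finding]:
    """Match each line against the parsers in order; lines of any other shape are ignored."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for pattern, check in PARSERS:
            m = pattern.match(line)
            if m:
                hit = check(m.groupdict())
                if hit:
                    findings.append(hit)
                break
    return findings

# Sample input. Lines without a trailing comment are copied from the log above; the
# ones marked "constructed" were written for this example and describe no real file.
SAMPLE_LOG = [
    r'2016-06-22 23:16 - 2016-06-14 10:13 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl',
    r'2016-06-22 02:14 - 2016-06-22 02:14 - 00615478 _____ C:\Users\Mom\Downloads\Autoruns.zip',
    r'2016-06-22 00:40 - 2016-06-22 00:40 - 00892416 _____ (Farbar) C:\Users\Mom\Desktop\MiniToolBox.exe',
    r'2016-06-16 07:29 - 2016-06-16 07:29 - 00000000 ____D C:\Users\Mom\AppData\Local\{2A82324E-1E3C-4E88-A68A-8BA11B0417FE}',
    r'2016-06-30 12:00 - 2016-06-30 12:00 - 00418304 _____ C:\Users\Mom\AppData\Local\Temp\helper_7f3a.dll',  # constructed
    r'2016-06-30 12:01 - 2016-06-30 12:01 - 00051200 _____ () C:\Users\Mom\AppData\Roaming\svc\update.exe',  # constructed
    r'Task: {3812469F-5376-4DDB-BE40-77730231FC99} - System32\Tasks\{24B17E9E-43E6-4229-993D-1792FA8E921A} => pcalua.exe -a "C:\Users\Mom\AppData\Roaming\0T1M1P0A1E1E0M1T1G\Minecraft Packages\uninstaller.exe" -c /Uninstall /NM="Minecraft Packages" /AN="0T1M1P0A1E1E0M1T1G" /MBN="Minecraft Packages"',
    r'Task: {4C3ADA89-DE74-4F26-9469-2B55F3F95B82} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)',
    r'Task: {66F81C0D-A11B-48C0-A2EA-ED160E5FEF70} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-3493290847-1453576955-1801232407-1001 => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2016-06-05] (Microsoft Corporation)',
    r'C:\WINDOWS\system32\winlogon.exe => File is digitally signed',
    r'C:\WINDOWS\system32\example.dll => File is not digitally signed',  # constructed; any verdict but SIGNED_OK is flagged
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}\n    {f.reason}")
```

Run against the sample, the two constructed user-profile binaries, the `pcalua.exe` task, the OneDrive updater task and the constructed signature line come back; the Adobe control panel, the Farbar tool on the Desktop, the directory entry and the Apple task do not. The OneDrive hit shows why the output is a review list rather than a verdict: Google Update and OneDrive legitimately run from `%LOCALAPPDATA%`, so a flagged task still needs the path and publisher checked by hand, which is exactly what the Bamital & volsnap section does for the core system binaries.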


#8 A_BeautifulMess


Posted 09 July 2016 - 01:46 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 09-07-2016
Ran by Mom (2016-07-09 11:09:18)
Running from C:\Users\Mom\Desktop
Windows 8.1 (Update) (X64) (2014-02-27 18:22:33)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3493290847-1453576955-1801232407-500 - Administrator - Disabled) => C:\Users\Administrator
ari (S-1-5-21-3493290847-1453576955-1801232407-1007 - Limited - Enabled) => C:\Users\ari
Guest (S-1-5-21-3493290847-1453576955-1801232407-501 - Limited - Disabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-3493290847-1453576955-1801232407-1005 - Limited - Enabled)
Mom (S-1-5-21-3493290847-1453576955-1801232407-1001 - Administrator - Enabled) => C:\Users\Mom
pix4l_000 (S-1-5-21-3493290847-1453576955-1801232407-1006 - Limited - Enabled) => C:\Users\pix4l_000
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
AMD Catalyst Install Manager (HKLM\...\{7378D661-1AD0-CB5A-FA5B-B73C8037E393}) (Version: 8.0.903.0 - Advanced Micro Devices, Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{26356515-5821-40FA-9C3D-9785052A1062}) (Version: 4.3.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{C2651553-6CA3-4822-B2E6-BC4ACA6E0EA2}) (Version: 4.3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{2E4AF2A6-50EA-4260-9BA4-5E582D11879A}) (Version: 9.3.0.15 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{56EC47AA-5813-4FF6-8E75-544026FBEA83}) (Version: 2.2.0.150 - Apple Inc.)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3.5901 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.3.2509 - CyberLink Corp.)
Cyberlink PhotoDirector (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.1.3724 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.3.2301 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.3.2524 - CyberLink Corp.)
CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.8.4930 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.6.6104 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.103 - Google Inc.)
Google Photos Backup (HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\Google Photos Backup) (Version: 1.1.2.13 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: 1.0 - Meridian Audio Ltd)
HP MyRoom (HKLM-x32\...\{9C35EDE5-4B0F-45E7-A438-314BA889948E}) (Version: 9.0.0.0 - Hewlett-Packard Company)
HP Quick Start (HKLM-x32\...\{574F0207-8E98-46CD-8F79-318348C98C46}) (Version: 1.0.4660.30220 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.6263.4289 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{78E2C850-ADA6-420D-BA35-2F4A9BE733CC}) (Version: 8.2.8.25 - HP)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 12.00.0000 - Hewlett-Packard)
HP Support Solutions Framework (HKLM-x32\...\{5F084DD8-AF2C-4004-9C92-820C32E4BD55}) (Version: 12.4.18.7 - HP)
iCloud (HKLM\...\{ADFDB647-35C0-4254-9EE6-2D9C3B7104BD}) (Version: 5.2.1.69 - Apple Inc.)
iPhone Backup Extractor (x32 Version: 5.8.2.429 - Reincubate Ltd) Hidden
iTunes (HKLM\...\{9F4BF859-C3A4-4AB6-BDD1-9C5D58188598}) (Version: 12.4.1.6 - Apple Inc.)
Java 7 Update 65 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217065FF}) (Version: 7.0.650 - Oracle)
Microsoft Office 365 - en-us (HKLM\...\O365HomePremRetail - en-us) (Version: 16.0.6965.2058 - Microsoft Corporation)
Microsoft Office 365 Business - en-us (HKLM\...\O365BusinessRetail - en-us) (Version: 16.0.6965.2058 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\OneDriveSetup.exe) (Version: 17.3.6390.0509 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Extensibility Component (x32 Version: 16.0.6925.1018 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (Version: 16.0.6925.1018 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (x32 Version: 16.0.6925.1018 - Microsoft Corporation) Hidden
Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.11.201.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7084 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{0D61A55C-3ADC-409F-BF5B-A1766D1F5944}) (Version: 6.2.9200.28137 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.6208 - CyberLink Corp.) Hidden
Shoebox (HKLM-x32\...\{9D83AA93-BAA4-4F75-80AF-AABC12B65E3C}) (Version: 3.0.0 - Couch Labs)
TouchCopy 12 (HKLM-x32\...\{8AF3D831-23DC-4AFB-9994-FB5B5BAFDFB0}) (Version: 12.37 - Wide Angle Software)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
CustomCLSID: HKU\S-1-5-21-3493290847-1453576955-1801232407-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileCoAuthLib64.dll ()
CustomCLSID: HKU\S-1-5-21-3493290847-1453576955-1801232407-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Mom\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-3493290847-1453576955-1801232407-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileCoAuth.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3493290847-1453576955-1801232407-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Mom\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll (Google Inc.)
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {04FE6CAD-63C6-455C-A9EF-5765261F940B} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonx86\Microsoft Shared\Office16\OLicenseHeartbeat.exe [2016-06-26] (Microsoft Corporation)
Task: {1C7029B4-24BC-44D7-952A-FC9368D796D7} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Active Health Launcher => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-06-15] (HP Inc.)
Task: {1CBBC86F-2A60-4A3D-B18D-95DA7CD99AC0} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater - Resources => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-05-04] (Hewlett-Packard)
Task: {255172C0-A0D3-48CE-AE68-258973702F1A} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe
Task: {25E05DCE-BA5E-4CE1-B482-A094DC227BEE} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2012-12-26] (CyberLink)
Task: {26381C62-8748-449B-91A2-EF9B13C3F00B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-02-18] (Hewlett-Packard Company)
Task: {3812469F-5376-4DDB-BE40-77730231FC99} - System32\Tasks\{24B17E9E-43E6-4229-993D-1792FA8E921A} => pcalua.exe -a "C:\Users\Mom\AppData\Roaming\0T1M1P0A1E1E0M1T1G\Minecraft Packages\uninstaller.exe" -c /Uninstall /NM="Minecraft Packages" /AN="0T1M1P0A1E1E0M1T1G" /MBN="Minecraft Packages"
Task: {44A6F04E-D1A3-4590-94CF-0017470A8212} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2016-06-28] (HP Inc.)
Task: {493D24C1-1A7B-4C93-B22A-3C98D3204E1F} - System32\Tasks\Shoebox\ShoeboxUploader-fc292bd7 => C:\Program Files (x86)\Couch Labs\Shoebox\Shoebox.exe [2015-02-18] (Couch Labs)
Task: {4AE233EF-E5B1-47F3-A106-F0E6255F7D3C} - System32\Tasks\{D3977F33-35F7-418F-A408-CE0C8ACBA0AA} => pcalua.exe -a "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" -c scenario=install scenariosubtype=uninstall baseurl="C:\Program Files\Microsoft Office 15" platform=x86 version=15.0.4815.1002 culture=en-us productstoremove=O365HomePremRetail_en-us_x-none
Task: {4BCB859F-1BDE-45D2-A5AD-EC25612BF090} - System32\Tasks\CLMLSvc_P2G8 => c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2012-11-01] (CyberLink)
Task: {4C3ADA89-DE74-4F26-9469-2B55F3F95B82} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2016-02-23] (Apple Inc.)
Task: {55CAACE0-DD55-439A-A55E-1EDD97598C1D} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-06-15] (HP Inc.)
Task: {627DEFA8-4B5B-45D2-BA6E-804654F3322A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-05-04] (Hewlett-Packard)
Task: {66F81C0D-A11B-48C0-A2EA-ED160E5FEF70} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-3493290847-1453576955-1801232407-1001 => C:\Users\Mom\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2016-06-05] (Microsoft Corporation)
Task: {6F415A61-3B45-4839-AA6C-292FCC6FE092} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_CN477370JX => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2016-06-28] (HP Inc.)
Task: {70E88FAD-035B-45C9-AEFE-ACE9B42B72E1} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-06-10] (Microsoft Corporation)
Task: {73CEA80A-A44E-48E1-A3D6-880285CD4D66} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe [2016-06-10] (Microsoft Corporation)
Task: {75B0D29B-EB8D-4BAC-9ED7-748DD57DCD53} - System32\Tasks\HPCeeScheduleForMom => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2016-01-22] (Hewlett-Packard)
Task: {80CB8833-E7E3-4933-B752-F0FAAAF0EFBF} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-18] (Google Inc.)
Task: {8343FEB3-F304-438A-996E-489CF68A48C8} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2016-06-28] (HP Inc.)
Task: {8816C15B-BD07-4CC5-BB78-79ED90894065} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001UA => C:\Users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe [2016-07-07] (Google Inc.)
Task: {8B7A1C9F-2805-427E-9CFE-1D23BAB2E31C} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-06-22] (Microsoft Corporation)
Task: {98B91996-557C-40DF-8620-CE8ED4BB6E5D} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001Core => C:\Users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe [2016-07-07] (Google Inc.)
Task: {AED7E7C3-36EC-4761-8AC9-0D6DFC8367B7} - System32\Tasks\HPGenoobeReminder => C:\Program Files (x86)\Hewlett-Packard\HP Registration Service\HP GenOOBE\HPGenOOBE.exe [2012-10-30] ()
Task: {B5AB7FB5-89F9-4579-8F3A-1AD845CCAD0D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-11-18] (Google Inc.)
Task: {BAD0E04B-B836-4E74-9F6D-58FBB66FDF67} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-04-06] (Hewlett-Packard)
Task: {CA86AD39-AFDF-4671-A93D-95C761366ACF} - System32\Tasks\Norton Family\Norton Error Processor => C:\Program Files (x86)\Norton Family\Engine\3.6.0.31\SymErr.exe
Task: {EF2D16B2-2C5B-4D5D-B030-B82C154693D3} - System32\Tasks\Norton Family\Norton Error Analyzer => C:\Program Files (x86)\Norton Family\Engine\3.6.0.31\SymErr.exe
Task: {F4C71861-6A2B-4ECF-A551-86FB002ABE0A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-02-18] (Hewlett-Packard Company)
Task: {F7E52257-9702-41BD-933A-79971CE48E7F} - System32\Tasks\CLVDLauncher => c:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2012-11-01] (CyberLink Corp.)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001Core.job => C:\Users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3493290847-1453576955-1801232407-1001UA.job => C:\Users\Mom\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForMom.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
Shortcut: C:\Users\Public\Desktop\Snapfish.lnk -> hxxp://www.snapfish.com/hp_desktop_desktopicon_2013_usAC:\Program Files (x86)\Online Services\snapfish\SnapfishGreen.ico (No File)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-03-18 22:56 - 2016-03-18 22:56 - 00092472 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2016-04-22 01:07 - 2016-04-22 01:07 - 01337144 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2016-06-26 11:39 - 2016-06-26 11:39 - 08919752 _____ () C:\Program Files (x86)\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Office\Office16\1033\GrooveIntlResource.dll
2016-06-05 05:08 - 2016-06-05 05:08 - 00959168 _____ () C:\Users\Mom\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\ClientTelemetry.dll
2013-10-02 21:00 - 2012-06-07 20:34 - 00627216 _____ () c:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2012-06-08 11:34 - 2012-06-08 11:34 - 00016400 _____ () c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
2016-04-22 01:08 - 2016-04-22 01:08 - 01047864 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2016-03-18 22:56 - 2016-03-18 22:56 - 00080184 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2016-04-08 15:35 - 2016-04-08 15:35 - 03481600 _____ () C:\Users\Mom\AppData\Local\Programs\Google\Google Photos Backup\gpuploader_i18n.dll
2016-06-21 14:18 - 2016-06-15 02:15 - 01745560 _____ () C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\libglesv2.dll
2016-06-21 14:18 - 2016-06-15 02:15 - 00091288 _____ () C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\sharepoint.com -> hxxps://artfundinvestments-files.sharepoint.com
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2015-07-08 18:03 - 2016-06-27 02:02 - 00000831 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\HP\HP_Svinoya_Norway_Sunset.jpg
DNS Servers: 68.105.28.11 - 68.105.29.11
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
HKLM\...\StartupApproved\Run: => "iTunesHelper"
HKLM\...\StartupApproved\Run32: => "SunJavaUpdateSched"
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\StartupApproved\Run: => "iCloudServices"
HKU\S-1-5-21-3493290847-1453576955-1801232407-1001\...\StartupApproved\Run: => "C77B34DEB73DE0849E4BE289D36231EA4CA83D43._service_run"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{0E82E560-9900-4DF3-B265-FDBDA27A7139}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [UDP Query User{BEF74EA6-8052-4565-ADA3-DC99FFAA4116}C:\program files (x86)\google\chrome\application\chrome.exe] => (Allow) C:\program files (x86)\google\chrome\application\chrome.exe
FirewallRules: [{A02C6F67-8CE0-4F4C-BC73-0151A46E2497}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{1E6401E2-2280-428B-8918-0938C6D9B54B}C:\program files (x86)\hewlett-packard\hp support solutions\modules\hpdevicedetection3.exe] => (Allow) C:\program files (x86)\hewlett-packard\hp support solutions\modules\hpdevicedetection3.exe
FirewallRules: [UDP Query User{ED4B1FE3-3D8E-4869-AA53-425195CE98C9}C:\program files (x86)\hewlett-packard\hp support solutions\modules\hpdevicedetection3.exe] => (Allow) C:\program files (x86)\hewlett-packard\hp support solutions\modules\hpdevicedetection3.exe
FirewallRules: [{BE264C23-55AF-4B5F-A679-EC050616A8D6}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\outlook.exe
FirewallRules: [{B09072F5-BDB9-4E07-9E66-48BD634D62E2}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{7BB3D98D-3CB9-4848-96CF-59BD9473C69B}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{B8F02882-24EE-4CA9-889D-EA2443CBD51B}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{B961297C-AFF2-4F06-9E5D-AC67261B14F2}] => (Allow) C:\Program Files\iTunes\iTunes.exe
 
==================== Restore Points =========================
 
23-06-2016 20:11:01 20160623
02-07-2016 01:43:48 Removed iTunes
02-07-2016 02:07:15 Installed iTunes
09-07-2016 04:00:28 Scheduled Checkpoint
 
==================== Faulty Device Manager Devices =============
 
Name: Microsoft XPS Document Writer
Description: Local Print Queue
Class Guid: {1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}
Manufacturer: Microsoft
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/09/2016 09:04:26 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database
 
Error: (07/08/2016 02:24:31 PM) (Source: Office 2016 Licensing Service) (EventID: 0) (User: )
Description: Subscription licensing service failed: -2146762481
 
Error: (07/08/2016 02:24:31 PM) (Source: Microsoft Office 16) (EventID: 2011) (User: )
Description: Office Subscription licensing exception: Error Code: 0x800B010F; CorrelationId: {3B68569A-0BFE-4C8D-BE24-2E0228792069}
 
Error: (07/07/2016 05:13:31 AM) (Source: SideBySide) (EventID: 35) (User: )
Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is UccApi,processorArchitecture="AMD64",type="win32",version="16.0.0.0".
Definition is UccApi,processorArchitecture="x86",type="win32",version="16.0.0.0".
Please use sxstrace.exe for detailed diagnosis.
 
Error: (07/07/2016 01:12:33 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: HP23AIO)
Description: Activation of app SymantecCorporation.NortonStudio_v68kp9n051hdp!App failed with error: -2144927141 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (07/05/2016 08:06:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NF.exe, version: 13.0.1.127, time stamp: 0x555e22f5
Faulting module name: TRAYICON.DLL, version: 3.6.0.31, time stamp: 0x574bd363
Exception code: 0xc000041d
Fault offset: 0x0006ea6e
Faulting process id: 0xb50
Faulting application start time: 0xNF.exe0
Faulting application path: NF.exe1
Faulting module path: NF.exe2
Report Id: NF.exe3
Faulting package full name: NF.exe4
Faulting package-relative application ID: NF.exe5
 
Error: (07/05/2016 08:06:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: NF.exe, version: 13.0.1.127, time stamp: 0x555e22f5
Faulting module name: TRAYICON.DLL, version: 3.6.0.31, time stamp: 0x574bd363
Exception code: 0xc0000005
Fault offset: 0x0006ea6e
Faulting process id: 0xb50
Faulting application start time: 0xNF.exe0
Faulting application path: NF.exe1
Faulting module path: NF.exe2
Report Id: NF.exe3
Faulting package full name: NF.exe4
Faulting package-relative application ID: NF.exe5
 
Error: (07/04/2016 03:10:55 PM) (Source: MsiInstaller) (EventID: 1021) (User: HP23AIO)
Description: Product: Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 - Update '{6F8500D2-A80F-3347-9081-B41E71C8592B}' could not be removed. Error code 1647. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error: (07/04/2016 03:10:48 PM) (Source: MsiInstaller) (EventID: 1021) (User: HP23AIO)
Description: Product: Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 - Update '{6F8500D2-A80F-3347-9081-B41E71C8592B}' could not be removed. Error code 1647. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
 
Error: (07/04/2016 03:06:10 PM) (Source: Microsoft-Windows-RestartManager) (EventID: 10006) (User: HP23AIO)
Description: Application or service 'iCloud Services' could not be shut down.
 
 
System errors:
=============
Error: (07/09/2016 03:03:21 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80004005: AD2F1837.SavingsCenterFeaturedOffers.
 
Error: (07/08/2016 06:36:42 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80004005: AD2F1837.SavingsCenterFeaturedOffers.
 
Error: (07/07/2016 08:41:27 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80004005: AD2F1837.SavingsCenterFeaturedOffers.
 
Error: (07/07/2016 05:13:53 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80004005: AD2F1837.SavingsCenterFeaturedOffers.
 
Error: (07/07/2016 01:20:53 AM) (Source: DCOM) (EventID: 10010) (User: HP23AIO)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (07/07/2016 01:20:47 AM) (Source: DCOM) (EventID: 10010) (User: HP23AIO)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (07/07/2016 01:20:47 AM) (Source: DCOM) (EventID: 10010) (User: HP23AIO)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (07/07/2016 01:20:47 AM) (Source: DCOM) (EventID: 10010) (User: HP23AIO)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (07/07/2016 01:20:25 AM) (Source: DCOM) (EventID: 10010) (User: HP23AIO)
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 
Error: (07/07/2016 01:12:39 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80004005: AD2F1837.SavingsCenterFeaturedOffers.
 
 
CodeIntegrity:
===================================
  Date: 2016-07-09 11:08:11.709
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-09 11:08:08.909
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-09 11:08:05.537
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-09 11:08:02.709
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-07 17:20:49.143
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-07 17:20:45.613
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-04 13:25:40.491
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-04 13:25:37.494
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-04 13:25:33.748
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2016-07-04 13:25:30.515
  Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: AMD E2-2000 APU with Radeon™ HD Graphics
Percentage of memory in use: 38%
Total physical RAM: 5717.26 MB
Available physical RAM: 3502.94 MB
Total Virtual: 6117.26 MB
Available Virtual: 3051.86 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:445.57 GB) (Free:305.39 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Recovery Image) (Fixed) (Total:18.38 GB) (Free:2.22 GB) NTFS ==>[system with boot components (obtained from drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 4D087268)
 
Partition: GPT.
 
========================================================
Disk: 1 (Size: 931.5 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
==================== End of Addition.txt ============================


#9 polskamachina

  • Malware Response Team
  • 3,896 posts
  • Gender:Male

Posted 10 July 2016 - 10:05 PM

Hi Jen :)

Regarding your question:

Is it SAFE to Remove or Quarantine the found objects?

Yes, you may remove/quarantine the found objects.

Next:
Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system"
    (image: malwarebytes-anti-malware-fix-now.jpg)
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button.
    (image: malwarebytes-anti-malware-2-0-update-now)
  • The THREAT SCAN will automatically begin.
    (image: malwarebytes-anti-malware-scan.jpg)
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
    (image: malwarebytes-anti-malware-potential-thre)
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
    (image: mbam4_zps490948cc.png)
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1):
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log including the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2):
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log including the top portion which shows MBAM's database version and your operating system.

Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following location:
C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd

Regarding your comment:

    Right now, I'm backing up my duplicating the backup of my photos since that's really the only thing I value on my computer. In addition to the HP23 AIO with Windows 8.1, I have several iPhones, two 3-in-1 printers, several iPads and currently or recently on my wifi network. I mention this only because nothing seems to run like it feel it should.

Keeping in mind that this topic will be limited to your Windows 8.1 pc, can you tell me specifically what issues, if any, you are having?

  • Does it seem unusually slow?
  • Does your wireless connection work at all or drop out intermittently?
  • Do you get popup notices that don't appear to be coming from legitimate sources?
  • Does the computer ever lock up?

In summary I will need from you:

  • Answers to the above 4 questions.
  • Malwarebytes log.

Let me know if you have any questions.

polskamachina



#10 A_BeautifulMess

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 11 July 2016 - 07:50 AM

<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header>
<date>2016/07/11 03:14:06 -0700</date>
<logfile>mbam-log-2016-07-11 (03-14-03).xml</logfile>
<isadmin>yes</isadmin>
</header>
<engine>
<version>2.2.1.1043</version>
<malware-database>v2016.07.11.03</malware-database>
<rootkit-database>v2016.05.27.01</rootkit-database>
<license>free</license>
<file-protection>disabled</file-protection>
<web-protection>disabled</web-protection>
<self-protection>disabled</self-protection>
</engine>
<system>
<hostname>HP23AIO</hostname>
<ip>192.168.0.15</ip>
<osversion>Windows 8.1</osversion>
<arch>x64</arch>
<username>Mom</username>
<filesys>NTFS</filesys>
</system>
<summary>
<type>threat</type>
<result>completed</result>
<objects>526126</objects>
<time>4930</time>
<processes>0</processes>
<modules>0</modules>
<keys>9</keys>
<values>10</values>
<datas>0</datas>
<folders>3</folders>
<files>2</files>
<sectors>0</sectors>
</summary>
<options>
<memory>enabled</memory>
<startup>enabled</startup>
<filesystem>enabled</filesystem>
<archives>enabled</archives>
<rootkits>enabled</rootkits>
<deeprootkit>disabled</deeprootkit>
<heuristics>enabled</heuristics>
<pup>enabled</pup>
<pum>enabled</pum>
</options>
<items>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Update AdvanceElite</path><vendor>PUP.Optional.Yontoo</vendor><action>success</action><hash>27981a085149de585c66e7f8f70cfb05</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Util AdvanceElite</path><vendor>PUP.Optional.Yontoo</vendor><action>success</action><hash>cef14ed4cecc71c599296679f40f3ac6</hash></key>
<key><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-1006\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{1722C4C8-FCFA-4949-9662-EFF6F7CFE537}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>c8f7f82ab7e3f5412e2a89684ab97090</hash></key>
<key><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-1006\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{5EF06929-C9E4-42A1-A471-B25B8909B99C}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>efd0ce54b8e2171f3325965b739025db</hash></key>
<key><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-1007\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{1722C4C8-FCFA-4949-9662-EFF6F7CFE537}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>229da1816f2b5adc431513de7d865aa6</hash></key>
<key><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-1007\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8969834C-579E-40FA-856E-3E95171FDFC6}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>308fd64c89114aec2533628f689b04fc</hash></key>
<key><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{1722C4C8-FCFA-4949-9662-EFF6F7CFE537}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>1aa5180a01992d09441421d0689bfa06</hash></key>
<key><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-501\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{1722C4C8-FCFA-4949-9662-EFF6F7CFE537}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>1aa54dd58d0db77f1e3ad918ea19be42</hash></key>
<key><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-501\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9B267240-07FD-4A26-AB3D-71AC65D28184}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>3b84ff23cad00432adab9061d72ce11f</hash></key>
<value><path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY</path><valuename>AppPath</valuename><vendor>PUP.Optional.Astromenda</vendor><action>success</action><valuedata>C:\Program Files (x86)\WSE_Astromenda\\</valuedata><hash>724d839fa3f7a3933ef5861215ee3dc3</hash></value>
<value><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-1007\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8969834C-579E-40FA-856E-3E95171FDFC6}</path><valuename>FaviconURL</valuename><vendor>PUP.Optional.ASK</vendor><action>success</action><valuedata>http://www.search.ask.com/favicon.ico</valuedata><hash>308fd64c89114aec2533628f689b04fc</hash></value>
<value><path>HKU\S-1-5-21-3493290847-1453576955-1801232407-501\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{9B267240-07FD-4A26-AB3D-71AC65D28184}</path><valuename>FaviconURL</valuename><vendor>PUP.Optional.ASK</vendor><action>success</action><valuedata>http://www.search.ask.com/favicon.ico</valuedata><hash>3b84ff23cad00432adab9061d72ce11f</hash></value>
<folder><path>C:\Users\Mom\AppData\LocalLow\OnlineMapFinder_9pEI</path><vendor>PUP.Optional.MindSpark</vendor><action>success</action><hash>407f4fd32179a591a84b9424669c57a9</hash></folder>
<folder><path>C:\Users\Mom\AppData\LocalLow\OnlineMapFinder_9pEI\Installr</path><vendor>PUP.Optional.MindSpark</vendor><action>success</action><hash>407f4fd32179a591a84b9424669c57a9</hash></folder>
<folder><path>C:\Users\Mom\AppData\LocalLow\OnlineMapFinder_9pEI\Installr\Cache</path><vendor>PUP.Optional.MindSpark</vendor><action>success</action><hash>407f4fd32179a591a84b9424669c57a9</hash></folder>
<file><path>C:\Users\Mom\AppData\LocalLow\OnlineMapFinder_9pEI\Installr\Cache\029F7F03.exe</path><vendor>PUP.Optional.MindSpark</vendor><action>success</action><hash>407f4fd32179a591a84b9424669c57a9</hash></file>
<file><path>C:\Users\Mom\AppData\LocalLow\OnlineMapFinder_9pEI\Installr\Cache\files.ini</path><vendor>PUP.Optional.MindSpark</vendor><action>success</action><hash>407f4fd32179a591a84b9424669c57a9</hash></file>
</items>
</mbam-log>
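
The mbam-log posted above is plain XML, so it can be checked by script instead of by eye. The Python below is added here as an example; it is not part of this thread and not Malwarebytes' own code. It parses that 2.x layout, counts detections per detection name, lists every item whose action was not "success" (the ones that still need the reboot the instructions insist on), cross-checks the <summary> counts against the items actually listed so a truncated or hand-edited paste is caught, and collects the user SIDs under which the same registry entries were found. The embedded sample log, its hostname and its all-zero hashes are constructed for the example, not copied from the log above.

```python
"""Parse a Malwarebytes Anti-Malware 2.x XML scan log (mbam-log-*.xml) and
summarise what was detected, what was actioned, and whether the <summary>
counts agree with the <items> actually present."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the mbam-log 2.x layout (placeholder SID and hashes;
# not the log posted in the thread). Note the summary claims 2 files but only
# 1 is listed, as happens when a paste is cut short.
SAMPLE_LOG = r"""<?xml version="1.0" encoding="UTF-16" ?>
<mbam-log>
<header><date>2016/07/11 03:14:06 -0700</date><logfile>mbam-log-sample.xml</logfile><isadmin>yes</isadmin></header>
<engine><version>2.2.1.1043</version><malware-database>v2016.07.11.03</malware-database><rootkit-database>v2016.05.27.01</rootkit-database><license>free</license></engine>
<system><hostname>EXAMPLE-PC</hostname><osversion>Windows 8.1</osversion><arch>x64</arch><username>user</username></system>
<summary><type>threat</type><result>completed</result><objects>1000</objects><time>10</time>
<keys>2</keys><values>1</values><folders>1</folders><files>2</files></summary>
<items>
<key><path>HKU\S-1-5-21-0-0-0-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{00000000-0000-0000-0000-000000000001}</path><vendor>PUP.Optional.ASK</vendor><action>success</action><hash>00000000000000000000000000000000</hash></key>
<key><path>HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Update Example</path><vendor>PUP.Optional.Yontoo</vendor><action>success</action><hash>00000000000000000000000000000000</hash></key>
<value><path>HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY</path><valuename>AppPath</valuename><vendor>PUP.Optional.Astromenda</vendor><action>success</action><valuedata>C:\Program Files (x86)\WSE_Example\</valuedata><hash>00000000000000000000000000000000</hash></value>
<folder><path>C:\Users\user\AppData\LocalLow\OnlineMapFinder_XXXX</path><vendor>PUP.Optional.MindSpark</vendor><action>success</action><hash>00000000000000000000000000000000</hash></folder>
<file><path>C:\Users\user\AppData\LocalLow\OnlineMapFinder_XXXX\Installr\Cache\sample.exe</path><vendor>PUP.Optional.MindSpark</vendor><action>failed</action><hash>00000000000000000000000000000000</hash></file>
</items>
</mbam-log>
"""

# Item element names used by the 2.x log and the matching <summary> counters.
KIND_TO_SUMMARY = [("process", "processes"), ("module", "modules"), ("key", "keys"),
                   ("value", "values"), ("data", "datas"), ("folder", "folders"),
                   ("file", "files"), ("sector", "sectors")]


def parse_mbam_log(text):
    """Return header/engine/system/summary dicts plus a flat list of items."""
    # The file on disk is UTF-16; once it is read into a str the declared
    # encoding no longer applies, so drop the declaration before parsing.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(body)
    if root.tag != "mbam-log":
        raise ValueError("not an mbam-log document")

    def section(name):
        node = root.find(name)
        return {c.tag: (c.text or "").strip() for c in node} if node is not None else {}

    items = []
    items_node = root.find("items")
    for node in (items_node if items_node is not None else []):
        items.append({
            "kind": node.tag,
            "path": node.findtext("path", ""),
            "valuename": node.findtext("valuename"),   # only on <value> items
            "valuedata": node.findtext("valuedata"),   # only on <value> items
            "vendor": node.findtext("vendor", ""),     # detection name
            "action": node.findtext("action", ""),     # success / failed / ...
            "hash": node.findtext("hash", ""),
        })
    return {"header": section("header"), "engine": section("engine"),
            "system": section("system"), "summary": section("summary"), "items": items}


def detections_by_vendor(log):
    """Number of hits per detection name (e.g. PUP.Optional.ASK)."""
    return Counter(item["vendor"] for item in log["items"])


def unresolved_items(log):
    """Items not actioned successfully: they survived cleanup and need the
    reboot, a rescan, or manual handling."""
    return [i for i in log["items"] if i["action"] != "success"]


def summary_mismatches(log):
    """Map kind -> (declared, listed) wherever <summary> disagrees with the
    items present; a mismatch means the log was truncated or edited."""
    listed = Counter(i["kind"] for i in log["items"])
    out = {}
    for kind, counter in KIND_TO_SUMMARY:
        declared = int(log["summary"].get(counter) or 0)
        if declared != listed.get(kind, 0):
            out[kind] = (declared, listed.get(kind, 0))
    return out


def affected_user_sids(log):
    """SIDs of the HKU hives that carried a detection; the same entry repeated
    under several SIDs means every profile on the machine had it."""
    sids = set()
    for item in log["items"]:
        m = re.match(r"HKU\\(S-1-5-21-[\d-]+)\\", item["path"], re.IGNORECASE)
        if m:
            sids.add(m.group(1))
    return sorted(sids)


if __name__ == "__main__":
    log = parse_mbam_log(SAMPLE_LOG)
    print("engine", log["engine"]["version"], "db", log["engine"]["malware-database"])
    for vendor, n in detections_by_vendor(log).most_common():
        print(f"{n:3d}  {vendor}")
    print("unresolved:", [i["path"] for i in unresolved_items(log)])
    print("summary mismatches:", summary_mismatches(log))
    print("HKU hives with hits:", affected_user_sids(log))
```

To run it against a real log, read the file with `open(path, encoding="utf-16")` and pass the resulting text to `parse_mbam_log`; the summary cross-check is the quick way to confirm that a pasted log is complete before reading anything into it.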
 


#11 A_BeautifulMess

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 11 July 2016 - 08:59 PM

Answers below

Keeping in mind that this topic will be limited to your Windows 8.1 pc, can you tell me specifically what issues, if any, you are having?

  • Does it seem unusually slow? Yes
  • Does your wireless connection work at all or drop out intermittently?  Yes it works but intermittently and I've seen some event viewer reports stating the internet profile has been changed to public 
  • Do you get popup notices that don't appear to be coming from legitimate sources?  Not so much but I used to before Nasdaq helped me in my first forum post regarding StdLib in my Startups
  • Does the computer ever lock up? Yes but again, I've not really been experiencing this as much since Nasdaq helped me http://www.bleepingcomputer.com/forums/t/614358/help-securing-wifi-with-stdlib-comodo-norton-others-removal/


#12 A_BeautifulMess

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 11 July 2016 - 09:18 PM

A few things I wanted to add: running Malwarebytes, it looks like I have older items still quarantined by the program.

Attached File: mbam app logs.JPG (96.92KB)
Attached File: mbam prior.JPG (125.59KB)

 



#13 A_BeautifulMess

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 11 July 2016 - 09:24 PM

And while I understand we are just trying to remove malware from one of my PCs so I can get a clean place to start from, my desktop and laptop and even apple devices seem to be interacting in a way I don't want them to.  Example being that this screenshot here is of the screensaver from my ACER Chromebook EXCEPT I'm on my HP AIO23?!?!?

 

Attached File: wrong screensaver.JPG (125.43KB)

 

I'm not sure when it showed up here on this desktop but I am sure, it doesn't belong here.  This is not an "ACER" machine.



#14 polskamachina

  • Malware Response Team
  • 3,896 posts
  • Gender:Male

Posted 12 July 2016 - 03:45 PM

Hi Jen :)
 
The list of quarantined files in the Malwarebytes program can be deleted by clicking the Delete (if you just want to select individual items) or Delete All button.
 
Regarding your screensaver on the HP AIO23 computer, let's hold off on tackling that problem until we've completed the Windows 8.1 computer.
 
Regarding your network profile changing to public, are you always connected to the same network? Each network can be configured independently.
 
Next, let's do a complete ESET scan.
 
ESET Online Scanner:

Note: You will need to disable your currently installed Anti-Virus, how to do so can be read here.

  • Please go here, download the ESET Smart Installer, and save it to your desktop.
  • Double-click on the ESET Smart Installer icon you just downloaded.
  • Place a checkmark next to "YES, I accept the Terms of Use" and click the Start button.
  • Click "Yes" to the UAC (User Account Control) warning, then ESET will download its components, register itself, and start itself.
  • In the new window that opens, tick the radio button next to Enable detection of potentially unwanted applications.
  • Then click "Advanced settings", and make sure there is a checkmark next to only the following items (uncheck everything else):
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Now click on: Start
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. ...The scan may appear to be finished sometimes...if there is a progress bar visible, it is still scanning!
  • When the scan completes, click List Found Threats (only if anything is found).
  • Then click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click Back, then click Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!

 

In summary I will need from you:

  • ESET scan log if any objects were found.

Let me know if you have any questions.

 

polskamachina



#15 A_BeautifulMess

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Female
  • Location:Laguna Audobon, California

Posted 13 July 2016 - 06:01 PM

C:\AdwCleaner\FileQuarantine\C\Users\Mom\AppData\Roaming\0t1m1p0a1e1e0m1t1g\Minecraft Packages\uninstaller.exe.vir a variant of Win32/InstallCore.AEO.gen potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Windows\System32\drivers\{324e1577-96d7-407f-b1ce-1c9f8b33dad4}Gw64.sys.xBAD a variant of Win64/BrowseFox.Q potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Windows\System32\drivers\{46a147d8-5171-42d8-b8a8-6a187525781d}Gw64.sys.xBAD a variant of Win64/BrowseFox.Q potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Windows\System32\drivers\{5d78e0ee-ca60-46a4-9492-4f24429cc925}Gw64.sys.xBAD a variant of Win64/BrowseFox.Q potentially unwanted application cleaned by deleting
C:\FRST\Quarantine\C\Windows\System32\drivers\{949aba83-1d7f-4d0b-b0ba-203450825231}Gw64.sys.xBAD a variant of Win64/BrowseFox.Q potentially unwanted application cleaned by deleting
C:\Users\ari\AppData\Local\Microsoft\Windows\INetCache\IE\75O1TQ8Z\filewhiz.exe a variant of Win32/InstallIQ.A potentially unwanted application cleaned by deleting
C:\Users\ari\AppData\Local\Microsoft\Windows\INetCache\IE\IBH6VNQW\Minecraft Download Manager.exe a variant of Win32/InstallCore.ACZ potentially unwanted application cleaned by deleting
C:\Users\ari\AppData\Local\Microsoft\Windows\INetCache\IE\IBH6VNQW\OnlineMapFinder.exe a variant of Win32/AdInstaller potentially unwanted application cleaned by deleting
 




