Bad Infection, won't let me do anything [Solved]


  • This topic is locked

#1
strew1224

    Member

  • 19 posts
I have a HP Pavillion desktop computer that has been hijacked by something. It has shut down my antivirus and it won't let me access the internet. I don't know how to post anything for you to look at.
  • 0



#2
pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hello and welcome to Geeks to Go! My nickname is Pystryker :), and I will be helping you with your issue today.

Please note: I am currently in training and all my fixes must be approved by my teacher before being posted. This gives you the advantage of having two people working to solve your problems.

Before we get started, I have a few things I need to go over with you:

  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • Please subscribe to this topic. By subscribing, the board will notify you when a new reply is added to your topic. You can find instructions on how to do that by clicking here.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
  • Please read through my instructions carefully and completely before executing them.
  • Please make sure that all the programs I ask you to download are downloaded to and run from your Desktop.
  • Please make sure you print out these instructions so that you will be able to refer to them while working on your machine. Part of the solution(s) to your problem may involve us working in Safe Mode and you will need them to go by.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • Please read through my instructions carefully and make sure you complete them from start to finish. I will make sure that I lay the instructions out in a step by step order to make them easy to follow.
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • Please make sure you reply within 3 days to my responses, if there is no reply within 3 days, the topic will be closed and you will need to request the topic be reopened.
  • Before we get started, please remember we will do our best to get your machine repaired. However, there are some cases where the only solution is a reformat and reinstall of the operating system. This is a worst case scenario though.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If possible, please have your original Windows installation disks handy, just in case.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexpected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please copy and paste the contents of any requested logs in your replies. Do not attach the log files in your replies unless requested to do so.
  • Please remember, the fixes are for your machine and your machine ONLY!



Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future.

Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)

Now, let's get started, shall we? :thumbsup:


I have a HP Pavillion desktop computer that has been hijacked by something. It has shut down my antivirus and it won't let me access the internet. I don't know how to post anything for you to look at.


Do you have another computer and a USB drive? If so, download the tool below to the usb drive and transfer it to the affected computer's desktop. Once there, follow the instructions for running the scan.



Download OTL

Download OTL to your desktop by clicking here. If for some reason, that link is not working, please click here for a secondary site.

  • Close any open windows and then double click (Vista, Windows 7, 8, right click and then click Run as Administrator) the icon to start OTL.
  • Please make sure the following boxes are checked.
  • Scan All Users
  • Use Company-Name WhiteList
  • Skip Microsoft Files
  • Use No-Company-Name Whitelist
  • LOP Check
  • Purity Check
  • Please check Use Safelist is checked under Extra Registry.
  • Copy the contents of the quote box below (do not copy the word "quote"!) and paste them into the Custom Scans/Fixes box at the bottom of OTL's control panel.

    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    dir "%systemdrive%\*" /S /A:L /C

  • Click the Run Scan button.


  • Please do not interrupt the scanning process. It may take a while to complete the scan, so please be patient. :)
  • When the scan is finished, it will generate 2 logs, OTL.txt and Extras.txt, each in a Notepad window. Both of these logs are saved in the same location as OTL. In this case, on your desktop.
  • Please post each log in your next reply.

  • 0

#3
strew1224

    Member

  • Topic Starter
  • 19 posts
I transferred the file to a usb drive and copied it to the desktop of the infected computer. When I try to run it a box pops up saying "Warning! Infected file detected. OTL.exe destroys and infects system files."

Also will my portable usb be infected since I plugged it into the infected computer?

Edited by strew1224, 08 January 2014 - 09:18 AM.

  • 0

#4
strew1224

    Member

  • Topic Starter
  • 19 posts
Antivirus security found the following threats:

Win32/Sinowal.gen!X
Win32/Kelihos
JS/Redirector.XX
Win32/Zbot
Win32/Tracur.XX
Win32/Casus.2_0
Win32/Chedap.A
Win32/Xinkey
Win32/Conficker.X
Win32/Ramnit.X
Win32/PriceGong
Win32/Pramro.F
Win32/Dorkbot.A
Win32/Sality.XX
  • 0

#5
pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hello :)

Regarding the USB, download McShield to your other computer and follow the instructions.

Download MCShield to your desktop and install

  • It will initially run a scan and show the result as a toaster by the system clock.
  • Then in the control center select Scanner and tick unhide items on flash drives.


  • Plug in the drive and McShield will start a scan
  • Then get the log, which will be here:
  • Start > all programs > MCShield > logs > all scans

And post that in your next reply.



What operating system do you have on your machine, and is it 32-bit or 64-bit? Please let me know and we can proceed from there. :thumbsup:
  • 0

#6
strew1224

    Member

  • Topic Starter
  • 19 posts
I ran MCShield on the computer I'm using to communicate with you. This is the MCShield log:

>>> MCShield AllScans.txt <<<



MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 2.8.3.24 / DB: 2014.1.6.1 / Windows Vista <<<


1/8/2014 1:38:11 PM > Drive C: - scan started (HP ~286 GB, NTFS HDD )...



=> The drive is clean.


1/8/2014 1:38:12 PM > Drive D: - scan started (FACTORY_IMAGE ~12 GB, NTFS HDD )...


>>> D:\desktop.ini - Malware > Deleted. (14.01.08. 13.38 desktop.ini.50823; MD5: 12a51a677a89535de21b6127c487eb50)


=> Malicious files : 1/1 deleted.

____________________________________________

::::: Scan duration: 3sec ::::::::::::::::::
____________________________________________




MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 2.8.3.24 / DB: 2014.1.6.1 / Windows Vista <<<


1/8/2014 1:39:10 PM > Drive F: - scan started (no label ~7630 MB, FAT32 flash drive )...

>>> F:\autorun.inf > Legitimate file.


=> The drive is clean.
  • 0

#7
pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Ok, what version is the operating system of the infected computer? And is it 32 bit or 64 bit?
  • 0

#8
strew1224

    Member

  • Topic Starter
  • 19 posts
The infected computer is running Windows 8 version 6.2 (build 9200)
  • 0

#9
pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Ok, let's see if we can get a log with FRST in Recovery Mode. Please follow the instructions below.


Farbar Recovery Scan Tool

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  • 0

#10
strew1224

    Member

  • Topic Starter
  • 19 posts
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-01-2014 01
Ran by SYSTEM on MININT-NBEVT53 on 09-01-2014 07:28:53
Running from E:\
Windows 8 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BeatsOSDApp] - C:\Program Files\IDT\WDM\Beats64.exe [37888 2012-09-19] (Hewlett-Packard )
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-09-19] (IDT, Inc.)
HKLM\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()
HKLM-x32\...\Run: [CLMLServer_For_P2G8] - C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] - C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-01] (CyberLink Corp.)
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2013-12-12] (Hewlett-Packard)
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\gallgaDp\gallgaDp.exe -sm,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Victoria\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()
HKU\Victoria\...\Run: [regetion] - rundll32 "C:\Users\Victoria\AppData\Local\Temp\choition.dll",CreateProcessNotify <===== ATTENTION
HKU\Victoria\...\Run: [compeown] - rundll32 "C:\Users\Victoria\AppData\Local\Temp\choition64.dll",CreateProcessNotify <===== ATTENTION
HKU\Victoria\...\RunOnce: [Uninstall C:\Users\Victoria\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64] - C:\windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Victoria\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64"
AppInit_DLLs: [ ] ()
AppInit_DLLs-x32: [ ] ()
Startup: C:\Users\Victoria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

==================== Services (Whitelisted) =================

S2 HPConnectedRemote; c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35232 2012-08-29] (Hewlett-Packard)
S2 HPRegistrationSvc; c:\Program Files (x86)\Hewlett-Packard\HP Registration Service\HPRegistrationService.exe [205216 2012-07-18] (Hewlett-Packard)
S2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-18] (Intel Corporation)
S2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe [144520 2012-12-23] (Symantec Corporation)
S2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1907896 2013-11-02] (Microsoft Corporation)
S4 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16048 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

S3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130515.001\BHDrvx64.sys [1390680 2013-04-12] (Symantec Corporation)
S3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1403010.016\ccSetx64.sys [168096 2012-11-15] (Symantec Corporation)
S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
S3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-04-08] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-04-08] (Symantec Corporation)
S3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130531.001\IDSvia64.sys [513184 2013-04-05] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20130531.019\ENG64.SYS [126040 2013-05-21] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20130531.019\EX64.SYS [2098776 2013-05-21] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NISx64\1403010.016\SRTSP64.SYS [796248 2013-01-28] (Symantec Corporation)
S3 SRTSPX; C:\Windows\system32\drivers\NISx64\1403010.016\SRTSPX64.SYS [36952 2013-01-28] (Symantec Corporation)
S3 SymDS; C:\Windows\system32\drivers\NISx64\1403010.016\SYMDS64.SYS [493656 2013-01-21] (Symantec Corporation)
S3 SymEFA; C:\Windows\system32\drivers\NISx64\1403010.016\SYMEFA64.SYS [1139800 2013-01-30] (Symantec Corporation)
S4 SymELAM; C:\Windows\system32\drivers\NISx64\1403010.016\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)
S3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-01-14] (Symantec Corporation)
S3 SymIRON; C:\Windows\system32\drivers\NISx64\1403010.016\Ironx64.SYS [224416 2012-11-15] (Symantec Corporation)
S3 SymNetS; C:\Windows\System32\Drivers\NISx64\1403010.016\SYMNETS.SYS [432800 2013-01-30] (Symantec Corporation)
S3 tilfilter; C:\Windows\System32\drivers\TIxHCIlfilter.sys [17528 2012-11-20] (Texas Instruments, Inc.)
S3 tiufilter; C:\Windows\System32\drivers\TIxHCIufilter.sys [23184 2012-11-20] (Texas Instruments, Inc.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-09 07:28 - 2014-01-09 07:28 - 00000000 ____D C:\FRST
2014-01-09 07:20 - 2014-01-09 07:20 - 00000000 ____D C:\ProgramData\Recovery
2014-01-08 07:12 - 2014-01-08 09:17 - 00602112 _____ (OldTimer Tools) C:\Users\Victoria\Desktop\OTL.exe
2013-12-13 19:41 - 2013-12-13 19:41 - 00000000 ___HD C:\$SysReset
2013-12-13 19:36 - 2014-01-09 07:12 - 00001668 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro.lnk
2013-12-13 19:36 - 2014-01-09 07:12 - 00000118 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro support.url
2013-12-13 19:29 - 2013-12-13 19:29 - 00000000 ____D C:\Users\Victoria\AppData\Local\HP Quick Start
2013-12-13 18:58 - 2013-12-13 18:58 - 00003110 _____ C:\Windows\System32\Tasks\{D211F594-E130-4B13-81E3-1ACB2B2C6D42}
2013-12-13 18:42 - 2013-12-13 18:42 - 00003124 _____ C:\Windows\System32\Tasks\{47401DA1-26A7-442E-880E-381C26290DB9}
2013-12-13 18:38 - 2013-12-13 18:38 - 00003106 _____ C:\Windows\System32\Tasks\{3CFDBD71-D8E2-429B-A6A3-A716D72BAF59}
2013-12-13 18:35 - 2014-01-08 12:35 - 00000364 _____ C:\Windows\Tasks\HPCeeScheduleForVictoria.job
2013-12-13 18:35 - 2013-12-13 18:35 - 00003184 _____ C:\Windows\System32\Tasks\HPCeeScheduleForVictoria
2013-12-13 18:24 - 2013-12-13 18:24 - 00432288 _____ C:\Windows\System32\FNTCACHE.DAT

==================== One Month Modified Files and Folders =======

2014-01-09 07:28 - 2014-01-09 07:28 - 00000000 ____D C:\FRST
2014-01-09 07:21 - 2012-07-25 23:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-09 07:20 - 2014-01-09 07:20 - 00000000 ____D C:\ProgramData\Recovery
2014-01-09 07:12 - 2013-12-13 19:36 - 00001668 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro.lnk
2014-01-09 07:12 - 2013-12-13 19:36 - 00000118 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro support.url
2014-01-08 13:00 - 2012-07-26 00:12 - 00000000 ____D C:\Windows\System32\sru
2014-01-08 12:35 - 2013-12-13 18:35 - 00000364 _____ C:\Windows\Tasks\HPCeeScheduleForVictoria.job
2014-01-08 09:17 - 2014-01-08 07:12 - 00602112 _____ (OldTimer Tools) C:\Users\Victoria\Desktop\OTL.exe
2014-01-08 07:32 - 2013-09-16 11:19 - 00000296 _____ C:\Windows\Tasks\TopArcadeHits.job
2014-01-08 07:31 - 2013-04-08 17:16 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4105523587-2539770913-2756829736-1001
2014-01-08 06:58 - 2012-07-26 00:12 - 00000000 ___HD C:\Windows\ELAMBKUP
2014-01-08 06:53 - 2013-04-08 17:06 - 01587877 _____ C:\Windows\WindowsUpdate.log
2014-01-08 06:25 - 2012-07-25 23:28 - 00876494 _____ C:\Windows\System32\PerfStringBackup.INI
2014-01-08 06:24 - 2012-07-25 23:21 - 00027219 _____ C:\Windows\setupact.log
2014-01-07 14:03 - 2012-07-25 21:26 - 00262144 ___SH C:\Windows\System32\config\ELAM
2014-01-07 14:01 - 2012-08-01 18:02 - 00030012 _____ C:\Windows\PFRO.log
2013-12-13 19:44 - 2013-10-20 20:11 - 00000000 ____D C:\ProgramData\gallgaDp
2013-12-13 19:44 - 2013-10-19 19:03 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2013-12-13 19:44 - 2012-07-26 00:12 - 00000000 ____D C:\Windows\registration
2013-12-13 19:44 - 2012-07-25 21:26 - 00262144 ___SH C:\Windows\System32\config\BBI
2013-12-13 19:41 - 2013-12-13 19:41 - 00000000 ___HD C:\$SysReset
2013-12-13 19:41 - 2013-04-08 17:05 - 00000000 ____D C:\users\Victoria
2013-12-13 19:29 - 2013-12-13 19:29 - 00000000 ____D C:\Users\Victoria\AppData\Local\HP Quick Start
2013-12-13 18:59 - 2013-01-14 19:34 - 00000000 ____D C:\Program Files (x86)\CyberLink
2013-12-13 18:59 - 2013-01-14 19:29 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-12-13 18:58 - 2013-12-13 18:58 - 00003110 _____ C:\Windows\System32\Tasks\{D211F594-E130-4B13-81E3-1ACB2B2C6D42}
2013-12-13 18:57 - 2013-01-14 19:37 - 00000000 ____D C:\Program Files (x86)\HP Games
2013-12-13 18:56 - 2013-01-14 19:36 - 00000000 ____D C:\ProgramData\WildTangent
2013-12-13 18:49 - 2013-09-16 11:20 - 00000000 ____D C:\Program Files (x86)\AbiWord
2013-12-13 18:42 - 2013-12-13 18:42 - 00003124 _____ C:\Windows\System32\Tasks\{47401DA1-26A7-442E-880E-381C26290DB9}
2013-12-13 18:42 - 2013-10-19 19:02 - 00000000 ____D C:\ProgramData\eSafe
2013-12-13 18:39 - 2013-10-19 19:02 - 00000866 _____ C:\Windows\SysWOW64\InstallUtil.InstallLog
2013-12-13 18:38 - 2013-12-13 18:38 - 00003106 _____ C:\Windows\System32\Tasks\{3CFDBD71-D8E2-429B-A6A3-A716D72BAF59}
2013-12-13 18:37 - 2013-04-09 16:15 - 00000000 ____D C:\Program Files\Microsoft Office 15
2013-12-13 18:35 - 2013-12-13 18:35 - 00003184 _____ C:\Windows\System32\Tasks\HPCeeScheduleForVictoria
2013-12-13 18:33 - 2013-04-12 03:30 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2013-12-13 18:33 - 2013-04-12 03:30 - 00000000 _____ C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2013-12-13 18:33 - 2013-04-08 17:08 - 00003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{2D43F1F4-8269-4CBF-B37B-FD4A2F3DAD5C}
2013-12-13 18:26 - 2013-09-16 11:20 - 00000258 __RSH C:\Users\Victoria\ntuser.pol
2013-12-13 18:26 - 2013-01-14 19:52 - 00018152 _____ C:\Windows\System32\results.xml
2013-12-13 18:24 - 2013-12-13 18:24 - 00432288 _____ C:\Windows\System32\FNTCACHE.DAT

Some content of TEMP:
====================
C:\Users\Victoria\AppData\Local\Temp\214_FPPSetup.exe
C:\Users\Victoria\AppData\Local\Temp\air213.exe
C:\Users\Victoria\AppData\Local\Temp\air4026.exe
C:\Users\Victoria\AppData\Local\Temp\air5739.exe
C:\Users\Victoria\AppData\Local\Temp\air66CB.exe
C:\Users\Victoria\AppData\Local\Temp\airAD0C.exe
C:\Users\Victoria\AppData\Local\Temp\airC56.exe
C:\Users\Victoria\AppData\Local\Temp\BackupSetup.exe
C:\Users\Victoria\AppData\Local\Temp\choition.dll
C:\Users\Victoria\AppData\Local\Temp\choition64.dll
C:\Users\Victoria\AppData\Local\Temp\Extract.exe
C:\Users\Victoria\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Victoria\AppData\Local\Temp\sp58915.exe
C:\Users\Victoria\AppData\Local\Temp\SP59485.exe
C:\Users\Victoria\AppData\Local\Temp\SP60467.exe
C:\Users\Victoria\AppData\Local\Temp\SP61665.exe
C:\Users\Victoria\AppData\Local\Temp\SP62612.exe
C:\Users\Victoria\AppData\Local\Temp\toparcadesetup.exe
C:\Users\Victoria\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Victoria\AppData\Local\Temp\vcredist_x64.exe


==================== Known DLLs (Whitelisted) ================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2013-12-21 03:00:56
Restore point made on: 2013-12-29 03:00:25
Restore point made on: 2014-01-05 03:00:45

==================== Memory info ===========================

Percentage of memory in use: 11%
Total physical RAM: 8072.36 MB
Available physical RAM: 7107.75 MB
Total Pagefile: 8072.36 MB
Available Pagefile: 7132.25 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:910.27 GB) (Free:868.7 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (Recovery Image) (Fixed) (Total:19.76 GB) (Free:2.17 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: () (Removable) (Total:7.45 GB) (Free:7.35 GB) FAT32
Drive j: (COMBAT_ZONE) (CDROM) (Total:6 GB) (Free:0 GB) UDF
Drive x: (Boot) (Fixed) (Total:0.12 GB) (Free:0.12 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: CB9ADFE0)

Partition: GPT Partition Type
========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)


LastRegBack: 2014-01-07 03:00

==================== End Of Log ============================
  • 0



#11
pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hi, just a quick note to let you know that I'm awaiting approval for the fix for your machine. :thumbsup: Soon as I get it, I'll post it for you.
  • 0

#12
pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hello :)

Alright, now we're getting somewhere. :thumbsup: Your machine has been infected with a rogue antivirus program called AntiVirus Security Pro. The purpose of these programs is to give you false warnings about infections on your machine. Most of them want a payment to "register" or buy their software with the promise of removing the threats. In many cases, the security software will actually download more malware to your machine.

Let's get started cleaning out this rogue. Please follow the steps below.

After completing this, please let me know if you can get back online with the infected machine.


Step 1: FRST Fixlist


  • Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right click on it and select Copy. Right-click in the open notepad and select Paste.)
  • Save it on the flashdrive as fixlist.txt

Start
HKU\Victoria\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()
HKU\Victoria\...\Run: [regetion] - rundll32 "C:\Users\Victoria\AppData\Local\Temp\choition.dll",CreateProcessNotify <===== ATTENTION
HKU\Victoria\...\Run: [compeown] - rundll32 "C:\Users\Victoria\AppData\Local\Temp\choition64.dll",CreateProcessNotify <===== ATTENTION
2013-12-13 19:36 - 2014-01-09 07:12 - 00001668 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro.lnk
2013-12-13 19:36 - 2014-01-09 07:12 - 00000118 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro support.url
2014-01-08 07:32 - 2013-09-16 11:19 - 00000296 _____ C:\Windows\Tasks\TopArcadeHits.job
2013-12-13 19:44 - 2013-10-19 19:03 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
AppInit_DLLs: [ ] ()
AppInit_DLLs-x32: [ ] ()
C:\Users\Victoria\AppData\Local\Temp\214_FPPSetup.exe
C:\Users\Victoria\AppData\Local\Temp\air*.exe
C:\Users\Victoria\AppData\Local\Temp\BackupSetup.exe
C:\Users\Victoria\AppData\Local\Temp\choition.dll
C:\Users\Victoria\AppData\Local\Temp\choition64.dll
C:\Users\Victoria\AppData\Local\Temp\toparcadesetup.exe
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options.

Run FRST and press the Fix button just once and wait. The tool will make a log on the flashdrive (Fixlog.txt) please post it in your next reply.
  • 0
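As an added example (not part of this thread, and not FRST's own code), the following Python script applies the checks the helper applies by eye to the Registry section of the FRST log: autostart entries whose program sits under ProgramData or a user's AppData, DLLs loaded through rundll32 from a Temp directory, lines FRST itself marks ATTENTION, and a Winlogon Userinit value that chains a second program after userinit.exe. The sample lines are taken from the log posted above; the path patterns and the rundll32/regsvr32 loader list are assumptions of this example.

```python
"""Triage the "Registry (Whitelisted)" section of an FRST log (added example, not FRST code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One FRST autostart line: hive\...\Key: [name] - command [size date] (company) <===== ATTENTION
ENTRY = re.compile(
    r"^(?P<hive>HK[\w-]+(?:\\[\w-]+)?)\\\.\.\.\\(?P<key>Run|RunOnce|Winlogon): "
    r"\[(?P<name>[^\]]+)\] (?:- )?(?P<cmd>.*?)"
    r"(?: \[\d+ [\d-]+\])?(?: \((?P<company>[^)]*)\))?(?P<attention> <===== ATTENTION)?$"
)
EXT = re.compile(r"\.(exe|dll|cpl|scr)(?=$|[,;\"])", re.I)
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)  # assumption
TEMP_DIR = re.compile(r"\\Temp\\", re.I)
LOADERS = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}  # assumption


@dataclass
class Finding:
    name: str
    hive: str
    key: str
    module: str
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image, arguments). Handles quoted paths, unquoted paths with spaces
    (C:\\Program Files\\...) and extension-less loaders such as rundll32, whose
    next word starts with a quote, '/' or '-'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end < 0 else (cmd[1:end], cmd[end + 1:].strip())
    words = cmd.split(" ")
    for i, word in enumerate(words):
        last = i + 1 == len(words)
        if EXT.search(word) or last or words[i + 1][:1] in ('"', "/", "-"):
            return " ".join(words[: i + 1]), " ".join(words[i + 1:]).strip()
    return words[0], ""


def loaded_module(cmd: str) -> Tuple[str, str]:
    """Return (loader basename, file that really executes): for rundll32/regsvr32
    that is the DLL argument, otherwise the image itself."""
    image, rest = split_command(cmd)
    base = image.lower().rsplit("\\", 1)[-1]
    if base in LOADERS and rest:
        dll, _ = split_command(rest)
        return base, dll.split(",")[0]  # drop ",ExportName"
    return base, image


def assess(line: str) -> Optional[Finding]:
    """Score one registry line; None when it is not an autostart line or nothing looks off."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    cmd, reasons = m["cmd"], []
    if m["attention"]:
        reasons.append("flagged by FRST (<===== ATTENTION)")
    if m["key"] == "Winlogon" and m["name"].lower() == "userinit":
        # The value is a comma-separated chain; only userinit.exe belongs in it.
        entries = [e.strip() for e in cmd.split(",") if e.strip()]
        extras = [e for e in entries if loaded_module(e)[0] != "userinit.exe"]
        if extras:
            reasons.append("Userinit chains extra program(s) after userinit.exe")
            cmd = extras[0]
    loader, module = loaded_module(cmd)
    if loader in LOADERS:
        reasons.append(f"DLL loaded through {loader}")
    if TEMP_DIR.search(module):
        reasons.append("module lives in a Temp directory")
    elif USER_WRITABLE.search(module):
        reasons.append("module lives in a user-writable location")
    if m["company"] is not None and not m["company"].strip() and USER_WRITABLE.search(module):
        reasons.append("no company name in version info")
    return Finding(m["name"], m["hive"], m["key"], module, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run assess() over every line and keep only the entries that have reasons."""
    return [f for f in (assess(line) for line in log_text.splitlines()) if f]


# Sample input: six lines taken from the FRST log posted above.
SAMPLE = r'''
HKLM\...\Run: [BeatsOSDApp] - C:\Program Files\IDT\WDM\Beats64.exe [37888 2012-09-19] (Hewlett-Packard )
HKLM\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\gallgaDp\gallgaDp.exe -sm,
HKU\Victoria\...\Run: [regetion] - rundll32 "C:\Users\Victoria\AppData\Local\Temp\choition.dll",CreateProcessNotify <===== ATTENTION
HKU\Victoria\...\RunOnce: [Uninstall C:\Users\Victoria\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64] - C:\windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Victoria\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64"
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2013-12-12] (Hewlett-Packard)
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.hive}\\...\\{f.key} [{f.name}] -> {f.module}: " + "; ".join(f.reasons))
```

Entries it reports are candidates for a closer look, not an automatic fixlist; signed vendor entries and the SkyDrive RunOnce clean-up line above are left alone.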

#13
strew1224

    Member

  • Topic Starter
  • 19 posts
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-01-2014 01
Ran by SYSTEM at 2014-01-10 06:26:23 Run:1
Running from J:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
Start
HKU\Victoria\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()
HKU\Victoria\...\Run: [regetion] - rundll32 "C:\Users\Victoria\AppData\Local\Temp\choition.dll",CreateProcessNotify <===== ATTENTION
HKU\Victoria\...\Run: [compeown] - rundll32 "C:\Users\Victoria\AppData\Local\Temp\choition64.dll",CreateProcessNotify <===== ATTENTION
2013-12-13 19:36 - 2014-01-09 07:12 - 00001668 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro.lnk
2013-12-13 19:36 - 2014-01-09 07:12 - 00000118 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro support.url
2014-01-08 07:32 - 2013-09-16 11:19 - 00000296 _____ C:\Windows\Tasks\TopArcadeHits.job
2013-12-13 19:44 - 2013-10-19 19:03 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
AppInit_DLLs: [ ] ()
AppInit_DLLs-x32: [ ] ()
C:\Users\Victoria\AppData\Local\Temp\214_FPPSetup.exe
C:\Users\Victoria\AppData\Local\Temp\air*.exe
C:\Users\Victoria\AppData\Local\Temp\BackupSetup.exe
C:\Users\Victoria\AppData\Local\Temp\choition.dll
C:\Users\Victoria\AppData\Local\Temp\choition64.dll
C:\Users\Victoria\AppData\Local\Temp\toparcadesetup.exe
End
*****************

HKU\Victoria\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKU\Victoria\Software\Microsoft\Windows\CurrentVersion\Run\\regetion => Value deleted successfully.
HKU\Victoria\Software\Microsoft\Windows\CurrentVersion\Run\\compeown => Value deleted successfully.
C:\Users\Victoria\Desktop\Antivirus Security Pro.lnk => Moved successfully.
C:\Users\Victoria\Desktop\Antivirus Security Pro support.url => Moved successfully.
C:\Windows\Tasks\TopArcadeHits.job => Moved successfully.
C:\Program Files (x86)\MyPC Backup => Moved successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs => Value was restored successfully.
C:\Users\Victoria\AppData\Local\Temp\214_FPPSetup.exe => Moved successfully.
C:\Users\Victoria\AppData\Local\Temp\air*.exe => Moved successfully.
C:\Users\Victoria\AppData\Local\Temp\BackupSetup.exe => Moved successfully.
C:\Users\Victoria\AppData\Local\Temp\choition.dll => Moved successfully.
C:\Users\Victoria\AppData\Local\Temp\choition64.dll => Moved successfully.
C:\Users\Victoria\AppData\Local\Temp\toparcadesetup.exe => Moved successfully.

==== End of Fixlog ====


I am able to get on the internet now but every thing I do comes up with the following message:


Warning! The site you are attempting to view may harm your computer!
Your current security settings put your computer at risk!
Recommendation
Activate Antivirus Security Pro, and enable safe web surfing (recommended).
Ignore warnings and visit that site in the current state (not recommended).

#14
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,886 posts
Hello :)

Ok, now that we've got the internet connection fixed, let's see if we can download some tools to get rid of the rest of the rogue.

If you can download these tools directly to the infected machine's desktop, please do so. If not, download them to your USB, transfer them to the desktop, and then run them.


Step 1: FRST Scan

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.



Step 2: Scan with aswMBR


  • Please download aswMBR.exe to your desktop.
  • Double click the file to run it.
  • It will ask if you want to download the latest Avast! virus definitions, please answer yes.

Posted Image

  • Click the Scan button to begin the scan.

Posted Image

  • Once the scan has finished, click on Save Log, save it to your desktop as asw.txt, and please post it in your next reply.
  • Click Exit


Things I need to see in your next post:

FRST Log

Addition.txt Log

aswMBR Log


#15
strew1224

strew1224

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Ok, I can get on the internet, but anytime I try to navigate to a page it tells me:

Warning, the site you are attempting to view may harm your computer.

I tell it to ignore warnings but it keeps popping up.

I transferred the FRST and ASWMBR to the computer via USB. When I try to run ASWMBR, a popup comes up telling me:
Warning Infected file detected
It won't let me do anything with the file.

I did run FRST and the results are:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 13-01-2014 01
Ran by Victoria (administrator) on TODDTOREY on 13-01-2014 06:36:21
Running from C:\Users\Victoria\Desktop
Windows 8 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ccsvchst.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ccsvchst.exe
(Hewlett-Packard ) C:\Program Files\IDT\WDM\Beats64.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\ProgramData\gallgaDp\gallgaDp.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteUser.exe
(Microsoft Corporation) \\?\C:\windows\system32\wbem\WMIADAP.EXE


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [BeatsOSDApp] - C:\Program Files\IDT\WDM\beats64.exe [37888 2012-09-19] (Hewlett-Packard )
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-09-19] (IDT, Inc.)
HKLM\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()
HKLM-x32\...\Run: [CLMLServer_For_P2G8] - c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111120 2012-06-07] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] - c:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [491120 2012-07-01] (CyberLink Corp.)
HKLM\...\RunOnce: [NCPluginUpdater] - "C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" Update [21720 2013-12-12] (Hewlett-Packard)
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\gallgaDp\gallgaDp.exe -sm,
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKCU\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()
HKCU\...\Runonce: [Uninstall C:\Users\Victoria\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64] - C:\windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Victoria\AppData\Local\Microsoft\SkyDrive\17.0.2003.1112\amd64"
Startup: C:\Users\Victoria\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.c...9YN162_S1D7CP4W
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.c...9YN162_S1D7CP4W
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.c...9YN162_S1D7CP4W
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.c...9YN162_S1D7CP4W
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.qone8.c...9YN162_S1D7CP4W
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.qone8.c...9YN162_S1D7CP4W
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://start.qone8.c...9YN162_S1D7CP4W
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://start.qone8.c...q={searchTerms}
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...0TR&pc=HPDTDFJS
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://start.qone8.c...q={searchTerms}
SearchScopes: HKLM - {7BD59B51-BF68-424C-AB94-97D5E2BF4112} URL = http://www.amazon.co...s={searchTerms}
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo....psg&type=HPDTDF
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://start.qone8.c...q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...0TR&pc=HPDTDFJS
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://start.qone8.c...q={searchTerms}
SearchScopes: HKLM-x32 - {7BD59B51-BF68-424C-AB94-97D5E2BF4112} URL = http://www.amazon.co...s={searchTerms}
SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo....psg&type=HPDTDF
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...0TR&pc=HPDTDFJS
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...0TR&pc=HPDTDFJS
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKCU - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://start.qone8.c...q={searchTerms}
SearchScopes: HKCU - {7BD59B51-BF68-424C-AB94-97D5E2BF4112} URL = http://www.amazon.co...s={searchTerms}
SearchScopes: HKCU - {B2A558D1-5F64-4CE7-A41B-AA7594DCE46E} URL = http://search.condui...q={searchTerms}
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo....psg&type=HPDTDF
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...54371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
BHO: Lync Browser Helper - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: TopArcadeHits Games - {A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} - C:\Users\Victoria\AppData\Local\TopArcadeHits\Toparcadehits.dll ()
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office 15\root\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Define - {B78F92C8-DEB3-11E2-9A0A-FB64281D6ADE} - C:\Users\Victoria\AppData\Local\DefineExt\temp.dat ()
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.1.10.1

==================== Services (Whitelisted) =================

U2 HPConnectedRemote; c:\Program Files (x86)\Hewlett-Packard\HP Connected Remote\HPConnectedRemoteService.exe [35232 2012-08-29] (Hewlett-Packard)
U2 HPRegistrationSvc; c:\Program Files (x86)\Hewlett-Packard\HP Registration Service\HPRegistrationService.exe [205216 2012-07-18] (Hewlett-Packard)
U2 Intel® ME Service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-18] (Intel Corporation)
U2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
U2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\ccSvcHst.exe [144520 2012-12-23] (Symantec Corporation)
U2 OfficeSvc; C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [1907896 2013-11-02] (Microsoft Corporation)
U4 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16048 2013-07-01] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

U3 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\BASHDefs\20130515.001\BHDrvx64.sys [1390680 2013-04-12] (Symantec Corporation)
U3 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1403010.016\ccSetx64.sys [168096 2012-11-15] (Symantec Corporation)
U1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
U3 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-04-08] (Symantec Corporation)
U3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-04-08] (Symantec Corporation)
U3 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\IPSDefs\20130531.001\IDSvia64.sys [513184 2013-04-05] (Symantec Corporation)
U3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20130531.019\ENG64.SYS [126040 2013-05-21] (Symantec Corporation)
U3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\Definitions\VirusDefs\20130531.019\EX64.SYS [2098776 2013-05-21] (Symantec Corporation)
U3 SRTSP; C:\Windows\System32\Drivers\NISx64\1403010.016\SRTSP64.SYS [796248 2013-01-28] (Symantec Corporation)
U3 SRTSPX; C:\Windows\system32\drivers\NISx64\1403010.016\SRTSPX64.SYS [36952 2013-01-28] (Symantec Corporation)
U3 SymDS; C:\Windows\system32\drivers\NISx64\1403010.016\SYMDS64.SYS [493656 2013-01-21] (Symantec Corporation)
U3 SymEFA; C:\Windows\system32\drivers\NISx64\1403010.016\SYMEFA64.SYS [1139800 2013-01-30] (Symantec Corporation)
U4 SymELAM; C:\Windows\system32\drivers\NISx64\1403010.016\SymELAM.sys [23448 2012-06-20] (Symantec Corporation)
U3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-01-14] (Symantec Corporation)
U3 SymIRON; C:\Windows\system32\drivers\NISx64\1403010.016\Ironx64.SYS [224416 2012-11-15] (Symantec Corporation)
U3 SymNetS; C:\Windows\System32\Drivers\NISx64\1403010.016\SYMNETS.SYS [432800 2013-01-30] (Symantec Corporation)
U3 tilfilter; C:\Windows\System32\drivers\TIxHCIlfilter.sys [17528 2012-11-20] (Texas Instruments, Inc.)
U3 tiufilter; C:\Windows\System32\drivers\TIxHCIufilter.sys [23184 2012-11-20] (Texas Instruments, Inc.)

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-13 06:36 - 2014-01-13 06:36 - 00014367 _____ C:\Users\Victoria\Desktop\FRST.txt
2014-01-13 06:35 - 2014-01-13 09:33 - 04745728 _____ (AVAST Software) C:\Users\Victoria\Desktop\aswmbr.exe
2014-01-13 06:35 - 2014-01-13 09:33 - 02075648 _____ (Farbar) C:\Users\Victoria\Desktop\FRST64.exe
2014-01-10 06:28 - 2014-01-13 06:28 - 00001668 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro.lnk
2014-01-10 06:28 - 2014-01-13 06:28 - 00000118 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro support.url
2014-01-09 07:28 - 2014-01-09 07:28 - 00000000 ____D C:\FRST
2014-01-09 07:20 - 2014-01-09 07:20 - 00000000 ____D C:\ProgramData\Recovery
2014-01-08 07:12 - 2014-01-08 09:17 - 00602112 _____ (OldTimer Tools) C:\Users\Victoria\Desktop\OTL.exe

==================== One Month Modified Files and Folders =======

2014-01-13 09:33 - 2014-01-13 06:35 - 04745728 _____ (AVAST Software) C:\Users\Victoria\Desktop\aswmbr.exe
2014-01-13 09:33 - 2014-01-13 06:35 - 02075648 _____ (Farbar) C:\Users\Victoria\Desktop\FRST64.exe
2014-01-13 06:36 - 2014-01-13 06:36 - 00014367 _____ C:\Users\Victoria\Desktop\FRST.txt
2014-01-13 06:35 - 2013-12-13 18:35 - 00000364 _____ C:\windows\Tasks\HPCeeScheduleForVictoria.job
2014-01-13 06:33 - 2012-07-25 23:28 - 00876494 _____ C:\windows\system32\PerfStringBackup.INI
2014-01-13 06:31 - 2013-04-08 17:08 - 00003942 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{2D43F1F4-8269-4CBF-B37B-FD4A2F3DAD5C}
2014-01-13 06:29 - 2013-04-08 17:06 - 01591827 _____ C:\windows\WindowsUpdate.log
2014-01-13 06:28 - 2014-01-10 06:28 - 00001668 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro.lnk
2014-01-13 06:28 - 2014-01-10 06:28 - 00000118 _____ C:\Users\Victoria\Desktop\Antivirus Security Pro support.url
2014-01-10 14:00 - 2012-07-26 00:12 - 00000000 ____D C:\windows\system32\sru
2014-01-10 06:35 - 2013-04-12 03:30 - 00000052 _____ C:\windows\SysWOW64\DOErrors.log
2014-01-10 06:35 - 2013-04-12 03:30 - 00000000 _____ C:\windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-01-10 06:27 - 2012-07-25 23:22 - 00000006 ____H C:\windows\Tasks\SA.DAT
2014-01-09 07:28 - 2014-01-09 07:28 - 00000000 ____D C:\FRST
2014-01-09 07:20 - 2014-01-09 07:20 - 00000000 ____D C:\ProgramData\Recovery
2014-01-09 07:11 - 2012-07-26 00:12 - 00000000 ___HD C:\windows\ELAMBKUP
2014-01-08 09:17 - 2014-01-08 07:12 - 00602112 _____ (OldTimer Tools) C:\Users\Victoria\Desktop\OTL.exe
2014-01-08 07:31 - 2013-04-08 17:16 - 00003600 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4105523587-2539770913-2756829736-1001
2014-01-08 06:24 - 2012-07-25 23:21 - 00027219 _____ C:\windows\setupact.log
2014-01-07 14:03 - 2012-07-25 21:26 - 00262144 ___SH C:\windows\system32\config\ELAM
2014-01-07 14:01 - 2012-08-01 18:02 - 00030012 _____ C:\windows\PFRO.log

Some content of TEMP:
====================
C:\Users\Victoria\AppData\Local\Temp\Extract.exe
C:\Users\Victoria\AppData\Local\Temp\OfficeSetup.exe
C:\Users\Victoria\AppData\Local\Temp\sp58915.exe
C:\Users\Victoria\AppData\Local\Temp\SP59485.exe
C:\Users\Victoria\AppData\Local\Temp\SP60467.exe
C:\Users\Victoria\AppData\Local\Temp\SP61665.exe
C:\Users\Victoria\AppData\Local\Temp\SP62612.exe
C:\Users\Victoria\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Victoria\AppData\Local\Temp\vcredist_x64.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-07 03:00

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 13-01-2014 01
Ran by Victoria at 2014-01-13 06:36:40
Running from C:\Users\Victoria\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Internet Security (Disabled - Out of date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Disabled - Out of date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security (Disabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

==================== Installed Programs ======================

Bonjour (Version: 3.0.0.10 - Apple Inc.)
CyberLink Media Suite 10 (x32 Version: 10.0.1.1916 - CyberLink Corp.)
CyberLink Media Suite 10 (x32 Version: 10.0.1.1916 - CyberLink Corp.) Hidden
CyberLink PhotoDirector (x32 Version: 2.0.1.3109 - CyberLink Corp.)
CyberLink PhotoDirector (x32 Version: 2.0.1.3109 - CyberLink Corp.) Hidden
CyberLink Power2Go 8 (x32 Version: 8.0.1.1902 - CyberLink Corp.)
CyberLink Power2Go 8 (x32 Version: 8.0.1.1902 - CyberLink Corp.) Hidden
CyberLink PowerDirector 10 (x32 Version: 10.0.1.1925 - CyberLink Corp.)
CyberLink PowerDirector 10 (x32 Version: 10.0.1.1925 - CyberLink Corp.) Hidden
CyberLink PowerDVD (x32 Version: 10.0.8.5511 - CyberLink Corp.)
CyberLink PowerDVD (x32 Version: 10.0.8.5511 - CyberLink Corp.) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Define Ext (HKCU Version: 8 - DefineExt.com)
Flash Player Pro V5.4 (x32 Version: - FlashPlayerPro.com)
Hewlett-Packard ACLM.NET v1.2.1.1 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Connected Music (Meridian - installer) (x32 Version: v1.0 - Meridian Audio Ltd)
HP Connected Remote (x32 Version: 1.0.1206 - Hewlett-Packard)
HP Customer Experience Enhancements (x32 Version: 6.0.1.7 - Hewlett-Packard) Hidden
HP Games (x32 Version: 1.0.3.0 - WildTangent)
HP MyRoom (x32 Version: 9.0.0.0 - Hewlett-Packard Company)
HP Postscript Converter (Version: 3.1.3591 - Hewlett-Packard) Hidden
HP Quick Start (x32 Version: 1.0.4660.30220 - Hewlett-Packard)
HP Registration Service (Version: 1.0.5976.4186 - Hewlett-Packard)
HP Support Assistant (x32 Version: 7.0.39.15 - Hewlett-Packard Company)
HP Support Information (x32 Version: 12.00.0000 - Hewlett-Packard)
IDT Audio (x32 Version: 1.0.6418.0 - IDT)
Intel® Management Engine Components (x32 Version: 8.1.0.1252 - Intel Corporation)
Intel® Processor Graphics (x32 Version: 9.17.10.2932 - Intel Corporation)
Intel® SDK for OpenCL - CPU Only Runtime Package (x32 Version: 2.0.0.37149 - Intel Corporation)
Intel® Trusted Connect Service Client (Version: 1.24.388.1 - Intel Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 365 Home Premium - en-us (Version: 15.0.4551.1011 - Microsoft Corporation)
Microsoft SkyDrive (HKCU Version: 17.0.2006.0314 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (x32 Version: 10.0.40219 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT110 (x32 Version: 16.4.1108.0727 - Microsoft) Hidden
MSVCRT110_amd64 (Version: 16.4.1108.0727 - Microsoft) Hidden
Norton Internet Security (x32 Version: 20.3.1.22 - Symantec Corporation)
Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4551.1011 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Licensing Component (Version: 15.0.4551.1011 - Microsoft Corporation) Hidden
Office 15 Click-to-Run Localization Component (x32 Version: 15.0.4551.1011 - Microsoft Corporation) Hidden
Photo Common (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Photo Gallery (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Ralink RT5390R 802.11bgn Wi-Fi Adapter (x32 Version: 5.0.0.0 - Ralink)
Realtek Ethernet Controller Driver (x32 Version: 8.2.612.2012 - Realtek)
Recovery Manager (x32 Version: 5.5.0.5530 - CyberLink Corp.) Hidden
TopArcadeHits (HKCU Version: - TopArcadeHits)
Windows Live Communications Platform (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 16.4.3503.0728 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 16.4.3503.0728 - Microsoft Corporation) Hidden

==================== Restore Points =========================


==================== Hosts content: ==========================

2012-07-25 21:26 - 2012-07-25 21:26 - 00000824 ____N C:\windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {14CB1A55-925A-405E-916D-5D3857053248} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2013-12-13] (Microsoft Corporation)
Task: {1AAFF332-5C62-4558-9991-DAA649C4C9C5} - System32\Tasks\Microsoft\Windows\Sysmain\WsSwapAssessmentTask => Rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask
Task: {237CB348-23D1-4B84-B99D-17F922E8C70E} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\WSCStub.exe [2013-04-02] (Symantec Corporation)
Task: {23A5D8BE-9196-40EB-BD89-794398B2B073} - System32\Tasks\Microsoft\Windows\WS\WSRefreshBannedAppsListTask => Rundll32.exe WSClient.dll,RefreshBannedAppsList
Task: {2F5EDCAA-7370-47DA-B51F-A21D51410280} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: {2FB8D486-26A7-41BA-9BB7-8EC19BBEECE7} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2013-11-22] (Hewlett-Packard)
Task: {644A3C63-0794-4404-8C42-1E69874B149C} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\SymErr.exe [2013-01-25] (Symantec Corporation)
Task: {96E279C8-37DB-4FBD-BFEE-07EA5BE2C0F7} - System32\Tasks\HPCeeScheduleForVictoria => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2010-09-13] (Hewlett-Packard)
Task: {A72208BF-7A49-4FB8-B684-252375F3443A} - System32\Tasks\Microsoft\Windows\WS\License Validation => Rundll32.exe WSClient.dll,WSpTLR licensing
Task: {C26D2B9F-757E-471D-AF16-99DA99C4653F} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\SymErr.exe [2013-01-25] (Symantec Corporation)
Task: {C51EF219-F3E8-4F53-B84D-F927877B1121} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2013-11-22] (Hewlett-Packard)
Task: {C565EEC2-5A1C-4BC0-84AC-89A89BB4FDBD} - System32\Tasks\Microsoft\Windows\Setup\Pre-staged GDR Notification => C:\Windows\system32\NotificationUI.exe [2013-08-15] (Microsoft Corporation)
Task: {C6A88F2D-53D2-4805-9D69-443738A1847C} - System32\Tasks\Microsoft\Windows\ApplicationData\CleanupTemporaryState => Rundll32.exe Windows.Storage.ApplicationData.dll,CleanupTemporaryState
Task: {D44C9821-90E3-4397-B827-55BFBF145102} - System32\Tasks\TopArcadeHits => C:\Users\Victoria\AppData\Local\TopArcadeHits\updater.exe [2013-09-16] ()
Task: {EA3D3BE7-398C-42D1-998F-5CBFE63466BB} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2013-04-01] (Hewlett-Packard Company)
Task: {EBF06DEC-4228-4813-AC0C-62821AE4E330} - System32\Tasks\Microsoft\Windows\Application Experience\StartupAppTask => Rundll32.exe Startupscan.dll,SusRunTask
Task: {F7993466-82AB-45A7-9011-164940ADEB89} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\integratedoffice.exe [2013-11-02] (Microsoft Corporation)
Task: {F9F1BF82-99AB-4080-8673-88F960446120} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: C:\windows\Tasks\HPCeeScheduleForVictoria.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============

2013-12-13 18:36 - 2013-12-13 18:36 - 08866472 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2012-08-29 20:30 - 2012-08-29 20:30 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-08-29 10:02 - 2012-08-29 10:02 - 00120224 _____ () c:\program files (x86)\hewlett-packard\hp connected remote\HPItunesModule.dll
2013-04-08 17:07 - 2013-04-08 17:07 - 00120224 _____ () C:\Users\Victoria\AppData\Local\assembly\dl3\WPAT9553.YVV\BXZEYXKV.DCJ\7f48b298\0057376b_1086cd01\HPItunesModule.DLL
2012-08-29 10:02 - 2012-08-29 10:02 - 00048544 _____ () c:\program files (x86)\hewlett-packard\hp connected remote\HPItunesProxy.dll
2012-08-29 10:02 - 2012-08-29 10:02 - 00180224 _____ () c:\program files (x86)\hewlett-packard\hp connected remote\zxing.dll
2013-01-14 19:30 - 2012-07-18 00:50 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\ACE.dll
2013-04-15 19:29 - 2012-05-29 22:51 - 00699280 ____R () C:\PROGRAM FILES (X86)\NORTON INTERNET SECURITY\ENGINE\20.3.1.22\wincfi39.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\Temp:D346F792

==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Could not start eventlog service, could not read events.

The requested service has already been started.

More help is available by typing NET HELPMSG 2182.


==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 8072.36 MB
Available physical RAM: 6930.6 MB
Total Pagefile: 9288.36 MB
Available Pagefile: 8073.16 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:910.27 GB) (Free:875.35 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (Recovery Image) (Fixed) (Total:19.76 GB) (Free:2.48 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (COMBAT_ZONE) (CDROM) (Total:6 GB) (Free:0 GB) UDF
Drive j: () (Removable) (Total:7.45 GB) (Free:7.35 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 932 GB) (Disk ID: CB9ADFE0)

Partition: GPT Partition Type
========================================================
Disk: 1 (Size: 7 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=7 GB) - (Type=0B)

==================== End Of Log ============================
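The Registry section of the FRST log above is where the rogue gives itself away: the AS2014 Run values, the extra command appended to Winlogon\Userinit, and the TopArcadeHits BHO all load unsigned code from ProgramData or AppData. As an added example (not part of this thread and not FRST's own code), the Python script below parses those three FRST line formats and flags exactly those indicators; the sample lines are copied from the posted FRST.txt, and the `Finding`, `triage` and `first_path` names are my own.

```python
"""Triage the Registry section of an FRST.txt log for rogue autostart entries."""
import re
from dataclasses import dataclass
from typing import List

# Autostart lines in the format FRST prints them, copied from the FRST.txt posted
# above: two legitimate vendor entries, the rogue "Antivirus Security Pro" (AS2014)
# Run values plus its Userinit hijack, and the TopArcadeHits adware BHO.
SAMPLE_LINES = [
    r"HKLM\...\Run: [BeatsOSDApp] - C:\Program Files\IDT\WDM\beats64.exe [37888 2012-09-19] (Hewlett-Packard )",
    r"HKLM\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()",
    r"HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\gallgaDp\gallgaDp.exe -sm,",
    r"HKCU\...\Run: [AS2014] - C:\ProgramData\gallgaDp\gallgaDp.exe [638616 2013-10-20] ()",
    r"BHO-x32: TopArcadeHits Games - {A7A9D7E7-E0C0-4202-9F13-6A06BD073CDA} - C:\Users\Victoria\AppData\Local\TopArcadeHits\Toparcadehits.dll ()",
    r"BHO-x32: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\coIEPlg.dll (Symantec Corporation)",
]

# "HKLM\...\Run: [name] - <command> [size date] (publisher)"
RUN_RE = re.compile(
    r"^(?P<hive>HK\w+(?:-x32)?)\\\.\.\.\\(?P<key>Run(?:Once|once)?): "
    r"\[(?P<name>[^\]]*)\] - (?P<cmd>.*?) \[(?P<size>\d+) (?P<date>\S+)\] \((?P<pub>[^)]*)\)$"
)
# "HKLM\...\Winlogon: [Userinit] <comma-separated commands>"
USERINIT_RE = re.compile(r"^HKLM\\\.\.\.\\Winlogon: \[Userinit\] (?P<value>.*)$")
# "BHO[-x32]: <name> - {CLSID} - <dll path> (publisher)"
BHO_RE = re.compile(
    r"^BHO(?:-x32)?: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?) \((?P<pub>[^)]*)\)$"
)
# Shortest prefix ending in an executable extension, so "C:\Program Files\x.exe -arg" parses.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|scr|bat|cmd|vbs|js))(?:\s|$)", re.IGNORECASE)

# Directories the logged-on user can write to, so a dropper needs no elevation to land there.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
# The only values a clean Userinit should contain.
LEGIT_USERINIT = {"userinit.exe", "c:\\windows\\system32\\userinit.exe"}


@dataclass
class Finding:
    line: str
    reasons: List[str]


def first_path(cmd: str) -> str:
    """Return the program path at the start of a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd


def path_reasons(path: str, publisher: str) -> List[str]:
    """Indicators FRST exposes without touching the machine: an empty publisher
    (FRST prints "()" when the file carries no version/company info) and a
    binary living in a user-writable location."""
    reasons = []
    if not publisher.strip():
        reasons.append("no publisher information on the binary")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per autostart line that shows at least one indicator."""
    findings = []
    for line in lines:
        line = line.rstrip()
        m = USERINIT_RE.match(line)
        if m:
            # Userinit is a comma-separated list; anything besides userinit.exe is a hijack.
            cmds = [c.strip() for c in m["value"].split(",") if c.strip()]
            extra = [c for c in cmds if first_path(c).lower() not in LEGIT_USERINIT]
            if extra:
                findings.append(Finding(line, [f"Userinit hijack, extra command: {c}" for c in extra]))
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = path_reasons(first_path(m["cmd"]), m["pub"])
        else:
            m = BHO_RE.match(line)
            if not m:
                continue
            reasons = path_reasons(m["path"], m["pub"])
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against a full FRST.txt, only the Registry-section line formats above are recognised; everything else is skipped, so the output is the short list of entries worth a second look rather than the whole log.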