Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Poweliks removed add/remove programs not accessible. [Closed]


  • This topic is locked This topic is locked

#1
Cotutor

Cotutor

    Member

  • Member
  • PipPipPip
  • 494 posts

Ok, windows 7 system I purchased used.

Didn't want to reload, as it had some software installed that I wanted to learn on (reason I bought the computer)

I knew it had some sort of infection because when I installed Mbytes Pro it kept blocking a program trying to access internet.

I ran OTL scan and didn't see anything that suspicious, so I ran FRST64, and wahla, Poweliks identified.

I downloaded the Poweliks removal tool from Symantec and ran it without problems, reran the FRST scan and looked good.

Ran Malwarebytes scan and then ESET online scan for good measure.

computer seems to be running ok, but I cannot access add/remove programs either from control panel or appwiz.cpl  No errors, just never opens.

I've run several tools, and yes I know I ran them at my own risk, and used it for a learning experience. If you check you will find that I was a junior in GeekU, but my consulting business got too busy for me to apply the necessary time and I've had to exit. I have enough experience to be dangerous, but it's my computer and I'm the only danger.

I've run a new OTL scan and will copy the results here, and then will wait and post again with results of previous extras.txt and then again with FRST scan, including the additions.txt which has what raised my eyebrow some event errors concerning host.dll, but it's way over my head and I'm hoping that you guys have time to help me out.

    I won't be doing any other scanning or running off on my own on this, and I'll follow all instructions and be as cooperative as possible. Just wanted to tackle it on my own first, before coming to you guys and gals with my mess.

OTL results first

---------------------------------------------------

OTL logfile created on: 12/31/2014 6:39:48 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\cotutor\cleanup updated 11-10-14\OTL
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.17148)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.90 Gb Total Physical Memory | 2.25 Gb Available Physical Memory | 57.68% Memory free
7.80 Gb Paging File | 6.43 Gb Available in Paging File | 82.39% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 465.66 Gb Total Space | 420.26 Gb Free Space | 90.25% Space Free | Partition Type: NTFS
 
Computer Name: USER-PC | User Name: User | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/10/01 14:40:28 | 001,349,576 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
PRC - [2014/09/12 04:43:06 | 000,064,704 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/10/11 18:32:52 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\cotutor\cleanup updated 11-10-14\OTL\OTL.exe
PRC - [2011/01/23 22:14:16 | 000,113,288 | ---- | M] (Renesas Electronics Corporation) -- C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
PRC - [2011/01/23 22:00:38 | 002,656,280 | R--- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2011/01/23 22:00:38 | 000,326,168 | R--- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
 
 
========== Modules (No Company Name) ==========
 
 
========== Services (SafeList) ==========
 
SRV:64bit: - [2014/10/01 14:40:28 | 001,349,576 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe -- (ekrn)
SRV:64bit: - [2013/05/27 00:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2010/09/22 01:05:24 | 000,165,032 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Windows\SysNative\IPROSetMonitor.exe -- (Intel®
SRV - [2014/12/10 09:57:19 | 000,267,440 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/11/21 06:12:56 | 000,969,016 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2014/11/21 06:12:54 | 001,871,160 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2014/10/07 10:05:32 | 000,733,184 | ---- | M] () [Auto | Stopped] -- C:\cotutor\CTRemote.exe -- (AmmyyAdmin)
SRV - [2014/09/12 04:43:06 | 000,064,704 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2014/03/20 17:49:18 | 000,067,224 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2011/01/23 22:00:38 | 002,656,280 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2011/01/23 22:00:38 | 000,326,168 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2009/07/13 20:14:18 | 000,007,168 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWow64\dllhost.exe -- (COMSysApp)
 
 
========== Driver Services (SafeList) ==========
 
DRV:64bit: - [2014/11/21 06:14:22 | 000,063,704 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV:64bit: - [2014/11/21 06:14:08 | 000,025,816 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2014/09/18 12:38:22 | 000,158,968 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV:64bit: - [2014/08/18 10:28:32 | 000,243,440 | ---- | M] (ESET) [File_System | System | Running] -- C:\Windows\SysNative\drivers\eamonm.sys -- (eamonm)
DRV:64bit: - [2014/08/18 10:28:32 | 000,169,280 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\ehdrv.sys -- (ehdrv)
DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2011/01/23 22:14:18 | 000,180,736 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3xhc.sys -- (nusb3xhc)
DRV:64bit: - [2011/01/23 22:14:18 | 000,080,384 | ---- | M] (Renesas Electronics Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nusb3hub.sys -- (nusb3hub)
DRV:64bit: - [2011/01/23 22:10:24 | 012,262,688 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\igdkmd64.sys -- (igfx)
DRV:64bit: - [2011/01/23 22:00:37 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
DRV:64bit: - [2011/01/03 23:12:35 | 000,315,568 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2010/06/23 06:18:46 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2010/06/23 06:18:36 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/?ilc=14
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BF 1C 57 32 84 19 D0 01  [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {86ADE5FD-1E94-41B6-9B8D-F9B4A674BC23}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE10SR
IE - HKCU\..\SearchScopes\{86ADE5FD-1E94-41B6-9B8D-F9B4A674BC23}: "URL" = https://www.google.c...?q={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
 
========== FireFox ==========
 
FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_246.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.10.2: C:\Windows\system32\npDeployJava1.dll File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.25.2: C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.25.2: C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files (x86)\Motive\npMotive.dll (Alcatel-Lucent)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
 
 
========== Chrome  ==========
 
CHR - default_search_provider:  (Enabled)
CHR - default_search_provider: search_url =
CHR - default_search_provider: suggest_url =
CHR - homepage: http://www.google.com/
CHR - plugin: Error reading preferences file
CHR - Extension: Google Docs = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.7_0\
CHR - Extension: Google Drive = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: Google Voice Search Hotword (Beta) = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5019_0\
CHR - Extension: YouTube = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Google Wallet = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_1\
CHR - Extension: Gmail = C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
 
O1 HOSTS File: ([2014/12/31 15:51:07 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O4:64bit: - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4 - HKLM..\Run: []  File not found
O4 - HKLM..\Run: [NUSB3MON] C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe (Renesas Electronics Corporation)
O4 - HKCU..\Run: [cdloader] C:\Users\User\AppData\Roaming\mjusbsp\cdloader2.exe (magicJack L.P.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9:64bit: - Extra Button: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print\SmartPrintSetup.exe (Hewlett-Packard)
O9:64bit: - Extra 'Tools' menuitem : HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print\SmartPrintSetup.exe (Hewlett-Packard)
O9 - Extra Button: HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print\SmartPrintSetup.exe (Hewlett-Packard)
O9 - Extra 'Tools' menuitem : HP Smart Print - {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print\SmartPrintSetup.exe (Hewlett-Packard)
O13 - gopher Prefix: missing
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.m...ilUpdater64.cab (WebBrowserType Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.3.3
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E833CA54-8CD3-4ACB-9DF7-93068F099EBB}: DhcpNameServer = 192.168.3.3
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/12/31 18:27:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014/12/31 18:11:18 | 000,000,000 | ---D | C] -- C:\MATS
[2014/12/31 16:49:41 | 000,000,000 | ---D | C] -- C:\ProgramData\RogueKiller
[2014/12/31 15:52:02 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2014/12/31 15:51:59 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2014/12/31 15:46:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2014/12/31 15:46:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2014/12/31 15:46:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2014/12/31 15:46:14 | 000,000,000 | ---D | C] -- C:\ComboFix
[2014/12/31 15:46:13 | 000,000,000 | ---D | C] -- C:\Qoobox
[2014/12/31 15:46:03 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2014/12/16 16:18:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
[2014/12/16 16:18:07 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2014/12/16 16:18:07 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2014/12/11 13:41:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Google
 
========== Files - Modified Within 30 Days ==========
 
[2014/12/31 18:36:26 | 000,096,472 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014/12/31 18:27:48 | 000,135,384 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014/12/31 18:21:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af.job
[2014/12/31 18:21:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6.job
[2014/12/31 18:00:19 | 000,029,120 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/12/31 18:00:19 | 000,029,120 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/12/31 17:57:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/12/31 16:53:25 | 000,037,624 | ---- | M] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2014/12/31 16:48:30 | 000,041,711 | ---- | M] () -- C:\Users\User\Documents\camera pictures.eml
[2014/12/31 16:48:29 | 000,041,711 | ---- | M] () -- C:\Users\User\Desktop\camera pictures.eml
[2014/12/31 16:21:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d.job
[2014/12/31 15:51:07 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2014/12/31 13:18:32 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/12/31 13:18:29 | 3142,062,080 | -HS- | M] () -- C:\hiberfil.sys
[2014/12/31 10:37:58 | 000,782,510 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014/12/31 10:37:58 | 000,662,400 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014/12/31 10:37:58 | 000,122,268 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014/12/11 13:41:18 | 000,002,200 | ---- | M] () -- C:\Users\Public\Desktop\HP Officejet Pro 8610.lnk
 
========== Files Created - No Company Name ==========
 
[2014/12/31 16:49:43 | 000,037,624 | ---- | C] () -- C:\Windows\SysNative\drivers\TrueSight.sys
[2014/12/31 15:46:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2014/12/31 15:46:16 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2014/12/31 15:46:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2014/12/31 15:46:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2014/12/31 15:46:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2014/12/11 13:41:18 | 000,002,200 | ---- | C] () -- C:\Users\Public\Desktop\HP Officejet Pro 8610.lnk
[2014/11/12 11:13:14 | 000,000,095 | ---- | C] () -- C:\Users\User\.accessibility.properties
[2014/09/17 12:52:41 | 000,000,057 | ---- | C] () -- C:\ProgramData\Ament.ini
[2013/12/01 15:00:17 | 000,774,632 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2013/03/15 18:42:05 | 000,004,608 | ---- | C] () -- C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2013/01/11 03:37:57 | 000,960,940 | ---- | C] () -- C:\Windows\SysWow64\igkrng600.bin
[2013/01/11 03:37:57 | 000,207,376 | ---- | C] () -- C:\Windows\SysWow64\igfcg600m.bin
[2013/01/11 03:37:57 | 000,145,804 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng600.bin
 
========== ZeroAccess Check ==========
 
[2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64
 
[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2014/06/24 21:05:42 | 014,175,744 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/06/24 20:41:30 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
 
========== LOP Check ==========
 
[2013/01/15 11:46:32 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\LibreOffice
[2014/03/21 01:43:28 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\mjusbsp
[2013/09/26 19:50:15 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\TeamViewer
[2013/01/30 07:49:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Windows Live Writer
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 769 bytes -> C:\Users\User\Documents\camera pictures.eml:OECustomProperty
@Alternate Data Stream - 769 bytes -> C:\Users\User\Desktop\camera pictures.eml:OECustomProperty

< End of report >

 

------------------------------------------------------------------------

OTL Extras next:

OTL Extras logfile created on: 10/1/2014 6:53:44 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\cotutor\cleanup updated 9-10-14\OTL
64bit- An unknown product  (Version = 6.2.9200) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17278)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
3.89 Gb Total Physical Memory | 2.68 Gb Available Physical Memory | 68.92% Memory free
4.58 Gb Paging File | 3.10 Gb Available in Paging File | 67.73% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 444.21 Gb Total Space | 415.96 Gb Free Space | 93.64% Space Free | Partition Type: NTFS
 
Computer Name: CLAIRE | User Name: cmorgan | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.url[@ = internetshortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
 
[HKEY_USERS\.DEFAULT\SOFTWARE\Classes\<extension>]
 
[HKEY_USERS\S-1-5-18\SOFTWARE\Classes\<extension>]
 
[HKEY_USERS\S-1-5-19\SOFTWARE\Classes\<extension>]
 
[HKEY_USERS\S-1-5-20\SOFTWARE\Classes\<extension>]
 
[HKEY_USERS\S-1-5-21-2576105596-3767872-55191717-1001\SOFTWARE\Classes\<extension>]
 
========== Shell Spawning ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\OpenWith.exe "%1" (Microsoft Corporation)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\OpenWith.exe "%1" (Microsoft Corporation)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.
 
========== Security Center Settings ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = AC 1C AE C5 46 9F CE 01  [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Upgrade]
"UpgradeTime" =  [binary data]
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"FirewallOverride" = 0
"AntivirusOverride" = 0
"UacDisableNotify" = 0
"AntiSpywareDisableNotify" = 0
"AutoUpdateDisableNotify" = 0
"InternetSettingsDisableNotify" = 0
"UpdatesDisableNotify" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 0
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Upgrade]
"UpgradeTime" = Reg Error: Unknown registry data type -- File not found
 
========== System Restore Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{20840904-457D-434C-9CA1-E632B2D48146}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{299FF73D-F230-48B8-8258-C103A03BECE6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3982FE14-CDC9-40F8-BD84-6777D61DE1CF}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{3CFF214A-56C4-4C5D-82E4-41BC664341A9}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{3DD45806-DB56-4AD2-953E-C0682F5E363E}" = rport=10243 | protocol=6 | dir=out | app=system |
"{6E0DFC20-558F-4673-ACE1-83DF6870E00A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{95B4C32B-EDF8-40ED-A1BC-5DB4DDB10ED0}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9B07F742-0CDE-4878-AA89-CEA9C8133526}" = lport=10243 | protocol=6 | dir=in | app=system |
"{9E835905-E224-44C0-A818-B972D817FB78}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{DB976C7D-0F91-4268-89D9-93C9888B22BF}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{E9D978E7-5FC6-48D3-B678-58DD98E3871C}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{05294DDD-AD6A-4A37-A92F-D278275EF837}" = dir=in | name=juniper networks junos pulse |
"{0A4B7F8D-E974-443F-AE25-1989647BC086}" = dir=out | name=windows_ie_ac_001 |
"{1CCB8312-3C0A-4D42-A27C-089BD68518BC}" = dir=in | [email protected]{microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/resources/communicationspackagename} |
"{2441D6F5-07D4-4F6C-AD75-D18CC8B43E92}" = dir=out | name=kindle |
"{296B78FF-186D-467A-880D-4B3F265349AE}" = dir=in | name=f5 vpn |
"{2B5F52F4-C397-40D8-AFA9-134BBD2B0939}" = dir=out | name=f5 vpn |
"{2E185AA2-98A4-445D-B852-A94EED522CBF}" = dir=out | [email protected]{microsoft.bingmaps_2.1.3230.2048_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingmaps/resources/appdisplayname} |
"{2E1B05DF-57E7-407A-B45F-8C3C3083F9DF}" = dir=in | [email protected]{microsoft.skypeapp_1.3.0.112_x86__kzf8qxf38zg5c?ms-resource://microsoft.skypeapp/resources/manifest_display_name} |
"{3503EB69-F9E8-4F6C-9660-01BFE847B8D0}" = dir=out | name=skype |
"{382598E7-F18B-406E-B634-027C970F0EA9}" = dir=out | [email protected]{microsoft.zunevideo_2.6.314.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.zunevideo/resources/ids_manifest_video_app_name} |
"{3A583934-1C7C-4150-AC06-D17A7247818B}" = dir=out | [email protected]{microsoft.binghealthandfitness_3.0.4.212_x64__8wekyb3d8bbwe?ms-resource://microsoft.binghealthandfitness/resources/apptitle} |
"{3B3D11AE-0F64-453E-9D5A-7CAF44BAA9BE}" = dir=out | [email protected]{microsoft.bingtravel_3.0.4.212_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingtravel/resources/brandedapptitle} |
"{3C9C51DF-0647-486C-95B6-6F16B9AEDF3B}" = dir=out | [email protected]{microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/resources/communicationspackagename} |
"{4282FE99-8560-4BC7-9576-5F3ED84E263F}" = dir=in | name=checkpoint.vpn |
"{4A6610CD-0556-411A-9FEA-DB73EFAEE018}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{53597CEB-D8C4-4023-A4AC-88803733FA76}" = dir=out | [email protected]{microsoft.bingtravel_1.7.0.26_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingtravel/resources/apptitle} |
"{548DCF8C-BFF2-4BA4-AA88-FBAF9AC8BCC6}" = dir=in | [email protected]{c:\windows\winstore\resources.pri?ms-resource://winstore/resources/displayname} |
"{560448D6-095C-4907-B046-AC7F710701A7}" = dir=in | name=sonicwall.mobileconnect |
"{5E8C8740-BBC2-4E37-A55C-67FDD9BBFB08}" = dir=out | name=juniper networks junos pulse |
"{5F419237-82C5-43EF-A88F-9E36712E5325}" = dir=in | [email protected]{microsoft.windowscommunicationsapps_17.5.9600.20605_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/resources/communicationspackagename} |
"{5F4632C0-D5B1-40C3-B0D9-E3A759C81B9E}" = dir=out | name=sonicwall.mobileconnect |
"{661DDD93-9902-476E-B1D8-52653E32E60F}" = dir=out | [email protected]{microsoft.skypeapp_1.3.0.112_x86__kzf8qxf38zg5c?ms-resource://microsoft.skypeapp/resources/manifest_display_name} |
"{7206B29D-ABC4-464D-BF9C-F8E62CC281D8}" = dir=in | name=onenote |
"{735B3048-E0D5-4D0D-A100-393CFB8514EF}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{740302EF-5816-4C74-83D5-6643D84D6D6D}" = dir=out | [email protected]{microsoft.bingweather_2.0.0.310_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingweather/resources/apptitle} |
"{7695DBC4-5386-4E0B-91E2-523E33106D74}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{789E8A11-6AC5-420B-8093-9264C2B76297}" = dir=out | name=sonicwall mobile connect |
"{79412FED-5D5F-4000-9003-486EAEFB3090}" = dir=out | [email protected]{microsoft.zunemusic_1.1.144.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.zunemusic/resources/33273} |
"{7B9F13B4-D81F-42FC-AB22-059A9F8670C1}" = dir=out | [email protected]{microsoft.bingfoodanddrink_3.0.4.212_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingfoodanddrink/resources/apptitlewithbranding} |
"{7D706607-9FC9-44E0-B486-6EA386A6D12D}" = protocol=17 | dir=in | app=c:\program files\common files\mcafee\platform\mcsvchost\mcsvhost.exe |
"{7DDB678C-AD17-4EE6-8C24-64C1BF85C773}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{7FE585FB-B94E-47C8-8639-9677647E9AD8}" = dir=out | [email protected]{microsoft.windowscommunicationsapps_17.5.9600.20605_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowscommunicationsapps/resources/communicationspackagename} |
"{808F1451-4108-46FD-ADBB-F17324B5F0BD}" = dir=out | [email protected]{c:\windows\winstore\resources.pri?ms-resource://winstore/resources/displayname} |
"{8214D03E-1B7E-4D72-A811-B1686ABF4D40}" = dir=in | name=skype |
"{852A9649-1199-46B8-8918-AE685884C280}" = dir=out | [email protected]{microsoft.bingweather_3.0.4.214_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingweather/resources/brandedapptitle} |
"{8573BEF4-B8C7-49C0-9B44-7AC89A25D691}" = dir=out | name=check point vpn |
"{858B9FB4-9F5E-48E9-A48D-804D94CB41C4}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8A3AF656-C258-4086-8E53-18D2E2EAB122}" = dir=out | [email protected]{microsoft.zunevideo_1.1.134.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.zunevideo/resources/33270} |
"{8ACAC137-4D0A-4447-89E8-2D0A77F71797}" = dir=out | [email protected]{microsoft.windowsreadinglist_6.3.9654.20540_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowsreadinglist/resources/apppackagename} |
"{8F052868-B65E-4B18-8725-11CA7E29858E}" = dir=out | [email protected]{microsoft.zunemusic_2.6.320.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.zunemusic/resources/ids_manifest_music_app_name} |
"{905D7B5D-B622-4182-946C-27BBD49EC354}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{92BF55DF-8A7A-4DF7-8020-9B72E2963833}" = dir=out | [email protected]{microsoft.bingmaps_1.5.1.240_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingmaps/resources/appdisplayname} |
"{9E3D57FC-7C37-4424-9352-4831E97D029D}" = dir=out | [email protected]{c:\windows\winstore\resources.pri?ms-resource://winstore/resources/displayname} |
"{A434837F-05CA-4BBA-A172-8B4F3A224363}" = dir=in | [email protected]{microsoft.reader_6.2.9200.20623_x64__8wekyb3d8bbwe?ms-resource://microsoft.reader/resources/shortdisplayname} |
"{A58319A2-32A2-4E58-8EF0-8045D8ABDEDA}" = dir=in | name=check point vpn |
"{A73A7F92-8CF8-436F-A5F2-17AFADE9E74E}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{A7703867-FE70-4DF0-ABF7-E92374E3E34C}" = dir=out | name=fresh paint |
"{AF56CD10-6A28-4AA8-A1FE-5A279F1DB079}" = dir=out | [email protected]{microsoft.bingfinance_1.7.0.38_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingfinance/resources/apptitle} |
"{B8435373-3CDD-460B-93F2-9DEFA3D0E715}" = dir=out | [email protected]{microsoft.reader_6.2.9200.20623_x64__8wekyb3d8bbwe?ms-resource://microsoft.reader/resources/shortdisplayname} |
"{BB216CA3-73F0-425B-819B-BA147E599FCC}" = dir=out | [email protected]{microsoft.bingnews_3.0.4.213_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingnews/resources/brandedapptitle} |
"{C7C83877-0FB7-4CC2-9F87-2314DCB14E44}" = dir=in | app=c:\program files (x86)\cyberlink\powerdvd10\powerdvd10.exe |
"{D183FF4A-7A44-43C6-AAA5-BE69589A03A7}" = dir=out | name=onenote |
"{D1A0CAD9-3441-48D7-8581-2991EF7733FE}" = dir=out | [email protected]{microsoft.bingfinance_3.0.4.212_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingfinance/resources/brandedapptitle} |
"{D36AB9FF-D7F2-4388-A024-6B5B36091127}" = dir=out | [email protected]{microsoft.bingnews_2.0.0.308_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingnews/resources/news} |
"{D400A6BF-921E-46BB-94F5-50383E9D3BDF}" = dir=out | [email protected]{microsoft.bingsports_1.8.0.51_x64__8wekyb3d8bbwe?ms-resource://microsoft.bingsports/resources/bingsports} |
"{D6980480-941A-4DF6-AB81-3734ECD3D779}" = dir=out | name=junipernetworks.junospulsevpn |
"{DB57B86C-CD82-401C-8EDD-9059668563F9}" = dir=in | name=sonicwall mobile connect |
"{DB59588E-ED90-4C47-A7B5-7929DD0C0BD2}" = dir=out | name=checkpoint.vpn |
"{E2C8AD1F-B0E5-49CB-A47D-30E15C5DAEE5}" = dir=out | [email protected]{microsoft.xboxlivegames_1.1.134.0_x64__8wekyb3d8bbwe?ms-resource://microsoft.xboxlivegames/resources/34150} |
"{E610F554-C644-4903-A1B1-56650BBFFB8A}" = dir=out | name=windows_ie_ac_001 |
"{E7985E1D-C36F-4787-80A8-6350D07E9266}" = dir=in | [email protected]{c:\windows\winstore\resources.pri?ms-resource://winstore/resources/displayname} |
"{E7DBBE20-71DE-431F-8F38-22FFE2E6840A}" = dir=in | [email protected]{microsoft.windowsreadinglist_6.3.9654.20540_x64__8wekyb3d8bbwe?ms-resource://microsoft.windowsreadinglist/resources/apppackagename} |
"{EA6AD8A9-6946-4138-B752-25F78D0E562E}" = dir=out | name=windows_ie_ac_001 |
"{EC799E33-72BA-42D7-9127-DEFE68F9799D}" = dir=in | name=junipernetworks.junospulsevpn |
"{ECF0A5E0-4474-4D80-9A1E-AB9353379109}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\platform\mcsvchost\mcsvhost.exe |
"{EDAA662E-4AA6-4FDD-A464-7FE5881A717B}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{EDCF1ED6-757D-40F1-B945-8819E2C98136}" = protocol=6 | dir=out | app=system |
"{F64300AD-D559-4000-BD45-0997BCC8E70A}" = dir=out | name=f5.vpn.client |
"{F77E5446-4378-4E99-8B7A-7061AAAEA193}" = dir=in | name=f5.vpn.client |
"{F85DA5A9-877D-4F2B-A1C7-D632B76466A3}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0FBEEDF8-30FA-4FA3-B31F-C9C7E7E8DFA2}" = ASUS Screen Saver
"{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" = Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
"{70FF93CE-F19C-4DD0-AEF7-C2D7666122B1}" = Update for Microsoft en-us Dictionary
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9B6239BF-4E85-4590-8D72-51E30DB1A9AA}" = ASUS Power4Gear Hybrid
"{E9F0BCD8-6BD5-1ED7-EDA3-9FCF2A478AA1}" = Microsoft App Update for microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe (x64)
"{E9FA781F-3E80-4399-825A-AD3E11C28C77}" = MSVCRT110_amd64
"{EF79C448-6946-4D71-8134-03407888C054}" = Shared C Run-time for x64
"{F4404AFD-2EF3-40C1-8C09-29E5F3B6972B}" = Intel® Trusted Connect Service Client
"D9E691DCEE7D3B9B7C62A7F5C2EAABBB9335DC9A" = Windows Driver Package - ASUS (ATP) Mouse  (09/17/2013 1.0.0.186)
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0454BB9A-2A7A-4214-BDFF-937F7A711A44}" = Windows Live Communications Platform
"{061FF8F3-5226-4278-8AAB-282C1B024F58}" = Photo Common
"{0969AF05-4FF6-4C00-9406-43599238DE0D}" = ASUS Splendid Video Enhancement Technology
"{13F3CEA5-9E2C-4C4E-9F0F-D0DB389CF4A9}" = Movie Maker
"{18272881-CFC0-434D-A975-E5BE44206AA0}" = Windows Live UX Platform Language Pack
"{1DBD1F12-ED93-49C0-A7CC-56CBDE488158}" = ASUS LifeFrame3
"{1FEE19BC-6F0C-42E4-82FF-FB597F6141DF}" = Windows Live Essentials
"{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Qualcomm Atheros Client Installation Program
"{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App" = Update Installer for WildTangent Games App
"{30F99474-EBE3-4134-A02B-F6CD38CFE243}" = Photo Gallery
"{3C63F944-803E-49A7-B3A2-B8AB3313E883}" = Windows Live UX Platform Language Pack
"{446CC8CE-0E90-44F7-ADD0-774B243EF090}" = Galerie de photos
"{4CCBD1F4-CEEC-452A-9CB8-46564B501315}" = Windows Live UX Platform
"{4D3286A6-F6AB-498A-82A4-E4F040529F3D}" = ASUS Smart Gesture
"{5BABDA39-61CF-41EE-992D-4054B6649A9B}" = Movie Maker
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel® Management Engine Components
"{6A8DB215-7BCD-4377-B015-2E4541A3E7C6}" = Windows Live PIMT Platform
"{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-asus" = WildTangent Games App
"{749F674B-2674-47E8-879C-5626A06B2A91}" = ASUS InstantOn
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek Ethernet Controller Driver
"{8A642ACD-CE3A-4A23-A8B1-A0F7EB12B214}" = Windows Live SOXE Definitions
"{8D813AFF-D91D-4EE0-821F-B901FC2E89FA}" = Windows Live
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E14DDC8-EA60-4E18-B3E3-1937104D5BDA}" = MSVCRT110
"{8F21291E-0444-4B1D-B9F9-4370A73E346D}" = WinFlash
"{8F7FECEC-088F-431D-A5FB-2B59E1E69943}" = Galería de fotos
"{90150000-0138-0409-0000-0000000FF1CE}" = Microsoft Office
"{90993BD9-C7D9-4C2F-B56C-2F7AFEBD4CD0}" = Windows Live UX Platform Language Pack
"{A17946CA-18E5-4CF0-8D55-A56D804718F8}" = Movie Maker
"{A859E3E5-C62F-4BFA-AF1D-2B95E03166AF}" = ASUS USB Charger Plus
"{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}" = ATK Package
"{AC76BA86-7AD7-FFFF-7B44-AA0000000001}" = Adobe Reader X (10.1.12) MUI
"{C034A6F9-6569-491B-B3BF-F5D15221A708}" = Windows Live Essentials
"{C1594429-8296-4652-BF54-9DBE4932A44C}" = Realtek PCIE Card Reader
"{C424CD5E-EA05-4D3E-B5DA-F9F149E1D3AC}" = Windows Live Installer
"{C9B6EFD0-4F01-4BBA-8374-39AD99A3ED72}" = Windows Live Photo Common
"{D888F114-7537-4D48-AF03-5DA9C82D7540}" = Photo Common
"{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}" = ASUSDVD
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{ED6C77F9-4D7E-447C-9EC0-9A212D075535}" = Movie Maker
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel® Processor Graphics
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F54030F3-14B6-432D-9361-78DCB1473920}" = Photo Common
"{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}" = ASUS Live Update
"{FC6C7107-7D72-41A1-A031-3CE751159BAB}" = Photo Gallery
"{FCB3772C-B7D0-4933-B1A9-3707EBACC573}" = Intel® SDK for OpenCL - CPU Only Runtime Package
"{FE7C0B3D-50B9-4951-BE78-A321CBF86552}" = Windows Live SOXE
"Asus Vibe2.0" = AsusVibe2.0
"ASUS WebStorage" = ASUS WebStorage Sync Agent
"InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}" = ASUSDVD
"MyBitCast" = MyBitCast 2.0
"WildTangent wildgames Master Uninstall" = WildTangent Games
"WinLiveSuite" = Windows Live Essentials
"WTA-2f37a8f4-f44d-4d6a-afb3-80bbe9dc78b1" = Cut the Rope
"WTA-300528be-6cb0-4daf-9f1a-1ed861c3d155" = Bejeweled 3
"WTA-9516301f-005d-47c0-871c-7d6da0032d49" = Penguins!
"WTA-a9ab6aab-28ce-4502-b8b2-adc6cb75f60a" = Peggle
"WTA-b9847515-e6c4-4db4-b28f-d343a1997d25" = Tales of Lagoona
"WTA-baee0226-8abd-44de-acf0-4469c54acd02" = Azteca
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 6/15/2014 1:29:28 PM | Computer Name = claire | Source = Application Hang | ID = 1002
Description = The program Explorer.EXE version 6.3.9600.17039 stopped interacting
 with Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: b24    Start
 Time: 01cf88bbeea9b68e    Termination Time: 0    Application Path: C:\WINDOWS\Explorer.EXE

Report
 Id: 739eaa63-f4b2-11e3-8251-bcee7b20a80e    Faulting package full name:     Faulting package-relative
 application ID:  
 
Error - 6/24/2014 8:55:42 PM | Computer Name = claire | Source = Application Hang | ID = 1002
Description = The program LiveComm.exe version 17.5.9600.20498 stopped interacting
 with Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: 2650    Start
 Time: 01cf900f2c821763    Termination Time: 4294967295    Application Path: C:\Program
Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20498_x64__8wekyb3d8bbwe\LiveComm.exe

Report
 Id: 6b338b39-fc03-11e3-be7f-bcee7b20a80e    Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20498_x64__8wekyb3d8bbwe

Faulting
 package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1 
 
Error - 6/27/2014 8:34:37 PM | Computer Name = claire | Source = Application Hang | ID = 1002
Description = The program LiveComm.exe version 17.5.9600.20498 stopped interacting
 with Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: 2328    Start
 Time: 01cf9267a3eeb327    Termination Time: 4294967295    Application Path: C:\Program
Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20498_x64__8wekyb3d8bbwe\LiveComm.exe

Report
 Id: f115b781-fe5b-11e3-be7f-bcee7b20a80e    Faulting package full name: microsoft.windowscommunicationsapps_17.5.9600.20498_x64__8wekyb3d8bbwe

Faulting
 package-relative application ID: ppleae38af2e007f4358a809ac99a64a67c1 
 
Error - 6/29/2014 11:07:01 PM | Computer Name = claire | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 11.0.9600.17126 stopped interacting
 with Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: 56f8    Start
 Time: 01cf9401c8a52910    Termination Time: 62    Application Path: C:\Program Files\Internet
 Explorer\iexplore.exe    Report Id: 97bd2b55-0003-11e4-be7f-bcee7b20a80e    Faulting package
 full name:     Faulting package-relative application ID:  
 
Error - 7/5/2014 7:47:09 PM | Computer Name = claire | Source = Microsoft-Windows-LocationProvider | ID = 2006
Description = There was an error with the Windows Location Provider database
 
Error - 7/14/2014 8:27:12 PM | Computer Name = claire | Source = Customer Experience Improvement Program | ID = 1008
Description =
 
Error - 7/20/2014 7:43:31 PM | Computer Name = claire | Source = Customer Experience Improvement Program | ID = 1008
Description =
 
Error - 7/20/2014 11:47:00 PM | Computer Name = claire | Source = Microsoft-Windows-Immersive-Shell | ID = 2486
Description = App Microsoft.FreshPaint_1.0.13011.1_x86__8wekyb3d8bbwe+Microsoft.FreshPaint
 did not launch within its allotted time.
 
Error - 7/20/2014 11:47:12 PM | Computer Name = claire | Source = Application Hang | ID = 1002
Description = The program FreshPaint.exe version 1.0.13011.1 stopped interacting
 with Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Action Center control panel.    Process ID: 19b8    Start
 Time: 01cfa4966235dbdb    Termination Time: 4294967295    Application Path: C:\Program
Files\WindowsApps\Microsoft.FreshPaint_1.0.13011.1_x86__8wekyb3d8bbwe\FreshPaint.exe

Report
 Id: abcfa5c8-1089-11e4-be81-bcee7b20a80e    Faulting package full name: Microsoft.FreshPaint_1.0.13011.1_x86__8wekyb3d8bbwe

Faulting
 package-relative application ID: Microsoft.FreshPaint 
 
Error - 8/6/2014 8:55:54 PM | Computer Name = claire | Source = Application Error | ID = 1000
Description = Faulting application name: mcuicnt.exe, version: 5.9.2.0, time stamp:
 0x52309272  Faulting module name: mcmscui.dll, version: 12.8.957.0, time stamp: 0x535ae002
Exception
 code: 0xc0000005  Fault offset: 0x00000000000181b5  Faulting process id: 0xf04  Faulting
 application start time: 0x01cfb1da573b0cf6  Faulting application path: C:\Program
 Files\Common Files\McAfee\Platform\mcuicnt.exe  Faulting module path: c:\PROGRA~1\mcafee\msc\mcmscui.dll
Report
 Id: 952cbdd3-1dcd-11e4-be88-bcee7b20a80e  Faulting package full name:   Faulting package-relative
 application ID:
 
[ System Events ]
Error - 8/6/2014 8:43:11 PM | Computer Name = claire | Source = DCOM | ID = 10010
Description =
 
Error - 8/6/2014 9:03:26 PM | Computer Name = claire | Source = DCOM | ID = 10010
Description =
 
Error - 8/6/2014 9:03:56 PM | Computer Name = claire | Source = DCOM | ID = 10010
Description =
 
Error - 8/10/2014 4:36:32 PM | Computer Name = claire | Source = DCOM | ID = 10010
Description =
 
Error - 8/10/2014 4:37:02 PM | Computer Name = claire | Source = DCOM | ID = 10010
Description =
 
Error - 8/10/2014 7:08:36 PM | Computer Name = claire | Source = Schannel | ID = 36887
Description = A fatal alert was received from the remote endpoint. The TLS protocol
 defined fatal alert code is 20.
 
Error - 8/10/2014 9:22:08 PM | Computer Name = claire | Source = Service Control Manager | ID = 7023
Description = The Superfetch service terminated with the following error:   %%1062
 
Error - 8/12/2014 8:51:46 PM | Computer Name = claire | Source = DCOM | ID = 10010
Description =
 
Error - 8/12/2014 8:52:16 PM | Computer Name = claire | Source = DCOM | ID = 10010
Description =
 
Error - 8/12/2014 9:53:33 PM | Computer Name = claire | Source = Schannel | ID = 36888
Description = A fatal alert was generated and sent to the remote endpoint. This
may result in termination of the connection. The TLS protocol defined fatal error
 code is 40. The Windows SChannel error state is 252.
 
 
< End of report >

 

--------------------------------------------------------------------

FRST scan:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014
Ran by User (administrator) on USER-PC on 31-12-2014 13:57:54
Running from C:\cotutor
Loaded Profile: User (Available profiles: User)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

() C:\cotutor\CTRemote.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
(Intel Corporation) C:\Windows\System32\IPROSetMonitor.exe
() C:\cotutor\CTRemote.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files (x86)\Scanner Mouse\Scanner Mouse.exe
(Alcatel-Lucent) C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
() C:\Program Files (x86)\Scanner Mouse\Scanner Mouse Monitoring.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_15_0_0_246_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11660904 2011-01-26] (Realtek Semiconductor)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [5595336 2014-10-01] (ESET)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2011-01-23] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-668036187-398662584-905741155-1000\...\Run: [cdloader] => C:\Users\User\AppData\Roaming\mjusbsp\cdloader2.exe [50592 2012-02-01] (magicJack L.P.)
Startup: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Scanner Mouse.lnk
ShortcutTarget: Scanner Mouse.lnk -> C:\Program Files (x86)\Scanner Mouse\Scanner Mouse.exe ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-668036187-398662584-905741155-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-668036187-398662584-905741155-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/?ilc=14
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
SearchScopes: HKU\S-1-5-21-668036187-398662584-905741155-1000 -> DefaultScope {86ADE5FD-1E94-41B6-9B8D-F9B4A674BC23} URL = https://www.google.c...?q={searchTerms}
SearchScopes: HKU\S-1-5-21-668036187-398662584-905741155-1000 -> {86ADE5FD-1E94-41B6-9B8D-F9B4A674BC23} URL = https://www.google.c...?q={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
DPF: HKLM-x32 {E0FEE963-BB53-4215-81AD-B28C77384644} https://pattcw.att.m...ilUpdater64.cab
Tcpip\Parameters: [DhcpNameServer] 192.168.3.3

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_246.dll ()
FF Plugin: @java.com/DTPlugin,version=10.10.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_246.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Motive.com/NpMotive,version=1.0 -> C:\Program Files (x86)\Motive\npMotive.dll (Alcatel-Lucent)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Thunderbird\Extensions: [[email protected]] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird

Chrome:
=======
CHR Profile: C:\Users\User\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-14]
CHR Extension: (Google Drive) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-14]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-21]
CHR Extension: (YouTube) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-14]
CHR Extension: (Google Search) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-14]
CHR Extension: (Google Wallet) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-14]
CHR Extension: (Gmail) - C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AmmyyAdmin; C:\cotutor\CTRemote.exe [733184 2014-10-07] () [File not signed]
S3 COMSysApp; C:\Windows\SysWOW64\dllhost.exe [7168 2009-07-13] () [File not signed]
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [1349576 2014-10-01] (ESET)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 McciCMService; C:\Program Files (x86)\Common Files\Motive\McciCMService.exe [319488 2010-06-23] (Alcatel-Lucent) [File not signed]
R2 McciCMService64; C:\Program Files\Common Files\Motive\McciCMService.exe [517632 2010-06-23] (Alcatel-Lucent) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [243440 2014-08-18] (ESET)
U5 edevmon; C:\Windows\System32\Drivers\edevmon.sys [241368 2014-08-18] (ESET)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [169280 2014-08-18] (ESET)
R2 epfwwfpr; C:\Windows\System32\DRIVERS\epfwwfpr.sys [158968 2014-09-18] (ESET)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-31] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
S3 MREMP50; C:\Program Files (x86)\Common Files\Motive\MREMP50.sys [21248 2010-06-23] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files (x86)\Common Files\Motive\MRESP50.sys [20096 2010-06-23] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-31 13:17 - 2014-12-31 13:17 - 00003544 ____N () C:\bootsqm.dat
2014-12-16 16:18 - 2014-12-16 16:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2014-12-16 16:18 - 2014-12-16 16:18 - 00000000 ____D () C:\ProgramData\ESET
2014-12-16 16:18 - 2014-12-16 16:18 - 00000000 ____D () C:\Program Files\ESET
2014-12-11 13:41 - 2014-12-11 13:41 - 00002200 _____ () C:\Users\Public\Desktop\HP Officejet Pro 8610.lnk
2014-12-11 13:41 - 2014-12-11 13:41 - 00000000 ____D () C:\ProgramData\Google
2014-12-11 13:41 - 2014-07-21 16:31 - 00763912 ____N (Hewlett-Packard Development Company, LP) C:\Windows\system32\HPDiscoPM7112.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-31 13:57 - 2014-11-10 17:51 - 00000000 ____D () C:\FRST
2014-12-31 13:57 - 2013-01-15 11:13 - 00000000 ____D () C:\cotutor
2014-12-31 13:57 - 2013-01-10 16:25 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-31 13:25 - 2009-07-13 23:45 - 00029120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-31 13:25 - 2009-07-13 23:45 - 00029120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-31 13:21 - 2014-11-12 16:16 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af.job
2014-12-31 13:21 - 2014-06-18 23:04 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6.job
2014-12-31 13:18 - 2014-10-07 10:55 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-31 13:18 - 2014-06-18 23:04 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d.job
2014-12-31 13:18 - 2013-08-18 00:00 - 00017809 _____ () C:\Windows\setupact.log
2014-12-31 13:18 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-31 11:47 - 2013-01-11 03:29 - 01139550 _____ () C:\Windows\WindowsUpdate.log
2014-12-31 11:23 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Public\Libraries
2014-12-31 10:37 - 2009-07-14 00:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-12-30 18:56 - 2014-10-07 10:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-30 18:56 - 2014-10-07 10:54 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-30 18:56 - 2014-09-17 12:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP
2014-12-30 18:56 - 2014-09-17 12:54 - 00000000 ____D () C:\ProgramData\HP
2014-12-30 18:56 - 2014-09-17 12:54 - 00000000 ____D () C:\Program Files (x86)\HP
2014-12-30 18:56 - 2014-04-14 11:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-12-30 18:56 - 2014-04-14 11:48 - 00000000 ____D () C:\Program Files\Google
2014-12-30 18:56 - 2013-01-10 16:25 - 00000000 ____D () C:\Windows\SysWOW64\Macromed
2014-12-30 18:56 - 2011-04-12 03:28 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-12-30 18:56 - 2009-07-14 00:08 - 00032566 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-12-30 18:55 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\registration
2014-12-12 15:03 - 2014-09-17 10:22 - 00000000 ____D () C:\Users\User\AppData\Local\HP
2014-12-12 07:17 - 2010-11-20 22:47 - 00143384 _____ () C:\Windows\PFRO.log
2014-12-11 13:46 - 2014-09-17 12:55 - 00000000 ____D () C:\Users\User\AppData\Roaming\HpUpdate
2014-12-11 13:41 - 2014-09-17 12:55 - 00003606 _____ () C:\Windows\System32\Tasks\HPCustParticipation HP Officejet Pro 8610
2014-12-11 13:41 - 2014-04-14 11:48 - 00000000 ____D () C:\Program Files (x86)\Google
2014-12-10 09:57 - 2013-01-10 16:25 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-10 09:57 - 2013-01-10 16:25 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-10 09:57 - 2013-01-10 16:25 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-12-25 08:56

==================== End Of Log ============================

 

-----------------------------------------------------

additions.txt:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2014
Ran by User at 2014-12-31 13:58:21
Running from C:\cotutor
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET NOD32 Antivirus 7.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ESET NOD32 Antivirus 8.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
ESET NOD32 Antivirus (HKLM\...\{7F39EB28-B9B7-41B8-8564-DB33284A010D}) (Version: 8.0.304.0 - ESET, spol s r. o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HP Officejet Pro 8610 Basic Device Software (HKLM\...\{39DA3F40-0B9E-4002-8E01-108FEC9EFE43}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP Officejet Pro 8610 Help (HKLM-x32\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Network Connections 15.7.176.0 (HKLM\...\PROSetDX) (Version: 15.7.176.0 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2279 - Intel Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Junk Mail filter update (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
LibreOffice 3.6 (HKLM-x32\...\{60B2F25C-22CB-4CD9-9168-8C63708DC1A1}) (Version: 3.6.4.3 - The Document Foundation)
magicJack (HKU\S-1-5-21-668036187-398662584-905741155-1000\...\magicJack) (Version: 2.0.6073.4413 - magicJack L.P.)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1047 - Marvell)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
OmniForm Premium 5.0 (HKLM-x32\...\{D9E2AA0C-078F-491E-A728-1A621ADF9900}) (Version: 5.00.029 - ScanSoft, Inc.)
Product Improvement Study for HP Officejet Pro 8610 (HKLM\...\{D2064264-3162-4DB1-AFE0-167BEFBBCD9C}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6257 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.26.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.26.0 - Renesas Electronics Corporation) Hidden
Scanner Mouse (HKLM-x32\...\{85651637-F4FA-425E-B66F-5E015F8D81FA}) (Version: 1.7.3 - Dacuda)
Star Envelope Printer Pro v5.30 (HKLM-x32\...\Star Envelope Printer Pro_is1) (Version: 5.30 - Starre Enterprises, Inc.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WiseConvert (HKLM-x32\...\WiseConvert) (Version: 1.0 - WiseConvert) <==== ATTENTION!

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

28-11-2014 12:00:02 Scheduled Checkpoint
05-12-2014 16:33:50 Scheduled Checkpoint
13-12-2014 00:00:03 Scheduled Checkpoint
16-12-2014 16:17:12 Installed ESET NOD32 Antivirus
24-12-2014 00:00:04 Scheduled Checkpoint
30-12-2014 16:51:13 Restore Operation

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {9577D8FA-7B6B-402F-BAE8-7D2A55BB1A22} - System32\Tasks\HPCustParticipation HP Officejet Pro 8610 => C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPCustPartic.exe [2014-07-21] (Hewlett-Packard Development Company, LP)
Task: {9D5924C6-2DF6-4D07-88C6-4CD82470A762} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-10] (Adobe Systems Incorporated)
Task: {B503A5C9-0BDD-4220-B265-19670E49D5A4} - System32\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: {BB0A85F5-B99D-4F64-90E1-0ED5DFE45B2C} - System32\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: {DEE981C2-F291-4ABB-8A67-94B310E68ABA} - System32\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-10-07 10:05 - 2014-10-07 10:05 - 00733184 _____ () C:\cotutor\CTRemote.exe
2013-01-11 03:37 - 2011-01-23 22:10 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-04-09 16:48 - 2013-04-09 16:48 - 37797992 _____ () C:\Program Files (x86)\Scanner Mouse\Scanner Mouse.exe
2013-04-09 16:34 - 2013-04-09 16:34 - 02450432 _____ () C:\Program Files (x86)\Scanner Mouse\Scanner Mouse Monitoring.exe
2013-04-09 16:32 - 2013-04-09 16:32 - 02139136 _____ () C:\Program Files (x86)\Scanner Mouse\XOcr.dll
2013-04-09 16:30 - 2013-04-09 16:30 - 00095232 _____ () C:\Program Files (x86)\Scanner Mouse\XLogger.dll
2013-04-09 16:32 - 2013-04-09 16:32 - 01735680 _____ () C:\Program Files (x86)\Scanner Mouse\XSkin.dll
2013-04-09 16:32 - 2013-04-09 16:32 - 00064000 _____ () C:\Program Files (x86)\Scanner Mouse\XRegister.dll
2012-07-05 14:11 - 2012-07-05 14:11 - 00033792 _____ () C:\Program Files (x86)\Scanner Mouse\DLL_OvtApi.dll
2012-10-12 18:39 - 2012-10-12 18:39 - 00019968 _____ () C:\Program Files (x86)\Scanner Mouse\SCCBCore.dll
2012-10-12 18:39 - 2012-10-12 18:39 - 00028160 _____ () C:\Program Files (x86)\Scanner Mouse\OVBaseIF.dll
2012-10-12 18:39 - 2012-10-12 18:39 - 00027648 _____ () C:\Program Files (x86)\Scanner Mouse\DXCore.dll
2012-06-05 08:39 - 2012-06-05 08:39 - 01927680 _____ () C:\Program Files (x86)\Scanner Mouse\isam.dll
2012-06-05 08:39 - 2012-06-05 08:39 - 00153088 _____ () C:\Program Files (x86)\Scanner Mouse\libsvm.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 01082368 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\GoogleTranslate\GoogleTranslate.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00111104 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\PasteAsImage\PasteAsImage.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00134144 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\PasteAsText\PasteAsText.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00188928 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\ShareFacebook\SharePlugin.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00188928 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\ShareFlickr\SharePlugin.dll
2014-10-07 11:25 - 2014-10-07 11:25 - 00188928 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\ShareTwitter\SharePlugin.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00119296 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\WinMail\WinMail.dll
2013-01-22 14:07 - 2013-01-22 14:07 - 00051272 _____ () C:\Program Files (x86)\Scanner Mouse\StartScreenHandler.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:9342EF85
AlternateDataStreams: C:\Users\User\Desktop\camera pictures.eml:OECustomProperty
AlternateDataStreams: C:\Users\User\Documents\camera pictures.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: SacReminder => C:\ProgramData\OfficeGuardian\reminder\SacReminder.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-668036187-398662584-905741155-500 - Administrator - Disabled)
Guest (S-1-5-21-668036187-398662584-905741155-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-668036187-398662584-905741155-1002 - Limited - Enabled)
User (S-1-5-21-668036187-398662584-905741155-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (12/31/2014 01:20:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 11:36:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 10:35:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/30/2014 06:57:13 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.

Error: (12/30/2014 06:14:57 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.

Error: (12/30/2014 05:32:17 PM) (Source: System Restore) (EventID: 8204) (User: )
Description: System restore ended unexpectedly because of power loss or a program error. Additional information: (Scheduled Checkpoint).

Error: (12/30/2014 04:55:32 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Installed ESET NOD32 Antivirus). Additional information: 0x80070005.

Error: (12/30/2014 04:46:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 10.0.9200.17148, time stamp: 0x544c16cd
Faulting module name: MSHTML.dll, version: 10.0.9200.17148, time stamp: 0x544c2aa1
Exception code: 0xc0000005
Fault offset: 0x00052afe
Faulting process id: 0x13a0
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

Error: (12/30/2014 08:27:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/29/2014 08:05:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 10.0.9200.17148, time stamp: 0x544c16cd
Faulting module name: MSHTML.dll, version: 10.0.9200.17148, time stamp: 0x544c2aa1
Exception code: 0xc0000005
Fault offset: 0x00052afe
Faulting process id: 0x1be8
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

System errors:
=============
Error: (12/31/2014 01:33:36 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{AD3EDBCA-0901-415B-82E9-C16D3B65E38C}5{3519154C-227E-47F3-9CC9-12C3F05817F1}

Error: (12/31/2014 01:19:07 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/31/2014 11:35:08 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (12/31/2014 11:35:03 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/31/2014 10:48:43 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{AD3EDBCA-0901-415B-82E9-C16D3B65E38C}5{3519154C-227E-47F3-9CC9-12C3F05817F1}

Error: (12/31/2014 10:34:25 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (12/31/2014 10:34:18 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/30/2014 06:57:46 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (12/30/2014 06:57:32 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/30/2014 05:32:22 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Microsoft Office Sessions:
=========================
Error: (12/31/2014 01:20:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 11:36:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 10:35:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/30/2014 06:57:13 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Scheduled Checkpoint0x80070005

Error: (12/30/2014 06:14:57 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Scheduled Checkpoint0x80070005

Error: (12/30/2014 05:32:17 PM) (Source: System Restore) (EventID: 8204) (User: )
Description: Scheduled Checkpoint

Error: (12/30/2014 04:55:32 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Installed ESET NOD32 Antivirus0x80070005

Error: (12/30/2014 04:46:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: IEXPLORE.EXE10.0.9200.17148544c16cdMSHTML.dll10.0.9200.17148544c2aa1c000000500052afe13a001d02479ca5a60f8C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\system32\MSHTML.dll4088e811-906d-11e4-89cb-4c72b9e611ba

Error: (12/30/2014 08:27:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/29/2014 08:05:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: IEXPLORE.EXE10.0.9200.17148544c16cdMSHTML.dll10.0.9200.17148544c2aa1c000000500052afe1be801d023680a717cd1C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\system32\MSHTML.dll6341ee23-8f5b-11e4-8eb1-4c72b9e611ba

 


  • 0

Advertisements


#2
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Hi. My name is Brian, and I would be happy to look into your issue.
 
I am currently in training and my posts will need to be reviewed by an expert, so expect a slight delay between posts.



- General Instructions -

  • Please read all instructions and fixes thoroughly. Read the ENTIRE post BEFORE performing any steps so you understand all that needs to be done.
  • I would advise printing any instructions for easy reference as some of the fixes may require you to boot in Safe mode. Access to these instructions may not be available in Safe Mode.
  • Any fixes provided by myself are for this log file only and should not be used on any other systems.
  • Do not run any other removal software or perform updates other than the ones I provide, as it will complicate the cleaning process.
  • It's very likely that part of our cleanup will include emptying your recycle bin. If you use your recycle bin as an archive and do not wish this to be emptied, please let me know.
  • You have 4 days to reply to each post or the topic will be closed. You will be able to request that the topic be re-opened by sending me a PM (Personal Message) or PM a moderator.
  • Please feel free to ask any questions, especially if you are having problems with my instructions.


- Save ALL Tools to your Desktop-

 

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.
 
Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Chrome.JPGGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser.Settings.JPG Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
Firefox.JPGMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Settings.JPG Choose Options. In the downloads section, click the Browse button, click on the Desktop folder
and the click the "Select Folder" button. Click OK to get out of the Options menu.
IE.jpgInternet Explorer - Click the Tools menu in the upper right-corner of the browser. Tools.JPG Select View downloads. Select the Options link in the lower left of the window. Click Browse and
select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
 

- Finally Before We Start-

 
Removing malware is a complicated multiple step process, Please stay with me until I have declared your system clean. I strongly recommend you backup your personal files and folders. Although rare, attempting to remove malware can render your machine unbootable or cause data loss. Having backups of your data is your responsibility. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

 

 

 

 

I'd be happy to take a look. Please acknowledge you have read the information above and post the complete Addition.txt file. It appears to have been cut off. Thank you.


  • 0

#3
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

One more question. Are you aware of the file CTRemote.exe that is in C:\Cotutor? It may be a Remote Desktop software from AmmyyAdmin but I need to know if you use this software. Thank you.


  • 0

#4
Cotutor

Cotutor

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 494 posts

Brian,

Thank you for your help I truly appreciate it, and hope that the learning experience is beneficial as well.

Yes I am familiar with the CTRemote, it is a customized version of the AmmyyAdmin that I use for accessing my computers when I'm away.  I can disable the service if it's causing you issues?

 

Below is the additions.txt.

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2014
Ran by User at 2014-12-31 13:58:21
Running from C:\cotutor
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET NOD32 Antivirus 7.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ESET NOD32 Antivirus 8.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
ESET NOD32 Antivirus (HKLM\...\{7F39EB28-B9B7-41B8-8564-DB33284A010D}) (Version: 8.0.304.0 - ESET, spol s r. o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HP Officejet Pro 8610 Basic Device Software (HKLM\...\{39DA3F40-0B9E-4002-8E01-108FEC9EFE43}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP Officejet Pro 8610 Help (HKLM-x32\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Network Connections 15.7.176.0 (HKLM\...\PROSetDX) (Version: 15.7.176.0 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2279 - Intel Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Junk Mail filter update (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
LibreOffice 3.6 (HKLM-x32\...\{60B2F25C-22CB-4CD9-9168-8C63708DC1A1}) (Version: 3.6.4.3 - The Document Foundation)
magicJack (HKU\S-1-5-21-668036187-398662584-905741155-1000\...\magicJack) (Version: 2.0.6073.4413 - magicJack L.P.)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1047 - Marvell)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
OmniForm Premium 5.0 (HKLM-x32\...\{D9E2AA0C-078F-491E-A728-1A621ADF9900}) (Version: 5.00.029 - ScanSoft, Inc.)
Product Improvement Study for HP Officejet Pro 8610 (HKLM\...\{D2064264-3162-4DB1-AFE0-167BEFBBCD9C}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6257 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.26.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.26.0 - Renesas Electronics Corporation) Hidden
Scanner Mouse (HKLM-x32\...\{85651637-F4FA-425E-B66F-5E015F8D81FA}) (Version: 1.7.3 - Dacuda)
Star Envelope Printer Pro v5.30 (HKLM-x32\...\Star Envelope Printer Pro_is1) (Version: 5.30 - Starre Enterprises, Inc.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WiseConvert (HKLM-x32\...\WiseConvert) (Version: 1.0 - WiseConvert) <==== ATTENTION!

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

28-11-2014 12:00:02 Scheduled Checkpoint
05-12-2014 16:33:50 Scheduled Checkpoint
13-12-2014 00:00:03 Scheduled Checkpoint
16-12-2014 16:17:12 Installed ESET NOD32 Antivirus
24-12-2014 00:00:04 Scheduled Checkpoint
30-12-2014 16:51:13 Restore Operation

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {9577D8FA-7B6B-402F-BAE8-7D2A55BB1A22} - System32\Tasks\HPCustParticipation HP Officejet Pro 8610 => C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPCustPartic.exe [2014-07-21] (Hewlett-Packard Development Company, LP)
Task: {9D5924C6-2DF6-4D07-88C6-4CD82470A762} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-10] (Adobe Systems Incorporated)
Task: {B503A5C9-0BDD-4220-B265-19670E49D5A4} - System32\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: {BB0A85F5-B99D-4F64-90E1-0ED5DFE45B2C} - System32\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: {DEE981C2-F291-4ABB-8A67-94B310E68ABA} - System32\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-10-07 10:05 - 2014-10-07 10:05 - 00733184 _____ () C:\cotutor\CTRemote.exe
2013-01-11 03:37 - 2011-01-23 22:10 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-04-09 16:48 - 2013-04-09 16:48 - 37797992 _____ () C:\Program Files (x86)\Scanner Mouse\Scanner Mouse.exe
2013-04-09 16:34 - 2013-04-09 16:34 - 02450432 _____ () C:\Program Files (x86)\Scanner Mouse\Scanner Mouse Monitoring.exe
2013-04-09 16:32 - 2013-04-09 16:32 - 02139136 _____ () C:\Program Files (x86)\Scanner Mouse\XOcr.dll
2013-04-09 16:30 - 2013-04-09 16:30 - 00095232 _____ () C:\Program Files (x86)\Scanner Mouse\XLogger.dll
2013-04-09 16:32 - 2013-04-09 16:32 - 01735680 _____ () C:\Program Files (x86)\Scanner Mouse\XSkin.dll
2013-04-09 16:32 - 2013-04-09 16:32 - 00064000 _____ () C:\Program Files (x86)\Scanner Mouse\XRegister.dll
2012-07-05 14:11 - 2012-07-05 14:11 - 00033792 _____ () C:\Program Files (x86)\Scanner Mouse\DLL_OvtApi.dll
2012-10-12 18:39 - 2012-10-12 18:39 - 00019968 _____ () C:\Program Files (x86)\Scanner Mouse\SCCBCore.dll
2012-10-12 18:39 - 2012-10-12 18:39 - 00028160 _____ () C:\Program Files (x86)\Scanner Mouse\OVBaseIF.dll
2012-10-12 18:39 - 2012-10-12 18:39 - 00027648 _____ () C:\Program Files (x86)\Scanner Mouse\DXCore.dll
2012-06-05 08:39 - 2012-06-05 08:39 - 01927680 _____ () C:\Program Files (x86)\Scanner Mouse\isam.dll
2012-06-05 08:39 - 2012-06-05 08:39 - 00153088 _____ () C:\Program Files (x86)\Scanner Mouse\libsvm.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 01082368 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\GoogleTranslate\GoogleTranslate.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00111104 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\PasteAsImage\PasteAsImage.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00134144 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\PasteAsText\PasteAsText.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00188928 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\ShareFacebook\SharePlugin.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00188928 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\ShareFlickr\SharePlugin.dll
2014-10-07 11:25 - 2014-10-07 11:25 - 00188928 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\ShareTwitter\SharePlugin.dll
2013-05-17 17:38 - 2013-05-17 17:38 - 00119296 _____ () C:\Users\User\AppData\Local\Scanner Mouse\extensions\WinMail\WinMail.dll
2013-01-22 14:07 - 2013-01-22 14:07 - 00051272 _____ () C:\Program Files (x86)\Scanner Mouse\StartScreenHandler.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:9342EF85
AlternateDataStreams: C:\Users\User\Desktop\camera pictures.eml:OECustomProperty
AlternateDataStreams: C:\Users\User\Documents\camera pictures.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: SacReminder => C:\ProgramData\OfficeGuardian\reminder\SacReminder.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-668036187-398662584-905741155-500 - Administrator - Disabled)
Guest (S-1-5-21-668036187-398662584-905741155-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-668036187-398662584-905741155-1002 - Limited - Enabled)
User (S-1-5-21-668036187-398662584-905741155-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (12/31/2014 01:20:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 11:36:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 10:35:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/30/2014 06:57:13 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.

Error: (12/30/2014 06:14:57 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.

Error: (12/30/2014 05:32:17 PM) (Source: System Restore) (EventID: 8204) (User: )
Description: System restore ended unexpectedly because of power loss or a program error. Additional information: (Scheduled Checkpoint).

Error: (12/30/2014 04:55:32 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Installed ESET NOD32 Antivirus). Additional information: 0x80070005.

Error: (12/30/2014 04:46:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 10.0.9200.17148, time stamp: 0x544c16cd
Faulting module name: MSHTML.dll, version: 10.0.9200.17148, time stamp: 0x544c2aa1
Exception code: 0xc0000005
Fault offset: 0x00052afe
Faulting process id: 0x13a0
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

Error: (12/30/2014 08:27:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/29/2014 08:05:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 10.0.9200.17148, time stamp: 0x544c16cd
Faulting module name: MSHTML.dll, version: 10.0.9200.17148, time stamp: 0x544c2aa1
Exception code: 0xc0000005
Fault offset: 0x00052afe
Faulting process id: 0x1be8
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

System errors:
=============
Error: (12/31/2014 01:33:36 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{AD3EDBCA-0901-415B-82E9-C16D3B65E38C}5{3519154C-227E-47F3-9CC9-12C3F05817F1}

Error: (12/31/2014 01:19:07 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/31/2014 11:35:08 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (12/31/2014 11:35:03 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/31/2014 10:48:43 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{AD3EDBCA-0901-415B-82E9-C16D3B65E38C}5{3519154C-227E-47F3-9CC9-12C3F05817F1}

Error: (12/31/2014 10:34:25 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (12/31/2014 10:34:18 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/30/2014 06:57:46 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (12/30/2014 06:57:32 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/30/2014 05:32:22 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Microsoft Office Sessions:
=========================
Error: (12/31/2014 01:20:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 11:36:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 10:35:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/30/2014 06:57:13 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Scheduled Checkpoint0x80070005

Error: (12/30/2014 06:14:57 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Scheduled Checkpoint0x80070005

Error: (12/30/2014 05:32:17 PM) (Source: System Restore) (EventID: 8204) (User: )
Description: Scheduled Checkpoint

Error: (12/30/2014 04:55:32 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Installed ESET NOD32 Antivirus0x80070005

Error: (12/30/2014 04:46:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: IEXPLORE.EXE10.0.9200.17148544c16cdMSHTML.dll10.0.9200.17148544c2aa1c000000500052afe13a001d02479ca5a60f8C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\system32\MSHTML.dll4088e811-906d-11e4-89cb-4c72b9e611ba

Error: (12/30/2014 08:27:39 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/29/2014 08:05:40 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: IEXPLORE.EXE10.0.9200.17148544c16cdMSHTML.dll10.0.9200.17148544c2aa1c000000500052afe1be801d023680a717cd1C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\system32\MSHTML.dll6341ee23-8f5b-11e4-8eb1-4c72b9e611ba


  • 0

#5
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

It's still cut off. When you double-click on the Addition.txt file and scroll all the way to the bottom, do you not see the following sections? At the end of the log you should see the End of Log section. Let me know. Thanks. Also, no need to disable that service. I just wanted to ensure you used it.

 

==================== Memory info ===========================

Processor: Intel® Core™ i7-2860QM CPU @ 2.50GHz
Percentage of memory in use: 60%
Total physical RAM: 2047.49 MB
Available physical RAM: 812.88 MB
Total Pagefile: 4094.98 MB
Available Pagefile: 2931.16 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:59.9 GB) (Free:29.99 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 60 GB) (Disk ID: 06379F6F)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=59.9 GB) - (Type=07 NTFS)

==================== End Of Log ============================


  • 0

#6
Cotutor

Cotutor

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 494 posts

Brian,

 

The original log did not have an end of log section. What do I need to do to run another addition scan so that it has this?


  • 0

#7
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Step#1 - Let's get that Addition.txt File
 
1. Right click on FRST64 and select Run as administrator.
2. Ensure that the Addition.txt check box is checked in the Optional Scan area at the bottom of the screen.
3. Press the Scan button.
4. It will produce a log called FRST.txt in the same directory the tool is run from (which should now be the desktop). We will not need this log this time.
5. Another log will be created (Addition.txt - also located in the same directory as FRST64.exe).
6. Please paste the contents of the Addition.txt log in your next reply.


Edited by BrianDrab, 02 January 2015 - 09:31 AM.

  • 0

#8
Cotutor

Cotutor

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 494 posts

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2014
Ran by User at 2015-01-02 10:40:41
Running from C:\Users\User\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: ESET NOD32 Antivirus 7.0 (Enabled - Up to date) {19259FAE-8396-A113-46DB-15B0E7DFA289}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ESET NOD32 Antivirus 8.0 (Enabled - Up to date) {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.246 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
ESET NOD32 Antivirus (HKLM\...\{7F39EB28-B9B7-41B8-8564-DB33284A010D}) (Version: 8.0.304.0 - ESET, spol s r. o.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HP Officejet Pro 8610 Basic Device Software (HKLM\...\{39DA3F40-0B9E-4002-8E01-108FEC9EFE43}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
HP Officejet Pro 8610 Help (HKLM-x32\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Network Connections 15.7.176.0 (HKLM\...\PROSetDX) (Version: 15.7.176.0 - Intel)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2279 - Intel Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Junk Mail filter update (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
LibreOffice 3.6 (HKLM-x32\...\{60B2F25C-22CB-4CD9-9168-8C63708DC1A1}) (Version: 3.6.4.3 - The Document Foundation)
magicJack (HKU\S-1-5-21-668036187-398662584-905741155-1000\...\magicJack) (Version: 2.0.6073.4413 - magicJack L.P.)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1047 - Marvell)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
OmniForm Premium 5.0 (HKLM-x32\...\{D9E2AA0C-078F-491E-A728-1A621ADF9900}) (Version: 5.00.029 - ScanSoft, Inc.)
Product Improvement Study for HP Officejet Pro 8610 (HKLM\...\{D2064264-3162-4DB1-AFE0-167BEFBBCD9C}) (Version: 32.3.198.49673 - Hewlett-Packard Co.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6257 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.26.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.26.0 - Renesas Electronics Corporation) Hidden
Star Envelope Printer Pro v5.30 (HKLM-x32\...\Star Envelope Printer Pro_is1) (Version: 5.30 - Starre Enterprises, Inc.)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WiseConvert (HKLM-x32\...\WiseConvert) (Version: 1.0 - WiseConvert) <==== ATTENTION!

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

05-12-2014 16:33:50 Scheduled Checkpoint
13-12-2014 00:00:03 Scheduled Checkpoint
16-12-2014 16:17:12 Installed ESET NOD32 Antivirus
24-12-2014 00:00:04 Scheduled Checkpoint
30-12-2014 16:51:13 Restore Operation
31-12-2014 16:47:37 OTL Restore Point - 12/31/2014 4:47:35 PM

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2014-12-31 15:51 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {9577D8FA-7B6B-402F-BAE8-7D2A55BB1A22} - System32\Tasks\HPCustParticipation HP Officejet Pro 8610 => C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPCustPartic.exe [2014-07-21] (Hewlett-Packard Development Company, LP)
Task: {9D5924C6-2DF6-4D07-88C6-4CD82470A762} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-12-10] (Adobe Systems Incorporated)
Task: {B503A5C9-0BDD-4220-B265-19670E49D5A4} - System32\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: {BB0A85F5-B99D-4F64-90E1-0ED5DFE45B2C} - System32\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6 => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: {DEE981C2-F291-4ABB-8A67-94B310E68ABA} - System32\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14] (Google Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2014-10-07 10:05 - 2014-10-07 10:05 - 00733184 _____ () C:\cotutor\CTRemote.exe
2013-01-11 03:37 - 2011-01-23 22:10 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\User\Desktop\camera pictures.eml:OECustomProperty
AlternateDataStreams: C:\Users\User\Documents\camera pictures.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AmmyyAdmin => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: SacReminder => C:\ProgramData\OfficeGuardian\reminder\SacReminder.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-668036187-398662584-905741155-500 - Administrator - Disabled)
Guest (S-1-5-21-668036187-398662584-905741155-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-668036187-398662584-905741155-1002 - Limited - Enabled)
User (S-1-5-21-668036187-398662584-905741155-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/01/2015 02:18:36 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/01/2015 11:02:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/01/2015 10:27:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 01:20:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 11:36:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 10:35:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/30/2014 06:57:13 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.

Error: (12/30/2014 06:14:57 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Scheduled Checkpoint). Additional information: 0x80070005.

Error: (12/30/2014 05:32:17 PM) (Source: System Restore) (EventID: 8204) (User: )
Description: System restore ended unexpectedly because of power loss or a program error. Additional information: (Scheduled Checkpoint).

Error: (12/30/2014 04:55:32 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Installed ESET NOD32 Antivirus). Additional information: 0x80070005.

System errors:
=============
Error: (01/02/2015 08:59:27 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (01/01/2015 03:00:04 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (01/01/2015 02:31:50 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{AD3EDBCA-0901-415B-82E9-C16D3B65E38C}5{3519154C-227E-47F3-9CC9-12C3F05817F1}

Error: (01/01/2015 11:27:15 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (01/01/2015 11:16:00 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{AD3EDBCA-0901-415B-82E9-C16D3B65E38C}5{3519154C-227E-47F3-9CC9-12C3F05817F1}

Error: (01/01/2015 11:02:51 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (01/01/2015 10:41:10 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{AD3EDBCA-0901-415B-82E9-C16D3B65E38C}5{3519154C-227E-47F3-9CC9-12C3F05817F1}

Error: (01/01/2015 10:30:20 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Error: (01/01/2015 10:26:26 AM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{B366DEBE-645B-43A5-B865-DDD82C345492}5{4CB43D7F-7EEE-4906-8698-60DA1C38F2FE}

Error: (12/31/2014 06:01:37 PM) (Source: DCOM) (EventID: 10000) (User: )
Description: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}5{06622D85-6856-4460-8DE1-A81921B41C4B}

Microsoft Office Sessions:
=========================
Error: (01/01/2015 02:18:36 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/01/2015 11:02:44 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/01/2015 10:27:53 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 01:20:15 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 11:36:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/31/2014 10:35:28 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (12/30/2014 06:57:13 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Scheduled Checkpoint0x80070005

Error: (12/30/2014 06:14:57 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Scheduled Checkpoint0x80070005

Error: (12/30/2014 05:32:17 PM) (Source: System Restore) (EventID: 8204) (User: )
Description: Scheduled Checkpoint

Error: (12/30/2014 04:55:32 PM) (Source: System Restore) (EventID: 8210) (User: )
Description: Installed ESET NOD32 Antivirus0x80070005

CodeIntegrity Errors:
===================================
  Date: 2014-12-31 15:50:49.552
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-12-31 15:50:49.505
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Pentium® CPU G850 @ 2.90GHz
Percentage of memory in use: 31%
Total physical RAM: 3995.34 MB
Available physical RAM: 2754.84 MB
Total Pagefile: 7988.86 MB
Available Pagefile: 6735.13 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.66 GB) (Free:419.41 GB) NTFS
Drive d: (GRMCPRXFRER_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 5F792904)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

==================== End Of Log ============================


  • 0

#9
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thanks for the information.  It looks like you ran a bit more than what you had mentioned. I see Combofix and RougeKiller as well. Running all these tools could be contributing to your current problems but let's see what we can do. Please follow the steps below.
 
Step#1 - Warnings
Windows Sidebar/Gadgets
I see that you use the Windows Sidebar with Gadgets. Microsoft deems these as a security vulnerability and recommends that they are disabled. Unless you have good reason not to, please download and install the Microsoft Fix-It from here. Note: Please ensure you reboot when prompted. If you don't and continue this could leave your machine in an unstable state.
 
 
Step#2 - Malwarebytes Log
I'd like to take a look at the log from the Malwarebytes scan that you did. Here are instructions to locate that Malwarebytes log.
 
1. Open up the Malwarebytes program again. You can simply double click on the shortcut on your desktop that says "Malwarebytes Anti-Malware".
2. Click the History button as shown in the picture below.
3. Click Application Logs as shown in the picture below.
4. Put a check mark next to Scan Log as shown in the picture below.
5. Click the view button as shown in the picture below.
GetLog.JPG
 
Step#3 - FRST Fix
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
1. Download attached file and save it to the Desktop. Attached File  fixlist.txt   454bytes   92 downloads
Note. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work (in this case...the desktop).
2. Run FRST64 by Right-Clicking on the file and choosing Run as administrator.
3. Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
4. When finished FRST64 will generate a log on the Desktop (Fixlog.txt). Please post the contents of it in your reply.

 
Step#4 - AdWCleaner
1. Please download AdwCleaner by Xplode onto your desktop.
2. Close all open programs and internet browsers.
3. Right-click on AdwCleaner.exe and select Run as administrator to run the tool.
4. Click on Scan.
5. After the scan is complete click on "Clean"
6. Confirm each time with Ok.
7. Your computer will be rebooted automatically. A text file will open after the restart.
8. Please post the content of that logfile with your next answer.
9. If need be, you can also find the logfile at C:\AdwCleaner\AdwCleaner[S0].txt as well.

 
 
Step#5 - Rootkit Scan
1. Download aswMBR to your desktop.
2. Right-click on aswMBR.exe and select Run as administrator to run it.
3. If you get a question about Virtualization Technology, answer Yes.
4. If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
5. Click the "Scan" button to start scan.
6. On completion of the scan click "Save log", save it to your desktop and post in your next reply.
NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
  
 
Items for your next post
1. Malwarebytes log
2. FRST Fix Log
3. AdwCleaner log
4. Rootkit Scan log


  • 0

#10
Cotutor

Cotutor

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 494 posts

1. Malwarebytes Scan is attached.

 

Attached File  Malwarebytes Scan Log.rtf   4.15MB   37 downloads

 

 

2. FRST FIX:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2014
Ran by User at 2015-01-02 15:33:26 Run:5
Running from C:\Users\User\Desktop
Loaded Profiles: User &  (Available profiles: User)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-20\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
AlternateDataStreams: C:\ProgramData\TEMP:9342EF85
cmd: type C:\ComboFix.txt
cmd: type c:\users\user\desktop\RKreport.txt
cmd: bitsadmin /reset /allusers
EmptyTemp:

*****************

Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run\\Sidebar => Value not found.
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run\\Sidebar => Value not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"C:\ProgramData\TEMP" => ":9342EF85" ADS not found.

=========  type C:\ComboFix.txt =========

ComboFix 14-12-30.01 - User 12/31/2014  15:47:34.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3995.2524 [GMT -5:00]
Running from: c:\cotutor\cleanup updated 11-10-14\ComboFix.exe
AV: ESET NOD32 Antivirus 7.0 *Disabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: ESET NOD32 Antivirus 8.0 *Disabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\END
.
.
(((((((((((((((((((((((((   Files Created from 2014-11-28 to 2014-12-31  )))))))))))))))))))))))))))))))
.
.
2014-12-31 20:51 . 2014-12-31 20:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-12-16 21:18 . 2014-12-16 21:18 -------- d-----w- c:\program files\ESET
2014-12-11 18:41 . 2014-07-21 21:31 763912 ------w- c:\windows\system32\HPDiscoPM7112.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-12-31 19:04 . 2014-10-07 15:55 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-10 14:57 . 2013-01-10 21:25 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-12-10 14:57 . 2013-01-10 21:25 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-21 11:14 . 2014-10-07 15:54 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 11:14 . 2014-10-07 15:54 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14 . 2014-10-07 15:54 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-18 19:00 . 2014-11-18 18:57 11222744 ----a-w- C:\HitmanPro_x64.exe
2014-11-13 21:36 . 2013-01-10 20:18 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-11-10 21:31 . 2014-11-10 21:03 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-11-05 17:56 . 2014-11-13 21:33 304640 ----a-w- c:\windows\system32\generaltel.dll
2014-11-05 17:56 . 2014-11-13 21:33 228864 ----a-w- c:\windows\system32\aepdu.dll
2014-11-05 17:52 . 2014-11-13 21:33 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-10-26 01:56 . 2014-11-13 21:33 51712 ----a-w- c:\windows\system32\ie4uinit.exe
2014-10-26 01:56 . 2014-11-13 21:33 2237952 ----a-w- c:\windows\system32\wininet.dll
2014-10-26 01:56 . 2014-11-13 21:33 600064 ----a-w- c:\windows\system32\vbscript.dll
2014-10-26 01:56 . 2014-11-13 21:33 1409536 ----a-w- c:\windows\system32\urlmon.dll
2014-10-26 01:55 . 2014-11-13 21:33 197120 ----a-w- c:\windows\system32\msrating.dll
2014-10-26 01:55 . 2014-11-13 21:33 19284480 ----a-w- c:\windows\system32\mshtml.dll
2014-10-26 01:55 . 2014-11-13 21:33 97280 ----a-w- c:\windows\system32\mshtmled.dll
2014-10-26 01:55 . 2014-11-13 21:33 603136 ----a-w- c:\windows\system32\msfeeds.dll
2014-10-26 01:54 . 2014-11-13 21:33 3959296 ----a-w- c:\windows\system32\jscript9.dll
2014-10-26 01:54 . 2014-11-13 21:33 53760 ----a-w- c:\windows\system32\jsproxy.dll
2014-10-26 01:54 . 2014-11-13 21:33 855552 ----a-w- c:\windows\system32\jscript.dll
2014-10-26 01:54 . 2014-11-13 21:33 526336 ----a-w- c:\windows\system32\ieui.dll
2014-10-26 01:54 . 2014-11-13 21:33 15399424 ----a-w- c:\windows\system32\ieframe.dll
2014-10-26 01:54 . 2014-11-13 21:33 2655232 ----a-w- c:\windows\system32\iertutil.dll
2014-10-26 01:54 . 2014-11-13 21:33 136704 ----a-w- c:\windows\system32\iesysprep.dll
2014-10-26 01:54 . 2014-11-13 21:33 255488 ----a-w- c:\windows\system32\iedkcs32.dll
2014-10-26 01:54 . 2014-11-13 21:33 67072 ----a-w- c:\windows\system32\iesetup.dll
2014-10-26 01:54 . 2014-11-13 21:33 39936 ----a-w- c:\windows\system32\iernonce.dll
2014-10-26 01:54 . 2014-11-13 21:33 451584 ----a-w- c:\windows\system32\dxtmsft.dll
2014-10-26 01:54 . 2014-11-13 21:33 281600 ----a-w- c:\windows\system32\dxtrans.dll
2014-10-26 01:53 . 2014-11-13 21:33 1509376 ----a-w- c:\windows\system32\inetcpl.cpl
2014-10-26 00:36 . 2014-11-13 21:33 1762816 ----a-w- c:\windows\SysWow64\wininet.dll
2014-10-26 00:35 . 2014-11-13 21:33 523776 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-10-26 00:34 . 2014-11-13 21:33 2861568 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-10-26 00:34 . 2014-11-13 21:33 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
2014-10-26 00:34 . 2014-11-13 21:33 61440 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-10-26 00:34 . 2014-11-13 21:33 1441280 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-10-26 00:19 . 2014-11-13 21:33 2706432 ----a-w- c:\windows\system32\mshtml.tlb
2014-10-26 00:13 . 2014-11-13 21:33 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-10-25 23:22 . 2014-11-13 21:33 89600 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-10-25 23:17 . 2014-11-13 21:33 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2014-10-25 01:57 . 2014-11-13 21:33 77824 ----a-w- c:\windows\system32\packager.dll
2014-10-25 01:32 . 2014-11-13 21:33 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-10-18 02:05 . 2014-11-13 21:32 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-18 01:33 . 2014-11-13 21:32 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-10-14 02:16 . 2014-11-13 21:33 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 02:13 . 2014-11-13 21:33 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 02:13 . 2014-11-13 21:33 3241984 ----a-w- c:\windows\system32\msi.dll
2014-10-14 02:12 . 2014-11-13 21:33 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 02:09 . 2014-11-13 21:33 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 02:07 . 2014-11-13 21:33 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-10-14 01:50 . 2014-11-13 21:33 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-10-14 01:50 . 2014-11-13 21:33 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-10-14 01:49 . 2014-11-13 21:33 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-10-14 01:47 . 2014-11-13 21:33 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-10-14 01:46 . 2014-11-13 21:33 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-10-10 00:57 . 2014-11-13 21:33 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-10-03 02:12 . 2014-11-13 21:33 500224 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-10-03 02:11 . 2014-11-13 21:33 284672 ----a-w- c:\windows\system32\EncDump.dll
2014-10-03 02:11 . 2014-11-13 21:33 680960 ----a-w- c:\windows\system32\audiosrv.dll
2014-10-03 02:11 . 2014-11-13 21:33 440832 ----a-w- c:\windows\system32\AudioEng.dll
2014-10-03 02:11 . 2014-11-13 21:33 296448 ----a-w- c:\windows\system32\AudioSes.dll
2014-10-03 01:44 . 2014-11-13 21:33 442880 ----a-w- c:\windows\SysWow64\AUDIOKSE.dll
2014-10-03 01:44 . 2014-11-13 21:33 374784 ----a-w- c:\windows\SysWow64\AudioEng.dll
2014-10-03 01:44 . 2014-11-13 21:33 195584 ----a-w- c:\windows\SysWow64\AudioSes.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\User\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2011-01-24 113288]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Scanner Mouse.lnk - c:\program files (x86)\Scanner Mouse\Scanner Mouse.exe /tray [2013-4-9 37797992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
R2 AmmyyAdmin;Ammyy Admin;c:\cotutor\CTRemote.exe;c:\cotutor\CTRemote.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S1 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys;c:\windows\SYSNATIVE\DRIVERS\eamonm.sys [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys;c:\windows\SYSNATIVE\DRIVERS\ehdrv.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe;c:\program files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe [x]
S2 epfwwfpr;epfwwfpr;c:\windows\system32\DRIVERS\epfwwfpr.sys;c:\windows\SYSNATIVE\DRIVERS\epfwwfpr.sys [x]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe;c:\program files\Common Files\Motive\McciCMService.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
S4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-12-12 22:21 1087816 ----a-w- c:\program files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-10 14:57]
.
2014-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cf8b739c78548d.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14 16:48]
.
2014-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cf8b739cdd09d6.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14 16:48]
.
2014-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cffebdf06b77af.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-14 16:48]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-01-24 167960]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-01-24 391704]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-01-24 418328]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-01-27 11660904]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2014-10-01 5595336]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.yahoo.com/?ilc=14
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.3.3
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-668036187-398662584-905741155-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-668036187-398662584-905741155-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-31  15:51:58
ComboFix-quarantined-files.txt  2014-12-31 20:51
.
Pre-Run: 449,663,836,160 bytes free
Post-Run: 449,527,816,192 bytes free
.
- - End Of File - - A375AD0E3A51271A5072C9572E26926D
A36C5E4F47E84449FF07ED3517B43A31

========= End of CMD: =========

=========  type c:\users\user\desktop\RKreport.txt =========

The system cannot find the file specified.

========= End of CMD: =========

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to cancel {4D97D7DB-E95F-47D8-9BAC-F0EEE9784820}.
Unable to cancel {041CD902-CDF0-4DBF-B332-AA5D79FDE694}.
Unable to cancel {F7DFFD02-C759-4322-9743-BEDEDBDEB4F8}.
Unable to cancel {D47D38A0-8F3E-4F9B-8973-3FC73E45F689}.
Unable to cancel {FD56CBE5-03C4-41E9-A7DB-3980EC77AEEC}.
Unable to cancel {10C387EB-35E1-43E1-A147-59A4336329A4}.
0 out of 6 jobs canceled.

========= End of CMD: =========

EmptyTemp: => Removed 368.3 MB temporary data.

The system needed a reboot.

==== End of Fixlog 15:35:24 ====

 

3. ADW Cleaner:

 

# AdwCleaner v4.106 - Report created 02/01/2015 at 15:44:19
# Updated 21/12/2014 by Xplode
# Database : 2015-01-01.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : User - USER-PC
# Running from : C:\Users\User\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\wiseconvert
Folder Deleted : C:\Program Files (x86)\wiseconvert
Folder Deleted : C:\Users\User\AppData\Local\Conduit
Folder Deleted : C:\Users\User\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\User\AppData\LocalLow\Conduit

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289847
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17148

-\\ Google Chrome v39.0.2171.95

[C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\User\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [1948 octets] - [02/01/2015 15:42:43]
AdwCleaner[S0].txt - [1804 octets] - [02/01/2015 15:44:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1864 octets] ##########

 

4. ROOTKIT SCAN:

 

aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2015-01-02 15:47:57
-----------------------------
15:47:57.215    OS Version: Windows x64 6.1.7601 Service Pack 1
15:47:57.215    Number of processors: 2 586 0x2A07
15:47:57.215    ComputerName: USER-PC  UserName: User
15:47:57.761    Initialize success
15:47:57.823    VM: initialized successfully
15:47:57.823    VM: Intel CPU supported
15:48:01.070    VM: supported disk I/O ataport.SYS
15:49:01.929    AVAST engine defs: 15010201
15:49:20.946    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5
15:49:20.961    Disk 0 Vendor: ST500DM002-1BD142 KC45 Size: 476940MB BusType: 11
15:49:21.086    VM: Disk 0 MBR read successfully
15:49:21.086    Disk 0 MBR scan
15:49:21.086    Disk 0 Windows 7 default MBR code
15:49:21.102    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
15:49:21.102    Disk 0 default boot code
15:49:21.117    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       476838 MB offset 206848
15:49:21.164    Disk 0 scanning C:\Windows\system32\drivers
15:49:32.599    Service scanning
15:49:58.354    Modules scanning
15:49:58.354    Disk 0 trace - called modules:
15:49:58.401    ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
15:49:58.417    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80045e4060]
15:49:58.417    3 CLASSPNP.SYS[fffff8800196a43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-5[0xfffffa80040f8060]
15:50:00.616    AVAST engine scan C:\Windows
15:50:03.643    AVAST engine scan C:\Windows\system32
15:53:43.182    AVAST engine scan C:\Windows\system32\drivers
15:54:10.810    AVAST engine scan C:\Users\User
16:01:33.382    AVAST engine scan C:\ProgramData
16:02:54.768    Disk 0 statistics 3671723/0/18 @ 3.34 MB/s
16:02:54.768    Scan finished successfully
16:05:54.511    Disk 0 MBR has been saved successfully to "C:\Users\User\Desktop\MBR.dat"
16:05:54.527    The log file has been saved successfully to "C:\Users\User\Desktop\aswMBR.txt"

 

 

 


  • 0

Advertisements


#11
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thank you. Can you confirm that your only issue at the moment is getting to Add/Remove programs? Please verify that you still can't as well. Thank you.


  • 0

#12
Cotutor

Cotutor

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 494 posts

Yes. That is the only issue as far as I know and it still does not work. Thank you


  • 0

#13
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

Thanks for the info. Let's do a final few scans and then we can focus specifically on your Add/Remove issues.

 

Step#1 - ESET Online Scanner and Post Results
Before running this scan, please temporarily disable your antivirus software to avoid conflicts. You can re-enable once it's done. Instructions for doing this on many AVs are here.

 

  • Please go here and click on 1.JPG
  • Note: This site is optimized for Internet Explorer. Please use it for this scan. If you wish to use Firefox or Chrome you will be asked to download the ESET Smart Installer first (esetsmartinstaller_enu.exe). Go ahead and download and run this file.
  • Please accept the ESET Online Scanner EULA and click Start.
  • If prompted, allow the Add-On/Active X to install. If you have problems with this step please see this link.
  • Make sure Enable detection of potentially unwanted applications is selected.
  • Click the Advanced Settings link.
  • Make sure Remove found threats is NOT checked.
  • Make sure Scan archives IS checked.
  • Make sure Scan for potentially unsafe applications IS checked.
  • Make sure Enable Anti-Stealth technology IS checked
  • 2.JPG
     
  • Click on Start
  • The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, if anything was detected please click the List of found threats link.
  • ThreatsFound.JPG
     
  • Then click the Copy to Clipboard link and paste this information into your next reply.
  • CopyToClipboard.JPG

     

     

  • Then you may click the Back button.
  • Check Uninstall Application on Close before clicking finish.

 

Step#2 - Security Check
 
1. Download Security Check from here or here or here.
2. Save it to your Desktop.
3. Right-click SecurityCheck.exe and select Run as administrator. Follow the onscreen instructions inside of the black box.
4. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: Don't be alarmed if the process runs for 10 to 15 minutes before completing. If it runs for over 30 minutes, just close the program and try running it again.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.

 

 

  

 

Items for your next post
1. Contents of the ESET log file

2. Security Check log


  • 0

#14
Cotutor

Cotutor

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 494 posts

ESET Online Scanner Results

 

C:\cotutor\CTRemote.exe a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe application
C:\cotutor\cleanup updated 11-10-14\CTRemote.exe a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe application
C:\Users\User\AppData\Local\Downloaded Installations\{AC08ECED-D6F8-404E-93A0-F037F0623C92}\The Weather Channel App.msi a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\_OTL\MovedFiles\11102014_154757\C_Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7W3BEG2Q\CTRemote.exe a variant of Win32/RemoteAdmin.Ammyy.B potentially unsafe application

 

Security Check log

 

 Results of screen317's Security Check version 0.99.93 
 Windows 7 Service Pack 1 x64 (UAC is disabled!) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
ESET NOD32 Antivirus 7.0  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 25 
 Java version 32-bit out of Date!
  Adobe Flash Player 15.0.0.246 Flash Player out of Date! 
 Adobe Reader XI 
 Google Chrome (39.0.2171.71)
 Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent```````` 
 ESET NOD32 Antivirus egui.exe 
 ESET NOD32 Antivirus ekrn.exe 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

 


  • 0

#15
BrianDrab

BrianDrab

    Trusted Helper

  • Malware Removal
  • 3,583 posts

OK, let's get your add/remove programs working again. Please do the following.
 
Step#1 - Install IE11
1. Please download IE11 to your desktop.
2. Double-click the file that was downloaded (IE11-Windows6.1-x64-en-us.exe) and install.
3. Once it's installed, see if you can access Add/Remove programs. If not, continue on.
 
Step#2 - System File Checker
 
1. Click your Start Orb in the lower left of your computer and type cmd in the search box.
2. Once the cmd program is found, right-click on it with your mouse and select Run as administrator as shown below.
ElevateCommandPrompt.JPG

3. Answer Yes when asked to allow.
4. You should now have a black window open that you can type in to.
5. Type sfc /scannow and hit enter to start the scan. Please notice the space between sfc and /scannow.
6. Once the scan finishes please copy and paste the following into the command prompt window and hit enter.
    findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\sfcdetails.txt
7. This will place a new file on your desktop named sfcdetails.txt. Please copy/past the contents of this file into your next post.

 

  

 

Items for your next post

1. sfcdetails.txt file if Add/Remove programs still doesn't work after the IE install


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP