Software misteriously missing from computer this morning

September 12, 2014 at 08:49:10
Specs: Windows 7, AMD Turion 2.4GHz/4GB RAM
My work computer has had weird behavior these last 2 days. First off I come into work yesterday and all my icons on my desktop are missing (except the standard, Computer, Recycle Bin, Network, Etc.). Ironically there was a Google Chrome icon still there, which is weird because I did not previously have that installed. I try to do a system restore to the day before but that failed with some critical error (cant remember the exact error), also any earlier restore point gave the same error. I checked the recycle bin and most of the icons/files were there, so I restored them to their original locations. How they got there is a mystery. It is possible that someone else accidentally deleted them, but that is HIGHLY unlikely. I uninstalled Google Chrome and did a virus scan with MBAM and everything turned up clean. I didn't use the computer much the rest of the day to notice any other weird behavior.

I come in this morning and my QuickBooks software is missing. I check the event log on my computer (right click Computer ->Manage->Event Viewer and I see that there is an entry at roughly 5am this morning that "QuickBooks has been uninstalled successfully". Also between 4:15am and 5:30am this morning, there were several other titles uninstalled according to the event viewer. These titles include ITunes, MySQL server and related software, .Net framework, Filemaker Pro, several HP software titles, MSXML 4.0 SP2, Skype, Tight VNC and Visual Studio for the Office system.

While trying to reinstall QuickBooks from a backup .iso file I also notice that my Power ISO software, used to install QuickBooks from the .iso, is missing, but not listed in the event viewer as uninstalled. I also notice that another very important software title that we use for our industry is missing, yet not listed in the event viewer, and then mysteriously Google Chrome is re-installed (at 5pm yesterday according to the event viewer).

All this is a mystery to me as to how they were uninstalled. Virus scan turns up clean, and other general behavior is pretty much normal. There are 2 additional things worth mentioning...Yesterday when troubleshooting the icons missing I did a restart. After booting and clicking my name to log in, it took a minute or so for everything to load as normal, but after about 2 minutes after logging on, the log-on screen reappeared and I had to click my name to log back in. This logged me on again and reloaded everything for another minute or so as opposed to just the quick loading as if "Switching Users". I don't know how or why its doing that but thought it might be worth mentioning. The second thing to note is that I often use remote desktop to log in to my work computer from home (or sometimes from another computer in the office). I am able to use this through somewhat of a hack. Natively, Windows 7 Home Professional does not allow incoming remote desktop connections, however I use the tool "Concurrent RDP Patcher" which allows the connection through Home Professional, as well as allows me to log on at the same time when someone else is currently using it.

I only mention the remote desktop connection because of a long-shot theory I have about this behavior. The remote desktop connection is not password protected and it "may" be possible for someone to personally and maliciously be attacking me. I only think this because most of the software titles uninstalled are ones specifically related to our everyday business needs.

So... What are anyone's suggestions on what the problem may be and how to fix this from happening again. If anyone agrees with my "hacker" theory, is there any way to find out if and when someone actually logged on to my computer?


See More: Software misteriously missing from computer this morning

Report •

#1
September 12, 2014 at 14:05:34
Have you checked with your IT Department?

Report •

#2
September 12, 2014 at 15:13:36
If your IT department can't help you, get back to us.

You are almost for sure infected, your standard tools ( AV etc ) will no longer be able to help you.


Report •

#3
September 13, 2014 at 07:49:38
We are a very small local business and do not have an IT department. Our network consists of only 4 computers networked with basic windows networking, and no server. Technically speaking I guess I am the IT department.

An update to the situation now... As stated yesterday I reinstalled all the software that was mysteriously removed and continued on with the day as usual without any issues. This morning I tried to remote desktop from home as I usually do just to check on everything. but now it is saying my login credentials are incorrect. They were fine yesterday when I successfully logged on remotely but not this morning??? Also as stated before, I do not use a password when connecting, and now that it is stating my credentials are incorrect it is basically saying that someone/something added a password sometime last night.

Further suggestions? unfortunately I will not be physically back in office to attempt solutions, and was hoping to accomplish anything through remote desktop connection, but that will no longer work right now.


Report •

Related Solutions

#4
September 13, 2014 at 18:09:35
"my credentials are incorrect"

Try the fixes here.
http://social.technet.microsoft.com...
http://superuser.com/questions/6044...
http://serverfault.com/questions/47...
https://4sysops.com/archives/how-to...

Once you get a connection, let us know & we can try special programs to fix the infections.

message edited by Johnw


Report •

#5
September 13, 2014 at 19:32:41
You have remote access that's not password protected. That'd be where I'd start looking.

Report •

#6
September 14, 2014 at 04:05:17
DAVEINCAPS I agree.

I done a course with a fella that could access our laptops networked through a switch. He would open the CD tray on EVERY windows pc simultaneously and said he could plant or steal files or make all of our computers shut down....

Basically an unprotected system is open to all sorts of behaviours which describes the OPs post.

He described the MS operating system as a walled garden with the gate left wide open.

He was a Linux freak and very adept at OS security penetration. Very good with the MS OS too.

I'm sure he wasn't a one off...


Report •

#7
September 15, 2014 at 10:40:20
Ok came into work this morning and not only could I not log into my user account due to it being now password protected, but there were 2 additional accounts listed in the login screen. The names were "Hack" and "timmy" and both of those were also password protected. It took me all morning to finally be able to successfully log in. I ultimately used a tool that removes all passwords by booting from a USB.

Now that I am logged in, everything "seems" ok so far with few exceptions. I went to the users section of the control panel to delete those other 2 users that were somehow added, but only the "timmy" user was listed, and not the "Hack" user.

I did a restart and once again its now asking for a password again. Re-booted from USB to clear the password again and now successfully logged back in. I actually created my own password this time (as opposed to a blank one prior) and am writing this before I attempt another restart to see what happens.

So... Any suggestions on the mysterious behavior? Could this still just be a virus or is it a hacker of some sort? An additional note... like stated in my original post, today once successfully logged back in, after a minute or so I was returned to the login screen and had to log in a second time. I then went to the task manager and under the users tab there were 2 listings...
User       ID       Status       Client Name       Session
Joe       1       Active       Console      
Joe       2       Active       SEGUN-PC       RDP-Tcp#0 <-------This is a mysterious user logged in which I proceeded to disconnect.

Is there any way to check if someone has been logging onto my computer, maybe somewhere in the event viewer? And if a virus, what kind and how do remove it since MBAM is showing clean?


Report •

#8
September 15, 2014 at 16:23:41
Because so much stuff has been going on, I would start by going down the virus path.

This is the first step down that path.

Run ESET Online Scanner, Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
You may have to download ESET from a good computer, put it on a flash/thumb/pen drive & run it from there, if your comp is unbootable, or won't let you download.
Create a ESET SysRescue CD or USB drive
http://kb.eset.com/esetkb/index?pag...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://kb.eset.com/esetkb/index?pag...
Configure ESET this way & disable your AV.
http://i.imgur.com/3U7YC.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Which web browsers are compatible with ESET Online Scanner?
http://www.nod32.fi/eset-online-sca...
http://kb.eset.com/esetkb/index?pag...
Online Scanner not working
http://kb.eset.com/esetkb/index?pag...
Why Would I Ever Need an Online Virus Scanner? I already have an antivirus program installed, isn't that enough?
http://www.squidoo.com/the-best-fre...
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://kb.eset.com/esetkb/index?pag...
http://www.eset.com/home/products/o...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\EsetOnlineScanner\log.txt". You can view this file by navigating to the directory and double-clicking on it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start ? Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...


Report •

#9
September 15, 2014 at 19:30:06
Until you solve this problem, I would recommend turning off any remote access and probably even shutting down the computer at night.
I would recommend getting a network security specialist to install a secure VPN for your remote access (probably a business class router will be needed) and plug those holes in your security.
Right now, the hacker is just playing annoying games with you but if he/she gets nasty or bored and decides to post the access details on some hacker forum publicly, you could be in major trouble.

You have to be a little bit crazy to keep you from going insane.


Report •

#10
September 15, 2014 at 19:57:16
Here are some tools, if you want to try before running ESET.

Windows Forensics: Have I been Hacked?
http://www.bleepingcomputer.com/tut...


Report •

#11
September 15, 2014 at 20:42:53
You know how to hack passwords but are oblivious to security. That is something I don't understand.

Uninstall the remote desktop application as it seems something that was promoted by hackers.

Teamviewer and logmein are better solutions to access remote PC's and encrypted.
There are free versions and premium versions.

Every PC at work should have password protected accounts and even the ctrl-alt-del sequence activated.


Report •

#12
September 16, 2014 at 07:39:24
Ran scan overnight and it found 4 threats. Details of log file are below but it seems to have little detail. I hope this is the right log file. The path in the previous post did not exist for the log file but did find one at "C:\Program Files (x86)\ESET\EsetOnlineScanner\log.txt".

Here is the log file:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

The scan results are here:

C:\Users\Joe\Application Data\Mozilla\Firefox\Extensions\MozillaHotfix\chrome\content\update.js JS/Adware.Chromex.B application
C:\Users\Joe\Application Data\WinLive\MSWinLive.dll a variant of MSIL/Adware.BHO.B application
C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix\chrome\content\update.js JS/Adware.Chromex.B application cleaned by deleting - quarantined
C:\Users\Joe\AppData\Roaming\WinLive\MSWinLive.dll a variant of MSIL/Adware.BHO.B application cleaned by deleting - quarantined

What now? Should I delete the quarantined files?


Report •

#13
September 16, 2014 at 11:06:49
"I hope this is the right log file"
Yes.
"What now? Should I delete the quarantined files?"
Yes please.

Step 2: Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of it's location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alchohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual"

If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you recieve the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.


Report •

#14
September 25, 2014 at 20:20:46
Sorry for the late reply. Took some time off and been busy with other things. My computer has been running good since the last posting, with a few exceptions I will get to in a minute. I added a password to my account, and since have had no other suspicious activity.

My problem now is that I cannot send or receive any mail through my Verizon account through Outlook. I have other accounts in Outlook that work fine, but my Verizon account (which is my main account) doesn't work. Obviously I checked and rechecked my server names, ports, user name & password, security and etc., but it just wont work. Its "almost" as if the mail server is being blocked in a firewall or something. I did check firewall settings though and found nothing . The error I am getting is: "Outlook cannot connect to your incoming (POP3) email server. If you continue to receive this error contact your administrator." The same message for Outgoing mail (SMTP).

Now this may be related or just a coincidence, but if I try to log on to my Verizon email account through the Verizon website directly, I also cannot log on. The Verizon page will load just fine, but when I hover over the log in link, usually a dropdown menu appears where I can enter my user ID/ Password, but in my case it is just a blank dropdown area. After a few minutes that "blank" dropdown will display the "This webpage cannot be displayed" message as if you are trying to open a page that doesn't exist. Its hard to verbally explain how its not working but I hope I did my best. The funny thing about this problem is that this particular website log in link will not work on ALL computers on my work network, not just mine (On my home computer, my outlook and the Verizon webpage are working fine). Now, strangely enough, if I switch to the Spanish version of the site, the login dropdown displays correctly, but when I switch back to English its gone again. Like stated before, I don't know if its related to my Outlook problem, but its worth mentioning. I tried enabling and disabling all types of Active X and security features and even went as far as resetting Internet Explorer to its default settings but nothing fixes it.

Now back to where we last left off. I ran combofix and here are the results:

ComboFix 14-09-24.01 - Joe 09/25/2014 17:17:58.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3982.1892 [GMT -4:00]
Running from: c:\users\Joe\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\7576AccountantCenter.html
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\ac.css
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\ac.js
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\close_pop.png
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\jq.css
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\jquery.corner.js
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\jquery.min.js
c:\users\Joe\AppData\Local\Microsoft\Windows\Temporary Internet Files\qbw.css
c:\users\Joe\AppData\Local\TapTap
c:\users\Joe\AppData\Local\TapTap\score.xml
c:\windows\Fonts\USPSIMBStandard.ttf
.
.
((((((((((((((((((((((((( Files Created from 2014-08-25 to 2014-09-25 )))))))))))))))))))))))))))))))
.
.
2014-09-25 21:24 . 2014-09-25 21:24 -------- d-----w- c:\users\Remote Login\AppData\Local\temp
2014-09-25 21:24 . 2014-09-25 21:24 -------- d-----w- c:\users\QBDataServiceUser24\AppData\Local\temp
2014-09-25 21:24 . 2014-09-25 21:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-09-25 13:48 . 2014-09-25 13:48 -------- d-sh--w- c:\users\Joe\AppData\Local\EmieUserList
2014-09-25 13:48 . 2014-09-25 13:48 -------- d-sh--w- c:\users\Joe\AppData\Local\EmieSiteList
2014-09-25 13:34 . 2014-09-25 13:54 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-09-25 12:51 . 2014-09-25 12:51 -------- d-----w- c:\programdata\PDFC
2014-09-24 05:45 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-24 05:45 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-23 06:47 . 2014-09-23 06:47 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C2F961B9-F9BF-492D-A664-4849B233EE46}\offreg.dll
2014-09-23 06:46 . 2014-09-09 02:05 11578928 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{C2F961B9-F9BF-492D-A664-4849B233EE46}\mpengine.dll
2014-09-16 01:24 . 2014-09-16 01:24 -------- d-----w- c:\program files (x86)\ESET
2014-09-15 19:06 . 2014-09-15 19:21 -------- d-----w- c:\programdata\Recovery
2014-09-15 17:06 . 2014-09-25 21:16 -------- d-----w- c:\users\QBDataServiceUser24.JOE
2014-09-14 07:14 . 2014-09-14 07:14 -------- d-----w- c:\windows\Migration
2014-09-12 14:23 . 2014-09-12 14:23 -------- d-----w- C:\PROJECTTEMPLATESROOT
2014-09-12 14:01 . 2014-09-12 14:01 -------- d-----w- c:\program files (x86)\Common Files\Nuance
2014-09-12 14:01 . 2014-09-12 14:01 -------- d-----w- c:\programdata\Nuance
2014-09-11 14:48 . 2014-09-25 13:34 128728 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-09-11 07:01 . 2014-06-27 02:08 2777088 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-09-11 07:01 . 2014-06-27 01:45 2285056 ----a-w- c:\windows\SysWow64\msmpeg2vdec.dll
2014-09-10 17:01 . 2014-09-10 17:01 -------- d-----w- c:\users\Joe\AppData\Local\Macroplant_LLC
2014-09-10 16:58 . 2014-09-11 14:41 -------- d-----w- c:\program files (x86)\iExplorer
2014-09-10 07:23 . 2014-08-01 11:53 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
2014-09-10 07:23 . 2014-08-01 11:35 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
2014-09-10 07:23 . 2014-06-24 03:29 2565120 ----a-w- c:\windows\system32\d3d10warp.dll
2014-09-10 07:23 . 2014-06-24 02:59 1987584 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2014-09-10 07:23 . 2014-07-07 02:06 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-09-10 07:23 . 2014-07-07 02:06 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-09-10 07:23 . 2014-07-07 01:40 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-09-10 07:23 . 2014-07-07 01:40 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-09-10 07:23 . 2014-07-07 01:39 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-09-10 07:23 . 2014-09-05 02:10 578048 ----a-w- c:\windows\system32\aepdu.dll
2014-09-10 07:23 . 2014-09-05 02:05 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-09-10 02:33 . 2014-09-10 02:33 -------- d-----w- c:\users\Joe\Tracing
2014-08-28 07:58 . 2014-08-23 02:07 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-28 07:58 . 2014-08-23 01:45 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-08-28 07:58 . 2014-08-23 00:59 3163648 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-25 13:34 . 2014-07-15 17:13 92888 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-09-15 13:06 . 2010-11-21 03:27 278152 ------w- c:\windows\system32\MpSigStub.exe
2014-09-11 14:56 . 2012-12-06 19:10 210944 ----a-w- c:\windows\system32\rdpclip.exe
2014-09-11 07:02 . 2013-02-27 17:56 101694776 ----a-w- c:\windows\system32\MRT.exe
2014-09-02 12:15 . 2011-03-29 02:36 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2014-07-25 06:35 . 2014-07-25 06:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
2014-07-25 03:47 . 2014-07-25 03:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2014-07-14 02:02 . 2014-08-12 19:54 1216000 ----a-w- c:\windows\system32\rpcrt4.dll
2014-07-14 01:40 . 2014-08-12 19:54 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2014-07-09 02:03 . 2014-08-12 19:54 7168 ----a-w- c:\windows\system32\KBDYAK.DLL
2014-07-09 02:03 . 2014-08-12 19:54 7168 ----a-w- c:\windows\system32\KBDTAT.DLL
2014-07-09 02:03 . 2014-08-12 19:54 7168 ----a-w- c:\windows\system32\KBDRU1.DLL
2014-07-09 02:03 . 2014-08-12 19:54 6656 ----a-w- c:\windows\system32\KBDRU.DLL
2014-07-09 02:03 . 2014-08-12 19:54 7168 ----a-w- c:\windows\system32\KBDBASH.DLL
2014-07-09 01:31 . 2014-08-12 19:54 7168 ----a-w- c:\windows\SysWow64\KBDYAK.DLL
2014-07-09 01:31 . 2014-08-12 19:54 6656 ----a-w- c:\windows\SysWow64\KBDBASH.DLL
2014-06-30 22:24 . 2014-08-13 07:01 8856 ----a-w- c:\windows\system32\icardres.dll
2014-06-30 22:14 . 2014-08-13 07:01 8856 ----a-w- c:\windows\SysWow64\icardres.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-11-21 . E589BCD6041786C5E38E2D223C24C193 . 680960 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-t..teconnectionmanager_31bf3856ad364e35_6.1.7601.17514_none_ecc547376ae3a1a3\termsrv.dll
[-] 2010-11-21 . E589BCD6041786C5E38E2D223C24C193 . 680960 . . [6.1.7601.17514] .. c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2013-01-14 21:12 1020424 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2013-01-14 21:12 1020424 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2013-01-14 21:12 1020424 ----a-r- c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2013-11-20 59720]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2013-11-20 59720]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Carbonite Backup"="c:\program files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe" [2013-01-14 1065480]
"SwitchBoard"="c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS6ServiceManager"="c:\program files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" [2012-03-09 1073312]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe" [2011-09-05 36760]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe" [2011-09-05 2904984]
"Intuit SyncManager"="c:\program files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2014-06-26 3775800]
.
c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-12-2 576000]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Intuit Data Protect.lnk - c:\program files (x86)\Common Files\Intuit\DataProtect\IntuitDataProtect.exe /Startup [2014-6-26 6306104]
OSR_TinyWeb.lnk - c:\program files (x86)\Intuit\IDN\Common\TinyWeb\TINY.EXE "c:\program files (x86)\Intuit\IDN" 2211 127.0.0.1 [2013-11-7 58880]
QuickBooks Update Agent.lnk - c:\program files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2014-6-26 1129288]
QuickBooks_Standard_21.lnk - c:\program files (x86)\Intuit\QuickBooks 2014\QBW32.EXE -silent [2014-6-26 1215816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 QuickBooksDB24;QuickBooksDB24;c:\progra~2\Intuit\QUICKB~3\QBDBMgrN.exe;c:\progra~2\Intuit\QUICKB~3\QBDBMgrN.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S2 CalendarSynchService;CalendarSynchService;c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe;c:\program files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 MySQL55;MySQL55;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\programdata\MySQL\MySQL Server 5.5\my.ini MySQL55;c:\program files\MySQL\MySQL Server 5.5\bin\mysqld --defaults-file=c:\programdata\MySQL\MySQL Server 5.5\my.ini MySQL55 [x]
S2 QBVSS;QBIDPService;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe;c:\program files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - PROCMON23
*Deregistered* - PROCMON23
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-26 c:\windows\Tasks\HPCeeScheduleForJoe.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 12:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2013-01-14 21:01 1292808 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2013-01-14 21:01 1292808 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2013-01-14 21:01 1292808 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPSYSDRV"="c:\program files (x86)\Hewlett-Packard\HP Odometer\HPSYSDRV.EXE" [2008-11-20 62768]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"MFNetworkScanUtility"="c:\program files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE" [2012-09-27 486552]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2013-01-11 172144]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2013-01-11 399984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2013-01-11 441968]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: google.com
Trusted Zone: google.com\local
Trusted Zone: google.com\maps
Trusted Zone: google.com\www
TCP: DhcpNameServer = 167.206.245.135 167.206.245.136
TCP: Interfaces\{C8689D7E-ECE1-4260-9B44-C9B66C606ACC}: DhcpNameServer = 167.206.245.135 167.206.245.136
DPF: {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} - hxxps://merchantaccount.quickbooks.com/recurchrg/IntuitRecurPayCom2009.cab
DPF: {5C709EEC-DDE1-4738-8E57-7564E2637891} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom1_2009.cab
DPF: {788539E8-002D-4E59-9089-40B694A99C9A} - hxxps://merchantaccount.quickbooks.com/sync/QBMASSyncCom2_2008.cab
FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\oyv1mqiu.default\
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/?ei=utf-8&fr=tightropetb&type=11053_091114
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=tightropetb&type=11053_091114&p=
FF - ExtSQL: !HIDDEN! 2013-02-18 13:52; hotfix@mozilla.org; c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
FF - user.js: plugin.state.npconduitfirefoxplugin - 0
FF - user.js: plugin.state.nptnt - 2
FF - user.js: plugin.state.nptnt - 2
FF - user.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=tightropetb&type=11053_091114&p=
FF - user.js: browser.search.defaultenginename - Yahoo:
FF - user.js: browser.keywordURLPromptDeclined - 1
FF - user.js: browser.startup.homepage - hxxp://search.yahoo.com/?ei=utf-8&fr=tightropetb&type=11053_091114
FF - user.js: browser.startup.page - 1
FF - user.js: browser.newtab.url - file:///c:\users\Joe\AppData\Local\TNT2\2.0.0.1855\pinnedSearch.htm
FF - user.js: browser.newtab.url -
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-AdobeBridge - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-tvncontrol - c:\program files (x86)\TightVNC\tvnserver.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM_Wow6432Node-ActiveSetup-{438363A8-F486-4C37-834C-4955773CB3D3} - msiexec
WebBrowser-{8D0BF943-CE38-44DF-A40D-B18FD3C8645B} - (no file)
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\MySQL55]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\programdata\MySQL\MySQL Server 5.5\my.ini\" MySQL55"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_9_900_152_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_9_900_152.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B9A09F18-45AB-4F09-A117-A4ADDA8FA8C8}]
@Denied: (A) (Everyone)
"Solution"="{36eb6792-3a29-43b3-8cd0-f67d266fb426}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane\0]
"Key"="ActionsPane"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\8.0\\ActionsPane.xsd"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-09-25 17:26:06
ComboFix-quarantined-files.txt 2014-09-25 21:26
.
Pre-Run: 354,597,793,792 bytes free
Post-Run: 361,665,290,240 bytes free
.
- - End Of File - - 21EBA100AE77A2E8AAB30296B824A2B9


Report •

#15
September 25, 2014 at 20:26:44
"Now back to where we last left off. I ran combofix and here are the results:"
Do you still have the Verizon problem after running Combofix & rebooting?

Report •

#16
September 25, 2014 at 20:40:44
yes, Both the Verizon in Outlook and the Verizon webiste

Report •

#17
September 25, 2014 at 20:43:52
Step 3: Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator to start"

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.

Report •

#18
September 25, 2014 at 21:01:42
Ran the program and here are the results... There was no RKreport[1].txt on my desktop but I clicked the "report" button in RogueKiller itself and it gave me this Hope its correct...

RogueKiller V9.2.13.0 [Sep 25 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Joe [Admin rights]
Mode : Scan -- Date : 09/25/2014 23:57:49

¤¤¤ Bad processes : 1 ¤¤¤
[Suspicious.Path] HPSFfix.exe -- C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFfix.exe[7] -> KILLED [TermThr]

¤¤¤ Registry Entries : 22 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 167.206.245.135 167.206.245.136 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C8689D7E-ECE1-4260-9B44-C9B66C606ACC} | DhcpNameServer : 167.206.245.135 167.206.245.136 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C8689D7E-ECE1-4260-9B44-C9B66C606ACC} | DhcpNameServer : 167.206.245.135 167.206.245.136 -> FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{C8689D7E-ECE1-4260-9B44-C9B66C606ACC} | DhcpNameServer : 167.206.245.135 167.206.245.136 -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2944885638-3624093982-2585505729-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2944885638-3624093982-2585505729-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> FOUND
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redi... -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[Suspicious.Path] \Hewlett-Packard\HP Support Assistant\HPSFfix -- C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFfix.exe (/s /p 1) -> FOUND
[Suspicious.Path] \Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Scan -ScheduleJob -RestrictPrivileges) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 0 (Driver: NOT LOADED [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] oyv1mqiu.default : user_pref("browser.startup.homepage", "http://search.yahoo.com/?ei=utf-8&fr=tightropetb&type=11053_091114"); -> FOUND

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HDS721050CLA660 +++++
--- User ---
[MBR] 21278aa5a72fef1e91c3e4870ebdcac8
[BSP] b97e5e4dd5755e6a6633285e88609b2b : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK


Report •

#19
September 25, 2014 at 21:11:26
Bit by bit we are dismantling the malware.

Run both of these, in this order.
Step 4: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.


Report •

#20
September 25, 2014 at 21:14:15
Opp's, don't think you hit Delete in Roguekiller.

Report •

#21
September 26, 2014 at 06:51:01
Was gonna ask about that. I figured I should have so I did. I just finished running the next two steps and the logs are as follows...

ADWCleaner:
# AdwCleaner v3.310 - Report created 26/09/2014 at 09:26:22
# Updated 12/09/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Joe - JOE
# Running from : C:\Users\Joe\Desktop\adwcleaner_3.310.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\oyv1mqiu.default\user.js

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\biclient_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\biclient_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_free-pdf-unlocker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_free-pdf-unlocker_RASMANCS
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKCU\Software\Softonic
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17280


-\\ Mozilla Firefox v18.0.1 (en-US)

[ File : C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\oyv1mqiu.default\prefs.js ]

Line Deleted : user_pref("plugin.state.npconduitfirefoxplugin", 0);

-\\ Google Chrome v

*************************

AdwCleaner[R0].txt - [2546 octets] - [26/09/2014 09:17:16]
AdwCleaner[S0].txt - [2332 octets] - [26/09/2014 09:26:22]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2392 octets] ##########

JRT:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.2.2 (09.26.2014:2)
OS: Windows 7 Home Premium x64
Ran by Joe on Fri 09/26/2014 at 9:46:15.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{31712969-34FA-45D3-B2C7-B7790F15333F}

~~~ Files

~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Joe\appdata\local\{3F8D38B4-5A31-4ABB-997A-D9C43D23F0DF}

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 09/26/2014 at 9:48:28.94
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Report •

#22
September 26, 2014 at 15:05:57
Step 5: Update & Run Malwarebytes' Anti-Malware ( MBAM ) Free Version. Use Quick scan ( now called Threat Scan )
Make sure you uncheck > Enable free trial < at the END of the install.
http://i.imgur.com/tUFCbYz.gif
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif
Copy and Paste the contents of the log, in your reply please.
http://i.imgur.com/U9IqcVj.gif
http://i.imgur.com/zHMG6J9.gif
Or,
http://i.imgur.com/eLcvyZD.gif

Report •

#23
September 26, 2014 at 15:14:51
Extract from your ADWCleaner log.

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_free-pdf-unlocker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_free-pdf-unlocker_RASMANCS
Key Deleted : HKCU\Software\Softonic

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic )
http://dottech.org/23420/cnet-crapw...


Report •

#24
September 26, 2014 at 18:02:34
Just ran MBAM and camp up clean, Here is the log anyway:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/26/2014
Scan Time: 8:49:24 PM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.09.27.01
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Joe

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 438125
Time Elapsed: 10 min, 23 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Report •

#25
September 26, 2014 at 18:06:47
" Here is the log anyway:"
Good one, we are getting there.

Shortcut Cleaner
http://www.bleepingcomputer.com/dow...
Please download Shortcut Cleaner and save it onto your Desktop & then run. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
Right click the sc-cleaner.exe file and click Run as Administrator to run the application. Follow the prompts and post the contents of sc-cleaner.txt in your next reply.


Report •

#26
September 26, 2014 at 18:20:20
No issues found. Here is the log:

Shortcut Cleaner 1.3.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
http://www.bleepingcomputer.com/dow...

Windows Version: Windows 7 Home Premium Service Pack 1
Program started at: 09/26/2014 09:19:05 PM.

Scanning for registry hijacks:

* No issues found in the Registry.

Searching for Hijacked Shortcuts:

Searching C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\

Searching C:\ProgramData\Microsoft\Windows\Start Menu\

Searching C:\Users\Joe\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\

Searching C:\Users\Public\Desktop\

Searching C:\Users\Joe\Desktop


0 bad shortcuts found.

Program finished at: 09/26/2014 09:19:07 PM
Execution time: 0 hours(s), 0 minute(s), and 2 seconds(s)


Report •

#27
September 26, 2014 at 18:21:54
I will check these logs, don't hang around, it will take me a while to get through them.
Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
http://www.bleepingcomputer.com/dow...
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt).
The logs are large, upload them using this, or upload to a site of your choosing. No account needed. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif

Report •

#28
September 26, 2014 at 18:42:01
FRST.txt log:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-09-2014
Ran by Joe (administrator) on JOE on 26-09-2014 21:33:41
Running from C:\Users\Joe\Desktop
Loaded Profile: Joe (Available profiles: Joe & QBDataServiceUser24)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topi...

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Ivy Computer, Inc.) C:\Program Files (x86)\TrashFlow\TFWV2.exe
(Microsoft Corporation) C:\Windows\splwow64.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\rdpclip.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_11_9_900_152_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\igfxcui: C:\windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2944885638-3624093982-2585505729-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2944885638-3624093982-2585505729-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
ShellIconOverlayIdentifiers: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: Carbonite.Green -> {95A27763-F62A-4114-9072-E81D87DE3B68} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: Carbonite.Partial -> {E300CD91-100F-4E67-9AF3-1384A6124015} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)
ShellIconOverlayIdentifiers-x32: Carbonite.Yellow -> {5E529433-B50E-4bef-A63B-16A6B71B071A} => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteNSE.dll (Carbonite, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redi...
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x1C80CB7404D9CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {31712969-34FA-45D3-B2C7-B7790F15333F} URL = http://www.amazon.com/s/ref=azs_osd...
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-3...
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-3...
SearchScopes: HKCU - DefaultScope {3FC4CDFF-889F-4AAF-B61B-682D020E4724} URL = https://www.google.com/search?q={se...
SearchScopes: HKCU - {3FC4CDFF-889F-4AAF-B61B-682D020E4724} URL = https://www.google.com/search?q={se...
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKCU - No Name - {8D0BF943-CE38-44DF-A40D-B18FD3C8645B} - No File
DPF: HKLM-x32 {0AD584EB-F10F-46F7-BCB8-1085C386BEAE} https://merchantaccount.quickbooks....
DPF: HKLM-x32 {5C709EEC-DDE1-4738-8E57-7564E2637891} https://merchantaccount.quickbooks....
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eo...
DPF: HKLM-x32 {788539E8-002D-4E59-9089-40B694A99C9A} https://merchantaccount.quickbooks....
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - No File
Handler-x32: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - C:\Program Files (x86)\Intuit\QuickBooks 2014\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler-x32: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\windows\SysWOW64\mscoree.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 167.206.245.135 167.206.245.136

FireFox:
========
FF ProfilePath: C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\oyv1mqiu.default
FF NewTab: user_pref("browser.newtab.url", "");
FF DefaultSearchEngine: Yahoo:
FF Homepage: hxxp://search.yahoo.com/?ei=utf-8&fr=tightropetb&type=11053_091114
FF Keyword.URL: hxxp://search.yahoo.com/search?ei=utf-8&fr=tightropetb&type=11053_091114&p=
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2013-02-07]
FF HKLM-x32\...\Firefox\Extensions: [hotfix@mozilla.org] - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
FF Extension: Mozilla hotfix - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix [2013-02-18]
FF HKCU\...\Firefox\Extensions: [hotfix@mozilla.org] - C:\Users\Joe\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix

Chrome:
=======
CHR Profile: C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (No Name) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-11]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [86528 2012-09-27] (Hewlett-Packard Company) [File not signed]
S4 MySQL55; C:\ProgramData\MySQL\MySQL Server 5.5\my.ini [9172 2014-09-12] () [File not signed]
S4 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2014-06-26] (Intuit) [File not signed]
S4 QBFCService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [65536 2014-06-26] (Intuit Inc.) [File not signed]
S4 QBVSS; C:\Program Files (x86)\Common Files\Intuit\DataProtect\QBIDPService.exe [1248256 2014-06-26] (Intuit Inc.) [File not signed]
S4 QuickBooksDB24; C:\Program Files (x86)\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2014-06-26] (Intuit, Inc.) [File not signed]
S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 TermService; C:\Windows\System32\termsrv.dll [680960 2010-11-20] (Microsoft Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-09-26] ()
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-26 21:33 - 2014-09-26 21:33 - 02108928 _____ (Farbar) C:\Users\Joe\Desktop\FRST64.exe
2014-09-26 21:33 - 2014-09-26 21:33 - 00011924 _____ () C:\Users\Joe\Desktop\FRST.txt
2014-09-26 21:33 - 2014-09-26 21:33 - 00000000 ____D () C:\FRST
2014-09-26 21:19 - 2014-09-26 21:19 - 00001784 _____ () C:\sc-cleaner.txt
2014-09-26 21:18 - 2014-09-26 21:18 - 00441592 _____ (Bleeping Computer, LLC) C:\Users\Joe\Desktop\sc-cleaner.exe
2014-09-26 15:35 - 2014-09-26 15:35 - 00000000 ____D () C:\windows\pss
2014-09-26 09:48 - 2014-09-26 09:48 - 00000885 _____ () C:\Users\Joe\Desktop\JRT.txt
2014-09-26 09:46 - 2014-09-26 09:46 - 00000000 ____D () C:\windows\ERUNT
2014-09-26 09:45 - 2014-09-26 09:45 - 00002488 _____ () C:\Users\Joe\Desktop\AdwCleaner[S0].txt
2014-09-26 09:44 - 2014-09-26 09:44 - 01699118 _____ (Thisisu) C:\Users\Joe\Desktop\JRT.exe
2014-09-26 09:17 - 2014-09-26 09:26 - 00000000 ____D () C:\AdwCleaner
2014-09-26 09:17 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\windows\SysWOW64\sqlite3.dll
2014-09-26 09:15 - 2014-09-26 09:15 - 01373475 _____ () C:\Users\Joe\Desktop\adwcleaner_3.310.exe
2014-09-25 23:54 - 2014-09-26 20:28 - 00034808 _____ () C:\windows\system32\Drivers\TrueSight.sys
2014-09-25 23:54 - 2014-09-25 23:54 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-09-25 23:53 - 2014-09-25 23:53 - 04893784 _____ () C:\Users\Joe\Desktop\RogueKiller.exe
2014-09-25 17:26 - 2014-09-25 17:26 - 00023817 _____ () C:\ComboFix.txt
2014-09-25 17:15 - 2014-09-25 17:26 - 00000000 ____D () C:\Qoobox
2014-09-25 17:15 - 2011-06-26 02:45 - 00256000 _____ () C:\windows\PEV.exe
2014-09-25 17:15 - 2010-11-07 13:20 - 00208896 _____ () C:\windows\MBR.exe
2014-09-25 17:15 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) C:\windows\NIRCMD.exe
2014-09-25 17:15 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) C:\windows\SWREG.exe
2014-09-25 17:15 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) C:\windows\SWSC.exe
2014-09-25 17:15 - 2000-08-30 20:00 - 00098816 _____ () C:\windows\sed.exe
2014-09-25 17:15 - 2000-08-30 20:00 - 00080412 _____ () C:\windows\grep.exe
2014-09-25 17:15 - 2000-08-30 20:00 - 00068096 _____ () C:\windows\zip.exe
2014-09-25 17:14 - 2014-09-25 17:25 - 00000000 ____D () C:\windows\erdnt
2014-09-25 09:48 - 2014-09-25 09:48 - 00000000 __SHD () C:\Users\Joe\AppData\Local\EmieUserList
2014-09-25 09:48 - 2014-09-25 09:48 - 00000000 __SHD () C:\Users\Joe\AppData\Local\EmieSiteList
2014-09-25 09:34 - 2014-09-25 09:54 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-09-25 09:33 - 2014-09-25 09:33 - 14349744 _____ (Malwarebytes Corp.) C:\Users\Joe\Downloads\mbar-1.07.0.1012.exe
2014-09-25 09:22 - 2014-09-25 09:22 - 00000000 ____D () C:\Users\Joe\Desktop\ProcessMonitor
2014-09-25 08:51 - 2014-09-25 08:51 - 00000000 ____D () C:\ProgramData\PDFC
2014-09-24 22:59 - 2014-09-24 22:59 - 00000000 ____D () C:\Users\Joe\Desktop\ProcessExplorer
2014-09-24 22:11 - 2014-09-24 22:11 - 00000000 ____D () C:\Users\Joe\Desktop\TCPView
2014-09-24 22:09 - 2014-09-24 22:09 - 00386464 _____ (Bleeping Computer, LLC) C:\Users\Joe\Desktop\show-hidden.exe
2014-09-24 22:03 - 2014-09-25 17:14 - 05580995 ____R (Swearware) C:\Users\Joe\Desktop\ComboFix.exe
2014-09-24 01:45 - 2014-09-09 18:11 - 00002048 _____ (Microsoft Corporation) C:\windows\system32\tzres.dll
2014-09-24 01:45 - 2014-09-09 17:47 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll
2014-09-16 13:47 - 2014-09-16 13:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
2014-09-16 13:02 - 2014-09-16 13:02 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2014-09-16 13:02 - 2014-09-16 13:02 - 00002010 _____ () C:\Users\Public\Desktop\Adobe Reader XI.lnk
2014-09-15 15:06 - 2014-09-15 15:21 - 00000000 ____D () C:\ProgramData\Recovery
2014-09-15 13:06 - 2014-09-25 17:16 - 00000000 ____D () C:\Users\QBDataServiceUser24.JOE
2014-09-15 13:06 - 2014-09-15 13:06 - 00000020 ___SH () C:\Users\QBDataServiceUser24.JOE\ntuser.ini
2014-09-15 13:06 - 2013-04-17 03:00 - 00000000 ____D () C:\Users\QBDataServiceUser24.JOE\AppData\Local\Microsoft Help
2014-09-15 13:06 - 2012-12-11 10:28 - 00000000 ____D () C:\Users\QBDataServiceUser24.JOE\AppData\Roaming\Macromedia
2014-09-15 13:06 - 2012-11-21 16:57 - 00000000 ____D () C:\Users\QBDataServiceUser24.JOE\AppData\Local\Hewlett-Packard
2014-09-15 13:06 - 2009-07-14 00:54 - 00000000 ___RD () C:\Users\QBDataServiceUser24.JOE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2014-09-15 13:06 - 2009-07-14 00:49 - 00000000 ___RD () C:\Users\QBDataServiceUser24.JOE\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2014-09-12 12:30 - 2014-09-12 12:30 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MySQL
2014-09-12 10:29 - 2014-09-12 10:31 - 00000990 _____ () C:\Users\Public\Desktop\Trash Flow.lnk
2014-09-12 10:24 - 2014-09-12 10:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intuit SDKs
2014-09-12 10:23 - 2014-09-12 10:23 - 00000000 ____D () C:\PROJECTTEMPLATESROOT
2014-09-12 10:01 - 2014-09-12 10:01 - 00000000 ____D () C:\ProgramData\Nuance
2014-09-12 09:35 - 2014-09-12 09:35 - 00537728 _____ () C:\Users\Joe\Downloads\Setup_QuickBooksPro2014.exe
2014-09-11 10:48 - 2014-09-26 20:49 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-11 03:09 - 2014-08-19 14:05 - 00374968 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll
2014-09-11 03:09 - 2014-08-19 13:39 - 00327872 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll
2014-09-11 03:09 - 2014-08-18 19:01 - 23591424 _____ (Microsoft Corporation) C:\windows\system32\mshtml.dll
2014-09-11 03:09 - 2014-08-18 18:29 - 02724864 _____ (Microsoft Corporation) C:\windows\system32\mshtml.tlb
2014-09-11 03:09 - 2014-08-18 18:29 - 00004096 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollectorres.dll
2014-09-11 03:09 - 2014-08-18 18:26 - 17455104 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.dll
2014-09-11 03:09 - 2014-08-18 18:20 - 02793984 _____ (Microsoft Corporation) C:\windows\system32\iertutil.dll
2014-09-11 03:09 - 2014-08-18 18:19 - 05833728 _____ (Microsoft Corporation) C:\windows\system32\jscript9.dll
2014-09-11 03:09 - 2014-08-18 18:15 - 00547328 _____ (Microsoft Corporation) C:\windows\system32\vbscript.dll
2014-09-11 03:09 - 2014-08-18 18:15 - 00066048 _____ (Microsoft Corporation) C:\windows\system32\iesetup.dll
2014-09-11 03:09 - 2014-08-18 18:14 - 00083968 _____ (Microsoft Corporation) C:\windows\system32\MshtmlDac.dll
2014-09-11 03:09 - 2014-08-18 18:14 - 00048640 _____ (Microsoft Corporation) C:\windows\system32\ieetwproxystub.dll
2014-09-11 03:09 - 2014-08-18 18:08 - 04232704 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9.dll
2014-09-11 03:09 - 2014-08-18 18:08 - 00051200 _____ (Microsoft Corporation) C:\windows\system32\jsproxy.dll
2014-09-11 03:09 - 2014-08-18 18:08 - 00033792 _____ (Microsoft Corporation) C:\windows\system32\iernonce.dll
2014-09-11 03:09 - 2014-08-18 18:05 - 00596480 _____ (Microsoft Corporation) C:\windows\system32\ieui.dll
2014-09-11 03:09 - 2014-08-18 18:03 - 00758272 _____ (Microsoft Corporation) C:\windows\system32\jscript9diag.dll
2014-09-11 03:09 - 2014-08-18 18:03 - 00139264 _____ (Microsoft Corporation) C:\windows\system32\ieUnatt.exe
2014-09-11 03:09 - 2014-08-18 18:03 - 00111616 _____ (Microsoft Corporation) C:\windows\system32\ieetwcollector.exe
2014-09-11 03:09 - 2014-08-18 17:57 - 02724864 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtml.tlb
2014-09-11 03:09 - 2014-08-18 17:56 - 00940032 _____ (Microsoft Corporation) C:\windows\system32\MsSpellCheckingFacility.exe
2014-09-11 03:09 - 2014-08-18 17:51 - 00446464 _____ (Microsoft Corporation) C:\windows\system32\dxtmsft.dll
2014-09-11 03:09 - 2014-08-18 17:46 - 00454656 _____ (Microsoft Corporation) C:\windows\SysWOW64\vbscript.dll
2014-09-11 03:09 - 2014-08-18 17:45 - 00072704 _____ (Microsoft Corporation) C:\windows\system32\JavaScriptCollectionAgent.dll
2014-09-11 03:09 - 2014-08-18 17:45 - 00061952 _____ (Microsoft Corporation) C:\windows\SysWOW64\iesetup.dll
2014-09-11 03:09 - 2014-08-18 17:44 - 00061952 _____ (Microsoft Corporation) C:\windows\SysWOW64\MshtmlDac.dll
2014-09-11 03:09 - 2014-08-18 17:44 - 00051200 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieetwproxystub.dll
2014-09-11 03:09 - 2014-08-18 17:42 - 02185728 _____ (Microsoft Corporation) C:\windows\SysWOW64\iertutil.dll
2014-09-11 03:09 - 2014-08-18 17:40 - 00195584 _____ (Microsoft Corporation) C:\windows\system32\msrating.dll
2014-09-11 03:09 - 2014-08-18 17:39 - 00085504 _____ (Microsoft Corporation) C:\windows\system32\mshtmled.dll
2014-09-11 03:09 - 2014-08-18 17:39 - 00043008 _____ (Microsoft Corporation) C:\windows\SysWOW64\jsproxy.dll
2014-09-11 03:09 - 2014-08-18 17:39 - 00032768 _____ (Microsoft Corporation) C:\windows\SysWOW64\iernonce.dll
2014-09-11 03:09 - 2014-08-18 17:38 - 00289280 _____ (Microsoft Corporation) C:\windows\system32\dxtrans.dll
2014-09-11 03:09 - 2014-08-18 17:37 - 00440320 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieui.dll
2014-09-11 03:09 - 2014-08-18 17:36 - 00112128 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieUnatt.exe
2014-09-11 03:09 - 2014-08-18 17:35 - 00597504 _____ (Microsoft Corporation) C:\windows\SysWOW64\jscript9diag.dll
2014-09-11 03:09 - 2014-08-18 17:27 - 00365056 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtmsft.dll
2014-09-11 03:09 - 2014-08-18 17:25 - 00727040 _____ (Microsoft Corporation) C:\windows\system32\msfeeds.dll
2014-09-11 03:09 - 2014-08-18 17:25 - 00707072 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe
2014-09-11 03:09 - 2014-08-18 17:23 - 02104832 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl
2014-09-11 03:09 - 2014-08-18 17:23 - 01249280 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll
2014-09-11 03:09 - 2014-08-18 17:22 - 00060416 _____ (Microsoft Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-09-11 03:09 - 2014-08-18 17:19 - 00164864 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll
2014-09-11 03:09 - 2014-08-18 17:17 - 00243200 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll
2014-09-11 03:09 - 2014-08-18 17:17 - 00069632 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll
2014-09-11 03:09 - 2014-08-18 17:16 - 13588480 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll
2014-09-11 03:09 - 2014-08-18 17:15 - 11769856 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll
2014-09-11 03:09 - 2014-08-18 17:15 - 02310656 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll
2014-09-11 03:09 - 2014-08-18 17:09 - 00603136 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll
2014-09-11 03:09 - 2014-08-18 17:08 - 02014208 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl
2014-09-11 03:09 - 2014-08-18 17:07 - 01068032 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll
2014-09-11 03:09 - 2014-08-18 16:55 - 01447424 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll
2014-09-11 03:09 - 2014-08-18 16:46 - 01812992 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll
2014-09-11 03:09 - 2014-08-18 16:38 - 01190400 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll
2014-09-11 03:09 - 2014-08-18 16:38 - 00775168 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll
2014-09-11 03:09 - 2014-08-18 16:36 - 00678400 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll
2014-09-11 03:01 - 2014-06-26 22:08 - 02777088 _____ (Microsoft Corporation) C:\windows\system32\msmpeg2vdec.dll
2014-09-11 03:01 - 2014-06-26 21:45 - 02285056 _____ (Microsoft Corporation) C:\windows\SysWOW64\msmpeg2vdec.dll
2014-09-10 13:01 - 2014-09-10 13:01 - 00000000 ____D () C:\Users\Joe\AppData\Local\Macroplant_LLC
2014-09-10 12:58 - 2014-09-11 10:41 - 00000000 ____D () C:\Program Files (x86)\iExplorer
2014-09-10 12:57 - 2014-09-10 12:57 - 11221024 _____ (Macroplant LLC ) C:\Users\Joe\Downloads\iExplorer_setup_3321.exe
2014-09-10 03:23 - 2014-09-04 22:10 - 00578048 _____ (Microsoft Corporation) C:\windows\system32\aepdu.dll
2014-09-10 03:23 - 2014-09-04 22:05 - 00424448 _____ (Microsoft Corporation) C:\windows\system32\aeinv.dll
2014-09-10 03:23 - 2014-08-01 07:53 - 01031168 _____ (Microsoft Corporation) C:\windows\system32\TSWorkspace.dll
2014-09-10 03:23 - 2014-08-01 07:35 - 00793600 _____ (Microsoft Corporation) C:\windows\SysWOW64\TSWorkspace.dll
2014-09-10 03:23 - 2014-07-06 22:06 - 01460736 _____ (Microsoft Corporation) C:\windows\system32\lsasrv.dll
2014-09-10 03:23 - 2014-07-06 22:06 - 00728064 _____ (Microsoft Corporation) C:\windows\system32\kerberos.dll
2014-09-10 03:23 - 2014-07-06 21:40 - 00550912 _____ (Microsoft Corporation) C:\windows\SysWOW64\kerberos.dll
2014-09-10 03:23 - 2014-07-06 21:40 - 00022016 _____ (Microsoft Corporation) C:\windows\SysWOW64\secur32.dll
2014-09-10 03:23 - 2014-07-06 21:39 - 00096768 _____ (Microsoft Corporation) C:\windows\SysWOW64\sspicli.dll
2014-09-10 03:23 - 2014-06-23 23:29 - 02565120 _____ (Microsoft Corporation) C:\windows\system32\d3d10warp.dll
2014-09-10 03:23 - 2014-06-23 22:59 - 01987584 _____ (Microsoft Corporation) C:\windows\SysWOW64\d3d10warp.dll
2014-09-09 22:33 - 2014-09-09 22:33 - 00000000 ____D () C:\Users\Joe\Tracing
2014-08-28 03:58 - 2014-08-22 22:07 - 00404480 _____ (Microsoft Corporation) C:\windows\system32\gdi32.dll
2014-08-28 03:58 - 2014-08-22 21:45 - 00311808 _____ (Microsoft Corporation) C:\windows\SysWOW64\gdi32.dll
2014-08-28 03:58 - 2014-08-22 20:59 - 03163648 _____ (Microsoft Corporation) C:\windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-26 21:31 - 2012-12-02 14:36 - 01489921 _____ () C:\windows\WindowsUpdate.log
2014-09-26 16:10 - 2012-12-02 17:25 - 00000000 ____D () C:\RGB Tools
2014-09-26 15:44 - 2009-07-14 00:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-26 15:44 - 2009-07-14 00:45 - 00024608 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-26 15:37 - 2013-07-22 20:02 - 00000632 __RSH () C:\Users\Joe\ntuser.pol
2014-09-26 15:37 - 2012-12-02 14:38 - 00000000 ____D () C:\Users\Joe
2014-09-26 15:36 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-09-26 15:36 - 2009-07-14 00:51 - 00042116 _____ () C:\windows\setupact.log
2014-09-26 15:16 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\system32\NDF
2014-09-26 14:02 - 2012-12-02 17:25 - 00000000 ____D () C:\QuickBooks Company File
2014-09-26 09:38 - 2010-11-20 23:47 - 00892846 _____ () C:\windows\PFRO.log
2014-09-26 00:55 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\rescache
2014-09-25 22:23 - 2012-12-05 15:34 - 00000000 ____D () C:\Users\Joe\AppData\Local\CrashDumps
2014-09-25 22:23 - 2011-02-11 13:15 - 00800560 _____ () C:\windows\SysWOW64\PerfStringBackup.INI
2014-09-25 17:26 - 2009-07-13 23:20 - 00000000 __RHD () C:\Users\Default
2014-09-25 17:24 - 2009-07-13 22:34 - 00000215 _____ () C:\windows\system.ini
2014-09-25 09:34 - 2014-07-15 13:13 - 00092888 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys
2014-09-25 08:51 - 2012-11-21 17:00 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Productivity and Tools
2014-09-22 12:38 - 2014-05-30 12:45 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\Download Manager
2014-09-16 13:03 - 2012-12-11 10:20 - 00000000 ____D () C:\Users\Joe\AppData\Local\Adobe
2014-09-16 13:02 - 2012-12-11 10:28 - 00000000 ____D () C:\Program Files (x86)\Adobe
2014-09-16 13:02 - 2012-12-11 10:25 - 00000000 ____D () C:\ProgramData\Adobe
2014-09-15 23:10 - 2013-02-18 14:52 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\WinLive
2014-09-15 14:46 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\PLA
2014-09-15 14:29 - 2013-07-17 11:44 - 00000000 ____D () C:\Program Files (x86)\Google
2014-09-15 12:54 - 2014-02-19 12:01 - 00000000 ____D () C:\Software Backups
2014-09-15 09:06 - 2010-11-20 23:27 - 00278152 ____N (Microsoft Corporation) C:\windows\system32\MpSigStub.exe
2014-09-15 03:04 - 2009-07-14 01:13 - 00775588 _____ () C:\windows\system32\PerfStringBackup.INI
2014-09-13 03:53 - 2009-07-14 00:45 - 05142968 _____ () C:\windows\system32\FNTCACHE.DAT
2014-09-12 13:03 - 2013-01-10 14:35 - 00000250 _____ () C:\windows\ODBCINST.INI
2014-09-12 13:03 - 2012-12-06 14:14 - 00000000 ____D () C:\Program Files (x86)\MySQL
2014-09-12 13:01 - 2013-01-24 13:42 - 00000152 _____ () C:\windows\ODBC.INI
2014-09-12 12:58 - 2013-01-16 13:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MySQL
2014-09-12 12:31 - 2012-12-06 14:16 - 00000000 ____D () C:\Program Files\MySQL
2014-09-12 12:30 - 2013-01-16 13:45 - 00000000 ____D () C:\ProgramData\MySQL
2014-09-12 10:22 - 2012-12-02 17:20 - 00000000 ____D () C:\Program Files (x86)\Intuit
2014-09-12 10:20 - 2012-12-05 11:20 - 00000000 ____D () C:\Users\Joe\AppData\Local\Downloaded Installations
2014-09-12 10:05 - 2012-12-02 17:28 - 00118808 _____ () C:\Users\Joe\AppData\Local\GDIPFONTCACHEV1.DAT
2014-09-12 10:05 - 2012-12-02 17:20 - 00000090 _____ () C:\windows\QBChanUtil_Trigger.ini
2014-09-12 10:04 - 2012-12-02 17:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickBooks
2014-09-12 10:01 - 2012-12-02 17:20 - 00000000 ____D () C:\ProgramData\Intuit
2014-09-12 09:59 - 2014-05-30 22:29 - 00000000 ____D () C:\Users\Public\Documents\Intuit
2014-09-12 05:06 - 2014-05-30 22:35 - 00000000 ____D () C:\Users\QBDataServiceUser24
2014-09-12 05:05 - 2013-07-17 11:44 - 00000000 ____D () C:\Users\Joe\AppData\Local\Google
2014-09-12 04:54 - 2012-11-21 17:09 - 00000000 ____D () C:\ProgramData\Skype
2014-09-12 04:36 - 2013-02-27 12:55 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-09-12 04:31 - 2012-11-21 17:02 - 00000000 ____D () C:\Program Files (x86)\HP Games
2014-09-12 04:31 - 2012-11-21 16:54 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP TouchSmart
2014-09-12 04:31 - 2009-07-14 01:32 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2014-09-12 04:29 - 2013-03-13 12:04 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\WildTangent
2014-09-12 04:29 - 2012-11-21 17:01 - 00000000 ____D () C:\ProgramData\WildTangent
2014-09-12 04:26 - 2012-11-21 16:57 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HP Help and Support
2014-09-12 04:26 - 2012-11-21 16:54 - 00000000 ____D () C:\ProgramData\Hewlett-Packard
2014-09-12 04:26 - 2012-11-21 16:53 - 00000000 ____D () C:\Program Files\Hewlett-Packard
2014-09-11 10:56 - 2012-12-06 15:10 - 00210944 _____ (Microsoft Corporation) C:\windows\system32\rdpclip.exe
2014-09-11 10:54 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\Resources
2014-09-11 10:41 - 2014-03-19 09:46 - 00001945 _____ () C:\windows\epplauncher.mif
2014-09-11 03:14 - 2012-12-03 12:39 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-09-11 03:06 - 2013-08-14 03:01 - 00000000 ____D () C:\windows\system32\MRT
2014-09-11 03:02 - 2013-02-27 13:56 - 101694776 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe
2014-09-11 03:00 - 2014-05-06 03:00 - 00000000 ___SD () C:\windows\system32\CompatTel
2014-09-10 12:29 - 2012-12-02 17:27 - 00000000 ____D () C:\Users\Joe\Documents\RGB
2014-09-09 22:34 - 2012-12-02 17:27 - 00002308 ____H () C:\Users\Joe\Documents\Default.rdp

Some content of TEMP:
====================
C:\Users\Joe\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2013-01-24 01:35

==================== End Of Log ============================


Report •

#29
September 26, 2014 at 18:43:06
Addition.txt log:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 26-09-2014
Ran by Joe at 2014-09-26 21:34:36
Running from C:\Users\Joe\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version: - )
Adobe Acrobat X Pro - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7760-000000000005}) (Version: 10.1.1 - Adobe Systems)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 3.1.0.4880 - Adobe Systems Incorporated)
Adobe AIR (x32 Version: 3.1.0.4880 - Adobe Systems Incorporated) Hidden
Adobe Creative Suite 6 Master Collection (HKLM-x32\...\{E8AD3069-9EB7-4BA8-8BFE-83F4E69355C0}) (Version: 6 - Adobe Systems Incorporated)
Adobe Flash Player 10 Plugin (HKLM-x32\...\{BC41C09D-FAA9-4346-9FE6-1E0017BC551A}) (Version: 10.1.52.14 - Adobe Systems, Inc.)
Adobe Flash Player 11 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 11.9.900.152 - Adobe Systems Incorporated)
Adobe Help Manager (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 4.0.244 - Adobe Systems Incorporated)
Adobe Help Manager (x32 Version: 4.0.244 - Adobe Systems Incorporated) Hidden
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe Media Player (x32 Version: 1.8 - Adobe Systems Incorporated) Hidden
Adobe Reader XI (11.0.08) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Adobe Widget Browser (HKLM-x32\...\com.adobe.WidgetBrowser) (Version: 2.0 Build 348 - Adobe Systems Incorporated.)
Adobe Widget Browser (x32 Version: 2.0.348 - Adobe Systems Incorporated.) Hidden
AnswerWorks 5.0 English Runtime (HKLM-x32\...\{DBCC73BA-C69A-4BF5-B4BF-F07501EE7039}) (Version: 5.0.7 - Vantage Software Technologies)
Apple Mobile Device Support (HKLM\...\{7446FE8D-C1F9-4D42-AAAE-5DBCE58605A6}) (Version: 6.0.0.59 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
BitTorrent (HKCU\...\BitTorrent) (Version: 7.8.2.30587 - BitTorrent Inc.)
bl (x32 Version: 1.0.0 - Your Company Name) Hidden
Blio (HKLM-x32\...\{FCD6D60F-AF2B-49E3-ABC4-A4C96B56225D}) (Version: 3.0.9482 - K-NFB Reading Technology, Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bubble Wrap (HKLM-x32\...\{5BFFDDEB-AFD7-499F-BB13-7A6EAD927CDA}_is1) (Version: 1.0.0.0 - XM Asia Pacific Pte Ltd)
Canon D1300/MF6700 (HKLM\...\{DC61FFB7-A6FE-4237-B836-EDE8CA85B5AE}) (Version: 3.9.0.0 - CANON INC.)
Canon MF Toolbox 4.9.1.1.mf12 (HKLM-x32\...\{6767DFEE-8909-453A-B553-C7693912B2EB}) (Version: 4.9.1.1.mf12 - CANON INC.)
Carbonite (HKLM-x32\...\Carbonite Backup) (Version: 5.4.3 build 2832 (Jan-14-2013) - Carbonite)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DirectX for Managed Code Update (Summer 2004) (x32 Version: 9.02.2904 - Microsoft) Hidden
Disney Infinity Toy Box (HKLM-x32\...\{11CB229E-8A2B-40FD-8670-4EC92D3DDAD5}) (Version: 1.81.1602 - Disney Interactive)
Facebook (HKLM-x32\...\{8AE50893-3A87-4439-9A57-942ED43F7189}) (Version: 1.1.0004 - Hewlett-Packard)
Hewlett-Packard ACLM.NET v1.2.1.1 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Auto (Version: 1.0.12935.3667 - Hewlett-Packard Company) Hidden
HP Calendar (HKLM-x32\...\{2B38E0FA-D8A5-4EBF-A018-E3C1C8E7A2E2}) (Version: 5.1.4245.23508 - Hewlett-Packard)
HP Customer Experience Enhancements (x32 Version: 6.0.1.8 - Hewlett-Packard) Hidden
HP LinkUp (HKLM-x32\...\{7E750542-55BC-4300-8B7B-AC2A762FB435}) (Version: 2.01.029 - Hewlett-Packard)
HP Magic Canvas (HKLM-x32\...\{DDFDC9D6-4220-41F8-BF9A-8E7512C4EF52}) (Version: 5.1.15.0 - Hewlett-Packard)
HP Magic Canvas Tutorials (HKLM-x32\...\{858FCB65-7C6D-4BA4-AD80-A3CB3744CE09}_is1) (Version: 6.0.0.0 - Hewlett-Packard)
HP Notes (HKLM-x32\...\{86BAB08A-5E66-4C53-82E3-C1E91673C7CA}) (Version: 5.1.4274.30382 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP RSS (HKLM-x32\...\{452479C5-0118-48E9-AA69-0A7339F95FC8}) (Version: 5.1.4289.23799 - Hewlett-Packard)
HP Setup (HKLM-x32\...\{438363A8-F486-4C37-834C-4955773CB3D3}) (Version: 9.1.15430.4033 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}) (Version: 7.0.39.15 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 11.00.0001 - Hewlett-Packard)
HP TouchSmart Background - Beats (HKLM-x32\...\{6A6F8D36-04BA-41E9-9004-1789BD545874}) (Version: 1.0.1.0 - Hewlett-Packard)
HP TouchSmart RecipeBox (HKLM-x32\...\{20714B53-FC73-4F9C-9687-49EB237D6FD7}) (Version: 3.0.3830.27730 - Hewlett-Packard)
HP Update (HKLM-x32\...\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}) (Version: 5.003.001.001 - Hewlett-Packard)
HP Weather (HKLM-x32\...\{776CC95E-8160-401B-AC79-164822AA8306}) (Version: 5.1.4245.22595 - Hewlett-Packard)
iCloud (HKLM\...\{81E20D41-C277-4526-934D-F2380AF91B78}) (Version: 3.1.0.40 - Apple Inc.)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.0.1351 - Intel Corporation)
Intel(R) OpenCL CPU Runtime (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.2932 - Intel Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.4507 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.4507 - CyberLink Corp.) Hidden
MagicDisc 2.7.106 (HKLM-x32\...\MagicDisc 2.7.106) (Version: - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Metric Converter (HKLM-x32\...\{D0661463-50F7-4A1E-83CB-37CC590589AE}_is1) (Version: 1.0.0.0 - XM Asia Pacific Pte Ltd)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Access database engine 2010 (English) (HKLM-x32\...\{90140000-00D1-0409-0000-0000000FF1CE}) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft MapPoint North America 2013 (HKLM-x32\...\{C82185E8-C27B-4EF4-2013-1111BC2C2B6D}) (Version: 19.0.18.2600 - Microsoft Corporation)
Microsoft Mathematics (64-bit) (HKLM\...\{E57B7E0A-8BE5-42E2-BE60-C07ED680A063}) (Version: 4.0 - Microsoft Corporation)
Microsoft Mathematics (HKLM-x32\...\{4D090F70-6F08-4B60-9357-A1DFD4458F09}) (Version: 4.0 - Microsoft Corporation)
Microsoft Office 2007 Primary Interop Assemblies (HKLM-x32\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Access Developer Extensions (English) 2007 (HKLM-x32\...\{90120000-00D0-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Access MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Groove Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office InfoPath MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (x32 Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (x32 Version: - Microsoft) Hidden
Microsoft Office Publisher MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2007 (x32 Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version: - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (x32 Version: 8.0.60940.0 - Microsoft Corporation) Hidden
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50701 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (Version: 10.0.50706 - Microsoft Corporation) Hidden
Microsoft_VC80_ATL_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_ATL_x86_x64 (Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_CRT_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_CRT_x86_x64 (Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFC_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFC_x86_x64 (Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFCLOC_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFCLOC_x86_x64 (Version: 80.50727.4053 - Adobe) Hidden
Microsoft_VC90_ATL_x86 (x32 Version: 1.00.0000 - Adobe) Hidden
Microsoft_VC90_ATL_x86_x64 (Version: 1.00.0000 - Adobe) Hidden
Microsoft_VC90_CRT_x86 (x32 Version: 1.00.0000 - Adobe) Hidden
Microsoft_VC90_CRT_x86_x64 (Version: 1.00.0000 - Adobe) Hidden
Microsoft_VC90_MFC_x86 (x32 Version: 1.00.0000 - Adobe) Hidden
Microsoft_VC90_MFC_x86_x64 (Version: 1.00.0000 - Adobe) Hidden
Mozilla Firefox 18.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 18.0.1 (x86 en-US)) (Version: 18.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 18.0.1 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MySQL Connector C 6.0.2 (HKLM\...\{5B6A2A7C-658E-4661-A254-3C36F5B63943}) (Version: 6.0.2 - Sun Microsystems)
MySQL Connector C 6.0.2 (HKLM-x32\...\{66F9302D-E145-4375-8C84-54DA2339C483}) (Version: 6.0.2 - Sun Microsystems)
MySQL Connector C++ 1.1.0 (HKLM-x32\...\{FD753E57-1F44-41E6-B962-E01D76676206}) (Version: 1.1.0 - Oracle and/or its affiliates)
MySQL Connector J (HKLM-x32\...\{145A09DE-8628-4F54-ACA2-45507391CDFB}) (Version: 5.1.19.0 - Oracle Corporation)
MySQL Connector Net 6.4.4 (HKLM-x32\...\{2DDC7E93-29AB-4260-A9DB-697F7FA88157}) (Version: 6.4.4 - Oracle)
MySQL Connector/ODBC 5.1 (HKLM\...\{583E320A-F7F7-4A23-A80E-26995A5371CC}) (Version: 5.1.10 - Oracle Corporation)
MySQL Connector/ODBC 5.1 (HKLM-x32\...\{C36A15FB-9882-4CB7-B128-239AACBB9BCD}) (Version: 5.1.10 - Oracle Corporation)
MySQL Documents 5.5 (HKLM-x32\...\{9C1610D3-293C-4A23-8059-7401C2997420}) (Version: 5.5.23 - Oracle Corporation)
MySQL Examples and Samples 5.5 (HKLM-x32\...\{F9D6CBE7-6002-4B5C-A78A-32A823BDC71D}) (Version: 5.5.23 - Oracle Corporation)
MySQL Installer (HKLM-x32\...\{7293D767-036E-46F2-960C-C017280D589E}) (Version: 1.0.19.0 - Oracle Corporation)
MySQL Server 5.5 (HKLM\...\{0D2B37D8-853A-4564-875D-06894B7F81C3}) (Version: 5.5.23 - Oracle Corporation)
MySQL Workbench 5.2 CE (HKLM-x32\...\{561BD069-5C63-4B48-98BD-91B743142304}) (Version: 5.2.39 - Oracle Corporation)
opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
PDF Settings CS6 (x32 Version: 11.0 - Adobe Systems Incorporated) Hidden
ph (x32 Version: 1.0.0 - Your Company Name) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.6207 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.6207 - CyberLink Corp.) Hidden
PxMergeModule (x32 Version: 1.00.0000 - Your Company Name) Hidden
QuickBooks (x32 Version: 24.0.4007.2403 - Intuit Inc.) Hidden
QuickBooks Connection Diagnostic Tool (HKLM-x32\...\{8FC44A80-059E-4358-BBB4-50FAEBED7627}) (Version: 4.0.0 - Intuit)
QuickBooks Pro 2014 (HKLM-x32\...\{4A21D17E-2FE8-42CD-88B7-ACF8E8860834}) (Version: 24.0.4007.2403 - Intuit Inc.)
QuickBooks Remote Data Sharing Server (HKLM-x32\...\{2A2470D4-F490-487D-B270-FBCB5D1AF798}) (Version: 7.0.0.121 - Intuit Developer Network)
QuickBooks Runtime Redistributable (HKLM\...\{F2A4F809-2DE6-4D27-888B-4D2BB8DAF20E}) (Version: 1.00.0000 - Intuit Inc.)
QuickBooks SDK 13.0 (HKLM-x32\...\{C4E4AE4D-6BC7-4C17-9B5B-936AFBCF285E}) (Version: 13.0.0.23 - Intuit Partner Platform)
Quicken 2010 (HKLM-x32\...\{CCF6F57B-F6B4-4508-BF45-63AAC9DE416A}) (Version: 19.1.1.27 - Intuit)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6463 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.0.5119 - CyberLink Corp.) Hidden
Remote Graphics Receiver (HKLM-x32\...\{16FC3056-90C0-4757-8A68-64D8DA846ADA}) (Version: 5.4.5 - Hewlett-Packard)
TrashFlow (HKLM-x32\...\TrashFlow) (Version: - Ivy Computer, Inc.)
TSHostedAppLauncher (x32 Version: 5.1.15.0 - Hewlett-Packard) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-002A-0000-1000-0000000FF1CE}_ENTERPRISE_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version: - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version: - Microsoft)
Update for Microsoft Office Access 2007 Help (KB963663) (HKLM-x32\...\{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{6B76A18A-AA1E-42AB-A7AD-6C84BBB43987}) (Version: - Microsoft)
Update for Microsoft Office Excel 2007 Help (KB963678) (HKLM-x32\...\{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version: - Microsoft)
Update for Microsoft Office Infopath 2007 Help (KB963662) (HKLM-x32\...\{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{716B81B8-B13C-41DF-8EAC-7A2F656CAB63}) (Version: - Microsoft)
Update for Microsoft Office OneNote 2007 Help (KB963670) (HKLM-x32\...\{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2744EF05-38E1-4D5D-B333-E021EDAEA245}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{ED38F8A3-4F61-494E-8BCA-E3AC7760C924}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{53DEC068-4690-4F6B-9946-7D21EF02236B}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 Help (KB963677) (HKLM-x32\...\{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{0451F231-E3E3-4943-AB9F-58EB96171784}) (Version: - Microsoft)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2889914) 32-Bit Edition (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{F3F83933-75FC-4B60-84F2-3F8FA63D042E}) (Version: - Microsoft)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM-x32\...\{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version: - Microsoft)
Update for Microsoft Office Publisher 2007 Help (KB963667) (HKLM-x32\...\{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2E40DE55-B289-4C8B-8901-5D369B16814F}) (Version: - Microsoft)
Update for Microsoft Office Script Editor Help (KB963671) (HKLM-x32\...\{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version: - Microsoft)
Update for Microsoft Office Word 2007 Help (KB963665) (HKLM-x32\...\{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version: - Microsoft)
Visual Studio Tools for the Office system 3.0 Runtime (HKLM-x32\...\Visual Studio Tools for the Office system 3.0 Runtime) (Version: - Microsoft Corporation)
Visual Studio Tools for the Office system 3.0 Runtime (x32 Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual Studio Tools for the Office system 3.0 Runtime Service Pack 1 (KB949258) (HKLM-x32\...\{8FB53850-246A-3507-8ADE-0060093FFEA6}.KB949258) (Version: 1 - Microsoft Corporation)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3538.0513 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (x32 Version: 15.4.3538.0513 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

19-09-2014 06:46:05 Windows Update
23-09-2014 06:46:09 Windows Update
24-09-2014 07:00:13 Windows Update
25-09-2014 12:47:28 Removed Norton Online Backup

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2014-09-25 17:24 - 00000027 ____A C:\windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0607F4BB-6392-4BC1-8C40-955C06AB8628} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {51F74795-BF80-478E-A945-3383416E16FD} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HPSFUpdater => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {81C10F05-2BB8-4966-BEF7-FBE684C067A5} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: {8E9117C0-2AD9-47BD-B377-2AD542482BC1} - System32\Tasks\HPCeeScheduleForJoe => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {903D7A69-ADB2-4264-8CE0-94962AD302ED} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2013-03-07] (Hewlett-Packard)
Task: {B6C0FE01-0BEC-4124-B38B-E87B7AAE3BF4} - System32\Tasks\{5F6010C8-60E5-41f3-BF5B-C3AF5DBE12D4} => C:\ProgramData\Carbonite\Carbonite Backup\CarboniteUpgrade.exe [2014-09-26] (Carbonite, Inc.)
Task: {C314CF3D-867B-4CE1-9A0D-E8895F83036C} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: {C44BB733-98D1-408D-B8F8-8C665EA2DB0B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HPSFUpdaterRedux => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {DDB896BF-93AD-463C-BF2F-D5C96AC84BBE} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\windows\Tasks\HPCeeScheduleForJoe.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============


==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: CalendarSynchService => 2
MSCONFIG\Services: CarboniteService => 2
MSCONFIG\Services: cphs => 3
MSCONFIG\Services: HP Support Assistant Service => 2
MSCONFIG\Services: hpqwmiex => 3
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: MySQL55 => 2
MSCONFIG\Services: QBCFMonitorService => 2
MSCONFIG\Services: QBFCService => 3
MSCONFIG\Services: QBVSS => 2
MSCONFIG\Services: QuickBooksDB24 => 3
MSCONFIG\Services: SwitchBoard => 3
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Intuit Data Protect.lnk => C:\windows\pss\Intuit Data Protect.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^OSR_TinyWeb.lnk => C:\windows\pss\OSR_TinyWeb.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk => C:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks_Standard_21.lnk => C:\windows\pss\QuickBooks_Standard_21.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Joe^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk => C:\windows\pss\MagicDisc.lnk.Startup
MSCONFIG\startupreg: Acrobat Assistant 8.0 => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe"
MSCONFIG\startupreg: Adobe Acrobat Speed Launcher => "C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AdobeCS6ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: ApplePhotoStreams => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
MSCONFIG\startupreg: Carbonite Backup => C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
MSCONFIG\startupreg: HotKeysCmds => C:\windows\system32\hkcmd.exe
MSCONFIG\startupreg: HP Software Update => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: HPSYSDRV => C:\Program Files (x86)\Hewlett-Packard\HP Odometer\HPSYSDRV.EXE
MSCONFIG\startupreg: iCloudServices => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
MSCONFIG\startupreg: IgfxTray => C:\windows\system32\igfxtray.exe
MSCONFIG\startupreg: Intuit SyncManager => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
MSCONFIG\startupreg: MFNetworkScanUtility => C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE
MSCONFIG\startupreg: Persistence => C:\windows\system32\igfxpers.exe
MSCONFIG\startupreg: SwitchBoard => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-2944885638-3624093982-2585505729-500 -> Administrator - Disabled - Status: Degraded)
Guest (S-1-5-21-2944885638-3624093982-2585505729-501 -> Limited - Enabled - Status: OK)
hack (S-1-5-21-2944885638-3624093982-2585505729-1006 -> Limited - Enabled - Status: OK)
HomeGroupUser$ (S-1-5-21-2944885638-3624093982-2585505729-1002 -> Limited - Enabled - Status: OK)
Joe (S-1-5-21-2944885638-3624093982-2585505729-1000 -> Administrator - Enabled - Status: OK) => C:\Users\Joe
QBDataServiceUser24 (S-1-5-21-2944885638-3624093982-2585505729-1009 -> Limited - Enabled - Status: OK) => C:\Users\QBDataServiceUser24.JOE

==================== Faulty Device Manager Devices =============

Name: StorLib bus (virtual storages support)
Description: StorLib bus (virtual storages support)
Class Guid: {1378e71b-ab4d-4348-af26-cba56b12969e}
Manufacturer: EldoS Corporation
Service: cbfs3
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/26/2014 08:32:36 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17280 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: dcc

Start Time: 01cfd9ea5a171354

Termination Time: 0

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (09/26/2014 08:31:17 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17280 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 3c8

Start Time: 01cfd9e387ad4a2a

Termination Time: 0

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (09/26/2014 05:19:09 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17280 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 56c

Start Time: 01cfd9c194b811c5

Termination Time: 0

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id: bd4feb78-45c2-11e4-8996-24be050af2a4

Error: (09/26/2014 04:10:06 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17280 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 10f8

Start Time: 01cfd9c21162b530

Termination Time: 0

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (09/26/2014 11:53:31 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2014":
V24.0D R7 (M=1066, L=335, C=249, V=0 (0))

Error: (09/26/2014 11:52:56 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2014":
V24.0D R7 (M=1066, L=335, C=249, V=0 (0))

Error: (09/26/2014 11:49:45 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2014":
ExcelHelper::SetCustomPropertyString - Cannot add variable to excel : QBSUBSTORAGE

Error: (09/26/2014 11:49:45 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2014":
ExcelHelper::WriteExcelVariable Com Error#: 800a03ec

Error: (09/26/2014 11:49:09 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2014":
V24.0D R7 (M=1066, L=335, C=249, V=0 (0))

Error: (09/26/2014 11:28:17 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks Pro 2014":
V24.0D R7 (M=1066, L=335, C=249, V=0 (0))


System errors:
=============
Error: (09/26/2014 08:41:10 PM) (Source: DCOM) (EventID: 10016) (User: JOE)
Description: application-specificLocalActivation{D3DCB472-7261-43CE-924B-0704BD730D5F}{D3DCB472-7261-43CE-924B-0704BD730D5F}JOEJoeS-1-5-21-2944885638-3624093982-2585505729-1000LocalHost (Using LRPC)

Error: (09/26/2014 08:41:10 PM) (Source: DCOM) (EventID: 10016) (User: JOE)
Description: application-specificLocalActivation{145B4335-FE2A-4927-A040-7C35AD3180EF}{145B4335-FE2A-4927-A040-7C35AD3180EF}JOEJoeS-1-5-21-2944885638-3624093982-2585505729-1000LocalHost (Using LRPC)

Error: (09/26/2014 08:40:52 PM) (Source: TermDD) (EventID: 56) (User: )
Description: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client.
Client IP: 71.187.225.14.

Error: (09/26/2014 08:34:26 PM) (Source: DCOM) (EventID: 10016) (User: JOE)
Description: application-specificLocalActivation{D3DCB472-7261-43CE-924B-0704BD730D5F}{D3DCB472-7261-43CE-924B-0704BD730D5F}JOEJoeS-1-5-21-2944885638-3624093982-2585505729-1000LocalHost (Using LRPC)

Error: (09/26/2014 08:34:26 PM) (Source: DCOM) (EventID: 10016) (User: JOE)
Description: application-specificLocalActivation{145B4335-FE2A-4927-A040-7C35AD3180EF}{145B4335-FE2A-4927-A040-7C35AD3180EF}JOEJoeS-1-5-21-2944885638-3624093982-2585505729-1000LocalHost (Using LRPC)

Error: (09/26/2014 08:28:38 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/26/2014 05:44:15 PM) (Source: Microsoft-Windows-Kernel-General) (EventID: 5) (User: NT AUTHORITY)
Description: 0x8000002a171\??\Volume{3afd89fc-a038-48de-bd87-77f1efb6a78f}\System Volume Information\SPP\SppCbsHiveStore\{cd42efe1-f6f1-427c-b004-033192c625a4}{D115FEA8-9517-4570-A661-73EDB0F71643}

Error: (09/26/2014 05:02:11 PM) (Source: Application Popup) (EventID: 1060) (User: )
Description: \??\C:\Windows\System32\drivers\TrueSight.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (09/26/2014 03:36:50 PM) (Source: Microsoft-Windows-TaskScheduler) (EventID: 413) (User: NT AUTHORITY)
Description: Task Scheduler service failed to load tasks at service startup. Additional Data: Error Value: 2147549183.

Error: (09/26/2014 03:18:03 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 43. The internal error state is 252.


Microsoft Office Sessions:
=========================
Error: (01/28/2014 01:04:49 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6606.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 1672 seconds with 1620 seconds of active time. This session ended with a crash.

Error: (05/14/2013 10:49:52 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.6606.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 4223 seconds with 2280 seconds of active time. This session ended with a crash.

Error: (03/21/2013 01:27:27 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 2, Application Name: Microsoft Office Access, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 316 seconds with 300 seconds of active time. This session ended with a crash.


CodeIntegrity Errors:
===================================
Date: 2014-09-25 17:23:38.085
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-09-25 17:23:38.022
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i3-2130 CPU @ 3.40GHz
Percentage of memory in use: 58%
Total physical RAM: 3982.01 MB
Available physical RAM: 1655.68 MB
Total Pagefile: 7962.2 MB
Available Pagefile: 6008.94 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:448.85 GB) (Free:334.75 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (HP_RECOVERY) (Fixed) (Total:16.69 GB) (Free:2.08 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 8371C76F)

Partition: GPT Partition Type.

==================== End Of Log ============================


Report •

#30
September 26, 2014 at 23:03:28
Copy & Paste the text below ( starting Toolbar: ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKCU - No Name - {8D0BF943-CE38-44DF-A40D-B18FD3C8645B} - No File
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
C:\Users\Joe\AppData\Local\Temp\Quarantine.exe
FF Homepage: hxxp://search.yahoo.com/?ei=utf-8&fr=tightropetb&type=11053_091114
FF Keyword.URL: hxxp://search.yahoo.com/search?ei=utf-8&fr=tightropetb&type=11053_091114&p=


Report •

#31
September 27, 2014 at 07:12:53
New fixlog.txt contents:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-09-2014
Ran by Joe at 2014-09-27 10:11:18 Run:1
Running from C:\Users\Joe\Desktop
Loaded Profile: Joe (Available profiles: Joe & QBDataServiceUser24)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKCU - No Name - {8D0BF943-CE38-44DF-A40D-B18FD3C8645B} - No File
Handler: intu-help-qb7 - {5A03BD9D-766D-47A6-8E87-CD90F60BE245} - No File
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
C:\Users\Joe\AppData\Local\Temp\Quarantine.exe
FF Homepage: hxxp://search.yahoo.com/?ei=utf-8&fr=tightropetb&type=11053_091114
FF Keyword.URL: hxxp://search.yahoo.com/search?ei=utf-8&fr=tightropetb&type=11053_091114&p=
*****************

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
"HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8D0BF943-CE38-44DF-A40D-B18FD3C8645B} => value deleted successfully.
"HKCR\CLSID\{8D0BF943-CE38-44DF-A40D-B18FD3C8645B}" => Key not found.
"HKCR\PROTOCOLS\Handler\intu-help-qb7" => Key deleted successfully.
"HKCR\CLSID\{5A03BD9D-766D-47A6-8E87-CD90F60BE245}" => Key not found.
"HKCR\PROTOCOLS\Handler\qbwc" => Key deleted successfully.
"HKCR\CLSID\{FC598A64-626C-4447-85B8-53150405FD57}" => Key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
C:\Users\Joe\AppData\Local\Temp\Quarantine.exe => Moved successfully.
Firefox homepage deleted successfully.
Firefox Keyword.URL deleted successfully.

==== End of Fixlog ====


Report •

#32
September 27, 2014 at 07:21:00
Just about to go to bed, I'm here.
http://www.timeanddate.com/worldclo...

Do these & then use the comp for a day or so & let me know what issues you have.

Uninstall ComboFix. The reason we remove Combofix, is that a new version comes out nearly every day.
Turn off all active protection software.
Push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
Please Copy and Paste the following into the box > ComboFix /Uninstall and click OK.
Or,
Start > Run, Copy and Paste > ComboFix /uninstall and click OK.

Run TFC
http://www.geekstogo.com/forum/file...
http://www.bleepingcomputer.com/dow...
http://oldtimer.geekstogo.com/TFC.exe
http://www.itxassociates.com/OT-Too...
Download it onto your Desktop If your default download location is not the Desktop, drag it out of it's location onto the Desktop.
Double-click TFC.exe to run it. Note: If you are running on Vista/Windows 7/8, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.


Report •

#33
September 27, 2014 at 10:29:44
Thanks for all your help so far. Unfortunately through all that, right off that bat I see that my new problems have not been corrected. To recap the current issue, the problem I am having is that I cannot access my Verizon email account through Outlook. Coincidentally I cannot open the Verizon.com website either. Any other website seems to load just fine, although they seem to load a lot slower than usual. Other computers OUTSIDE my work network can access my Verizon email and log on to the website just fine. I have not tested other computers on the same network as the problematic computer's network in a few days, but the last I checked they were having similar problems.

My original problem of the suspicious activity with passwords and users being mysteriously added, software uninstalled and files deleted seems to be corrected though.

I did notice something though. If you remember, one of the 2 mysterious users that was added was named "Hack". Strangely enough, the "Hack" user was never listed in the user accounts section of the control panel, but active in the login screen. In the process of trying to reset my password by booting from a flash drive utility I "thought" I deleted this user. I noticed in one of the scans though, that the "Hack" user appeared in the Accounts section of the Addition.txt log file. It seems like that user is still present in the system somehow. The other suspicious user was listed in the user accounts and I was able to delete all traces of that one.

I am not greatly familiar with firewall and internet blocking settings, but its almost like the Verizon.com domain is being blocked somehow. I only say that because it makes sense since the problem only pertains to my Verizon email and the Verizon website and nothing else. do you think it is worth going down that path of checking some of those settings? I quickly browsed through firewall settings and didn't find anything out of the usual, but maybe it's "hiding" as a predefined system setting or something like that. Thoughts???


Report •

#34
September 27, 2014 at 15:12:45
Thanks for the revision, everything that you had said originaly, was gone from my head, I have been memorizing/focused on the cleaning & waiting to see what issues remained.

"Thoughts"
Many, we shall have to keep trying.

Copy & Paste the text below ( starting (No Name) ), save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

CHR Extension: (No Name) - C:\Users\Joe\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-11]
hack (S-1-5-21-2944885638-3624093982-2585505729-1006 -> Limited - Enabled - Status: OK)

If the Verizon issue is still there after a reboot.
Reset browser settings
https://support.google.com/chrome/a...
http://windows.microsoft.com/en-au/...
https://support.mozilla.org/en-US/k...


Report •

#35
September 27, 2014 at 19:26:01
I have already tried a browser reset several days ago with out any difference.

I am home now and was running remote desktop to my work computer when I ran your new FRST64 fix. After remotely rebooting I cannot re-connect back to it. I figure 1 of 2 scenarios happened... 1. I accidentally hit shutdown instead of restart and cannot remotely "turn back on" my computer, or 2. the new fix changed some setting, prohibiting me to reconnect back. Regardless I cannot connect back at the moment to see if the problem is corrected. I may have to wait till Monday morning to see. I will keep you posted...


Report •

#36
September 28, 2014 at 01:36:36
Run Farbar Service Scanner ( FFS )
http://www.bleepingcomputer.com/dow...
http://www.bleepstatic.com/download...
http://www.bleepstatic.com/download...
Make sure the following options are checked:
RpcSs
PlugPlay
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please Copy and Paste the contents of the log in your next reply.

Report •

#37
September 29, 2014 at 09:44:30
Back at physical computer this morning. All "other" things seem ok, but still the Verizon Email and website problem. Ran the new scan and the results are followed:

Farbar Service Scanner Version: 21-07-2014
Ran by Joe (administrator) on 29-09-2014 at 12:42:26
Running from "C:\Users\Joe\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****


Report •

#38
September 29, 2014 at 11:15:38
On an added note, the problem I am having with not being able to access my Verizon email through Outlook and not being able to log onto the Verizon website altogether is happening on all computers on my work network. Maybe we should think about router setting or something else that may effect all computers

Report •

#39
September 29, 2014 at 15:12:59
" Maybe we should think about router setting or something else that may effect all computers"
Yep, process of elimination. Try holding the reset button in for 10secs or whatever your manual says.

We now know your Services are Ok.

message edited by Johnw


Report •

Ask Question