
MSG77
Honorary Members
Posts: 31

Everything posted by MSG77

  1. Seems OK I guess. Nothing too noticeable wrong. But there wasn't anything that bad before. Just worried about what might be on there hidden. I seem to get quite a few system performance warnings from Norton. But it is an old computer so maybe it's just performance with new stuff. I did get a performance alert when I opened IE after running the FRST fix. High disk write from svchost.exe I think. Not sure if that's normal. When I ran RogueKiller and AdwCleaner scans before my first post a lot of stuff came up. So I just want to make sure I keep what's good and get rid of the bad stuff. But computer overall is not running terrible or doing strange things a lot.
  2. Logs attached. I ran FRST in safe mode. Hope that is OK. I have been able to run it there with no problems so figured I'd just stick to that. If I need to rerun it in normal mode I will. Just have to figure out how to shut off whatever in Norton is killing it. I guess I can just shut off everything in the menus? MBAM ran in normal mode. Nothing found but that is not new. Hasn't found anything since the Nov 13 scan when it got the 2 Trojans. Nothing new to report I guess. When I opened IE my homepage got reset. But all favorites and everything were still there. Also, all recent docs were erased so I had to manually reopen from file sites. But you probably expected all that. Saw that FRST did clean out temp files. Awaiting further instructions/requests. Thanks. Hmmm... Just as I am posting this I get a Norton popup that says it's fixing Suspicious.Cloud7.EP. And it removed and deleted FRST from my desktop. Damn it. Stupid thing. I guess I'll have to go and download it again. Frustrating. Attachments: mbam log 2014-11-22 1526.txt, Fixlog.txt
  3. Also, I just realized that my AdwCleaner and RogueKiller scan logs didn't attach to my 1st post. I can attach them if it will help. Maybe if I run fixes on those I will have fewer problems with downloading FRST again? If not then no worries. I'll try to get FRST back on my machine so I can run the fixlist first.
  4. I tried to run a FRST scan again before my OP to get an updated list. I ran it in normal bootup mode and it got deleted off my machine by Norton I think. When I try to download it again in safe mode I get a message from the download portion of IE that it is "not commonly downloaded" and "not signed" or something. I can't "save as" to my desktop. I can "save" only. It then gives me the warning and asks if I want to run it anyway. Should I turn off the service that blocks it? I think I can in options. But I don't want to if it is blocking me from downloading something that is not really FRST.exe. The 1st time I downloaded in safe mode it did not block it. Concerned I may not be downloading the real file. I did use links from this forum that get me to BleepingComputer so it seems legit. Not sure of how malware is affecting this though. I could download from another computer and load via USB. But maybe not until Monday, which is not ideal. If it's just because it's an updated version of FRST and is fine I'll just download it directly by telling it to download from IE. Thanks.
  5. Last week there were files found and removed by Malwarebytes. I also ran MRT and it found something. I posted a thread on here but got no response. Maybe because it was low priority, probably because I didn't have logs attached (I am having trouble with FRST). Computer is OK most of the time but still has a few issues. Would just like to know if I'm OK or still have real problems. I could only download FRST in safe mode. Ran it in safe mode. Tried to run it in normal mode and Norton (I think) killed it and deleted it. Tried to download it again in safe mode and was given some sort of warning (not typically downloaded/no registration) from Windows. Not sure if that is real or related to malware. Also not sure, if the warning was real, whether I was actually downloading the real FRST. I did go through links from this site though. I am also getting security certificate errors for this site so not sure if anything is real or not. Maybe I'm getting malware errors on a lot of stuff? I ran RogueKiller and AdwCleaner scans and some stuff came up. Not sure if it's all bad. I've attached those logs at the bottom. Can also provide the Malwarebytes log and MS MRT log of what was found if needed. If someone could take a look at all these logs and tell me if I'm OK or if I still have infections it would be much appreciated.
FRST logs (from when I was able to run it a few days ago):

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 17-11-2014
Ran by Matthew (administrator) on GAROFALO-PC on 18-11-2014 21:23:38
Running from C:\Users\Matthew\Downloads
Loaded Profile: Matthew (Available profiles: Matthew & Marc & SBG & UpdatusUser & Guest)
Platform: Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] => C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM\...\Run: [Norton Online Backup] => C:\Program Files\Symantec\Norton Online Backup\NOBuClient.exe [968536 2010-06-08] (Symantec Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\...\Run: [swg] => C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [68856 2007-12-07] (Google Inc.)
HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\...0c966feabec1\InprocServer32: [Default-shell32] ATTENTION! ====> ZeroAccess?
Startup: C:\Users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DING!.lnk
ShortcutTarget: DING!.lnk -> C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
Startup: C:\Users\SBG\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:55879
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> {6C139C8F-63C4-4E72-90D4-853DB50F9858} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKLM -> {B94A42AA-9562-45E9-A63D-CBC133CC3A2B} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM -> {ED6BFC8B-0C9B-4F2C-B4E7-304143DA65C5} URL = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7
SearchScopes: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000 -> {6C139C8F-63C4-4E72-90D4-853DB50F9858} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000 -> {B94A42AA-9562-45E9-A63D-CBC133CC3A2B} URL = 
SearchScopes: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000 -> {ED6BFC8B-0C9B-4F2C-B4E7-304143DA65C5} URL = http://search.live.com/results.aspx?q={searchTerms}&entrypoint={referrer:source?}&FORM=HVDUS7
BHO: SnagIt Toolbar Loader -> {00C6482D-C502-44C8-8409-FCE54AD9C208} -> C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll (TechSmith Corporation)
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM - SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll (TechSmith Corporation)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000 -> &Links - {F2CF5485-4E02-4F68-819C-B92DE9277049} - C:\Windows\system32\ieframe.dll (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000 -> No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} http://video.vividas.com/media/4190_Auskick/web/player/vivid_ocx.jpeg
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @Google.com/GoogleEarthPlugin -> C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @movenetworks.com/Quantum Media Player -> C:\Users\Matthew\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks)
FF Plugin: @pack.google.com/Google Updater;version=14 -> C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 -> C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @veetle.com/vbp;version=0.9.17 -> C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF Plugin: @veetle.com/veetleCorePlugin,version=0.9.18 -> C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF Plugin: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF Plugin: @videolan.org/vlc,version=2.0.7 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2019752364-3093643521-3082652746-1000: @movenetworks.com/Quantum Media Player -> C:\Users\Matthew\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-07-04]
FF HKLM\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.1.7\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.1.7\coFFPlgn [2014-11-16]
FF HKLM\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.1.7\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.1.1.7\IPSFF [2014-03-12]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-24]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [61440 2007-06-05] (Hewlett-Packard) [File not signed]
S3 hpqcxs08; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqcxs08.dll [225280 2007-03-13] (Hewlett-Packard Co.) [File not signed]
S2 hpqddsvc; C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqddsvc.dll [131072 2007-03-13] (Hewlett-Packard Co.) [File not signed]
S2 IAANTMON; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [81920 2006-09-29] (Intel Corporation) [File not signed]
S3 IDriverT; c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
S2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [43520 2006-11-08] (Hewlett-Packard) [File not signed]
S2 NIS; C:\Program Files\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
S2 NOBU; C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe [2057560 2010-06-08] (Symantec Corporation)
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53248 2006-11-08] (Hewlett-Packard) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\BASHDefs\20141107.001\BHDrvx86.sys [1138392 2014-10-03] (Symantec Corporation)
S1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1506000.020\ccSetx86.sys [127064 2013-09-25] (Symantec Corporation)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-09-09] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-09-09] (Symantec Corporation)
S3 FTDIBUS; C:\Windows\System32\drivers\ftdibus.sys [62216 2012-04-13] (FTDI Ltd.)
S3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [391168 2009-03-19] (Hauppauge Computer Works, Inc)
S1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\IPSDefs\20141114.002\IDSvix86.sys [479448 2014-11-17] (Symantec Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-11-18] (Malwarebytes Corporation)
S3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\VirusDefs\20141117.001\NAVENG.SYS [95704 2014-11-09] (Symantec Corporation)
S3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\VirusDefs\20141117.001\NAVEX15.SYS [1636696 2014-11-09] (Symantec Corporation)
S3 SRTSP; C:\Windows\System32\Drivers\NIS\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
S1 SRTSPX; C:\Windows\system32\drivers\NIS\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NIS\1506000.020\SYMDS.SYS [367704 2013-09-09] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1506000.020\SYMEFA.SYS [936152 2014-03-03] (Symantec Corporation)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-03-08] (Symantec Corporation)
S1 SymIRON; C:\Windows\system32\drivers\NIS\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
S1 SYMTDIv; C:\Windows\System32\Drivers\NIS\1506000.020\SYMTDIV.SYS [384728 2014-02-17] (Symantec Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S4 InCDFs; system32\drivers\InCDFs.sys [X]
S1 InCDPass; system32\drivers\InCDPass.sys [X]
S1 InCDRm; system32\drivers\InCDRm.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SYMFW; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMFW.SYS [X]
S3 SYMNDISV; \SystemRoot\System32\Drivers\NIS\1008000.029\SYMNDISV.SYS [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-18 21:23 - 2014-11-18 21:24 - 00016551 _____ () C:\Users\Matthew\Downloads\FRST.txt
2014-11-18 21:23 - 2014-11-18 21:23 - 00000000 ____D () C:\FRST
2014-11-18 21:20 - 2014-11-18 21:21 - 01108992 _____ (Farbar) C:\Users\Matthew\Downloads\FRST.exe
2014-11-15 00:36 - 2014-11-15 00:38 - 14678104 _____ () C:\Users\Matthew\Desktop\RogueKiller.exe
2014-11-15 00:23 - 2014-11-15 00:23 - 02140160 _____ () C:\Users\Matthew\Desktop\AdwCleaner.exe
2014-11-14 18:01 - 2014-11-14 18:01 - 04184008 _____ (Kaspersky Lab ZAO) C:\Users\Matthew\Desktop\tdsskiller.exe
2014-11-14 16:43 - 2014-11-14 16:43 - 00000000 ____D () C:\NPE
2014-11-14 16:39 - 2014-11-14 17:58 - 00000000 ____D () C:\Users\Matthew\AppData\Local\NPE
2014-11-12 03:30 - 2014-10-09 20:01 - 00449536 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 03:30 - 2014-10-09 20:00 - 01259008 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 03:30 - 2014-10-09 20:00 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 03:30 - 2014-10-09 18:22 - 00619520 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 03:29 - 2014-08-26 19:55 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-12 03:29 - 2014-08-26 19:55 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-12 03:28 - 2014-09-18 19:50 - 00278528 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-12 03:27 - 2014-10-23 20:04 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-12 03:25 - 2014-08-11 21:25 - 00729600 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-12 03:21 - 2014-10-17 20:08 - 00564224 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-12 03:21 - 2014-10-02 20:18 - 00274432 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-12 03:21 - 2014-10-02 20:17 - 00396800 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-12 03:21 - 2014-10-02 20:17 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-12 03:21 - 2014-10-02 20:17 - 00170496 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-12 03:01 - 2014-10-12 18:34 - 02054656 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-12 01:24 - 2014-10-27 14:10 - 12366848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-12 01:24 - 2014-10-27 14:05 - 01810944 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-12 01:24 - 2014-10-27 14:02 - 09739776 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-12 01:24 - 2014-10-27 13:59 - 01139712 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-12 01:24 - 2014-10-27 13:59 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-12 01:24 - 2014-10-27 13:58 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-12 01:24 - 2014-10-27 13:57 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-11-12 01:24 - 2014-10-27 13:57 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-12 01:24 - 2014-10-27 13:56 - 01802752 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-12 01:24 - 2014-10-27 13:56 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-12 01:24 - 2014-10-27 13:56 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-12 01:24 - 2014-10-27 13:56 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-12 01:24 - 2014-10-27 13:56 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-12 01:24 - 2014-10-27 13:55 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-12 01:24 - 2014-10-27 13:55 - 00353792 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-12 01:24 - 2014-10-27 13:55 - 00223232 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-12 01:24 - 2014-10-27 13:55 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-12 01:24 - 2014-10-27 13:55 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\msfeedsbs.dll
2014-11-12 01:24 - 2014-10-27 13:55 - 00011776 _____ (Microsoft Corporation) C:\Windows\system32\mshta.exe
2014-11-12 01:24 - 2014-10-27 13:55 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msfeedssync.exe
2014-11-12 01:24 - 2014-10-27 13:54 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-23 19:54 - 2014-10-23 19:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-10-23 19:53 - 2014-10-23 19:54 - 00000000 ____D () C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-23 19:53 - 2014-10-23 19:53 - 00000000 ____D () C:\Program Files\iPod

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-18 21:22 - 2013-04-11 22:21 - 00000000 ____D () C:\Users\Matthew\Desktop\Malware Removal
2014-11-18 20:58 - 2014-05-29 12:15 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-17 23:21 - 2006-11-02 08:01 - 00032590 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-17 23:21 - 2006-11-02 08:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-17 23:21 - 2006-11-02 07:52 - 01446245 _____ () C:\Windows\WindowsUpdate.log
2014-11-17 23:21 - 2006-11-02 07:47 - 00003696 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-17 23:21 - 2006-11-02 07:47 - 00003696 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-17 22:45 - 2012-04-05 20:12 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-17 22:33 - 2009-12-21 08:20 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-17 15:33 - 2009-12-21 08:20 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-17 12:46 - 2009-03-24 11:47 - 00000868 _____ () C:\Windows\Tasks\Google Software Updater.job
2014-11-14 18:44 - 2014-02-04 13:12 - 00002439 _____ () C:\Users\Matthew\Desktop\A9.txt
2014-11-14 16:40 - 2009-05-15 03:58 - 00000000 ____D () C:\ProgramData\Norton
2014-11-14 11:24 - 2012-02-12 00:06 - 00000000 ____D () C:\Users\Matthew\AppData\Roaming\88CA8
2014-11-13 15:56 - 2010-12-31 14:23 - 00128031 _____ () C:\Users\Matthew\Documents\Weight Log.xlsx
2014-11-12 05:43 - 2006-11-02 06:18 - 00000000 ____D () C:\Windows\rescache
2014-11-12 03:56 - 2006-11-02 06:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-12 03:51 - 2006-11-02 07:47 - 00437104 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 03:29 - 2007-06-04 16:48 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-11-12 03:18 - 2013-07-25 23:48 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-12 03:02 - 2006-11-02 05:24 - 100445232 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-11-11 23:48 - 2012-04-05 20:12 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-11 23:48 - 2011-05-15 20:15 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-11-11 20:31 - 2011-01-01 13:32 - 00000000 ____D () C:\Users\Matthew\AppData\Local\CrashDumps
2014-11-09 11:35 - 2006-11-02 05:33 - 00763546 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-04 04:37 - 2006-11-02 07:37 - 00000000 ____D () C:\Program Files\Windows Sidebar
2014-10-28 05:35 - 2010-06-30 16:30 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-24 00:36 - 2007-06-04 17:04 - 00881194 _____ () C:\Windows\PFRO.log
2014-10-24 00:10 - 2014-05-29 12:15 - 00000901 _____ () C:\Users\Public\Desktop\MalwarebyteAntiMalware.lnk
2014-10-24 00:10 - 2014-05-29 12:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-24 00:10 - 2014-05-29 12:15 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-23 19:54 - 2012-09-26 00:37 - 00001666 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-10-23 19:54 - 2009-12-12 21:56 - 00000000 ____D () C:\Program Files\iTunes
2014-10-23 19:53 - 2007-06-30 14:03 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-10-23 19:52 - 2014-09-12 15:27 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1

Some content of TEMP:
====================
C:\Users\SBG\AppData\Local\Temp\2zfco0-p.dll
C:\Users\SBG\AppData\Local\Temp\4is5zka9.dll
C:\Users\SBG\AppData\Local\Temp\8qruvoxn.dll
C:\Users\SBG\AppData\Local\Temp\apxmr9ov.dll
C:\Users\SBG\AppData\Local\Temp\e3rquukj.dll
C:\Users\SBG\AppData\Local\Temp\ecfnrfsu.dll
C:\Users\SBG\AppData\Local\Temp\gwrxe-g3.dll
C:\Users\SBG\AppData\Local\Temp\i2r7c1tx.dll
C:\Users\SBG\AppData\Local\Temp\k6j_4sgl.dll
C:\Users\SBG\AppData\Local\Temp\nf1da_gp.dll
C:\Users\SBG\AppData\Local\Temp\o9hphkmd.dll
C:\Users\SBG\AppData\Local\Temp\pakkkbt8.dll
C:\Users\SBG\AppData\Local\Temp\pnarnb7e.dll
C:\Users\SBG\AppData\Local\Temp\po5bieub.dll
C:\Users\SBG\AppData\Local\Temp\qr6nijrr.dll
C:\Users\SBG\AppData\Local\Temp\u4rvfnkt.dll
C:\Users\SBG\AppData\Local\Temp\u9vrkmob.dll
C:\Users\SBG\AppData\Local\Temp\vcopx39b.dll
C:\Users\SBG\AppData\Local\Temp\vebowwu5.dll
C:\Users\SBG\AppData\Local\Temp\wbl3c9ef.dll
C:\Users\SBG\AppData\Local\Temp\yudw1vse.dll
C:\Users\SBG\AppData\Local\Temp\zskbhf4c.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-18 21:10

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 17-11-2014
Ran by Matthew at 2014-11-18 21:24:24
Running from C:\Users\Matthew\Downloads
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Internet Security (Enabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
AS: Norton Internet Security (Enabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 1.0.0 - Hewlett-Packard) Hidden
888casino (HKLM\...\888casino) (Version: - )
Activation Assistant for the 2007 Microsoft Office suites (HKLM\...\Activation Assistant for the 2007 Microsoft Office suites) (Version: - Microsoft Corporation)
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0 - Microsoft Corporation) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.3.633 - Adobe Systems, Inc.)
Adobe® Photoshop® Album Starter Edition 3.2 (HKLM\...\Adobe® Photoshop® Album Starter Edition 3.2) (Version: 3.2.0 - http://www.adobe.com)
AIO_CDB_ProductContext (Version: 82.0.242.000 - Hewlett-Packard) Hidden
AIO_CDB_Software (Version: 82.0.242.000 - Hewlett-Packard) Hidden
AIO_Scan (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AutoUpdate (HKLM\...\{18D10072035C4515918F7E37EAFAACFC}) (Version: 1.0 - )
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
BufferChm (Version: 82.0.173.000 - Hewlett-Packard) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 4.00 - Piriform)
Copy (Version: 82.0.188.000 - Hewlett-Packard) Hidden
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Destinations (Version: 82.0.173.000 - Hewlett-Packard) Hidden
DeviceManagementQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DING! (HKLM\...\{84031A18-BA9A-4156-A74F-E05B52DDFCE2}) (Version: 1.05.005 - Southwest Airlines)
DivX (HKLM\...\{7B63B2922B174135AFC0E1377DD81EC2}) (Version: 5.2.1 - DivXNetworks, Inc.)
DocProc (Version: 8.1.0.0 - Hewlett-Packard) Hidden
DocProcQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Enhanced Multimedia Keyboard Solution (HKLM\...\KBD) (Version: - Hewlett-Packard)
eSupportQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
F300 (Version: 82.0.242.000 - Hewlett-Packard) Hidden
F300_Help (Version: 82.0.242.000 - Hewlett-Packard) Hidden
F300Trb (Version: 82.0.242.000 - Hewlett-Packard) Hidden
Fax (Version: 82.0.188.000 - Hewlett-Packard) Hidden
ffdshow [rev 1288] [2007-06-15] (HKLM\...\ffdshow_is1) (Version: 1.0 - )
Gmail POP Troubleshooter (HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\...\GmailPopTroubleshooter) (Version: 0.1 - Google)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Updater (HKLM\...\Google Updater) (Version: 2.4.2432.1652 - Google Inc.)
Hardware Diagnostic Tools (HKLM\...\PC-Doctor 5 for Windows) (Version: 5.00.4424.15 - PC-Doctor, Inc.)
Hewlett-Packard ACLM.NET v1.1.0.0 (Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Advisor (HKLM\...\{73A43E42-3658-4DD9-8551-FACDA3632538}) (Version: 3.1.9152.3107 - Hewlett-Packard)
HP Connections (remove only) (HKLM\...\HPOOVClient-6811507 Uninstaller) (Version: - )
HP Customer Experience Enhancements (HKLM\...\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}) (Version: 1.00.0000 - Hewlett-Packard)
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP Easy Setup - Core (HKLM\...\{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}) (Version: 1.00.0000 - Hewlett-Packard)
HP Easy Setup - Frontend (HKLM\...\{40F7AED3-0C7D-4582-99F6-484A515C73F2}) (Version: 5.00.0000 - Hewlett-Packard)
HP Imaging Device Functions 8.0 (HKLM\...\HP Imaging Device Functions) (Version: 8.0 - HP)
HP OCR Software 8.0 (HKLM\...\HPOCR) (Version: 8.0 - HP)
HP On-Screen Cap/Num/Scroll Lock Indicator (HKLM\...\OsdMaestro) (Version: - Hewlett-Packard)
HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP)
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B (HKLM\...\{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}) (Version: 8.0 - HP)
HP Product Detection (HKLM\...\{A436F67F-687E-4736-BD2B-537121A804CF}) (Version: 11.14.0001 - HP)
HP Solution Center 8.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 8.0 - HP)
HPProductAssistant (Version: 82.0.173.000 - Hewlett-Packard) Hidden
HPSSupply (Version: 100.0.172.000 - Hewlett-Packard) Hidden
iCloud (HKLM\...\{79BD66B2-4DAE-4C3B-B08E-DC72E507C163}) (Version: 2.1.3.25 - Apple Inc.)
ieSpell (HKLM\...\ieSpell) (Version: 2.5.1 (build 106) - Red Egg Software) Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version: - ) iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.) LightScribe 1.4.142.1 (Version: 1.4.142.1 - http://www.lightscribe.com) Hidden Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation) MarketResearch (Version: 82.0.174.000 - Hewlett-Packard) Hidden Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation) Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation) Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft) Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation) Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation) Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation) Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation) Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation) Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation) MobileMe Control Panel (HKLM\...\{926BD0E8-24A3-41D2-AF9B-340F1A37ED12}) (Version: 3.1.8.0 - Apple Inc.) 
Move Media Player (HKU\S-1-5-21-2019752364-3093643521-3082652746-1000\...\Move Media Player) (Version: - Move Networks) MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation) MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation) muvee autoProducer 5.0 (HKLM\...\{77CA976C-403C-47E2-940B-733ECAB6F62B}) (Version: 5.00.050 - muvee Technologies) My HP Games (HKLM\...\WildTangent hpdesktop Master Uninstall) (Version: HPCMPQ1601 - WildTangent) Nero 7 Ultra Edition (HKLM\...\{4781569D-5404-1F26-4B2B-6DF444441031}) (Version: 7.00.0177 - Nero AG) Norton Internet Security (HKLM\...\NIS) (Version: 21.6.0.32 - Symantec Corporation) Norton Online Backup (HKLM\...\{40A66DF6-22D3-44B5-A7D3-83B118A2C0DC}) (Version: 2.1.18320 - Symantec Corporation) NVIDIA 3D Vision Controller Driver 314.07 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 314.07 - NVIDIA Corporation) NVIDIA Graphics Driver 314.07 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 314.07 - NVIDIA Corporation) NVIDIA HD Audio Driver 1.3.23.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.23.1 - NVIDIA Corporation) NVIDIA PhysX System Software 9.12.0213 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.12.0213 - NVIDIA Corporation) NVIDIA Update 1.11.3 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.11.3 - NVIDIA Corporation) OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft 
Corporation) Hidden PetraPro (HKLM\...\{19101D18-3750-461A-A867-C4BCFA83AE79}) (Version: 0.1.9 - JAMAR) PokerStove version 1.21 (HKLM\...\{6D0C6BE4-F674-43D2-96BC-3509345108C9}_is1) (Version: - ) Python 2.4.3 (HKLM\...\{75E71ADD-042C-4F30-BFAC-A9EC42351313}) (Version: 2.4.3150 - Martin v. Löwis) QuickTime (HKLM\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.) Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5789 - Realtek Semiconductor Corp.) Revo Uninstaller 1.94 (HKLM\...\Revo Uninstaller) (Version: 1.94 - VS Revo Group) Rhapsody Player Engine (HKLM\...\{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}) (Version: 1.0.604 - RealNetworks) Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.4.0 - Roxio) Roxio Creator Basic v9 (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.4.0 - Roxio) Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.4.0 - Roxio) Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.4.0 - Roxio) Roxio Creator EasyArchive (HKLM\...\{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}) (Version: 3.4.0 - Roxio) Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.4.0 - Roxio) Roxio Express Labeler 3 (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 3.2.1 - Roxio) Roxio MyDVD Basic v9 (HKLM\...\{938B1CD7-7C60-491E-AA90-1F1888168240}) (Version: 9.0.559 - Roxio) Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 10.0 - HP) SnagIt 8 (HKLM\...\{DA0BF7AB-88EB-4675-8FA1-531EAD938821}) (Version: 8.2.3 - TechSmith Corporation) SolutionCenter (Version: 82.0.188.000 - Hewlett-Packard) Hidden SopCast 3.0.3 (HKLM\...\SopCast) (Version: 3.0.3 - SopCast.com) Spelling Dictionaries Support For Adobe Reader 8 (HKLM\...\{AC76BA86-7AD7-5464-3428-800000000003}) (Version: 8.0.0 - Adobe Systems) Status (Version: 
82.0.173.000 - Hewlett-Packard) Hidden swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden Toolbox (Version: 82.0.173.000 - Hewlett-Packard) Hidden TrayApp (Version: 82.0.188.000 - Hewlett-Packard) Hidden TVAnts 1.0 (HKLM\...\TVAnts 1.0) (Version: - ) UnloadSupport (Version: 1.00.0000 - Hewlett-Packard) Hidden Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft) Veetle TV 0.9.18 (HKLM\...\Veetle TV) (Version: 0.9.18 - Veetle, Inc) VLC media player 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN) VoiceOver Kit (HKLM\...\{6B4AD1A9-E73A-4184-9D6B-072F8A3C5EBA}) (Version: 1.42.128.0 - Apple Inc.) WebReg (Version: 82.0.173.000 - Hewlett-Packard) Hidden Winamp (remove only) (HKLM\...\Winamp) (Version: - ) ==================== Custom CLSID (selected items): ========================== (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.) 
CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{047466F1-82AE-455A-AFC4-D3AC463FBF6B}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{0BBFE402-CCA1-4f64-9322-13B66D841049}\InprocServer32 -> C:\Users\Matthew\AppData\Local\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{25D005BF-FE63-4cce-AA25-CE952B1D9381}\InprocServer32 -> C:\Users\Matthew\AppData\Local\TechSmith\SnagIt\Accessories\{638B203F-8FB6-49ec-A139-AB8C530F0CAB}\MSPowerPoint.dll (TechSmith Corporation) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{54050FBB-F2AE-404b-8BFD-7EE3EC784A52}\InprocServer32 -> C:\Users\Matthew\AppData\Local\TechSmith\SnagIt\Accessories\{18AA4E21-D540-4a3a-9F9F-E6DE33D6F253}\MSExcel.dll (TechSmith Corporation) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{6B1948B3-9547-42F8-9B37-7AA9768134C4}\InprocServer32 -> C:\Users\Matthew\AppData\Local\TechSmith\SnagIt\Accessories\{23102CBF-AC8D-4424-9364-A79738894850}\MSWord.dll (TechSmith Corporation) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\InprocServer32 -> C:\Windows\system32\urlmon.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{DF2FCE13-25EC-45BB-9D4C-CECD47C2430C}\InprocServer32 -> C:\Windows\system32\urlmon.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{e3e02f12-2adb-478c-8742-5f0819f9f0f4}\InprocServer32 -> C:\Users\Matthew\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks) CustomCLSID: 
HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{e473a65c-8087-49a3-affd-c5bc4a10669b}\InprocServer32 -> C:\Users\Matthew\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{fc345d4c-b8f4-4674-bff7-3c37d2e535ee}\InprocServer32 -> C:\Users\Matthew\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks) CustomCLSID: HKU\S-1-5-21-2019752364-3093643521-3082652746-1000_Classes\CLSID\{fd6484ed-ebe3-4c3d-938a-8238003b41b7}\InprocServer32 -> C:\Users\Matthew\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks) ==================== Restore Points ========================= 04-11-2014 10:20:50 Scheduled Checkpoint 05-11-2014 05:28:31 Scheduled Checkpoint 06-11-2014 13:30:13 Scheduled Checkpoint 07-11-2014 21:29:38 Windows Update 09-11-2014 07:14:23 Scheduled Checkpoint 09-11-2014 23:37:31 Scheduled Checkpoint 11-11-2014 06:41:41 Windows Update 12-11-2014 06:59:47 Scheduled Checkpoint 12-11-2014 08:00:54 Windows Update 12-11-2014 21:24:27 Scheduled Checkpoint 15-11-2014 00:25:16 Scheduled Checkpoint 15-11-2014 14:10:45 Scheduled Checkpoint 16-11-2014 07:28:07 Scheduled Checkpoint 17-11-2014 05:35:18 Scheduled Checkpoint ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2006-11-02 05:23 - 2006-09-18 16:41 - 00000761 ____N C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 localhost ::1 localhost ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) 
Task: {01D74EF9-1233-44A8-B9FA-350572AF421C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-11] (Adobe Systems Incorporated) Task: {0E92BECB-CE61-4B8B-8D68-C8F1CC6A80DE} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation) Task: {3577A9EB-FC5D-4AAE-AD8E-30ABEE532C45} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-21] (Google Inc.) Task: {406F5410-D677-41F5-99A6-02AD3E3B7F83} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.) Task: {6742D1CA-BD4D-47FF-A8E3-CAA48842180C} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-03-25] (Piriform Ltd) Task: {745D9D36-19A4-4EDC-B334-6BAF428CA9A7} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe [2014-09-21] (Symantec Corporation) Task: {CE269559-7D8A-46F6-BDC3-29D71C61D9A6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-21] (Google Inc.) 
Task: {CFAB208F-1FC6-467F-B489-050AA4EAD6BB} - System32\Tasks\HP Health Check => c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2007-06-05] (Hewlett-Packard) Task: {D3A26D09-744A-4A2A-A087-F8865BA2EF11} - System32\Tasks\Microsoft\Windows\RestartManager\{10430237-BCF2-44c7-A022-05EABF98A9D4} => C:\Windows\system32\rmclient.exe [2006-11-02] (Microsoft Corporation) Task: {E01940DB-0D71-468E-A5BF-A9E36FBD209D} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation) Task: {FE913AB0-F287-4550-9393-8878F68AD843} - System32\Tasks\Google Software Updater => C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2012-08-15] (Google) (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\Google Software Updater.job => C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe ==================== Loaded Modules (whitelisted) ============= ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMSwissArmy => ""="Driver" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SMR430 => ""="Service" HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2" ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk => C:\Windows\pss\HP Connections.lnk.CommonStartup MSCONFIG\startupfolder: C:^Users^Matthew^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" MSCONFIG\startupreg: Adobe Photo Downloader => "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" MSCONFIG\startupreg: AppleSyncNotifier => C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe" MSCONFIG\startupreg: ehTray.exe => C:\Windows\ehome\ehTray.exe MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" MSCONFIG\startupreg: HP Health Check Scheduler => c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe MSCONFIG\startupreg: IAAnotif => "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" MSCONFIG\startupreg: MobileDocuments => C:\Program Files\Common Files\Apple\Internet 
Services\ubd.exe MSCONFIG\startupreg: NeroFilterCheck => C:\Windows\system32\NeroCheck.exe MSCONFIG\startupreg: OsdMaestro => "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime MSCONFIG\startupreg: RtHDVCpl => RtHDVCpl.exe MSCONFIG\startupreg: WMPNSCFG => C:\Program Files\Windows Media Player\WMPNSCFG.exe ========================= Accounts: ========================== Administrator (S-1-5-21-2019752364-3093643521-3082652746-500 - Administrator - Disabled) Guest (S-1-5-21-2019752364-3093643521-3082652746-501 - Limited - Enabled) => C:\Users\Guest Marc (S-1-5-21-2019752364-3093643521-3082652746-1001 - Limited - Enabled) => C:\Users\Marc Matthew (S-1-5-21-2019752364-3093643521-3082652746-1000 - Administrator - Enabled) => C:\Users\Matthew SBG (S-1-5-21-2019752364-3093643521-3082652746-1002 - Limited - Enabled) => C:\Users\SBG UpdatusUser (S-1-5-21-2019752364-3093643521-3082652746-1004 - Limited - Enabled) => C:\Users\UpdatusUser ==================== Faulty Device Manager Devices ============= ==================== Event log errors: ========================= Application errors: ================== Error: (11/18/2014 08:55:19 PM) (Source: EventSystem) (EventID: 4609) (User: ) Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c Error: (11/16/2014 01:12:20 PM) (Source: Application Hang) (EventID: 1002) (User: ) Description: The program HPAdvisor.exe version 3.1.9152.3107 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. 
Process ID: f4c Start Time: 01d001c87210d895 Termination Time: 55 Error: (11/15/2014 07:42:30 AM) (Source: SideBySide) (EventID: 33) (User: ) Description: Activation context generation failed for "Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.4148"1". Dependent Assembly Microsoft.VC90.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.30729.4148" could not be found. Please use sxstrace.exe for detailed diagnosis. Error: (11/14/2014 01:44:42 PM) (Source: PerfNet) (EventID: 2004) (User: ) Description: Error: (11/14/2014 01:38:42 PM) (Source: PerfNet) (EventID: 2004) (User: ) Description: Error: (11/14/2014 01:36:40 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: WmiApRplC:\Windows\system32\wbem\wmiaprpl.dll4 Error: (11/14/2014 01:36:40 PM) (Source: Perflib) (EventID: 1010) (User: ) Description: SpoolerC:\Windows\system32\winspool.drv4 Error: (11/14/2014 01:36:40 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4 Error: (11/14/2014 01:36:39 PM) (Source: PerfNet) (EventID: 2004) (User: ) Description: Error: (11/14/2014 01:36:39 PM) (Source: Perflib) (EventID: 1010) (User: ) Description: EmdCacheC:\Windows\system32\emdmgmt.dll4 System errors: ============= Error: (11/18/2014 08:58:48 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030} Error: (11/18/2014 08:57:16 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} Error: (11/18/2014 08:55:59 PM) (Source: Service Control Manager) (EventID: 7026) (User: ) Description: BHDrvx86 ccSet_NIS eeCtrl IDSVix86 InCDPass InCDRm spldr SRTSPX SymIRON SYMTDIv Wanarpv6 Error: (11/18/2014 08:55:59 PM) (Source: Service Control Manager) (EventID: 7001) (User: ) Description: Computer BrowserServer%%1068 Error: (11/18/2014 08:55:21 PM) (Source: DCOM) (EventID: 
10005) (User: ) Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF} Error: (11/18/2014 08:55:19 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF} Error: (11/18/2014 08:55:06 PM) (Source: DCOM) (EventID: 10005) (User: ) Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC} Error: (11/16/2014 01:12:52 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: NVIDIA Update Service Daemon%%1069 Error: (11/16/2014 01:12:52 PM) (Source: Service Control Manager) (EventID: 7038) (User: ) Description: nvUpdatusService.\UpdatusUser%%1330 Error: (11/16/2014 01:10:21 PM) (Source: Service Control Manager) (EventID: 7026) (User: ) Description: InCDPass InCDRm Microsoft Office Sessions: ========================= Error: (10/08/2014 00:05:49 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 19177 seconds with 2160 seconds of active time. This session ended with a crash. Error: (10/07/2014 06:46:08 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 195 seconds with 0 seconds of active time. This session ended with a crash. Error: (10/07/2014 06:45:51 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 178 seconds with 0 seconds of active time. This session ended with a crash. 
Error: (08/20/2014 09:13:05 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 22 seconds with 0 seconds of active time. This session ended with a crash. Error: (08/20/2014 09:09:30 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 32 seconds with 0 seconds of active time. This session ended with a crash. Error: (08/20/2014 09:08:47 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 40 seconds with 0 seconds of active time. This session ended with a crash. Error: (08/20/2014 09:07:52 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 25 seconds with 0 seconds of active time. This session ended with a crash. Error: (08/20/2014 09:07:10 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 7 seconds with 0 seconds of active time. This session ended with a crash. Error: (08/20/2014 09:06:47 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 6 seconds with 0 seconds of active time. This session ended with a crash. 
Error: (08/20/2014 09:05:28 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 15771 seconds with 840 seconds of active time. This session ended with a crash. CodeIntegrity Errors: =================================== Date: 2014-11-18 21:24:00.730 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:24:00.418 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:24:00.137 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:23:59.841 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\SYMEVENT.SYS because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:23:43.882 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\BASHDefs\20141107.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system. 
Date: 2014-11-18 21:23:43.585 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\BASHDefs\20141107.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:23:43.289 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\BASHDefs\20141107.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:23:42.977 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Norton Internet Security\NortonData\21.1.1.7\Definitions\BASHDefs\20141107.001\BHDrvx86.sys because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:05:17.630 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system. Date: 2014-11-18 21:05:17.270 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system. 
==================== Memory info =========================== Processor: Intel® Core2 CPU 6420 @ 2.13GHz Percentage of memory in use: 50% Total physical RAM: 2045.77 MB Available physical RAM: 1017.38 MB Total Pagefile: 4340.56 MB Available Pagefile: 3522.75 MB Total Virtual: 2047.88 MB Available Virtual: 1921.1 MB ==================== Drives ================================ Drive c: (HP) (Fixed) (Total:290.32 GB) (Free:33.46 GB) NTFS ==>[Drive with boot components (obtained from BCD)] Drive d: (Recovery) (Fixed) (Total:7.77 GB) (Free:0.88 GB) NTFS ==>[system with boot components (obtained from reading drive)] ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (Size: 298.1 GB) (Disk ID: 1549F232) Partition 1: (Active) - (Size=290.3 GB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=7.8 GB) - (Type=07 NTFS) ==================== End Of Log ============================
  6. Sometime last week Norton alerted me to a blocked attack. The next day or two I got a pop-up from "Windows Firewall" or something telling me my computer was infected and to call some number to fix it. Obv that seemed like a phishing scam so I looked it up and it was. I then figured my computer was infected somehow so ran multiple MBAM and Norton full scans over the next few days but they found nothing. Didn't really have any problems and no other pop-ups so figured it might have been just one time and fine. Then a day or two ago - about a week after the blocked attack and pop-up attack - MBAM found 2 Trojan files - FakeMS.ED. It quarantined and deleted them. I had this happen in the past and found that even after this there were still files on my computer causing trouble. I rebooted in safe mode and did a full MBAM scan - nothing found. I ran MS MRT and it found some backdoor agent or file which I assume it fixed/deleted. Did a full Norton scan and it found nothing. Clicked on the option for if I thought there were still risks and it ran Norton Power Eraser which also found nothing. Just curious if I am totally clean now or if there are still things I need to clean up? I downloaded TDSSKiller, RogueKiller, and AdwCleaner but have not run them yet. I was guided through using some of them in the past and I just want to make sure that I am using them correctly and do not delete or change things that are not malicious and possibly essential. I don't want to screw things up and I know these programs are not so user friendly and idiot proof. Also, for some reason I can't download FRST. Norton blocks it every time. Says it is unsafe or something. The error it gives is "Suspicious.Cloud7.EP" and tells me to run NPE again. Not sure if this is just an error or if it is somehow related to other issues. The links I used are straight from this forum. No problems downloading any of TDSSKiller, RogueKiller, or AdwCleaner. Thanks.
  7. OK, sounds good. Hopefully that is it. Haven't had any problems since the start of the month so hopefully it's all good and I just need to avoid clicking any dodgy ads or going to sketchy sites. Thanks so much for your time and effort. This was relatively straightforward and I'm sure you've done it a ton of times. Sorry I was hit or miss with the replies, probably could have been resolved in a couple of days.
  8. OK, Thanks. Ran OTC. It restarted computer. Still left SecurityCheck, AdwCleaner, and HiJackThis programs on my desktop. Should I manually delete? Or leave them (move them to a new folder/directory so not on desktop)? Not on the list of things to keep - Revo, CCleaner, and MB. Thanks
  9. OK, Re-enabled my drivers using DeFogger. Didn't ask me to restart. I restarted manually. Tried to uninstall ComboFix. Got an error. Windows said it couldn't find it. What now? It's saved on my desktop as ComboFix.exe. I put in "ComboFix /Uninstall" in the run prompt. Got the error.
  10. OK. If you say so. I guess it's part of an Ask Toolbar? When it gets flagged as Malware and then won't delete on command I start to get a bit concerned. I'd rather it just be gone. But I haven't noticed anything strange with the computer since Sat or anything. Just want to be safe in that any personal info I enter isn't getting re-routed.
  11. OK, copied and saved the delfile.bat. Ran it. Deleted everything but the APNIC.dll is still there in Program Data. I restarted and it was still there. I can't even locate the "All Users" file under C:\Users. Not sure how to get to that directory and check to see if APNIC.dll is still there. In any case, the whole "APN" directory in those locations was created on Sat afternoon. So I assume that came in with the downloads? Can I just delete the whole directory? The other files in there are "APNIC.7z" and "SetUp.ini". Should I use a "regsvr32 /u" command to unregister it? Then manually delete it? Not sure why it didn't delete with your command prompts?
  12. Sorry, I ran RogueKiller on March 26, it was the version from March 18. Point still stands. Did I do something wrong in the setup/running? Should those files have been deleted?
  13. The 2 files I was surprised to see were the 2 Trojan files - epbrsu.dll and mtofqpws.dll. I was pretty sure the 1st one was responsible for the google redirects since I looked it up when it was found by RogueKiller. Both those files are from March 15, so were obviously the original problem. I knew to look them up because they were found by RogueKiller. I thought they were deleted because the problems went away and I thought that is what RogueKiller did. And yet, there they are still in a file. I have a folder on my desktop called "RK_Quarantine" and they are in there. Did RK just quarantine them and not totally delete them? Do I need to do it manually? Just confused on how they are still there but I haven't had problems since I ran RK all the way back on March 18. Just want to get this stuff all cleaned up. Thanks for the help.
  14. My father is one of the users on the computer. Apparently, he didn't get the memo that the fix wasn't complete and not to download any programs. I guess he thought because the google redirects stopped everything was back to normal. On Sat he decided he wanted to get a flight simulator to play. He also must have missed the memo that free download games and programs are loaded with extra crap you probably don't want. He says he unchecked everything but apparently didn't read the fine print or stay diligent enough to what was happening. I "caught" him in the act and managed to stop the download of the program. But some of the add-on stuff had already downloaded. Some of it was harmless (Yahoo toolbar), some of it was OK I think (7zip utility) and some of it was pure crap - SweetIM got in there. I uninstalled all of those 3 (yahoo, 7zip, and SweetIM) using just the normal Windows add/remove programs because I was going from his login and didn't want to mess around too much. I logged back onto my account and ran Revo as an admin and there was nothing to uninstall that was installed any later than my Adobe update from last week. That was the latest program listed in Revo and Windows Add/Remove. I looked up SweetIM thinking it was probably crap and making sure I got rid of it. Followed instructions and thought I got it all. IE, despite being a pretty crap browser in general compared to others (not sure why I still use it - fear of change? I don't know), had the advantage of being easier, it seemed, to wipe SweetIM out of. Didn't have to reset much. When I opened my browser it gave me an "install SweetIM" thing and I declined it so not sure it ever fully engaged. I reset the home pages manually and went into "Tools >Manage Add-ons" and went thru to make sure there were no signs of SweetIM in any of the menus or options there. There are no outward signs of it for any users on IE. Think that is all I needed to do to remove it.
But of those 7 files, the last 3 (at least, not sure about the 1st 2) are from the aborted downloads on Sat. I need to remove the SweetIM setup file from my temp files and the "InstallIQ" files came in with the 7zip program. I can delete those as well. Not sure about the 1st 2 listed - Bundled.Toolbar.Ask.B. They seem to be Malware that gets downloaded with the Ask Toolbar. Correct? The date on those files is also from Sat afternoon so I guess maybe they came in with the attempted downloads also? Sorry about all that. I know we were right near the finish and then another user kinda screwed things up.
  15. OK, Uninstalled most of the program startups listed. Kept a few I do use. Ran the ESET scan. Came up with 7 files! Yikes. Thought I might be going back to square one. But I looked thru the list and it just brought up some questions, and an explanation I was hoping to avoid because I thought I fixed it. Here is the ESET Scan log -
C:\ProgramData\APN\APN-Stub\W3IV6-G\APNIC.dll	Win32/Bundled.Toolbar.Ask.B application
C:\Users\All Users\APN\APN-Stub\W3IV6-G\APNIC.dll	Win32/Bundled.Toolbar.Ask.B application
C:\Users\Matthew\AppData\Local\Apple\Temp\epbrsu.dll	a variant of Win32/Boaxxe.AA trojan
C:\Users\Matthew\AppData\Local\Azureus\mtofqpws.dll	a variant of Win32/Boaxxe.P.Gen trojan
C:\Users\Matthew\AppData\Local\Temp\Shortcut_bundlesweetimsetup.exe	probably a variant of Win32/SweetIM.C application
C:\Users\SBG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\19W9NS1B\7zip_installer_d3715099.exe	probably a variant of Win32/InstallIQ application
C:\Users\SBG\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYTG0DDQ\7zip_installer_d3715101.exe	probably a variant of Win32/InstallIQ application
OK, first the explanation. Next post
  16. Sorry about that, again. Busy weekend. I'm on it now.
  17. Sorry about that. Managed to catch a virus (cold/flu) myself so went to bed early the last 2 nights. I realize there are still a few more steps needed to completely resolve any issues. Hope to get on them tonight. Will post results ASAP.
  18. MBAM log -
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.04.02.03
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Matthew :: GAROFALO-PC [administrator]
4/1/2013 10:54:22 PM
mbam-log-2013-04-01 (22-54-22).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 325349
Time elapsed: 11 minute(s), 3 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

HiJackThis report -
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:25:58 PM, on 4/1/2013
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16470)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Symantec\Norton Online Backup\NOBuClient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Norton Internet Security\Engine\20.3.0.36\ccSvcHst.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Matthew\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\20.3.0.36\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\20.3.0.36\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\20.3.0.36\coIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [Norton Online Backup] C:\Program Files\Symantec\Norton Online Backup\NOBuClient.exe
O4 - HKLM\..\Run: [Google Updater] "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -check_deprecation
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-21-2019752364-3093643521-3082652746-1004\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2019752364-3093643521-3082652746-1004\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-2019752364-3093643521-3082652746-1004\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe (User 'UpdatusUser')
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://video.vividas.com/media/4190_Auskick/web/player/vivid_ocx.jpeg
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\20.3.0.36\ccSvcHst.exe
O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files\Symantec\Norton Online Backup\NOBuAgent.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9380 bytes

Everything seems to be OK as far as I can tell. Adobe Reader installed OK, as did CCleaner, so I guess I fixed the Windows Installer problem. Haven't had any more Google redirects and none of the MB scans I have done have listed anything else found. I did have Google toolbar installed before. I uninstalled it when I started getting the redirects to see if that was the problem. Would like to reinstall it. Any known problems with it? Let me know if there are any other fixes or issues to take care of. Thanks.
  19. Uninstalled the programs listed with Revo. Think somewhere in the uninstall of the Java I got rid of my Windows Installer program/registry. Thought it was just part of Java but I think it was the one for all Windows stuff. So when I tried to reinstall Adobe Reader I kept getting errors. Gave up after a while cuz I had Holiday stuff to do on Sat/Sun. Just getting back to it now. Figured out why. Redownloaded Windows Installer from MS. Installing Adobe Reader now. So far so good. No errors yet. Should have logs up soon. If not I'll let you know what kind of errors I'm getting and why things aren't progressing. Thanks.
  20. Sorry, been busy. Will get to this tomorrow w the uninstalls/cleanup and the next few logs. Computer has been running fine for the little I've used it the last few days. No real noticeable problems.
  21. Yep. Worked. Rebooted and it came back after reboot as well. Can't really think of anything not working right now. Just a bit more cleanup or what is next step?
  22. When I followed that it said "WMI repository is consistent", so I guess that wasn't the problem. I did a google search for the exact WD error code (it's "0x800106ba") and came across this - http://social.technet.microsoft.com/Forums/en-US/itprovistaapps/thread/f5536f2d-aceb-41a5-beb6-92e5d3b2f73f/ Will try it with your permission. Don't think it will affect anything. Let me know and if you need me to rerun any logs.
  23. Had to do hard restart. No problems noticed. Windows booted without giving me any improper shutdown errors. Windows Defender still won't open, tho. Ran CFScript into ComboFix. Latest log -
ComboFix 13-03-26.01 - Matthew 03/27/2013 1:35.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.999 [GMT -4:00]
Running from: c:\users\Matthew\Desktop\ComboFix.exe
Command switches used :: c:\users\Matthew\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-27 to 2013-03-27 )))))))))))))))))))))))))))))))
.
.
2013-03-27 05:48 . 2013-03-27 05:48 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-03-27 05:48 . 2013-03-27 05:48 -------- d-----w- c:\users\SBG\AppData\Local\temp
2013-03-27 05:48 . 2013-03-27 05:48 -------- d-----w- c:\users\Marc\AppData\Local\temp
2013-03-27 05:48 . 2013-03-27 05:48 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-03-27 05:48 . 2013-03-27 05:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-26 18:08 . 2013-03-15 07:21 7108640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BF5DCCC1-5B1A-49F2-804B-5ACDF674C5F4}\mpengine.dll
2013-03-15 20:55 . 2013-03-16 21:02 -------- d-----w- c:\users\Matthew\AppData\Local\Azureus
2013-03-14 15:22 . 2012-12-19 05:41 28600 ----a-w- c:\windows\system32\nvhdap32.dll
2013-03-14 15:22 . 2012-12-19 05:41 154040 ----a-w- c:\windows\system32\drivers\nvhda32v.sys
2013-03-14 15:22 . 2013-02-10 03:20 8944416 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-03-14 15:22 . 2013-02-10 03:20 7964680 ----a-w- c:\windows\system32\nvcuda.dll
2013-03-14 15:22 . 2013-02-10 03:20 6267240 ----a-w- c:\windows\system32\nvopencl.dll
2013-03-14 15:22 . 2013-02-10 03:20 2726176 ----a-w- c:\windows\system32\nvcuvid.dll
2013-03-14 15:22 . 2013-02-10 03:20 20534560 ----a-w- c:\windows\system32\nvoglv32.dll
2013-03-14 15:22 . 2013-02-10 03:20 1990944 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-03-14 15:22 . 2013-02-10 03:20 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-03-14 15:22 . 2013-02-10 03:20 15038296 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-14 15:22 . 2013-02-10 03:20 12862400 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-03-14 14:09 . 2013-02-10 03:20 892704 ----a-w- c:\windows\system32\nvdispgenco3220162.dll
2013-03-14 14:09 . 2013-02-10 03:20 1012512 ----a-w- c:\windows\system32\nvdispco3220294.dll
2013-03-13 17:40 . 2013-03-13 18:51 -------- d-----w- c:\windows\system32\drivers\NIS\1403000.024
2013-03-13 17:29 . 2013-02-12 01:57 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 19:48 . 2012-04-06 01:12 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 19:48 . 2011-05-16 01:15 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-26 04:22 . 2011-11-02 03:01 1017120 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-26 04:22 . 2012-10-11 02:14 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-10 03:20 . 2012-11-18 19:07 2528840 ----a-w- c:\windows\system32\nvapi.dll
2013-02-10 00:35 . 2011-03-01 02:31 4115232 ----a-w- c:\windows\system32\nvcpl.dll
2013-02-10 00:35 . 2011-03-01 02:30 3010336 ----a-w- c:\windows\system32\nvsvc.dll
2013-02-10 00:35 . 2011-03-01 02:32 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-02-10 00:35 . 2011-11-02 03:04 62752 ----a-w- c:\windows\system32\nvshext.dll
2013-02-10 00:35 . 2011-03-01 02:32 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-18 14:20 . 2011-03-01 02:32 2557728 ----a-w- c:\windows\system32\nvsvcr.dll
2013-01-17 05:28 . 2010-06-30 21:30 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-05 05:26 . 2013-02-12 22:38 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-05 05:26 . 2013-02-12 22:38 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 11:28 . 2013-02-12 22:38 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-04 01:38 . 2013-02-12 22:41 2048512 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-08 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"Norton Online Backup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-08 968536]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-11-02 161336]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
c:\users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Matthew^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 16:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 05:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 18:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 22:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-06-05 13:12 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 19:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileDocuments]
2012-02-23 17:30 59240 ----a-w- c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 10:59 118784 ------w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 16:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 19:48]
.
2013-03-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-15 16:26]
.
2013-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 13:20]
.
2013-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 13:20]
.
2013-03-27 c:\windows\Tasks\WebReg Deskjet F300 series.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2006-12-11 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://espn.go.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - hxxp://video.vividas.com/media/4190_Auskick/web/player/vivid_ocx.jpeg
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-27 01:48
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.3.0.36\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.3.0.36\diMaster.dll\" /prefetch:1"
.
Completion time: 2013-03-27 01:51:19
ComboFix-quarantined-files.txt 2013-03-27 05:51
ComboFix2.txt 2013-03-27 03:24
.
Pre-Run: 52,208,828,416 bytes free
Post-Run: 52,353,908,736 bytes free
.
- - End Of File - - 2633A3F8EC508B56A6FCC3CA3989FBB9

Thanks for the help. Headed to bed for night. Will continue tomorrow.
  24. I tried to restart again to see if things improved and now it's frozen on me. It's been "shutting down" for about an hour. Should I let it go indefinitely or manually shut off and restart? I can just turn off power and reboot but not sure if it's in a sensitive state currently. It restarted quickly with no problems the 1st time I restarted after running ComboFix. Currently posting from my phone.
  25. Here is the ComboFix Log -

ComboFix 13-03-26.01 - Matthew 03/26/2013 23:09:11.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.945 [GMT -4:00]
Running from: c:\users\Matthew\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2013-02-27 to 2013-03-27 )))))))))))))))))))))))))))))))
.
.
2013-03-27 03:21 . 2013-03-27 03:21 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2013-03-27 03:21 . 2013-03-27 03:21 -------- d-----w- c:\users\SBG\AppData\Local\temp
2013-03-27 03:21 . 2013-03-27 03:21 -------- d-----w- c:\users\Marc\AppData\Local\temp
2013-03-27 03:21 . 2013-03-27 03:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-03-27 03:21 . 2013-03-27 03:21 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-03-26 18:08 . 2013-03-15 07:21 7108640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BF5DCCC1-5B1A-49F2-804B-5ACDF674C5F4}\mpengine.dll
2013-03-15 20:55 . 2013-03-16 21:02 -------- d-----w- c:\users\Matthew\AppData\Local\Azureus
2013-03-14 15:22 . 2012-12-19 05:41 28600 ----a-w- c:\windows\system32\nvhdap32.dll
2013-03-14 15:22 . 2012-12-19 05:41 154040 ----a-w- c:\windows\system32\drivers\nvhda32v.sys
2013-03-14 15:22 . 2013-02-10 03:20 8944416 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-03-14 15:22 . 2013-02-10 03:20 7964680 ----a-w- c:\windows\system32\nvcuda.dll
2013-03-14 15:22 . 2013-02-10 03:20 6267240 ----a-w- c:\windows\system32\nvopencl.dll
2013-03-14 15:22 . 2013-02-10 03:20 2726176 ----a-w- c:\windows\system32\nvcuvid.dll
2013-03-14 15:22 . 2013-02-10 03:20 20534560 ----a-w- c:\windows\system32\nvoglv32.dll
2013-03-14 15:22 . 2013-02-10 03:20 1990944 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-03-14 15:22 . 2013-02-10 03:20 17560352 ----a-w- c:\windows\system32\nvcompiler.dll
2013-03-14 15:22 . 2013-02-10 03:20 15038296 ----a-w- c:\windows\system32\nvd3dum.dll
2013-03-14 15:22 . 2013-02-10 03:20 12862400 ----a-w- c:\windows\system32\nvwgf2um.dll
2013-03-14 14:09 . 2013-02-10 03:20 892704 ----a-w- c:\windows\system32\nvdispgenco3220162.dll
2013-03-14 14:09 . 2013-02-10 03:20 1012512 ----a-w- c:\windows\system32\nvdispco3220294.dll
2013-03-13 17:40 . 2013-03-13 18:51 -------- d-----w- c:\windows\system32\drivers\NIS\1403000.024
2013-03-13 17:29 . 2013-02-12 01:57 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-12 19:48 . 2012-04-06 01:12 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-12 19:48 . 2011-05-16 01:15 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-26 04:22 . 2011-11-02 03:01 1017120 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-26 04:22 . 2012-10-11 02:14 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-10 03:20 . 2012-11-18 19:07 2528840 ----a-w- c:\windows\system32\nvapi.dll
2013-02-10 00:35 . 2011-03-01 02:31 4115232 ----a-w- c:\windows\system32\nvcpl.dll
2013-02-10 00:35 . 2011-03-01 02:30 3010336 ----a-w- c:\windows\system32\nvsvc.dll
2013-02-10 00:35 . 2011-03-01 02:32 634144 ----a-w- c:\windows\system32\nvvsvc.exe
2013-02-10 00:35 . 2011-11-02 03:04 62752 ----a-w- c:\windows\system32\nvshext.dll
2013-02-10 00:35 . 2011-03-01 02:32 223008 ----a-w- c:\windows\system32\nvmctray.dll
2013-01-18 14:20 . 2011-03-01 02:32 2557728 ----a-w- c:\windows\system32\nvsvcr.dll
2013-01-17 05:28 . 2010-06-30 21:30 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-05 05:26 . 2013-02-12 22:38 3550072 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-05 05:26 . 2013-02-12 22:38 3602808 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 11:28 . 2013-02-12 22:38 905576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2013-01-04 01:38 . 2013-02-12 22:41 2048512 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-08 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"Norton Online Backup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-08 968536]
"Google Updater"="c:\program files\Google\Google Updater\GoogleUpdater.exe" [2011-11-02 161336]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-01-28 59720]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-03 946352]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
c:\users\Marc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Connections.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Connections.lnk
backup=c:\windows\pss\HP Connections.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Matthew^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 16:09 63712 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2011-10-06 05:52 59240 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-01-28 18:08 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-26 22:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2007-06-05 13:12 71176 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2006-09-29 19:39 151552 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MobileDocuments]
2012-02-23 17:30 59240 ----a-w- c:\program files\Common Files\Apple\Internet Services\ubd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\System32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OsdMaestro]
2007-02-15 10:59 118784 ------w- c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 18:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 16:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-06 19:48]
.
2013-03-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-15 16:26]
.
2013-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 13:20]
.
2013-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-21 13:20]
.
2013-03-27 c:\windows\Tasks\WebReg Deskjet F300 series.job
- c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqwrg.exe [2006-12-11 01:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://espn.go.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - hxxp://video.vividas.com/media/4190_Auskick/web/player/vivid_ocx.jpeg
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
HKLM-Run-NWEReboot - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-StereoLinksInstall - c:\program files\NVIDIA Corporation\3D Vision\nvstlink.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-26 23:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.3.0.36\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.3.0.36\diMaster.dll\" /prefetch:1"
.
Completion time: 2013-03-26 23:24:23
ComboFix-quarantined-files.txt 2013-03-27 03:24
.
Pre-Run: 50,301,038,592 bytes free
Post-Run: 52,367,540,224 bytes free
.
- - End Of File - - 59506FF6A55676231B8D0C1865BC06B3

I got an "Illegal operation attempted ... marked for deletion" when I tried to reactivate Windows Defender. I restarted but now I can't open it. It gives me an "Application failed to initialize: error code" message. It says to restart or manually turn it on. Can't manually turn it on. Seems to be missing. Haven't tried another restart yet. Google redirects did not return. They seem to be gone from using RogueKiller.
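Added triage helper (not part of this thread, and not ComboFix's own logic): a Python script that parses the Run-key entries under "Reg Loading Points" and the "ORPHANS REMOVED" list out of ComboFix log text in the format posted above, and flags the entries a responder would look at first: targets under user-writable paths such as AppData or Temp, entries whose target file no longer exists, and binaries written within 30 days of the scan. The sample text reuses lines from the log above plus one constructed "Updater" entry so that a flagged result is visible; the trusted-path list, the suspicious-path markers and the 30-day window are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# One "Reg Loading Points" Run entry as ComboFix prints it, e.g.
#   "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
RUN_ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$'
)
# One line of the "ORPHANS REMOVED" list, e.g.  HKLM-Run-NWEReboot - (no file)
ORPHAN_ENTRY = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>.+?) - (?P<target>.+)$')

# Where a legitimate autostart binary is expected to live (assumption; lower-case prefixes).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\", "c:\\hp\\", "c:\\progra~1\\")
# User-writable locations malware commonly uses for persistence (assumption).
SUSPICIOUS_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class AutostartEntry:
    hive: str
    name: str
    path: str
    mtime: Optional[date] = None   # binary timestamp ComboFix prints inside [...]
    size: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_run_entries(log_text: str) -> List[AutostartEntry]:
    """Extract Run-key entries and removed orphans from ComboFix log text."""
    entries: List[AutostartEntry] = []
    hive = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[HKEY_"):
            hive = line.strip("[]")          # remember which Run key we are inside
            continue
        m = RUN_ENTRY.match(line)
        if m:
            entries.append(AutostartEntry(hive, m["name"], m["path"],
                                          date.fromisoformat(m["date"]), int(m["size"])))
            continue
        m = ORPHAN_ENTRY.match(line)
        if m:
            entries.append(AutostartEntry(f"{m['hive']}-Run (orphan)", m["name"], m["target"]))
    return entries


def triage(entries: List[AutostartEntry], scan_date: date,
           window_days: int = 30) -> List[AutostartEntry]:
    """Attach review flags to each entry and return only the flagged ones, in log order."""
    cutoff = scan_date - timedelta(days=window_days)
    for e in entries:
        p = e.path.lower()
        if e.path == "(no file)":
            e.flags.append("dangling autostart: target file is missing")
        elif any(marker in p for marker in SUSPICIOUS_MARKERS):
            e.flags.append("runs from a user-writable location")
        elif not p.startswith(TRUSTED_PREFIXES):
            e.flags.append("runs from outside Program Files / Windows")
        if e.mtime is not None and e.mtime >= cutoff:
            e.flags.append(f"binary written within {window_days} days of the scan")
    return [e for e in entries if e.flags]


SCAN_DATE = date(2013, 3, 26)
# Sample excerpt in ComboFix's format. All lines are taken from the log above except the
# "Updater" entry, which is constructed for this example to show what a flagged entry looks like.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-08 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Updater"="c:\users\Matthew\AppData\Roaming\Updater\updater.exe" [2013-03-20 45056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-02-20 152392]
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-NWEReboot - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
"""


def flagged_names(log_text: str = SAMPLE_LOG, scan_date: date = SCAN_DATE) -> List[str]:
    """Names of the entries triage() flags, in log order."""
    return [e.name for e in triage(parse_run_entries(log_text), scan_date)]


if __name__ == "__main__":
    for e in triage(parse_run_entries(SAMPLE_LOG), SCAN_DATE):
        print(f"{e.hive}: {e.name} -> {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against a full log by passing the file contents to `flagged_names()` and the scan date from the log's first line. A flag is a prompt to look, not a verdict: an entry under ProgramData can be a vendor installer, and a freshly written binary under Program Files is usually a patch, which is why the path and the timestamp are reported separately.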