
Cryptowall 3.0 issue



I got hit with Cryptowall 3.0 a month or two ago. I ran Malwarebytes, Superantispyware, and Spybot. The infection, I believe, is gone; however, when I open Microsoft Excel by itself, or a file that was backed up before the infection, it opens three tabs. One is the document I want to open and the other two are the Cryptowall warnings. Am I still partially infected, or is there a way to stop the other two tabs from opening?


Welcome to the forum. (Do what you can)

General P2P/Piracy Warning:

 

1. If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

2. If you have illegal/cracked software (MS Office, Adobe Products, Windows), cracks, keygens, custom (Adobe) host file, etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Failure to remove such software will result in your topic being closed and no further assistance being provided.

 

<====><====><====><====><====><====><====><====>

 Please enable your system to show hidden files: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

1. Please run a Threat Scan with Malwarebytes (if possible)

Start Malwarebytes 2.0.........

Click on Settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware

Same for PUM (Potentially Unwanted Modifications)

Quarantine all that's found

Post the log (save the log as a .txt file not .xml)

Then......

2. Please download Farbar Recovery Scan Tool (FRST) and save it to a folder.

(use correct version for your system.....Which system am I using?)

FRST <----for 32 bit systems

FRST64 <----for 64 bit systems

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button. (make sure the Addition box is checked)
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
If the logs are large, you can attach them:

To attach a log:

Bottom right corner of this page.

(screenshot: reply1.jpg)

New window that comes up.

(screenshot: replyer1.jpg)

Last................

3. Please download and run RogueKiller 32 bit to your desktop.

RogueKiller<---use this one for 64 bit systems

Which system am I using?

You can also use this version of RogueKiller which works on both 32 and 64 bit:

RogueKiller 32 & 64 bit

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Wait for the Prescan to finish

Click Scan to scan the system.

When the scan completes > Don't Fix anything! > Click on the Report Button > Copy and paste the Report back here.

Don't run any other options, they're not all bad!!!!!!!

RogueKiller logs will also be located here:

%programdata%/RogueKiller/Logs <-------W7

C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <-------XP

(please don't put logs in code or quotes and use the default font)

MrC

Note:

Please read all of my instructions completely including these.

Make sure system restore is turned on and running. Create a new restore point

Make sure you're subscribed to this topic: Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

Removing malware can be unpredictable...unlikely but things can go very wrong! Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a pen drive

<+>Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

<+>Sometimes when clearing out an infection the winsock stack will become corrupt and you'll lose your internet connection. To resolve this....reset the stack as outlined HERE

<+>The removal of malware isn't instantaneous, please be patient.

<+>When we are done, I'll give you instructions on how to clean up all the tools and logs

<+>Please stick with me until I give you the "all clear".

------->Your topic will be closed if you haven't replied within 3 days!<--------

If I don't respond within 24 hours, please send me a PM

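Added example, not part of this thread and not code from Malwarebytes, FRST or any other tool named above. The FRST output posted later in the thread lists two help_restore_files_ohymd files (an .html and a .txt) sitting in an account's Startup folder; anything placed there is opened with its default handler at every logon, so a leftover ransom note keeps reappearing long after the malware itself is gone. The Python below parses FRST-style "Startup:" lines and flags entries whose filename matches known ransom-note naming, or that are plain documents rather than shortcuts or programs. The sample log lines are constructed to mirror the format of the log in this thread; the prefix list and the document-extension set are assumptions to extend for other families.

```python
import re
from dataclasses import dataclass

# Matches FRST "Startup:" lines: a path, a [YYYY-MM-DD] date and an optional
# "(publisher)" field, which FRST prints as an empty "()" for files without
# version information.
STARTUP_RE = re.compile(
    r"^Startup: (?P<path>.+?) \[(?P<date>\d{4}-\d{2}-\d{2})\]"
    r"(?: \((?P<publisher>[^)]*)\))?\s*$"
)

# Assumed, illustrative list of ransom-note filename prefixes (lower-case):
# help_restore_files appears in the log in this thread; HELP_DECRYPT is the
# naming used by CryptoWall 3.0 notes. Extend for other families.
RANSOM_NOTE_PREFIXES = ("help_restore_files", "help_decrypt")

# Assumed set of document types that should not live in a Startup folder:
# legitimate entries there are .lnk shortcuts or executables.
DOCUMENT_EXTS = {".html", ".htm", ".txt", ".url", ".png"}

# Constructed sample lines modelled on FRST's "Registry (Whitelisted)" section.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] ()
Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt [2015-07-10] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk [2014-01-10]
ShortcutTarget: Event Reminder.lnk -> C:\Program Files\PrintMaster Platinum 18\Remind.exe (Broderbund Properties LLC)
"""


@dataclass
class StartupEntry:
    path: str
    date: str
    publisher: str


@dataclass
class Finding:
    entry: StartupEntry
    reason: str


def parse_startup_entries(log_text: str) -> list[StartupEntry]:
    """Return every Startup: entry found in FRST-style log text."""
    entries = []
    for line in log_text.splitlines():
        m = STARTUP_RE.match(line.strip())
        if m:
            entries.append(StartupEntry(m["path"], m["date"], m["publisher"] or ""))
    return entries


def split_name(path: str) -> tuple[str, str]:
    """Return (filename, lower-case extension) for a Windows path."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name, (name[dot:].lower() if dot >= 0 else "")


def flag_suspicious_startup(log_text: str) -> list[Finding]:
    """Flag Startup entries that look like leftover ransom notes."""
    findings = []
    for entry in parse_startup_entries(log_text):
        name, ext = split_name(entry.path)
        if name.lower().startswith(RANSOM_NOTE_PREFIXES):
            findings.append(Finding(entry, "filename matches known ransom-note naming"))
        elif ext in DOCUMENT_EXTS:
            findings.append(Finding(entry, f"plain {ext} document opened at every logon"))
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_startup(SAMPLE_FRST_LINES):
        print(f"{f.entry.date}  {f.reason}: {f.entry.path}")
```

Run against a saved FRST.txt, the script reports the two help_restore_files entries and stays silent on the Event Reminder shortcut. The second rule is deliberately broader than the name list: a ransom note renamed by a newer variant still shows up as a document in a folder where only shortcuts and programs belong, which is the cue a helper on this forum would then confirm by hand before adding the files to a fixlist.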

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/26/2015
Scan Time: 9:16 AM
Logfile: mbam 8-26-15.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.26.06
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: chris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 423005
Time Elapsed: 11 min, 1 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Error, 8/26/2015 8:45 AM, SYSTEM, WORKSTATION1, Protection, IsLicensed, 13,
Protection, 8/26/2015 8:45 AM, SYSTEM, WORKSTATION1, Protection, Malware Protection, Stopping,
Protection, 8/26/2015 8:45 AM, SYSTEM, WORKSTATION1, Protection, Malware Protection, Stopped,
Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, Remediation Database, 2015.8.18.1, 2015.8.25.1,
Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, AKA IP Database, 2015.8.21.1, 2015.8.25.1,
Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, AKA Domain Database, 2015.8.24.2, 2015.8.25.1,
Update, 8/26/2015 9:16 AM, SYSTEM, WORKSTATION1, Manual, Malware Database, 2015.8.25.4, 2015.8.26.6,
Scan, 8/26/2015 9:27 AM, SYSTEM, WORKSTATION1, Manual, Start:8/26/2015 9:16 AM, Duration:11 min 1 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:24-08-2015
Ran by chris (administrator) on WORKSTATION1 (26-08-2015 09:30:52)
Running from C:\Users\chris\Desktop
Loaded Profiles: chris (Available Profiles: chris & Administrator & user)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe
(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe
(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe
(Juniper Networks) C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
(EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(VMware, Inc.) C:\Windows\System32\vmnat.exe
(Data Perceptions / PowerProgrammer) C:\Windows\System32\WebUpdateSvc4.exe
(VMware, Inc.) C:\Windows\System32\vmnetdhcp.exe
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Player\vmware-authd.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(McAfee Inc.) C:\Program Files\McAfee\Raptor\Raptor.exe
(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe
(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebToolkitHost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QuickFinder Scheduler] => c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE [83232 2009-06-22] (Corel Corporation)
HKLM\...\Run: [intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2771832 2012-12-07] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [iSUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)
HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [38888 2012-11-18] (Nuance Communications, Inc.)
HKLM\...\Run: [indexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [51176 2012-11-18] (Nuance Communications, Inc.)
HKLM\...\Run: [PPort14reminder] => C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe [333672 2012-01-03] (Nuance Communications, Inc.)
HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [30264 2009-10-06] (Hewlett-Packard Company)
HKLM\...\Run: [APSDaemon] => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [backupStatusIcon] => C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe [210944 2015-05-22] (Online Backup Solution)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\RunOnce: [Raptor] => C:\Program Files\McAfee\Raptor\Raptor.exe [1619824 2015-07-15] (McAfee Inc.)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-18\...\RunOnce: [sPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-06-23] (Microsoft Corporation)
Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] ()
Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt [2015-07-10] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk [2014-01-10]
ShortcutTarget: Event Reminder.lnk -> C:\Program Files\PrintMaster Platinum 18\Remind.exe (Broderbund Properties LLC)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2013-11-26]
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.att.yahoo.com/
BHO: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2011-06-30] (Zeon Corporation)
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-29] (Oracle Corporation)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-29] (Oracle Corporation)
DPF: {037790A6-1576-11D6-903D-00105AABADD3} hxxps://navigator.ecorpnet.com/Member/bz052/sglw2hcm.ocx
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} hxxp://server1/aspnet_client/system_web/2_0_50727/crystalreportviewers12/ActiveXControls/PrintControl.cab
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} hxxp://192.168.0.150/WebClient.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://stericycle.webex.com/client/WBXclient-T28L10NSP12EP20-10001/webex/ieatgpc1.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://qies-west.cms.gov/dana-cached/sc/JuniperSetupClient.cab
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll [2013-02-01] (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.10
Tcpip\..\Interfaces\{733E64BC-C0B0-44A5-A1F9-C8C52DDF48EA}: [DhcpNameServer] 192.168.0.10

FireFox:
========
FF ProfilePath: C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-13] ()
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-29] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-29] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll [2012-03-29] ( Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin: ZEON/PDF,version=2.0 -> C:\Program Files\Nuance\PDF Viewer Plus\bin\nppdf.dll [2011-07-15] (Zeon Corporation)
FF Plugin HKU\S-1-5-21-712691609-890981738-2795466230-1107: @citrixonline.com/appdetectorplugin -> C:\Users\chris\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-02-05] (Citrix Online)
FF Extension: Bidi Spooler APIs - C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default\Extensions\{2A51A223-F244-36E3-AD0D-FC0F70C42C0F} [2014-04-03]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BackupAgent; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe [47616 2015-05-22] (Online Backup Solution) [File not signed]
R2 BackupExtender; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe [51712 2015-05-22] (Online Backup Solution) [File not signed]
R2 BackupUpdater; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe [51712 2015-05-22] (Online Backup Solution) [File not signed]
R2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [688240 2014-04-10] (Juniper Networks)
R2 Emc.Captiva.WebCaptureService; C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe [39936 2012-04-04] (EMC Corporation) [File not signed]
S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-08-20] (Hewlett-Packard Company) [File not signed]
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 msftesql$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [95592 2007-06-22] (Microsoft Corporation)
R2 MSSQL$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29263712 2008-11-24] (Microsoft Corporation)
S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45408 2008-11-24] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed]
R2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [220048 2012-11-18] (Nuance Communications, Inc.)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]
R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-02-01] (Intuit) [File not signed]
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]
R2 VMAuthdService; C:\Program Files\VMware\VMware Player\vmware-authd.exe [87120 2013-02-26] (VMware, Inc.)
R2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [357456 2013-02-26] (VMware, Inc.)
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [721048 2012-10-11] (VMware, Inc.)
R2 VMware NAT Service; C:\Windows\system32\vmnat.exe [436304 2013-02-26] (VMware, Inc.)
R2 WebUpdate4; C:\Windows\system32\WebUpdateSvc4.exe [412776 2013-11-25] (Data Perceptions / PowerProgrammer)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [27648 2013-07-24] (Juniper Networks)
S3 eapihdrv; C:\Users\chris\AppData\Local\Temp\ehdrv.sys [135760 2015-07-13] (ESET)
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [41496 2012-10-11] (VMware, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [57328 2008-02-26] (Sonic Solutions)
R3 TSUSB2; C:\Windows\System32\DRIVERS\TSUSB2.sys [54016 2007-01-19] (HTL)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2014-06-10] (Apple, Inc.) [File not signed]
R1 VHDTrack; C:\Windows\System32\DRIVERS\VHDTrack.sys [125840 2015-05-22] (AI Consulting)
R3 vmkbd; C:\Windows\system32\drivers\VMkbd.sys [26064 2013-02-26] (VMware, Inc.)
R3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16664 2013-02-26] (VMware, Inc.)
R2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [37016 2013-02-26] (VMware, Inc.)
R2 VMnetuserif; C:\Windows\system32\drivers\vmnetuserif.sys [26192 2013-02-26] (VMware, Inc.)
R2 VMparport; C:\Windows\system32\Drivers\VMparport.sys [24272 2013-02-26] (VMware, Inc.)
S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2012-10-11] (VMware, Inc.)
R2 vmx86; C:\Windows\system32\Drivers\vmx86.sys [62416 2013-02-26] (VMware, Inc.)
R0 vsock; C:\Windows\System32\drivers\vsock.sys [61464 2012-10-24] (VMware, Inc.)
S3 catchme; \??\C:\Users\chris\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-26 09:29 - 2015-08-26 09:29 - 00001060 _____ C:\Users\chris\Desktop\mbam 8-26-15.txt
2015-08-26 09:29 - 2015-08-26 09:29 - 00000926 _____ C:\Users\chris\Desktop\mbam 2 8-26-15.txt
2015-08-25 10:28 - 2015-08-25 10:28 - 00042232 _____ C:\Users\chris\Desktop\Addition.txt
2015-08-25 10:27 - 2015-08-26 09:31 - 00014691 _____ C:\Users\chris\Desktop\FRST.txt
2015-08-25 10:27 - 2015-08-26 09:30 - 00000000 ____D C:\FRST
2015-08-25 10:27 - 2015-08-25 10:27 - 01690112 _____ (Farbar) C:\Users\chris\Desktop\FRST.exe
2015-08-24 16:05 - 2015-08-26 09:16 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-24 16:04 - 2015-08-24 16:04 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-08-24 16:04 - 2015-08-24 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-08-24 16:04 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-08-24 16:04 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-08-24 16:04 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-08-24 13:44 - 2015-08-24 14:10 - 00012805 _____ C:\Users\chris\Documents\2015 bims scores.xlsx
2015-08-24 08:45 - 2015-08-24 08:45 - 00000881 _____ C:\Users\chris\Desktop\JTAW32.EXE.lnk
2015-08-18 16:03 - 2015-08-18 16:04 - 00014359 _____ C:\Users\chris\Desktop\mm fair coupon.wpd
2015-08-14 14:03 - 2015-08-14 13:57 - 00171067 _____ C:\Users\chris\Desktop\201508141357_FC01_91.zip
2015-07-29 14:16 - 2015-07-29 14:16 - 00006636 _____ C:\Users\chris\Documents\personell policy.wpd
2015-07-27 14:34 - 2015-07-27 14:34 - 00002301 _____ C:\Users\chris\Desktop\43014Employees of Glenhaven that have accumulated fourteen (14).wpd
2015-07-27 13:57 - 2012-12-12 12:05 - 00007453 _____ C:\Users\chris\Desktop\technology policy 2.wpd

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-26 08:52 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-26 08:52 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-26 08:49 - 2014-04-23 14:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-26 08:49 - 2013-11-26 15:36 - 00910090 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-26 08:48 - 2013-11-26 15:33 - 02089153 _____ C:\Windows\WindowsUpdate.log
2015-08-26 08:46 - 2013-11-26 15:35 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl
2015-08-26 08:45 - 2014-04-22 13:57 - 00000000 ____D C:\ProgramData\VMware
2015-08-26 08:45 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-26 08:45 - 2009-07-13 23:39 - 00059333 _____ C:\Windows\setupact.log
2015-08-25 15:35 - 2015-06-04 10:30 - 00000610 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job
2015-08-25 15:34 - 2015-02-05 13:49 - 00000514 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job
2015-08-25 12:39 - 2015-07-06 09:52 - 00000000 ____D C:\ProgramData\BlueZone
2015-08-25 12:18 - 2013-11-26 18:17 - 00000848 ___SH C:\ProgramData\KGyGaAvL.sys
2015-08-25 12:18 - 2009-07-13 23:52 - 00000000 ____D C:\Windows\system32\FxsTmp
2015-08-25 08:29 - 2013-11-26 16:25 - 00013866 _____ C:\Windows\PFRO.log
2015-08-25 08:29 - 2009-07-13 23:53 - 00032594 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-08-24 16:04 - 2015-07-11 23:12 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOB.FOR
2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOA.FOR
2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXMR.FOR
2015-08-24 09:37 - 2013-11-26 18:22 - 00002032 ____H C:\Users\chris\Documents\Default.rdp
2015-08-24 08:39 - 2014-06-16 12:18 - 00000000 ____D C:\Users\chris\Desktop\move
2015-08-18 15:57 - 2013-11-26 18:17 - 00000000 ____D C:\Users\chris\Documents\Corel User Files
2015-08-13 09:49 - 2013-12-05 16:47 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-08-13 09:49 - 2013-12-05 16:47 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-07-27 08:52 - 2015-07-21 17:06 - 00012067 _____ C:\Users\chris\Desktop\june suplies.xlsx

==================== Files in the root of some directories =======

2014-02-06 13:16 - 2014-02-06 13:16 - 0000218 _____ () C:\Users\chris\AppData\Roaming\default.rss
2014-12-24 14:17 - 2014-12-24 14:17 - 0000000 _____ () C:\Users\chris\AppData\Local\rx_image32.Cache
2014-01-02 12:09 - 2014-01-02 14:05 - 0004180 _____ () C:\ProgramData\hpzinstall.log
2013-11-26 18:17 - 2015-08-25 12:18 - 0000848 ___SH () C:\ProgramData\KGyGaAvL.sys

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-08-24 10:43

==================== End of FRST.txt ============================

 

Additional scan result of Farbar Recovery Scan Tool (x86) Version:24-08-2015
Ran by chris (2015-08-26 09:31:19)
Running from C:\Users\chris\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-777155561-1165665369-343804298-500 - Administrator - Disabled)
ASPNET (S-1-5-21-777155561-1165665369-343804298-1008 - Limited - Enabled)
Guest (S-1-5-21-777155561-1165665369-343804298-501 - Limited - Disabled)
user (S-1-5-21-777155561-1165665369-343804298-1001 - Administrator - Enabled) => C:\Users\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 7.1.4 - Hewlett-Packard) Hidden
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Advertising Center (Version: 0.0.0.1 - Nero AG) Hidden
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
Citrix Online Launcher (HKLM\...\{1EFF9E6C-76E1-43F9-81FB-BC8C037B0902}) (Version: 1.0.258 - Citrix)
Corel WordPerfect Office - iFilter (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.00.000 - Corel Corporation)
Crystal Reports Basic Runtime for Visual Studio 2008 (HKLM\...\{CE26F10F-C80F-4377-908B-1B7882AE2CE3}) (Version: 10.5.0.0 - Business Objects)
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DolbyFiles (Version: 0.1 - Nero AG) Hidden
ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version:  - )
FIS DCC Driver Package 2011 (HKLM\...\FIS DCC Driver Package 2011) (Version: 2014.1.0.0 - FIS)
Fujitsu NetCOBOL Free Run-time (HKLM\...\InstallShield_{F84C7212-9DC4-4963-A564-73C2EFA18935}) (Version: 10.1.0000.0000 - FUJITSU LIMITED)
Fujitsu NetCOBOL Free Run-time (Version: 10.1.0000.0000 - FUJITSU LIMITED) Hidden
GoToMeeting 7.2.4.3215 (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\GoToMeeting) (Version: 7.2.4.3215 - CitrixOnline)
HP Customer Participation Program 10.0 (HKLM\...\HPExtendedCapabilities) (Version: 10.0 - HP)
HP Easy Scan (HKLM\...\{0007FD40-3ED2-4FDC-B45B-0C3A1C1A8C17}) (Version: 1.0.7.0 - Hewlett-Packard Company)
HP LaserJet P2050 Series 6.0 (HKLM\...\{6F801026-6AF0-4520-9153-4C9B4CAAB361}) (Version: 6.0 - HP)
HP Scanjet 3000 s2 ISIS Driver (HKLM\...\{20D6301E-0A14-4238-841D-45ECA567DB69}) (Version: 1.0.2597 - EMC Corporation)
HP Scanjet Pro 3000 s2 (HKLM\...\{1868D30B-72C7-41E8-9657-69C5DFE1C768}) (Version: 1.00.0000 - HP)
hppFonts (Version: 001.001.00061 - Hewlett-Packard) Hidden
hppQFolderP2050 (Version: 1.00.0000 - Hewlett-Packard) Hidden
hppusgP2050 (Version: 1.1.0.1 - Hewlett-Packard) Hidden
ImagXpress (Version: 7.0.74.0 - Nero AG) Hidden
InventoryControl (HKLM\...\{97C0445D-E7B6-4320-A541-50A5AB345422}) (Version: 5 - Wasp Technologies)
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Juniper Networks Network Connect 7.4.0 (HKLM\...\Juniper Network Connect 7.4.0) (Version: 7.4.0.30667 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\Juniper_Setup_Client) (Version: 7.4.9.45013 - Juniper Networks, Inc.)
Labeler (HKLM\...\{78DA4EC4-8E94-45D4-B047-027B662EC6A6}) (Version: 6.0 - Wasp Technologies)
LightScribe System Software (HKLM\...\{CC8E94A2-55C7-4460-953C-2A790180578C}) (Version: 1.18.8.1 - LightScribe)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
MarketResearch (Version: 100.0.170.000 - Hewlett-Packard) Hidden
MCRIF32 - SNF (HKLM\...\{79EEAD1F-AD83-4F0C-A783-CD77C0BC1F2A}) (Version: 5.14.153.0 - Health Financial Systems)
Menu Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2007 Primary Interop Assemblies (HKLM\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.1.10329.0 - Microsoft Corporation)
Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server Management Studio Express (HKLM\...\{F43867C9-68FD-46C7-B0AF-214356305B5E}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{56B4002F-671C-49F4-984C-C760FE3806B5}) (Version: 9.00.4035.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4048 (HKLM\...\{5B1F2843-B379-3FF2-B0D3-64DD143ED53A}) (Version: 9.0.30729.4048 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version:  - Microsoft Corporation)
Microsoft Web Publishing Wizard 1.52 (HKLM\...\WebPost) (Version:  - )
MM Backup (HKLM\...\{34A6764B-D838-4E93-A6C0-9D67BE564691}) (Version: 5.5.4 - M & M Computer Solutions, LLC)
Movie Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden
Mozilla Firefox 31.0 (x86 en-US) (HKLM\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Nero 9 Essentials (HKLM\...\{1008cf13-3650-46d1-8ed6-31c0945215f6}) (Version:  - Nero AG)
Nuance PaperPort 14 (HKLM\...\{2C92D969-468E-4711-8CCA-01AD9C7EB4E7}) (Version: 14.2.0000 - Nuance Communications, Inc.)
Nuance PDF Viewer Plus (HKLM\...\{FC984E39-43D0-4AB2-ACC7-A7B87977B009}) (Version: 7.20.3274 - Nuance Communications, Inc.)
PaperPort Anywhere 1.4.4661.38157 powered by OfficeDrop (HKLM\...\{52357C6C-FE7F-4E8C-B045-EDE5146A1F9C}) (Version: 1.4.4661.38157 - OfficeDrop)
PaperPort Image Printer (HKLM\...\{6EF2FDAB-7FBF-4AB9-92CD-594BDDB6A56B}) (Version: 14.00.0000 - Nuance Communications, Inc.)
PrintMaster Platinum 18 (HKLM\...\{EBD9A954-6C1A-4E9F-A098-C98653035381}) (Version: 18.00.0000 - Broderbund Software)
QuickBooks (Version: 20.0.4017.807 - Intuit Inc.) Hidden
QuickBooks Pro 2010 (HKLM\...\{0700E22B-A422-40A5-BD20-04BF618CA0F9}) (Version: 20.0.4017.807 - Intuit Inc.)
QuickTime (HKLM\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Readiris Pro 14 (HKLM\...\{C34A50FC-2B95-4E69-809C-96310E9D7852}) (Version: 14.00.2719 - I.R.I.S.)
Roxio Creator LE 10 (HKLM\...\{537BF16E-7412-448C-95D8-846E85A1D817}) (Version: 10.1 - Roxio)
Scansoft PDF Professional (Version:  - ) Hidden
Software Update Wizard (Redist) 4.5 (HKLM\...\Software Update Wizard (Redist)) (Version: 4.5 - PowerProgrammer)
TellerScan 32-bit and 64-bit Combined Driver v4.2 (HKLM\...\{95D2D2E3-2FC4-4245-8DC2-C6202BE704CB}) (Version: 4.02.0000 - Precision Software Technologies, Inc.)
UB-04 ICD10 (HKLM\...\{2D0C2A6F-CD38-47C8-8C73-5586A8C73804}) (Version: 1.0.1.90 - SpeedySoft USA)
Visual Foxpro 6.0 Runtime version 6.00 (HKLM\...\{6016312C-6BA3-4AEA-B73D-8FC405508E8D}_is1) (Version: 6.00 - )
VMware Player (HKLM\...\VMware_Player) (Version: 5.0.2 - VMware, Inc)
VMware Player (Version: 5.0.2 - VMware, Inc.) Hidden
WebReg (Version: 100.0.170.000 - Hewlett-Packard) Hidden
WordPerfect Office X4 - Common (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Content (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - EN (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Filters (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Graphics (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - ICA (Version: 14.1 - Corel Corporation) Hidden
WordPerfect Office X4 - IPM (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - IPM EN (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Migration Manager (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - PerfectExperts (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - PR (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - QP (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - Skins (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 - System (Version: 14.1 - Corel Corporation) Hidden
WordPerfect Office X4 - WP (Version: 14.2 - Corel Corporation) Hidden
WordPerfect Office X4 (HKLM\...\_{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}) (Version:  - Corel Corporation)
WordPerfect Office X4 (Version: 14.2 - Corel Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{810CADD9-2658-4820-BA95-30199625191E}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\2185\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Restore Points =========================

21-07-2015 10:43:42 Scheduled Checkpoint
21-07-2015 16:08:48 Configured Microsoft Office Small Business 2007
29-07-2015 11:51:06 Scheduled Checkpoint
10-08-2015 10:38:00 Scheduled Checkpoint
18-08-2015 09:18:55 Scheduled Checkpoint
25-08-2015 11:14:36 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2015-08-14 14:04 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {25A01E62-3698-47F8-B578-400F1F9A0D9A} - System32\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {33B991F4-BED6-416D-9DCC-41B44CDC4E80} - System32\Tasks\{5EF5189C-3E71-4B71-B665-40BC9FDEFD6A} => pcalua.exe -a D:\Setup.exe -d D:\
Task: {6E6FC9A2-11DD-4899-A5A3-1E18FD44FBE6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-08-13] (Adobe Systems Incorporated)
Task: {996FA9DF-2204-485B-8A3B-3B6CFE1DFDDD} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
Task: {C1FDB8BF-262E-4E40-864C-5A2EDDED79F8} - System32\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe
Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe

==================== Loaded Modules (Whitelisted) ==============

2015-05-22 11:15 - 2015-05-22 11:15 - 00016896 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vds.Common.dll
2015-05-22 11:15 - 2015-05-22 11:15 - 00124928 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\VDS.Platform.dll
2015-05-22 11:15 - 2015-05-22 11:15 - 01711616 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vim25Service.dll
2015-05-22 11:15 - 2015-05-22 11:15 - 03685456 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\gvmomi.dll
2015-05-22 11:15 - 2015-05-22 11:15 - 01229904 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libxml2.dll
2015-05-22 11:15 - 2015-05-22 11:15 - 00329808 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libcurl.dll
2015-05-22 11:15 - 2015-05-22 11:15 - 00318032 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libldap_r.dll
2015-05-22 11:15 - 2015-05-22 11:15 - 00144976 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\liblber.dll
2012-04-04 20:54 - 2012-04-04 20:54 - 00015360 _____ () C:\Program Files\EMC Captiva\Captiva Cloud Runtime\SSLSupport.dll
2013-02-26 02:28 - 2013-02-26 02:28 - 01260624 _____ () C:\Program Files\VMware\VMware Player\libxml2.dll
2006-10-26 21:30 - 2006-10-26 21:30 - 00065312 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll
2006-10-27 15:35 - 2006-10-27 15:35 - 00436512 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll
2006-10-26 13:56 - 2006-10-26 13:56 - 00757008 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\ecorpnet.com -> hxxps://navigator.ecorpnet.com
IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\server1 -> hxxp://server1

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-712691609-890981738-2795466230-1107\Control Panel\Desktop\\Wallpaper -> C:\Users\chris\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.0.10
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: LightScribeService => 2
MSCONFIG\Services: Nero BackItUp Scheduler 4.0 => 2
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: LightScribe Control Panel => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
MSCONFIG\startupreg: PDFProHook => "C:\Program Files\Nuance\PDF Viewer Plus\pdfpro7hook.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{8DF9BE9A-F03A-4B49-A92B-4CE446187EB4}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{6EDDD859-D085-4685-87AD-0947A111A474}] => (Allow) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
FirewallRules: [{EE4DDED9-EBCA-45C3-B1C1-B4EDF29DA501}] => (Allow) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
FirewallRules: [{970A4628-B556-44E3-800E-9B552E22A0EC}] => (Allow) LPort=6160
FirewallRules: [{CB1FC5CF-6B22-40F2-8B6E-4475D3E7AC77}] => (Allow) C:\Program Files\Wasp Technologies\InventoryControl\InventoryControl.exe
FirewallRules: [{13946AFF-2682-4264-A80A-8223D67B6310}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupMonitor.exe
FirewallRules: [{635F315A-F94E-4523-B825-FE6F33AFAD85}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe
FirewallRules: [{43EEB0EB-7F12-4784-B56C-955422B0F0B4}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe
FirewallRules: [{FAB54C15-84EC-4ABF-AB1A-F9F7ABC6C55B}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe
FirewallRules: [{71F50830-FA10-4D91-9C41-69D5E172859A}] => (Allow) C:\Program Files\Artisteer 4\bin\Artisteer.exe
FirewallRules: [{05FE104F-C24D-45B8-881A-66FFC781E2DC}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe
FirewallRules: [{29E25875-15B7-42F7-A7C6-F7EF091FC596}] => (Allow) LPort=8877
FirewallRules: [{0357C77A-FBF0-4FEC-B282-B124C9A5E834}] => (Allow) LPort=8878

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/26/2015 08:45:24 AM) (Source: BackupAgent) (EventID: 0) (User: )
Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD

Error: (08/25/2015 03:53:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17126, time stamp: 0x53882e30
Faulting module name: MSHTML.dll, version: 11.0.9600.17126, time stamp: 0x53884c7d
Exception code: 0xc0000005
Fault offset: 0x0027cd99
Faulting process id: 0x15a4
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (08/25/2015 12:00:42 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {11f9e127-c1c5-4084-8191-2f14fc50d3fd}

Error: (08/25/2015 12:00:20 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {11f9e127-c1c5-4084-8191-2f14fc50d3fd}

Error: (08/25/2015 11:08:35 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (08/25/2015 09:37:11 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (08/25/2015 09:37:11 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (08/25/2015 09:37:11 AM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (08/25/2015 08:30:19 AM) (Source: BackupAgent) (EventID: 0) (User: )
Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD

Error: (08/24/2015 12:00:26 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {f3b7f81e-1d52-4a7f-8617-d564718bf865}

System errors:
=============
Error: (08/26/2015 08:45:09 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)
Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator.

Error: (08/26/2015 08:45:03 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain GLENHAVEN due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (08/25/2015 04:17:27 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The UPnP Device Host service failed to start due to the following error:
%%1069

Error: (08/25/2015 04:17:27 PM) (Source: Service Control Manager) (EventID: 7038) (User: )
Description: The upnphost service was unable to log on as NT AUTHORITY\LocalService with the currently configured password due to the following error:
%%1352

To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

Error: (08/25/2015 04:17:27 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1069upnphost{204810B9-73B2-11D4-BF42-00B0D0118B56}

Error: (08/25/2015 08:29:58 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)
Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:
a) Name Resolution failure on the current domain controller.
b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (08/25/2015 08:29:56 AM) (Source: NETLOGON) (EventID: 5719) (User: )
Description: This computer was not able to set up a secure session with a domain
controller in domain GLENHAVEN due to the following:
%%1311

This may lead to authentication problems. Make sure that this
computer is connected to the network. If the problem persists,
please contact your domain administrator.

 

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it
sets up the secure session to the primary domain controller emulator in the specified
domain. Otherwise, this computer sets up the secure session to any domain controller
in the specified domain.

Error: (08/24/2015 09:15:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (08/24/2015 09:15:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (08/24/2015 09:15:04 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Microsoft Office:
=========================

==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E8400 @ 3.00GHz
Percentage of memory in use: 47%
Total physical RAM: 3033.82 MB
Available physical RAM: 1603.38 MB
Total Virtual: 7032.11 MB
Available Virtual: 5241.36 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.99 GB) (Free:242.2 GB) NTFS
Drive f: (apps) (Network) (Total:488.28 GB) (Free:391.52 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 3136FBFA)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

==================== End of FRST.txt ============================

 

RogueKiller V10.10.2.0 [Aug 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : chris [Administrator]
Started from : C:\Users\chris\Desktop\RogueKiller.exe
Mode : Scan -- Date : 08/26/2015 09:46:06

¤¤¤ Processes : 1 ¤¤¤
[Proc.Injected] Emc.Captiva.WebToolkitHost.exe(2424) -- C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebToolkitHost.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 3 ¤¤¤
[suspicious.Path|VT.Unknown] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | PPort14reminder : "C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\14\Config\Ereg\Ereg.ini" [7][x][-] -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD3200AAJS-00YZCA0 ATA Device +++++
--- User ---
[MBR] b39075c2e5ee03714b6c11e0d0cc88f6
[bSP] 86a521cbc7c8754c985d8dac744f75c7 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 305143 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


Do you recognize this FireFox Extension:

FF Extension: Bidi Spooler APIs - C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default\Extensions\{2A51A223-F244-36E3-AD0D-FC0F70C42C0F} [2014-04-03]

 


==============================

I don't see much in the logs, but let's run some scans:

Download Delfix from Here and save it to your desktop.

  • Place a check mark in front of .......
  • Create registry backup <---only!
  • Uncheck the rest!
  • Click the Run button.

    Close the tool out when it's done....we'll use it later.

    ============================

    Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
    Run FRST.exe/FRST64.exe and click Fix only once and wait
    The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

    ==========================

    Let's check for any adware/spyware now:

    Please download AdwCleaner from HERE or HERE to your desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
    • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
    • Look over the log especially under Files/Folders for any program that may have been targeted by mistake.
    • If there's a program you may want to save, just uncheck it from AdwCleaner.
    • If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
    • If you're ready to clean it all up.....click the Clean button.
    • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
    • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
    • To restore an item that has been deleted:
    • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.
    Next..................

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Next.........

    The last time you ran a scan with Malwarebytes, Rootkits was disabled...please enable it for this scan:
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled <------------
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

     



    Please Update and run a Threat Scan (Malwarebytes)
    Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware
    Same for PUM (Potentially Unwanted Modifications)
    Quarantine All that's found

    MrC

     

fixlist.txt


I do not recognize that FireFox Extension.  I hardly ever use FireFox.

 

Fix result of Farbar Recovery Scan Tool (x86) Version:24-08-2015
Ran by chris (2015-08-26 13:06:26) Run:1
Running from C:\Users\chris\Desktop
Loaded Profiles: chris (Available Profiles: chris & Administrator & user)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
S3 catchme; \??\C:\Users\chris\AppData\Local\Temp\catchme.sys [X]
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File

*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully.
catchme => service removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}" => key removed successfully.
"HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}" => key removed successfully.
EmptyTemp: => 790 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 13:07:53 ====

 

# AdwCleaner v5.003 - Logfile created 26/08/2015 at 13:15:06
# Updated 20/08/2015 by Xplode
# Database : 2015-08-25.1 [server]
# Operating system : Windows 7 Professional Service Pack 1 (x86)
# Username : chris - WORKSTATION1
# Running from : C:\Users\chris\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\ProgramData\Tarma Installer

***** [ Files ] *****

File Found : C:\Program Files\Mozilla Firefox\browser\searchplugins\yahoo.xml

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [648 bytes] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.8 (08.24.2015:1)
OS: Windows 7 Professional x86
Ran by chris on Wed 08/26/2015 at 13:33:57.12
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Tasks

 

~~~ Registry Values

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

Successfully deleted: [Folder] C:\ProgramData\tarma installer

 

~~~ FireFox

Emptied folder: C:\Users\chris\AppData\Roaming\mozilla\firefox\profiles\gp0mcsih.default\minidumps [1 files]

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/26/2015 at 13:35:08.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/26/2015
Scan Time: 1:36 PM
Logfile: mbam.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.26.07
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: chris

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 419444
Time Elapsed: 10 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


OK...Next:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/<---ComboFix direct download

Please make sure you click download buttons that look similar to this, not "sponsored ad links":

[screenshot of the download button]

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC


ComboFix 15-08-24.01 - chris 08/26/2015  16:02:19.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3034.1677 [GMT -5:00]
Running from: c:\users\chris\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((   Files Created from 2015-07-26 to 2015-08-26  )))))))))))))))))))))))))))))))
.
.
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\user\AppData\Local\temp
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-08-26 21:06 . 2015-08-26 21:06 -------- d-----w- c:\users\administrator\AppData\Local\temp
2015-08-26 21:00 . 2015-08-26 21:01 -------- d-----w- C:\32788R22FWJFW
2015-08-26 18:15 . 2015-08-26 18:15 -------- d-----w- C:\AdwCleaner
2015-08-26 18:03 . 2015-08-26 18:03 -------- d-----w- c:\windows\ERUNT
2015-08-26 14:35 . 2015-08-26 14:39 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-08-26 14:35 . 2015-08-26 14:38 -------- d-----w- c:\programdata\RogueKiller
2015-08-25 15:27 . 2015-08-26 18:09 -------- d-----w- C:\FRST
2015-08-24 21:05 . 2015-08-26 19:00 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-08-24 21:04 . 2015-06-18 13:41 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-08-24 21:04 . 2015-06-18 13:41 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-08-24 21:04 . 2015-06-18 13:41 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-08-25 17:18 . 2013-11-26 23:17 848 --sha-w- c:\programdata\KGyGaAvL.sys
2015-08-24 17:29 . 2014-10-23 17:36 1409 ----a-w- c:\windows\system32\BCFXOB.FOR
2015-08-24 17:29 . 2014-10-23 17:36 1409 ----a-w- c:\windows\system32\BCFXOA.FOR
2015-08-24 17:29 . 2014-10-23 17:36 1409 ----a-w- c:\windows\system32\BCFXMR.FOR
2015-08-13 14:49 . 2013-12-05 21:47 778440 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-08-13 14:49 . 2013-12-05 21:47 142536 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-05-29 14:15 . 2015-01-30 22:11 96352 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupStatusIcon"="c:\program files\M & M Computer Solutions" [X]
"QuickFinder Scheduler"="c:\program files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE" [2009-06-22 83232]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-12-07 2771832]
"ISUSPM"="c:\programdata\FLEXnet\Connect\11\\isuspm.exe" [2010-05-21 324976]
"PaperPort PTD"="c:\program files\Nuance\PaperPort\pptd40nt.exe" [2012-11-19 38888]
"IndexSearch"="c:\program files\Nuance\PaperPort\IndexSearch.exe" [2012-11-19 51176]
"PPort14reminder"="c:\program files\Nuance\PaperPort\Ereg\Ereg.exe" [2012-01-03 333672]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2009-10-06 30264]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [bU]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2015-04-30 334896]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Raptor"="c:\program files\McAfee\Raptor\Raptor.exe" [2015-07-15 1619824]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-06-23 280576]
.
c:\users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
help_restore_files_ohymd.html [2015-7-10 3811]
help_restore_files_ohymd.txt [2015-7-10 2171]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\PrintMaster Platinum 18\Remind.exe [2007-9-9 344064]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2013-2-1 1155912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2015-07-08 01:12 998104 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2009-08-20 19:25 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDFProHook]
2012-11-06 02:41 641424 ----a-w- c:\program files\Nuance\PDF Viewer Plus\PdfPro7Hook.exe
.
R2 BackupAgent;Backup Agent;c:\program files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe [2015-05-22 47616]
R2 BackupExtender;Backup Extender;c:\program files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe [2015-05-22 51712]
R2 BackupUpdater;Backup Updater;c:\program files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe [2015-05-22 51712]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes Anti-Malware\mbamservice.exe [2015-06-18 1133880]
R2 msftesql$WASPDBEXPRESS;SQL Server FullText Search (WASPDBEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [2007-06-22 95592]
R2 MSSQL$WASPDBEXPRESS;SQL Server (WASPDBEXPRESS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-25 29263712]
R2 PDFProFiltSrvPP;PDFProFiltSrvPP;c:\program files\Nuance\PaperPort\PDFProFiltSrvPP.exe [2012-11-19 220048]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2013-11-25 412776]
R3 eapihdrv;eapihdrv;c:\users\chris\AppData\Local\Temp\ehdrv.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-06-23 108032]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys [2015-06-18 51928]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2014-06-23 1343400]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2012-10-24 71152]
S0 vsock;vSockets Driver;c:\windows\system32\drivers\vsock.sys [2012-10-24 61464]
S1 VHDTrack;VHDTrack;c:\windows\system32\DRIVERS\VHDTrack.sys [2015-05-22 125840]
S2 Emc.Captiva.WebCaptureService;EMC Captiva Cloud Service;c:\program files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe [2012-04-05 39936]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2012-10-11 721048]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2015-06-18 23256]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-07-13 139776]
S3 TSUSB2;Driver for TellerScan Device;c:\windows\system32\DRIVERS\TSUSB2.sys [2007-01-19 54016]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 19:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-05 14:49]
.
2015-08-26 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job
- c:\program files\Citrix\GoToMeeting\3215\g2mupdate.exe [2015-08-14 18:46]
.
2015-08-26 c:\windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job
- c:\program files\Citrix\GoToMeeting\3215\g2mupload.exe [2015-08-14 18:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.yahoo.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Open with PDF Viewer 7 - c:\program files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm
IE: Open with WordPerfect - c:\program files\Corel\WordPerfect Office X4\Programs\WPLauncher.hta
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: ecorpnet.com\navigator
Trusted Zone: server1
TCP: DhcpNameServer = 192.168.0.10
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://navigator.ecorpnet.com/Member/bz052/sglw2hcm.ocx
DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxp://server1/aspnet_client/system_web/2_0_50727/crystalreportviewers12/ActiveXControls/PrintControl.cab
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://192.168.0.150/WebClient.cab
FF - ProfilePath - c:\users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-{52357C6C-FE7F-4E8C-B045-EDE5146A1F9C} - c:\progra~2\TARMAI~1\{52357~1\Setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$WASPDBEXPRESS]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:WASPDBEXPRESS"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_18_0_0_232_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-08-26  16:08:09
ComboFix-quarantined-files.txt  2015-08-26 21:08
ComboFix2.txt  2015-07-12 19:18
ComboFix3.txt  2015-07-12 03:17
.
Pre-Run: 263,891,894,272 bytes free
Post-Run: 263,609,864,192 bytes free
.
- - End Of File - - 788A13591799485F29189DAA99053091
A36C5E4F47E84449FF07ED3517B43A31

 

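The tail of the ComboFix log above lists the IE items a helper goes through by hand on a machine like this: the Winsock LSP, the Trusted Zone additions, and the DPF (Downloaded Program Files) entries, which are ActiveX controls IE installed from a URL. Below is an added example, not code from the poster, from ComboFix or from FRST, of a small reviewer that parses those lines and marks the entries worth a second look: a control fetched over plaintext http:// (no transport integrity for the binary), a control whose host has been added to the Trusted Zone (which relaxes ActiveX prompts), and any LSP module (which loads into every networking process). The sample input is the page's own Supplementary Scan lines, copied with ComboFix's hxxp:// defanging intact. It assumes ComboFix prints a ZoneMap entry `domain\subdomain` for the registry key `ZoneMap\Domains\<domain>\<subdomain>`, so `ecorpnet.com\navigator` means the host `navigator.ecorpnet.com`. The output is a list of things to verify, not a verdict; an LSP from VMware or a print control from an internal app server can be entirely legitimate.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample input: the "Supplementary Scan" lines from the ComboFix
# log above, copied with ComboFix's own hxxp:// defanging left in place.
SAMPLE_LINES = r"""
uStart Page = hxxp://www.att.yahoo.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: %windir%\system32\vsocklib.dll
Trusted Zone: ecorpnet.com\navigator
Trusted Zone: server1
TCP: DhcpNameServer = 192.168.0.10
DPF: {037790A6-1576-11D6-903D-00105AABADD3} - hxxps://navigator.ecorpnet.com/Member/bz052/sglw2hcm.ocx
DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} - hxxp://server1/aspnet_client/system_web/2_0_50727/crystalreportviewers12/ActiveXControls/PrintControl.cab
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://192.168.0.150/WebClient.cab
"""

# ComboFix writes "DPF: {CLSID} - url"; FRST writes "DPF: {CLSID} url".
# The optional "- " group accepts both.
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]{36}\})\s+(?:-\s+)?(\S+)$")
TZ_RE = re.compile(r"^Trusted Zone:\s+(\S+)$")
LSP_RE = re.compile(r"^LSP:\s+(.+)$")


@dataclass
class Finding:
    kind: str    # "DPF" or "LSP"
    value: str   # the CLSID and URL, or the LSP module path
    reason: str  # why the entry deserves a look


def refang(url: str) -> str:
    """Undo the hxxp:// defanging so urlparse sees a real scheme."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def zone_entry_to_host(entry: str) -> str:
    r"""Map a Trusted Zone entry as ComboFix prints it to a hostname.

    Assumption (see lead-in): the registry key ZoneMap\Domains\<domain>\<sub>
    is printed as "<domain>\<sub>", and a bare "<domain>" covers that name.
    """
    parts = entry.lower().split("\\")
    return f"{parts[1]}.{parts[0]}" if len(parts) == 2 else parts[0]


def review_supplementary(text: str) -> List[Finding]:
    """Return the DPF and LSP entries that merit verification."""
    trusted_hosts = set()
    controls: List[Tuple[str, str]] = []
    lsps: List[str] = []

    # First pass: collect every entry, because a DPF line may appear before
    # the Trusted Zone line that makes it interesting.
    for raw in text.splitlines():
        line = raw.strip()
        if (m := TZ_RE.match(line)):
            trusted_hosts.add(zone_entry_to_host(m.group(1)))
        elif (m := DPF_RE.match(line)):
            controls.append((m.group(1), refang(m.group(2))))
        elif (m := LSP_RE.match(line)):
            lsps.append(m.group(1))

    findings: List[Finding] = []
    for clsid, url in controls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        reasons = []
        if parsed.scheme == "http":
            reasons.append("fetched over plaintext HTTP, so the binary had no transport integrity")
        if host in trusted_hosts:
            reasons.append("host is in the IE Trusted Zone, which relaxes ActiveX prompts")
        if reasons:
            findings.append(Finding("DPF", f"{clsid} {url}", "; ".join(reasons)))
    for module in lsps:
        findings.append(Finding(
            "LSP", module,
            "Winsock LSP loads into every networking process; confirm publisher and signature"))
    return findings


if __name__ == "__main__":
    for f in review_supplementary(SAMPLE_LINES):
        print(f"[{f.kind}] {f.value}\n    {f.reason}")
```

Run against the sample it reports four items: the `sglw2hcm.ocx` control because its host sits in the Trusted Zone, the Crystal Reports `PrintControl.cab` on both counts (plaintext HTTP and a Trusted Zone host), `WebClient.cab` for plaintext HTTP, and the `vsocklib.dll` LSP. Each of those is then checked the usual way (publisher, Authenticode signature, and whether the business actually uses the site) rather than removed on sight.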
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:24-08-2015

Ran by chris (administrator) on WORKSTATION1 (27-08-2015 08:33:18)

Running from C:\Users\chris\Desktop

Loaded Profiles: chris (Available Profiles: chris & Administrator & user)

Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)

Internet Explorer Version 11 (Default browser: IE)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe

(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe

(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe

(Juniper Networks) C:\Program Files\Juniper Networks\Common Files\dsNcService.exe

(EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe

(Protexis Inc.) C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

(VMware, Inc.) C:\Windows\System32\vmnat.exe

(Data Perceptions / PowerProgrammer) C:\Windows\System32\WebUpdateSvc4.exe

(VMware, Inc.) C:\Windows\System32\vmnetdhcp.exe

(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

(VMware, Inc.) C:\Program Files\VMware\VMware Player\vmware-authd.exe

(Microsoft Corporation) C:\Windows\System32\vds.exe

(EMC Corporation) C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebToolkitHost.exe

(McAfee Inc.) C:\Program Files\McAfee\Raptor\Raptor.exe

(Nuance Communications, Inc.) C:\Program Files\Nuance\PaperPort\pptd40nt.exe

(Hewlett-Packard Company) C:\Program Files\HP\HP UT\bin\hppusg.exe

(Online Backup Solution) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe

(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [QuickFinder Scheduler] => c:\Program Files\Corel\WordPerfect Office X4\Programs\QFSCHD140.EXE [83232 2009-06-22] (Corel Corporation)

HKLM\...\Run: [intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2771832 2012-12-07] (Intuit Inc. All rights reserved.)

HKLM\...\Run: [iSUSPM] => C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe [324976 2010-05-21] (Flexera Software, Inc.)

HKLM\...\Run: [PaperPort PTD] => C:\Program Files\Nuance\PaperPort\pptd40nt.exe [38888 2012-11-18] (Nuance Communications, Inc.)

HKLM\...\Run: [indexSearch] => C:\Program Files\Nuance\PaperPort\IndexSearch.exe [51176 2012-11-18] (Nuance Communications, Inc.)

HKLM\...\Run: [PPort14reminder] => C:\Program Files\Nuance\PaperPort\Ereg\Ereg.exe [333672 2012-01-03] (Nuance Communications, Inc.)

HKLM\...\Run: [HPUsageTracking] => C:\Program Files\HP\HP UT\bin\hppusg.exe [30264 2009-10-06] (Hewlett-Packard Company)

HKLM\...\Run: [APSDaemon] => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)

HKLM\...\Run: [backupStatusIcon] => C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe [210944 2015-05-22] (Online Backup Solution)

HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)

HKLM\...\RunOnce: [Raptor] => C:\Program Files\McAfee\Raptor\Raptor.exe [1619824 2015-07-15] (McAfee Inc.)

HKU\S-1-5-18\...\RunOnce: [sPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2014-06-23] (Microsoft Corporation)

Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] ()

Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt [2015-07-10] ()

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk [2014-01-10]

ShortcutTarget: Event Reminder.lnk -> C:\Program Files\PrintMaster Platinum 18\Remind.exe (Broderbund Properties LLC)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk [2013-11-26]

ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

HKU\S-1-5-21-712691609-890981738-2795466230-1107\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.att.yahoo.com/

BHO: PlusIEEventHelper Class -> {551A852F-39A6-44A7-9C13-AFBEC9185A9D} -> C:\Program Files\Nuance\PDF Viewer Plus\Bin\PlusIEContextMenu.dll [2011-06-30] (Zeon Corporation)

BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-29] (Oracle Corporation)

BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-29] (Oracle Corporation)

DPF: {037790A6-1576-11D6-903D-00105AABADD3} hxxps://navigator.ecorpnet.com/Member/bz052/sglw2hcm.ocx

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {88DD90B6-C770-4CFF-B7A4-3AFD16BB8824} hxxp://server1/aspnet_client/system_web/2_0_50727/crystalreportviewers12/ActiveXControls/PrintControl.cab

DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} hxxp://192.168.0.150/WebClient.cab

DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} hxxps://stericycle.webex.com/client/WBXclient-T28L10NSP12EP20-10001/webex/ieatgpc1.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} hxxps://qies-west.cms.gov/dana-cached/sc/JuniperSetupClient.cab

Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll [2013-02-01] (Intuit, Inc.)

Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll [2010-11-04] (Microsoft Corporation)

Tcpip\Parameters: [DhcpNameServer] 192.168.0.10

Tcpip\..\Interfaces\{733E64BC-C0B0-44A5-A1F9-C8C52DDF48EA}: [DhcpNameServer] 192.168.0.10

FireFox:

========

FF ProfilePath: C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_232.dll [2015-08-13] ()

FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-29] (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-29] (Oracle Corporation)

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll [2012-03-29] ( Microsoft Corporation)

FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)

FF Plugin: ZEON/PDF,version=2.0 -> C:\Program Files\Nuance\PDF Viewer Plus\bin\nppdf.dll [2011-07-15] (Zeon Corporation)

FF Plugin HKU\S-1-5-21-712691609-890981738-2795466230-1107: @citrixonline.com/appdetectorplugin -> C:\Users\chris\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2015-02-05] (Citrix Online)

FF Extension: Bidi Spooler APIs - C:\Users\chris\AppData\Roaming\Mozilla\Firefox\Profiles\gp0mcsih.default\Extensions\{2A51A223-F244-36E3-AD0D-FC0F70C42C0F} [2014-04-03]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 BackupAgent; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupAgent.exe [47616 2015-05-22] (Online Backup Solution) [File not signed]

R2 BackupExtender; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe [51712 2015-05-22] (Online Backup Solution) [File not signed]

R2 BackupUpdater; C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupUpdater.exe [51712 2015-05-22] (Online Backup Solution) [File not signed]

R2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [688240 2014-04-10] (Juniper Networks)

R2 Emc.Captiva.WebCaptureService; C:\Program Files\EMC Captiva\Captiva Cloud Runtime\Emc.Captiva.WebCaptureService.exe [39936 2012-04-04] (EMC Corporation) [File not signed]

S4 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2009-08-20] (Hewlett-Packard Company) [File not signed]

S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)

R2 msftesql$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe [95592 2007-06-22] (Microsoft Corporation)

R2 MSSQL$WASPDBEXPRESS; C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29263712 2008-11-24] (Microsoft Corporation)

S4 MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [45408 2008-11-24] (Microsoft Corporation)

R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed]

R2 PDFProFiltSrvPP; C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe [220048 2012-11-18] (Nuance Communications, Inc.)

R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]

R2 QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [45056 2013-02-01] (Intuit) [File not signed]

S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]

R2 VMAuthdService; C:\Program Files\VMware\VMware Player\vmware-authd.exe [87120 2013-02-26] (VMware, Inc.)

R2 VMnetDHCP; C:\Windows\system32\vmnetdhcp.exe [357456 2013-02-26] (VMware, Inc.)

R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [721048 2012-10-11] (VMware, Inc.)

R2 VMware NAT Service; C:\Windows\system32\vmnat.exe [436304 2013-02-26] (VMware, Inc.)

R2 WebUpdate4; C:\Windows\system32\WebUpdateSvc4.exe [412776 2013-11-25] (Data Perceptions / PowerProgrammer)

R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [27648 2013-07-24] (Juniper Networks)

R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [41496 2012-10-11] (VMware, Inc.)

R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)

S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)

S4 RxFilter; C:\Windows\System32\DRIVERS\RxFilter.sys [57328 2008-02-26] (Sonic Solutions)

R3 TSUSB2; C:\Windows\System32\DRIVERS\TSUSB2.sys [54016 2007-01-19] (HTL)

S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2014-06-10] (Apple, Inc.) [File not signed]

R1 VHDTrack; C:\Windows\System32\DRIVERS\VHDTrack.sys [125840 2015-05-22] (AI Consulting)

R3 vmkbd; C:\Windows\system32\drivers\VMkbd.sys [26064 2013-02-26] (VMware, Inc.)

R3 VMnetAdapter; C:\Windows\System32\DRIVERS\vmnetadapter.sys [16664 2013-02-26] (VMware, Inc.)

R2 VMnetBridge; C:\Windows\System32\DRIVERS\vmnetbridge.sys [37016 2013-02-26] (VMware, Inc.)

R2 VMnetuserif; C:\Windows\system32\drivers\vmnetuserif.sys [26192 2013-02-26] (VMware, Inc.)

R2 VMparport; C:\Windows\system32\Drivers\VMparport.sys [24272 2013-02-26] (VMware, Inc.)

S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2012-10-11] (VMware, Inc.)

R2 vmx86; C:\Windows\system32\Drivers\vmx86.sys [62416 2013-02-26] (VMware, Inc.)

R0 vsock; C:\Windows\System32\drivers\vsock.sys [61464 2012-10-24] (VMware, Inc.)

S3 catchme; \??\C:\Users\chris\AppData\Local\Temp\catchme.sys [X]

S3 eapihdrv; \??\C:\Users\chris\AppData\Local\Temp\ehdrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-27 08:31 - 2015-08-27 08:33 - 00014633 _____ C:\Users\chris\Desktop\FRST.txt

2015-08-26 16:08 - 2015-08-26 16:08 - 00011392 _____ C:\ComboFix.txt

2015-08-26 16:02 - 2015-08-27 08:33 - 00000000 ____D C:\Users\chris\Desktop\txt files

2015-08-26 16:00 - 2015-08-26 16:01 - 00000000 ____D C:\32788R22FWJFW

2015-08-26 13:56 - 2015-08-26 13:56 - 00001052 _____ C:\mbam.txt

2015-08-26 13:33 - 2015-08-26 12:34 - 01798560 _____ (Malwarebytes Corporation) C:\Users\chris\Desktop\JRT.exe

2015-08-26 13:15 - 2015-08-26 13:15 - 00000000 ____D C:\AdwCleaner

2015-08-26 13:11 - 2015-08-26 13:13 - 01605632 _____ C:\Users\chris\Desktop\AdwCleaner.exe

2015-08-26 13:03 - 2015-08-26 13:03 - 00781312 _____ C:\Users\chris\Desktop\delfix_1.011.exe

2015-08-26 13:03 - 2015-08-26 13:03 - 00000265 _____ C:\DelFix.txt

2015-08-26 13:03 - 2015-08-26 13:03 - 00000000 ____D C:\Windows\ERUNT

2015-08-26 09:35 - 2015-08-26 09:39 - 00035064 _____ C:\Windows\system32\Drivers\TrueSight.sys

2015-08-26 09:35 - 2015-08-26 09:38 - 00000000 ____D C:\ProgramData\RogueKiller

2015-08-26 09:34 - 2015-08-26 09:35 - 18772040 _____ C:\Users\chris\Desktop\RogueKiller.exe

2015-08-25 10:27 - 2015-08-27 08:33 - 00000000 ____D C:\FRST

2015-08-25 10:27 - 2015-08-25 10:27 - 01690112 _____ (Farbar) C:\Users\chris\Desktop\FRST.exe

2015-08-24 16:05 - 2015-08-26 14:00 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2015-08-24 16:04 - 2015-08-24 16:04 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2015-08-24 16:04 - 2015-08-24 16:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2015-08-24 16:04 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2015-08-24 16:04 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2015-08-24 16:04 - 2015-06-18 08:41 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2015-08-24 13:44 - 2015-08-24 14:10 - 00012805 _____ C:\Users\chris\Desktop\2015 bims scores.xlsx

2015-08-24 08:45 - 2015-08-24 08:45 - 00000881 _____ C:\Users\chris\Desktop\JTAW32.EXE.lnk

2015-08-18 16:03 - 2015-08-18 16:04 - 00014359 _____ C:\Users\chris\Desktop\mm fair coupon.wpd

2015-08-14 14:03 - 2015-08-14 13:57 - 00171067 _____ C:\Users\chris\Desktop\201508141357_FC01_91.zip

2015-07-29 14:16 - 2015-07-29 14:16 - 00006636 _____ C:\Users\chris\Documents\personell policy.wpd

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-27 08:27 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2015-08-27 08:27 - 2009-07-13 23:34 - 00014848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2015-08-27 08:25 - 2013-11-26 15:36 - 00910090 _____ C:\Windows\system32\PerfStringBackup.INI

2015-08-27 08:23 - 2013-11-26 15:33 - 01049256 _____ C:\Windows\WindowsUpdate.log

2015-08-27 08:21 - 2013-11-26 15:35 - 00000136 _____ C:\Windows\system32\config\netlogon.ftl

2015-08-27 08:20 - 2014-04-22 13:57 - 00000000 ____D C:\ProgramData\VMware

2015-08-27 08:20 - 2013-11-26 16:25 - 00014710 _____ C:\Windows\PFRO.log

2015-08-27 08:20 - 2009-07-13 23:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2015-08-27 08:20 - 2009-07-13 23:39 - 00059445 _____ C:\Windows\setupact.log

2015-08-26 16:08 - 2015-07-11 22:10 - 00000000 ____D C:\Qoobox

2015-08-26 16:06 - 2009-07-13 21:04 - 00000215 _____ C:\Windows\system.ini

2015-08-26 16:00 - 2015-07-12 14:10 - 05635162 ____R (Swearware) C:\Users\chris\Desktop\ComboFix.exe

2015-08-26 15:49 - 2014-04-23 14:48 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job

2015-08-26 15:35 - 2015-06-04 10:30 - 00000610 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job

2015-08-26 15:34 - 2015-02-05 13:49 - 00000514 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job

2015-08-26 12:48 - 2015-03-02 13:52 - 00000000 ____D C:\ProgramData\Roxio

2015-08-25 12:39 - 2015-07-06 09:52 - 00000000 ____D C:\ProgramData\BlueZone

2015-08-25 12:18 - 2013-11-26 18:17 - 00000848 ___SH C:\ProgramData\KGyGaAvL.sys

2015-08-25 12:18 - 2009-07-13 23:52 - 00000000 ____D C:\Windows\system32\FxsTmp

2015-08-25 08:29 - 2009-07-13 23:53 - 00032594 _____ C:\Windows\Tasks\SCHEDLGU.TXT

2015-08-24 16:04 - 2015-07-11 23:12 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware

2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOB.FOR

2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXOA.FOR

2015-08-24 12:29 - 2014-10-23 12:36 - 00001409 _____ C:\Windows\system32\BCFXMR.FOR

2015-08-24 09:37 - 2013-11-26 18:22 - 00002032 ____H C:\Users\chris\Documents\Default.rdp

2015-08-24 08:39 - 2014-06-16 12:18 - 00000000 ____D C:\Users\chris\Desktop\move

2015-08-18 15:57 - 2013-11-26 18:17 - 00000000 ____D C:\Users\chris\Documents\Corel User Files

2015-08-13 09:49 - 2013-12-05 16:47 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

2015-08-13 09:49 - 2013-12-05 16:47 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2014-02-06 13:16 - 2014-02-06 13:16 - 0000218 _____ () C:\Users\chris\AppData\Roaming\default.rss

2014-12-24 14:17 - 2014-12-24 14:17 - 0000000 _____ () C:\Users\chris\AppData\Local\rx_image32.Cache

2014-01-02 12:09 - 2014-01-02 14:05 - 0004180 _____ () C:\ProgramData\hpzinstall.log

2013-11-26 18:17 - 2015-08-25 12:18 - 0000848 ___SH () C:\ProgramData\KGyGaAvL.sys

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-08-24 10:43

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version:24-08-2015

Ran by chris (2015-08-27 08:33:32)

Running from C:\Users\chris\Desktop

Boot Mode: Normal

==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-777155561-1165665369-343804298-500 - Administrator - Disabled)

ASPNET (S-1-5-21-777155561-1165665369-343804298-1008 - Limited - Enabled)

Guest (S-1-5-21-777155561-1165665369-343804298-501 - Limited - Disabled)

user (S-1-5-21-777155561-1165665369-343804298-1001 - Administrator - Enabled) => C:\Users\user

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 7.1.4 - Hewlett-Packard) Hidden

Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.232 - Adobe Systems Incorporated)

Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.232 - Adobe Systems Incorporated)

Adobe Reader XI (11.0.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)

Advertising Center (Version: 0.0.0.1 - Nero AG) Hidden

Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)

Citrix Online Launcher (HKLM\...\{1EFF9E6C-76E1-43F9-81FB-BC8C037B0902}) (Version: 1.0.258 - Citrix)

Corel WordPerfect Office - iFilter (HKLM\...\{1DF03ECE-6AF4-414E-B118-C316F151A9A2}) (Version: 1.00.000 - Corel Corporation)

Crystal Reports Basic Runtime for Visual Studio 2008 (HKLM\...\{CE26F10F-C80F-4377-908B-1B7882AE2CE3}) (Version: 10.5.0.0 - Business Objects)

CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden

DolbyFiles (Version: 0.1 - Nero AG) Hidden

ESET Online Scanner v3 (HKLM\...\ESET Online Scanner) (Version: - )

FIS DCC Driver Package 2011 (HKLM\...\FIS DCC Driver Package 2011) (Version: 2014.1.0.0 - FIS)

Fujitsu NetCOBOL Free Run-time (HKLM\...\InstallShield_{F84C7212-9DC4-4963-A564-73C2EFA18935}) (Version: 10.1.0000.0000 - FUJITSU LIMITED)

Fujitsu NetCOBOL Free Run-time (Version: 10.1.0000.0000 - FUJITSU LIMITED) Hidden

GoToMeeting 7.2.4.3215 (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\GoToMeeting) (Version: 7.2.4.3215 - CitrixOnline)

HP Customer Participation Program 10.0 (HKLM\...\HPExtendedCapabilities) (Version: 10.0 - HP)

HP Easy Scan (HKLM\...\{0007FD40-3ED2-4FDC-B45B-0C3A1C1A8C17}) (Version: 1.0.7.0 - Hewlett-Packard Company)

HP LaserJet P2050 Series 6.0 (HKLM\...\{6F801026-6AF0-4520-9153-4C9B4CAAB361}) (Version: 6.0 - HP)

HP Scanjet 3000 s2 ISIS Driver (HKLM\...\{20D6301E-0A14-4238-841D-45ECA567DB69}) (Version: 1.0.2597 - EMC Corporation)

HP Scanjet Pro 3000 s2 (HKLM\...\{1868D30B-72C7-41E8-9657-69C5DFE1C768}) (Version: 1.00.0000 - HP)

hppFonts (Version: 001.001.00061 - Hewlett-Packard) Hidden

hppQFolderP2050 (Version: 1.00.0000 - Hewlett-Packard) Hidden

hppusgP2050 (Version: 1.1.0.1 - Hewlett-Packard) Hidden

ImagXpress (Version: 7.0.74.0 - Nero AG) Hidden

InventoryControl (HKLM\...\{97C0445D-E7B6-4320-A541-50A5AB345422}) (Version: 5 - Wasp Technologies)

Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)

Juniper Networks Network Connect 7.4.0 (HKLM\...\Juniper Network Connect 7.4.0) (Version: 7.4.0.30667 - Juniper Networks)

Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\Juniper_Setup_Client) (Version: 7.4.9.45013 - Juniper Networks, Inc.)

Labeler (HKLM\...\{78DA4EC4-8E94-45D4-B047-027B662EC6A6}) (Version: 6.0 - Wasp Technologies)

LightScribe System Software (HKLM\...\{CC8E94A2-55C7-4460-953C-2A790180578C}) (Version: 1.18.8.1 - LightScribe)

Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)

MarketResearch (Version: 100.0.170.000 - Hewlett-Packard) Hidden

MCRIF32 - SNF (HKLM\...\{79EEAD1F-AD83-4F0C-A783-CD77C0BC1F2A}) (Version: 5.14.153.0 - Health Financial Systems)

Menu Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden

Microsoft .NET Framework 1.1 (HKLM\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)

Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)

Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)

Microsoft Office 2007 Primary Interop Assemblies (HKLM\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)

Microsoft Office Small Business 2007 (HKLM\...\SMALLBUSINESSR) (Version: 12.0.4518.1014 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.1.10329.0 - Microsoft Corporation)

Microsoft SQL Server 2005 (HKLM\...\Microsoft SQL Server 2005) (Version: - Microsoft Corporation)

Microsoft SQL Server Management Studio Express (HKLM\...\{F43867C9-68FD-46C7-B0AF-214356305B5E}) (Version: 9.00.4035.00 - Microsoft Corporation)

Microsoft SQL Server Native Client (HKLM\...\{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}) (Version: 9.00.4035.00 - Microsoft Corporation)

Microsoft SQL Server Setup Support Files (English) (HKLM\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.4035.00 - Microsoft Corporation)

Microsoft SQL Server VSS Writer (HKLM\...\{56B4002F-671C-49F4-984C-C760FE3806B5}) (Version: 9.00.4035.00 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4048 (HKLM\...\{5B1F2843-B379-3FF2-B0D3-64DD143ED53A}) (Version: 9.0.30729.4048 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)

Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version: - Microsoft Corporation)

Microsoft Web Publishing Wizard 1.52 (HKLM\...\WebPost) (Version: - )

MM Backup (HKLM\...\{34A6764B-D838-4E93-A6C0-9D67BE564691}) (Version: 5.5.4 - M & M Computer Solutions, LLC)

Movie Templates - Starter Kit (Version: 9.4.2.0 - Nero AG) Hidden

Mozilla Firefox 31.0 (x86 en-US) (HKLM\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)

Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)

MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)

MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)

MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)

Nero 9 Essentials (HKLM\...\{1008cf13-3650-46d1-8ed6-31c0945215f6}) (Version: - Nero AG)

Nuance PaperPort 14 (HKLM\...\{2C92D969-468E-4711-8CCA-01AD9C7EB4E7}) (Version: 14.2.0000 - Nuance Communications, Inc.)

Nuance PDF Viewer Plus (HKLM\...\{FC984E39-43D0-4AB2-ACC7-A7B87977B009}) (Version: 7.20.3274 - Nuance Communications, Inc.)

PaperPort Image Printer (HKLM\...\{6EF2FDAB-7FBF-4AB9-92CD-594BDDB6A56B}) (Version: 14.00.0000 - Nuance Communications, Inc.)

PrintMaster Platinum 18 (HKLM\...\{EBD9A954-6C1A-4E9F-A098-C98653035381}) (Version: 18.00.0000 - Broderbund Software)

QuickBooks (Version: 20.0.4017.807 - Intuit Inc.) Hidden

QuickBooks Pro 2010 (HKLM\...\{0700E22B-A422-40A5-BD20-04BF618CA0F9}) (Version: 20.0.4017.807 - Intuit Inc.)

QuickTime (HKLM\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)

Readiris Pro 14 (HKLM\...\{C34A50FC-2B95-4E69-809C-96310E9D7852}) (Version: 14.00.2719 - I.R.I.S.)

Roxio Creator LE 10 (HKLM\...\{537BF16E-7412-448C-95D8-846E85A1D817}) (Version: 10.1 - Roxio)

Scansoft PDF Professional (Version: - ) Hidden

Software Update Wizard (Redist) 4.5 (HKLM\...\Software Update Wizard (Redist)) (Version: 4.5 - PowerProgrammer)

TellerScan 32-bit and 64-bit Combined Driver v4.2 (HKLM\...\{95D2D2E3-2FC4-4245-8DC2-C6202BE704CB}) (Version: 4.02.0000 - Precision Software Technologies, Inc.)

UB-04 ICD10 (HKLM\...\{2D0C2A6F-CD38-47C8-8C73-5586A8C73804}) (Version: 1.0.1.90 - SpeedySoft USA)

Visual Foxpro 6.0 Runtime version 6.00 (HKLM\...\{6016312C-6BA3-4AEA-B73D-8FC405508E8D}_is1) (Version: 6.00 - )

VMware Player (HKLM\...\VMware_Player) (Version: 5.0.2 - VMware, Inc)

VMware Player (Version: 5.0.2 - VMware, Inc.) Hidden

WebReg (Version: 100.0.170.000 - Hewlett-Packard) Hidden

WordPerfect Office X4 - Common (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - Content (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - EN (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - Filters (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - Graphics (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - ICA (Version: 14.1 - Corel Corporation) Hidden

WordPerfect Office X4 - IPM (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - IPM EN (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - Migration Manager (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - PerfectExperts (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - PR (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - QP (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - Skins (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 - System (Version: 14.1 - Corel Corporation) Hidden

WordPerfect Office X4 - WP (Version: 14.2 - Corel Corporation) Hidden

WordPerfect Office X4 (HKLM\...\_{DCDAB2ED-5741-4C30-A1A4-0FCB8A529001}) (Version: - Corel Corporation)

WordPerfect Office X4 (Version: 14.2 - Corel Corporation) Hidden

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{810CADD9-2658-4820-BA95-30199625191E}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Program Files\Citrix\GoToMeeting\2185\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks 2010\qbw32.exe (Intuit Inc.)

CustomCLSID: HKU\S-1-5-21-712691609-890981738-2795466230-1107_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Restore Points =========================

29-07-2015 11:51:06 Scheduled Checkpoint

10-08-2015 10:38:00 Scheduled Checkpoint

18-08-2015 09:18:55 Scheduled Checkpoint

25-08-2015 11:14:36 Scheduled Checkpoint

26-08-2015 13:06:27 Restore Point Created by FRST

26-08-2015 13:33:58 JRT Pre-Junkware Removal

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:04 - 2015-08-14 14:04 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {25A01E62-3698-47F8-B578-400F1F9A0D9A} - System32\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.)

Task: {33B991F4-BED6-416D-9DCC-41B44CDC4E80} - System32\Tasks\{5EF5189C-3E71-4B71-B665-40BC9FDEFD6A} => pcalua.exe -a D:\Setup.exe -d D:\

Task: {6E6FC9A2-11DD-4899-A5A3-1E18FD44FBE6} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-08-13] (Adobe Systems Incorporated)

Task: {996FA9DF-2204-485B-8A3B-3B6CFE1DFDDD} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)

Task: {C1FDB8BF-262E-4E40-864C-5A2EDDED79F8} - System32\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107 => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe [2015-08-14] (Citrix Online, a division of Citrix Systems, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupdate.exe

Task: C:\Windows\Tasks\G2MUploadTask-S-1-5-21-712691609-890981738-2795466230-1107.job => C:\Program Files\Citrix\GoToMeeting\3215\g2mupload.exe

==================== Loaded Modules (Whitelisted) ==============

2015-05-22 11:15 - 2015-05-22 11:15 - 00016896 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vds.Common.dll

2015-05-22 11:15 - 2015-05-22 11:15 - 00124928 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\VDS.Platform.dll

2015-05-22 11:15 - 2015-05-22 11:15 - 01711616 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vim25Service.dll

2015-05-22 11:15 - 2015-05-22 11:15 - 03685456 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\gvmomi.dll

2015-05-22 11:15 - 2015-05-22 11:15 - 01229904 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libxml2.dll

2015-05-22 11:15 - 2015-05-22 11:15 - 00329808 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libcurl.dll

2015-05-22 11:15 - 2015-05-22 11:15 - 00318032 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\libldap_r.dll

2015-05-22 11:15 - 2015-05-22 11:15 - 00144976 _____ () C:\Program Files\M & M Computer Solutions, LLC\MM Backup\lib\Vddk\liblber.dll

2012-04-04 20:54 - 2012-04-04 20:54 - 00015360 _____ () C:\Program Files\EMC Captiva\Captiva Cloud Runtime\SSLSupport.dll

2013-02-26 02:28 - 2013-02-26 02:28 - 01260624 _____ () C:\Program Files\VMware\VMware Player\libxml2.dll

2006-10-26 21:30 - 2006-10-26 21:30 - 00065312 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\ColleagueImport.dll

2006-10-27 15:35 - 2006-10-27 15:35 - 00436512 _____ () C:\Program Files\Microsoft Office\Office12\ADDINS\UmOutlookAddin.dll

2006-10-26 13:56 - 2006-10-26 13:56 - 00757008 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\ecorpnet.com -> hxxps://navigator.ecorpnet.com

IE trusted site: HKU\S-1-5-21-712691609-890981738-2795466230-1107\...\server1 -> hxxp://server1

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-712691609-890981738-2795466230-1107\Control Panel\Desktop\\Wallpaper -> C:\Users\chris\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

DNS Servers: 192.168.0.10

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)

Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2

MSCONFIG\Services: LightScribeService => 2

MSCONFIG\Services: Nero BackItUp Scheduler 4.0 => 2

MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

MSCONFIG\startupreg: LightScribe Control Panel => C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

MSCONFIG\startupreg: PDFProHook => "C:\Program Files\Nuance\PDF Viewer Plus\pdfpro7hook.exe"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe

FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe

FirewallRules: [{8DF9BE9A-F03A-4B49-A92B-4CE446187EB4}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe

FirewallRules: [{6EDDD859-D085-4685-87AD-0947A111A474}] => (Allow) C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

FirewallRules: [{EE4DDED9-EBCA-45C3-B1C1-B4EDF29DA501}] => (Allow) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

FirewallRules: [{970A4628-B556-44E3-800E-9B552E22A0EC}] => (Allow) LPort=6160

FirewallRules: [{CB1FC5CF-6B22-40F2-8B6E-4475D3E7AC77}] => (Allow) C:\Program Files\Wasp Technologies\InventoryControl\InventoryControl.exe

FirewallRules: [{13946AFF-2682-4264-A80A-8223D67B6310}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupMonitor.exe

FirewallRules: [{635F315A-F94E-4523-B825-FE6F33AFAD85}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupStatusIcon.exe

FirewallRules: [{43EEB0EB-7F12-4784-B56C-955422B0F0B4}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe

FirewallRules: [{FAB54C15-84EC-4ABF-AB1A-F9F7ABC6C55B}] => (Allow) C:\Program Files\VMware\VMware Player\vmware-authd.exe

FirewallRules: [{71F50830-FA10-4D91-9C41-69D5E172859A}] => (Allow) C:\Program Files\Artisteer 4\bin\Artisteer.exe

FirewallRules: [{05FE104F-C24D-45B8-881A-66FFC781E2DC}] => (Allow) C:\Program Files\M & M Computer Solutions, LLC\MM Backup\BackupExtender.exe

FirewallRules: [{29E25875-15B7-42F7-A7C6-F7EF091FC596}] => (Allow) LPort=8877

FirewallRules: [{0357C77A-FBF0-4FEC-B282-B124C9A5E834}] => (Allow) LPort=8878

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:

==================

Error: (08/27/2015 08:20:53 AM) (Source: BackupAgent) (EventID: 0) (User: )

Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD

Error: (08/26/2015 02:56:34 PM) (Source: QuickBooks) (EventID: 4) (User: )

Description: An unexpected error has occured in "QuickBooks":

Returning NULL QBWinInstance Handle

Error: (08/26/2015 02:56:34 PM) (Source: QuickBooks) (EventID: 4) (User: )

Description: An unexpected error has occured in "QuickBooks":

Returning NULL QBWinInstance Handle

Error: (08/26/2015 02:56:34 PM) (Source: QuickBooks) (EventID: 4) (User: )

Description: An unexpected error has occured in "QuickBooks":

Returning NULL QBWinInstance Handle

Error: (08/26/2015 01:09:33 PM) (Source: BackupAgent) (EventID: 0) (User: )

Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD

Error: (08/26/2015 01:06:26 PM) (Source: VSS) (EventID: 8194) (User: )

Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.

.

This is often caused by incorrect security settings in either the writer or requestor process.

Operation:

Gathering Writer Data

Context:

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer

Writer Instance ID: {02a3a31d-f266-4ed5-9a00-0bdef541d0a4}

Error: (08/26/2015 12:00:28 PM) (Source: VSS) (EventID: 8194) (User: )

Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.

.

This is often caused by incorrect security settings in either the writer or requestor process.

Operation:

Gathering Writer Data

Context:

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer

Writer Instance ID: {02a3a31d-f266-4ed5-9a00-0bdef541d0a4}

Error: (08/26/2015 12:00:18 PM) (Source: VSS) (EventID: 8194) (User: )

Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.

.

This is often caused by incorrect security settings in either the writer or requestor process.

Operation:

Gathering Writer Data

Context:

Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}

Writer Name: System Writer

Writer Instance ID: {02a3a31d-f266-4ed5-9a00-0bdef541d0a4}

Error: (08/26/2015 10:24:52 AM) (Source: SideBySide) (EventID: 33) (User: )

Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".

Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.

Please use sxstrace.exe for detailed diagnosis.

Error: (08/26/2015 08:45:24 AM) (Source: BackupAgent) (EventID: 0) (User: )

Description: Access to remote file failed with status code NameResolutionFailure. Local File: , Remote File: CheckSubscriptionValue, Action: DOWNLOAD

System errors:

=============

Error: (08/27/2015 08:20:36 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: NT AUTHORITY)

Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:

a) Name Resolution failure on the current domain controller.

b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).

Error: (08/27/2015 08:20:34 AM) (Source: NETLOGON) (EventID: 5719) (User: )

Description: This computer was not able to set up a secure session with a domain

controller in domain GLENHAVEN due to the following:

%%1311

This may lead to authentication problems. Make sure that this

computer is connected to the network. If the problem persists,

please contact your domain administrator.

ADDITIONAL INFO

If this computer is a domain controller for the specified domain, it

sets up the secure session to the primary domain controller emulator in the specified

domain. Otherwise, this computer sets up the secure session to any domain controller

in the specified domain.

Error: (08/26/2015 04:06:54 PM) (Source: Service Control Manager) (EventID: 7030) (User: )

Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (08/26/2015 04:04:34 PM) (Source: Service Control Manager) (EventID: 7030) (User: )

Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (08/26/2015 04:02:13 PM) (Source: Service Control Manager) (EventID: 7030) (User: )

Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Virtual Disk service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The VMware USB Arbitration Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (08/26/2015 01:34:22 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: The VMware DHCP Service service terminated unexpectedly. It has done this 1 time(s).

Error: (08/26/2015 01:34:21 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: The VMware Authorization Service service terminated unexpectedly. It has done this 1 time(s).

Microsoft Office:

=========================

==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E8400 @ 3.00GHz

Percentage of memory in use: 47%

Total physical RAM: 3033.82 MB

Available physical RAM: 1597.5 MB

Total Virtual: 7032.11 MB

Available Virtual: 5325.46 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.99 GB) (Free:245.58 GB) NTFS

Drive f: (apps) (Network) (Total:488.28 GB) (Free:391.48 GB) NTFS

==================== MBR & Partition Table ==================

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 3136FBFA)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=298 GB) - (Type=07 NTFS)

==================== End of FRST.txt ============================


This may be the culprit, we're going to delete it:
Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] ()

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
Run FRST.exe/FRST64.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

Reboot....let me know


MrC



Fix result of Farbar Recovery Scan Tool (x86) Version:24-08-2015

Ran by chris (2015-08-27 09:44:30) Run:2

Running from C:\Users\chris\Desktop

Loaded Profiles: chris (Available Profiles: chris & Administrator & user)

Boot Mode: Normal

==============================================

fixlist content:

*****************

Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html [2015-07-10] ()

Startup: C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt [2015-07-10] ()

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION

C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html

*****************

C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html => moved successfully

C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.txt => moved successfully

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.

"HKU\S-1-5-21-712691609-890981738-2795466230-1107\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.

"C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\help_restore_files_ohymd.html" => File/Folder not found.

==== End of Fixlog 09:44:30 ====


OK...please run this scan and see what it finds:

Please run a free online scan with the ESET Online Scanner (it may take a while to run)

Note: You will need to use Internet Explorer for this scan.

First please Disable any Antivirus you have active, as shown in This Topic FAQ

Note: Don't forget to re-enable it after the scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats is unchecked and the option Scan unsafe applications is checked

Click Advanced settings and select the following:

(screenshot of the ESET Advanced settings options)

Click Start

Wait for the scan to finish

If threats were found:

Click on "list of threats found"

Click on "export to text file" and save it as ESET SCAN and save to the desktop

Click on back

Put a checkmark in "Uninstall application on close"

Click on finish

Post back the log.....MrC


Great! If there are no other problems......

A little clean up to do....

Please Uninstall ComboFix: (------->if you used it<-------)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

(screenshot of the Run box with the ComboFix /uninstall command)

Then hit enter. (it may look like CF is re-installing but it's not)

This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

---------------------------------

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot
Any other programs or logs that are still remaining, you can manually delete. (right click.....Delete)

-------------------------------

Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again.

Good Luck and Thanks for using the forum, MrC

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
