yellowdog232 Posted September 1, 2015 ID:986584 Share Posted September 1, 2015 Here are my logs... Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-08-2015Ran by JimW (ATTENTION: The user is not administrator) on SEG-JIMW4 (01-09-2015 15:09:12)Running from C:\Users\jimw\DesktopLoaded Profiles: JimW & Administrator (Available Profiles: JimW & Super_RIM & Super_RF & admin & Administrator)Platform: Windows 8.1 Pro (X64) Language: English (United States)Internet Explorer Version 11 (Default browser: IE)Boot Mode: NormalTutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/==================== Processes (Whitelisted) =================(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)Failed to access process -> smss.exeFailed to access process -> csrss.exeFailed to access process -> wininit.exeFailed to access process -> csrss.exeFailed to access process -> services.exeFailed to access process -> lsass.exeFailed to access process -> svchost.exeFailed to access process -> svchost.exeFailed to access process -> winlogon.exeFailed to access process -> MsMpEng.exeFailed to access process -> dwm.exeFailed to access process -> svchost.exeFailed to access process -> svchost.exeFailed to access process -> svchost.exeFailed to access process -> igfxCUIService.exeFailed to access process -> svchost.exeFailed to access process -> svchost.exeFailed to access process -> spoolsv.exeFailed to access process -> svchost.exeFailed to access process -> armsvc.exeFailed to access process -> officeclicktorun.exeFailed to access process -> DWRCS.EXEFailed to access process -> dasHost.exeFailed to access process -> NTRTScan.exeFailed to access process -> svchost.exeFailed to access process -> TeamViewer_Service.exeFailed to access process -> wepsvc.exeFailed to access process -> TmListen.exeFailed to access process -> NisSrv.exeFailed to access process -> svchost.exeFailed to access process -> svchost.exeFailed to access process -> WUDFHost.exeFailed to access process -> CNTAoSMgr.exeFailed to access process -> conhost.exe(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exeFailed to access process -> SearchIndexer.exe(Websense, Inc.) C:\Program Files\Websense\Websense Endpoint\ProxyUI.exe(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe(Box, Inc.) C:\Program Files\Box\Box Sync\BoxSync.exeFailed to access process -> WmiPrvSE.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe() C:\Program Files\Box\Box Sync\BoxSyncMonitor.exe(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe(Symantec Corporation) C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe(Symantec Corporation) C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPcbt64.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exeFailed to access process -> CcmExec.exeFailed to access process -> WmiPrvSE.exeFailed to access process -> CmRcService.exeFailed to access process -> wmpnetwk.exeFailed to access process -> WmiPrvSE.exeFailed to access process -> WmiPrvSE.exeFailed to access process -> WmiPrvSE.exe(Microsoft Corporation) C:\Windows\CCM\SCNotification.exe(DameWare Development) C:\Windows\SysWOW64\DWRCST.EXE(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\Evernote.exe(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\EvernoteTray.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfService.exe(Microsoft Corporation) C:\Windows\splwow64.exeFailed to access process -> svchost.exeFailed to access process -> WUDFHost.exeFailed to access process -> WUDFHost.exeFailed to access process -> WmiPrvSE.exeFailed to access process -> svchost.exeFailed to access process -> svchost.exeFailed to access process -> SearchFilterHost.exeFailed to access process -> SearchProtocolHost.exe==================== Registry (Whitelisted) ===========================(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)HKLM\...\Run: [boxSync] => C:\Program Files\Box\Box Sync\BoxSync.exe [5827136 2015-08-11] (Box, Inc.)HKLM-x32\...\Run: [OfficeScanNT Monitor] => C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe [1340720 2009-09-08] (Trend Micro Inc.)HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395616 2014-09-03] (Citrix Systems, Inc.)HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153952 2014-09-03] (Citrix Systems, Inc.)HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)HKLM-x32\...\Run: [DameWare MRC Agent] => C:\windows\SysWOW64\DWRCST.exe [85528 2010-08-06] (DameWare Development)HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\Run: [FlickrUploadr] => "C:\Users\jimw\AppData\Local\FlickrUploadrWindows\Update.exe" --processStart Flickr.exeHKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\Run: [GoogleChromeAutoLaunch_3DFB2D6035BBC91D23ED01E4F4F145C5] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [813896 2015-08-18] (Google Inc.)HKU\S-1-5-18\...\RunOnce: [Application Restart #1] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [372408 2014-11-08] (Microsoft Corporation)AppInit_DLLs: PGPmapih.dll => C:\windows\system32\PGPmapih.dll [81248 2014-10-06] (Symantec Corporation)AppInit_DLLs-x32: PGPmapih.dll => C:\windows\SysWOW64\PGPmapih.dll [53432 2014-10-06] (Symantec Corporation)Lsa: [Notification Packages] scecli PGPpwfltShellIconOverlayIdentifiers: [ BoxSyncFileLocked] -> {2a607da5-abe8-358e-a881-c0f5faf2d3a5} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncFileLockedByOther] -> {f7d2951f-0b6b-346c-99ec-69cffc30a364} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncNotSynced] -> {5ea95e3d-3e46-3812-b03c-49785fa67d41} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncProblem] -> {a88b7184-bfa1-3d14-8efb-2225df9699bc} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncSynced] -> {c89f9943-8f58-3eca-bd55-a658f53b2f48} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [1IconOverlayHandlerAccessible] -> {3DBF5F01-3287-46EB-82CF-45AA5C241162} => C:\windows\system32\PGPfsshl.dll [2014-10-06] (Symantec Corporation)ShellIconOverlayIdentifiers: [QIPOverlay] -> {245D03BE-03F7-4b52-B8B9-7FC41F60C49F} => C:\Windows\system32\QIPOverlay.dll [2014-08-05] (Websense, Inc.)ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)ShellIconOverlayIdentifiers-x32: [1IconOverlayHandlerAccessible] -> {3DBF5F01-3287-46EB-82CF-45AA5C241162} => C:\windows\SysWow64\PGPfsshl.dll [2014-10-06] (Symantec Corporation)Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PGPtray.exe.lnk [2015-01-13]ShortcutTarget: PGPtray.exe.lnk -> C:\Windows\Installer\{884992EC-F486-4BC6-B48D-5707B755D59B}\Icon9426BF75.exe ()Startup: C:\Users\jimw\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2014-11-03]ShortcutTarget: EvernoteClipper.lnk -> C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)==================== Internet (Whitelisted) ====================(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)AutoConfigURL: [s-1-5-21-2232656509-361406962-1938170613-2940] => http://webdefence.global.blackspider.com:8082/proxy.pac?p=88vb7276Winsock: Catalog9 01 C:\windows\SysWOW64\PGPlsp.dll [65768 2014-10-06] (Symantec Corporation)Winsock: Catalog9 13 C:\windows\SysWOW64\PGPlsp.dll [65768 2014-10-06] (Symantec Corporation)Winsock: Catalog9-x64 01 C:\windows\system32\PGPlsp.dll [76128 2014-10-06] (Symantec Corporation)Winsock: Catalog9-x64 13 C:\windows\system32\PGPlsp.dll [76128 2014-10-06] (Symantec Corporation)Tcpip\Parameters: [DhcpNameServer] 172.16.160.115 172.16.160.116Tcpip\..\Interfaces\{8250DB6B-3240-46DC-B521-883FC3CACE4E}: [DhcpNameServer] 172.16.160.115 172.16.160.116Tcpip\..\Interfaces\{9D57E6F7-5AAF-42F4-A907-7399A5BC973B}: [DhcpNameServer] 192.168.43.1Internet Explorer:==================HKU\S-1-5-21-2232656509-361406962-1938170613-2940\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONURLSearchHook: [s-1-5-21-4053884242-254580842-3275359498-500] ATTENTION => Default URLSearchHook is missingBHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-07-14] (Microsoft Corporation)BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2015-07-14] (Microsoft Corporation)BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-04-27] (Oracle Corporation)BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-27] (Oracle Corporation)Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)FireFox:========FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2014-09-03] (Citrix Systems, Inc.)FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-27] (Oracle Corporation)FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-27] (Oracle Corporation)FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-02-17] (Microsoft Corporation)FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-01-08] (Microsoft Corporation)FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)FF Plugin ProgramFiles/Appdata: C:\Users\jimw\AppData\Roaming\mozilla\plugins\npatgpc.dll [2015-02-05] (Cisco WebEx LLC)Chrome:=======CHR Profile: C:\Users\jimw\AppData\Local\Google\Chrome\User Data\DefaultCHR Extension: (Google Slides) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-03]CHR Extension: (Yahoo Web) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\acjpdakpjonkfmggcmanlhdakfkhloii [2015-03-23]CHR Extension: (Google Docs) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-03]CHR Extension: (Google Drive) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-03]CHR Extension: (YouTube) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-03]CHR Extension: (Google Search) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-03]CHR Extension: (Button for Pinterest™) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbfjhllmkehmdajjlkolhdjjlfcmmlpl [2015-07-14]CHR Extension: (Google Sheets) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-03]CHR Extension: (Cisco WebEx Extension) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2015-02-05]CHR Extension: (Chrome Hotword Shared Module) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-20]CHR Extension: (Save to Pocket) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\niloccemoadcdkdjlinkgdfekeahmflj [2014-11-03]CHR Extension: (Google Wallet) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-03]CHR Extension: (Gmail) - C:\Users\jimw\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-03]==================== Services (Whitelisted) ========================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)S3 BoxSyncUpdateService; C:\Program Files\Box\Box Sync\SyncUpdaterService.exe [28696 2014-10-13] (Box, Inc.)R2 CcmExec; C:\windows\CCM\CcmExec.exe [1571000 2013-09-11] (Microsoft Corporation)R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2765496 2015-07-14] (Microsoft Corporation)R2 CmRcService; C:\windows\CCM\RemCtrl\CmRcService.exe [577720 2013-09-11] (Microsoft Corporation)R2 DWMRCS; C:\Windows\SysWOW64\DWRCS.EXE [242200 2010-08-06] (DameWare Development LLC)R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282096 2014-03-24] (Intel Corporation)R2 lmhosts; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)R2 lmhosts; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)S3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)R2 NlaSvc; C:\Windows\System32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)R2 NlaSvc; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)R2 nsi; C:\Windows\system32\svchost.exe [38792 2014-10-29] (Microsoft Corporation)R2 nsi; C:\Windows\SysWOW64\svchost.exe [33088 2014-10-28] (Microsoft Corporation)R2 ntrtscan; C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [1915696 2010-02-02] (Trend Micro Inc.)S3 smstsmgr; C:\windows\CCM\TSManager.exe [276152 2013-09-11] () [File not signed]R2 tmlisten; C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe [1986448 2010-02-02] (Trend Micro Inc.)S3 TmProxy; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [917768 2009-07-15] (Trend Micro Inc.)S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2014-05-08] (Microsoft Corporation)S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-05-08] (Microsoft Corporation)S4 WSDLP; C:\Program Files\Websense\Websense Endpoint\DSEMain.dll [328192 2014-08-05] (Websense, Inc.) [File not signed]R2 WSPXY; C:\Program Files\Websense\Websense Endpoint\ProxyMain.dll [202240 2014-08-05] () [File not signed]S4 WSRF; C:\Program Files\Websense\Websense Endpoint\RFMain.dll [236032 2014-08-05] (Websense, Inc.) [File not signed]===================== Drivers (Whitelisted) ==========================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)S3 AX88179; C:\Windows\system32\DRIVERS\ax88179_178a.sys [73216 2014-08-07] (ASIX Electronics Corp.)S3 AX88772; C:\Windows\system32\DRIVERS\ax88772.sys [113864 2013-07-18] (ASIX Electronics Corp.)R3 BthA2DP; C:\Windows\system32\drivers\BthA2DP.sys [131328 2014-10-08] (Microsoft Corporation)R3 BthHFAud; C:\Windows\system32\DRIVERS\BthHfAud.sys [32768 2014-10-08] (Microsoft Corporation)R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-05-08] (Microsoft Corporation)R3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [146856 2013-06-04] (Windows ® Win 7 DDK provider)R3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [21928 2013-06-04] (Windows ® Win 7 DDK provider)R1 dwvkbd; C:\Windows\system32\DRIVERS\dwvkbd64.sys [30720 2007-02-15] (DameWare)S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)R3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-10-07] (Intel Corporation)R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [99320 2013-10-07] (Intel Corporation)R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)S3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-08-28] (Malwarebytes Corporation)S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100312 2014-01-31] (Intel Corporation)S0 MpBoot; C:\Windows\System32\DRIVERS\MpBoot.sys [34744 2013-09-27] (Microsoft Corporation)R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)R3 mrvlpcie8897; C:\Windows\system32\DRIVERS\mrvlpcie8897.sys [990720 2014-09-18] (Marvell Semiconductors Inc.)R3 msu30x64w8; C:\Windows\system32\DRIVERS\msu30x64w8.sys [100864 2014-07-11] (Microsoft)S3 Nep; C:\Windows\System32\DRIVERS\cwNep.sys [143560 2014-08-05] (Websense, Inc.)R2 NisDrv; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)R2 PGPdisk; C:\Windows\System32\Drivers\PGPdisk.sys [275496 2014-10-06] (Symantec Corporation)R0 pgpfs; C:\Windows\System32\Drivers\PGPfsfd.sys [184856 2014-10-06] (Symantec Corporation)R1 PGPsdkDriver; C:\Windows\System32\Drivers\PGPsdk.sys [52968 2014-10-06] (Symantec Corporation)R0 PGPwded; C:\Windows\System32\Drivers\PGPwded.sys [399072 2014-10-06] (Symantec Corporation)R0 Pgpwdefs; C:\Windows\System32\DRIVERS\Pgpwdefs.sys [20536 2014-10-06] (Symantec Corporation)S3 prepdrvr; C:\Windows\system32\DRIVERS\prepdrv.sys [26984 2013-09-11] (Microsoft Corporation)R1 QIP; C:\Windows\system32\DRIVERS\Qip.sys [76488 2014-08-05] (Websense, Inc.)R3 SensorsServiceDriver; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-28] (Microsoft Corporation)R3 SurfaceAccessoryDevice; C:\Windows\System32\drivers\SurfaceAccessoryDevice.sys [51856 2014-05-30] (Microsoft Corporation)R3 SurfaceCapacitiveHomeButton; C:\Windows\System32\drivers\SurfaceCapacitiveHomeButton.sys [43152 2014-03-14] (Microsoft Corporation)R3 SurfaceDisplayCalibration; C:\Windows\System32\drivers\SurfaceDisplayCalibration.sys [41616 2014-05-02] (Microsoft Corporation)R3 SurfaceIntegrationDriver; C:\Windows\System32\drivers\SurfaceIntegrationDriver.sys [49768 2014-10-13] (Microsoft Corporation)R0 SurfacePciController; C:\Windows\System32\drivers\SurfacePciController.sys [35440 2014-10-08] (Microsoft Corporation)R3 SurfacePenDriver; C:\Windows\system32\DRIVERS\SurfacePenDriver.sys [63592 2014-09-26] (Microsoft Corporation)S3 SurfaceTouchCover; C:\Windows\System32\drivers\SurfaceTouchCover.sys [35976 2014-04-14] (Microsoft Corporation)S3 SurfaceTypeCover; C:\Windows\System32\drivers\SurfaceTypeCover.sys [35984 2014-03-19] (Microsoft Corporation)R2 TmFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [344864 2013-08-14] (Trend Micro Inc.)R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [42272 2013-08-14] (Trend Micro Inc.)R1 tmtdi; C:\Windows\system32\DRIVERS\tmtdi.sys [107536 2009-07-15] (Trend Micro Inc.)R3 TrueColor; C:\Windows\system32\DRIVERS\TrueColor.sys [35952 2014-07-07] ()R2 VSApiNt; C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2260768 2013-08-14] (Trend Micro Inc.)R3 WiFiClass; C:\Windows\system32\DRIVERS\wificlass.sys [411136 2014-09-18] (Microsoft Corporation)R3 WsNetFlt; C:\Windows\system32\DRIVERS\WsNetFlt.sys [61640 2014-08-05] (Websense, Inc.)S3 WsWfpRF; C:\Windows\system32\DRIVERS\WsWfpRF.sys [48328 2014-08-05] (Websense, Inc.)S1 knvjklmu; \??\C:\windows\system32\drivers\knvjklmu.sys [X]==================== NetSvcs (Whitelisted) ===================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)==================== One Month Created files and folders ========(If an entry is included in the fixlist, the file/folder will be moved.)2015-09-01 15:04 - 2015-09-01 15:09 - 00027329 _____ C:\Users\jimw\Desktop\FRST.txt2015-09-01 15:04 - 2015-09-01 15:09 - 00000000 ____D C:\FRST2015-09-01 14:49 - 2015-09-01 14:49 - 02188800 _____ (Farbar) C:\Users\jimw\Desktop\FRST64.exe2015-08-31 11:10 - 2015-08-31 11:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DraftDominator2015-08-31 11:10 - 2015-08-31 11:10 - 00000000 ____D C:\FBG2015-08-31 11:10 - 2006-03-08 09:27 - 01353360 _____ (FarPoint Technologies, Inc.) C:\windows\SysWOW64\fpSpr60.ocx2015-08-31 11:10 - 2004-12-07 13:03 - 00451760 _____ (FarPoint Technologies, Inc.) C:\windows\SysWOW64\Tab32x30.ocx2015-08-31 11:10 - 2002-12-20 15:02 - 01077336 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSCOMCTL.OCX2015-08-31 11:10 - 2001-03-13 15:49 - 00140288 _____ (Microsoft Corporation) C:\windows\SysWOW64\comdlg32.ocx2015-08-31 11:10 - 2000-05-22 01:00 - 00115920 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSINET.OCX2015-08-31 11:10 - 1999-01-06 18:50 - 00228864 _____ (Microsoft Corporation) C:\windows\SysWOW64\xl5en32.olb2015-08-31 11:05 - 2015-08-31 11:06 - 05523273 _____ ( ) C:\Users\jimw\Downloads\DD160k_Setup.exe2015-08-28 09:24 - 2015-08-28 09:24 - 00000180 _____ C:\windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat2015-08-28 09:15 - 2015-08-28 09:15 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys2015-08-28 09:15 - 2015-08-28 09:15 - 00001121 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2015-08-28 09:15 - 2015-08-28 09:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware2015-08-28 09:15 - 2015-08-28 09:15 - 00000000 ____D C:\ProgramData\Malwarebytes2015-08-28 09:15 - 2015-08-28 09:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware2015-08-28 09:15 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys2015-08-28 09:15 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys2015-08-28 09:15 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys2015-08-28 09:07 - 2015-08-28 09:09 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\jimw\Downloads\mbam-setup-2.1.8.1057.exe2015-08-14 09:57 - 2015-08-14 09:57 - 01965568 _____ C:\Users\jimw\Desktop\july monthly pl prelim.xls2015-08-11 14:54 - 2015-08-13 10:26 - 00000000 ____D C:\Users\jimw\AppData\Local\FlickrUploadrWindows2015-08-11 14:54 - 2015-08-11 14:54 - 00002379 _____ C:\Users\jimw\Desktop\Flickr Uploadr.lnk2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Flickr2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Local\SquirrelTemp2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Local\IsolatedStorage2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Local\Flickr2015-08-11 14:52 - 2015-08-11 14:53 - 21879792 _____ (Flickr) C:\Users\jimw\Downloads\FlickrUploadrInstallr.exe2015-08-11 09:21 - 2015-08-11 09:23 - 36284404 _____ C:\Users\jimw\Downloads\VID_20150810_083347.mp42015-08-05 15:18 - 2015-08-05 15:18 - 00930872 _____ C:\Users\jimw\Downloads\35733dir.txt==================== One Month Modified files and folders ========(If an entry is included in the fixlist, the file/folder will be moved.)2015-09-01 15:02 - 2013-08-22 11:36 - 00000000 ____D C:\windows\AppReadiness2015-09-01 15:00 - 2013-08-22 11:36 - 00000000 ____D C:\windows\system32\sru2015-09-01 14:50 - 2014-10-31 14:47 - 01320240 _____ C:\windows\WindowsUpdate.log2015-09-01 14:40 - 2014-10-31 15:23 - 00000000 ____D C:\Users\jimw\AppData\Roaming\ClassicShell2015-09-01 14:37 - 2014-11-03 16:59 - 00000922 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job2015-09-01 14:35 - 2013-08-22 10:46 - 00099056 _____ C:\windows\setupact.log2015-09-01 13:36 - 2014-10-31 15:03 - 00000000 ____D C:\windows\ccmcache2015-09-01 09:35 - 2014-11-03 14:54 - 00016382 _____ C:\windows\cfgall.ini2015-08-31 14:32 - 2014-10-31 15:01 - 00027139 __RSH C:\ProgramData\ntuser.pol2015-08-30 08:36 - 2014-11-03 16:59 - 00000918 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job2015-08-28 13:56 - 2014-10-31 15:22 - 00000000 ____D C:\Users\jimw\AppData\Local\Packages2015-08-28 12:51 - 2014-05-08 23:06 - 00868872 _____ C:\windows\system32\PerfStringBackup.INI2015-08-28 12:49 - 2014-10-31 15:03 - 00000589 _____ C:\windows\SMSCFG.ini2015-08-28 12:46 - 2014-11-03 23:10 - 00000000 ____D C:\Users\jimw\AppData\Local\Box Sync2015-08-28 12:45 - 2014-05-08 22:57 - 00025872 _____ C:\windows\PFRO.log2015-08-28 12:45 - 2013-08-22 10:45 - 00000006 ____H C:\windows\Tasks\SA.DAT2015-08-28 12:00 - 2014-11-03 14:57 - 00002554 _____ C:\windows\TMFilter.log2015-08-28 09:24 - 2014-10-31 15:22 - 00006252 __RSH C:\Users\jimw\ntuser.pol2015-08-28 09:24 - 2014-10-31 15:20 - 00000000 ____D C:\Users\jimw2015-08-25 06:02 - 2015-01-06 13:51 - 00000000 ____D C:\Program Files\Microsoft Office 152015-08-24 17:03 - 2006-06-10 16:02 - 00000000 ____D C:\Users\jimw\Documents\transfer to backup2015-08-22 04:09 - 2014-11-03 17:05 - 00002210 _____ C:\Users\Public\Desktop\Google Chrome.lnk2015-08-20 22:08 - 2013-08-22 11:36 - 00000000 ____D C:\windows\LiveKernelReports2015-08-20 21:01 - 2014-11-03 23:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Box Sync2015-08-13 10:26 - 2014-10-31 15:22 - 00000000 ____D C:\Users\jimw\AppData\Local\VirtualStore2015-08-05 12:59 - 2013-08-22 11:36 - 00000000 ___HD C:\windows\system32\GroupPolicy==================== Files in the root of some directories =======2014-05-08 22:58 - 2014-05-08 22:58 - 0000000 ____H () C:\ProgramData\DP45977C.lfl==================== Bamital & volsnap =================(There is no automatic fix for files that do not pass verification.)C:\windows\system32\winlogon.exe => File is digitally signedC:\windows\system32\wininit.exe => File is digitally signedC:\windows\explorer.exe => File is digitally signedC:\windows\SysWOW64\explorer.exe => File is digitally signedC:\windows\system32\svchost.exe => File is digitally signedC:\windows\SysWOW64\svchost.exe => File is digitally signedC:\windows\system32\services.exe => File is digitally signedC:\windows\system32\User32.dll => File is digitally signedC:\windows\SysWOW64\User32.dll => File is digitally signedC:\windows\system32\userinit.exe => File is digitally signedC:\windows\SysWOW64\userinit.exe => File is digitally signedC:\windows\system32\rpcss.dll => File is digitally signedC:\windows\system32\dnsapi.dll => File is digitally signedC:\windows\SysWOW64\dnsapi.dll => File is digitally signedC:\windows\system32\Drivers\volsnap.sys => File is digitally signedATTENTION: ==> Could not access BCD. The user is not administrator==================== End of FRST.txt ============================ Additional scan result of Farbar Recovery Scan Tool (x64) Version:31-08-2015Ran by JimW (2015-09-01 15:09:33)Running from C:\Users\jimw\DesktopBoot Mode: Normal============================================================================== Accounts: =============================admin (S-1-5-21-4053884242-254580842-3275359498-1001 - Limited - Enabled) => C:\Users\adminAdministrator (S-1-5-21-4053884242-254580842-3275359498-500 - Administrator - Enabled) => C:\Users\AdministratorGuest (S-1-5-21-4053884242-254580842-3275359498-501 - Limited - Disabled)==================== Security Center ========================(If an entry is included in the fixlist, it will be removed.)AV: System Center Endpoint Protection (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}AV: Trend Micro OfficeScan Antivirus (Enabled - Up to date) {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}AS: Trend Micro OfficeScan Anti-spyware (Enabled - Up to date) {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}AS: System Center Endpoint Protection (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}==================== Installed Programs ======================(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 15.0.0.293 - Adobe Systems Incorporated)Adobe Reader XI (11.0.12) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)Box Sync (HKLM\...\{64995E36-82A9-4AD6-BACD-38DE87A04ED2}) (Version: 4.0.6567.0 - Box, Inc.)Box Sync (x32 Version: 4.0.5500.0 - Box Inc.) HiddenCisco WebEx Meetings (HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.1.200.13 - Citrix Systems, Inc.)Classic Shell (HKLM\...\{840C85B7-D3D6-4143-9AF9-DAE80FD54CFC}) (Version: 4.1.0 - IvoSoft)ConfigMgr Client Setup Bootstrap (x32 Version: 5.00.7958.1000 - Microsoft Corporation) HiddenConfiguration Manager Client (Version: 5.00.7958.1000 - Microsoft Corporation) HiddenDraftDominator Version 16.0k (HKLM-x32\...\DraftDominator_is1) (Version: - )Evernote v. 5.7 (HKLM-x32\...\{94049072-5FE7-11E4-8AF1-00163E98E7D6}) (Version: 5.7.0.5492 - Evernote Corp.)Flickr Uploadr for Windows (HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\FlickrUploadrWindows) (Version: 0.9.90.246 - Flickr)Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.157 - Google Inc.)Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) HiddenGoogle Update Helper (x32 Version: 1.3.28.13 - Google Inc.) HiddenJava 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)K-Lite Codec Pack 10.8.0 Full (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.8.0 - )Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4745.1002 - Microsoft Corporation)Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)Mozilla Firefox 33.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0.2 (x86 en-US)) (Version: 33.0.2 - Mozilla)Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 33.0.2 - Mozilla)Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4745.1002 - Microsoft Corporation) HiddenOffice 15 Click-to-Run Licensing Component (Version: 15.0.4745.1002 - Microsoft Corporation) HiddenOffice 15 Click-to-Run Localization Component (x32 Version: 15.0.4745.1002 - Microsoft Corporation) HiddenOnline Plug-in (x32 Version: 14.1.200.13 - Citrix Systems, Inc.) HiddenPassword Reset Server Login Client (HKLM-x32\...\{05F20509-E65E-42D6-8197-8950CFDDFB21}) (Version: 1.3.0 - Thycotic Software Ltd)Self-service Plug-in (x32 Version: 4.1.200.588 - Citrix Systems, Inc.) HiddenSkype™ 6.21 (HKLM-x32\...\{1845470B-EB14-4ABC-835B-E36C693DC07D}) (Version: 6.21.104 - Skype Technologies S.A.)swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) HiddenSymantec Encryption Desktop (HKLM\...\{884992EC-F486-4BC6-B48D-5707B755D59B}) (Version: 10.3.2.15661 - Symantec Corporation)System Center Endpoint Protection (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)Trend Micro OfficeScan Client (HKLM-x32\...\{ECEA7878-2100-4525-915D-B09174E36971}) (Version: 10.0.1736 - Trend Micro)Websense Endpoint (HKLM\...\{77702A35-F85E-4072-B449-C632C0D37C2A}) (Version: 7.8.1921 - Websense, Inc.)Windows Firewall Configuration Provider (HKLM\...\{109A5A16-E09E-4B82-A784-D1780F1190D6}) (Version: 1.2.3412.0 - Microsoft Corporation)==================== Custom CLSID (Whitelisted): ==========================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)==================== Restore Points =========================ATTENTION: System Restore is disabledCheck "winmgmt" service or repair WMI.==================== Hosts content: ===============================(If needed Hosts: directive could be included in the fixlist to reset Hosts.)2013-08-22 09:25 - 2013-08-22 09:25 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts==================== Scheduled Tasks (Whitelisted) =============(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job =>Task: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job =>==================== Loaded Modules (Whitelisted) ==============2015-03-20 12:26 - 2015-01-27 11:29 - 08898720 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll2014-12-10 12:28 - 2014-12-10 12:28 - 01152000 _____ () C:\Program Files\Box\Box Sync\_hashlib.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00128512 _____ () C:\Program Files\Box\Box Sync\win32api.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00137728 _____ () C:\Program Files\Box\Box Sync\pywintypes27.dll2012-10-27 08:29 - 2012-10-27 08:29 - 00503808 _____ () C:\Program Files\Box\Box Sync\pythoncom27.dll2014-12-10 12:28 - 2014-12-10 12:28 - 00112128 _____ () C:\Program Files\Box\Box Sync\_ctypes.pyd2013-10-09 18:05 - 2013-10-09 18:05 - 00003584 _____ () C:\Program Files\Box\Box Sync\clr.pyd2013-10-09 18:05 - 2013-10-09 18:05 - 00103424 _____ () C:\Program Files\Box\Box Sync\Python.Runtime.dll2014-12-10 12:28 - 2014-12-10 12:28 - 00047616 _____ () C:\Program Files\Box\Box Sync\_socket.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 01745920 _____ () C:\Program Files\Box\Box Sync\_ssl.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00027136 _____ () C:\Program Files\Box\Box Sync\ujson.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00044544 _____ () C:\Program Files\Box\Box Sync\_psutil_windows.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00010752 _____ () C:\Program Files\Box\Box Sync\select.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00166912 _____ () C:\Program Files\Box\Box Sync\_elementtree.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00164352 _____ () C:\Program Files\Box\Box Sync\pyexpat.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00689664 _____ () C:\Program Files\Box\Box Sync\unicodedata.pyd2012-10-27 08:31 - 2012-10-27 08:31 - 00438784 _____ () C:\Program Files\Box\Box Sync\win32com.shell.shell.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00023040 _____ () C:\Program Files\Box\Box Sync\win32event.pyd2015-06-11 14:48 - 2015-06-11 14:48 - 00059392 _____ () C:\Program Files\Box\Box Sync\_sqlite3.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00149504 _____ () C:\Program Files\Box\Box Sync\win32file.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00136192 _____ () C:\Program Files\Box\Box Sync\win32security.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00044032 _____ () C:\Program Files\Box\Box Sync\win32process.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00030720 _____ () C:\Program Files\Box\Box Sync\win32cred.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00030208 _____ () C:\Program Files\Box\Box Sync\Crypto.Cipher._AES.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00008192 _____ () C:\Program Files\Box\Box Sync\Crypto.Util.strxor.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00010752 _____ () C:\Program Files\Box\Box Sync\Crypto.Random.OSRNG.winrandom.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00011264 _____ () C:\Program Files\Box\Box Sync\Crypto.Util._counter.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00053760 _____ () C:\Program Files\Box\Box Sync\win32service.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00026112 _____ () C:\Program Files\Box\Box Sync\_yappi.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00031744 _____ () C:\Program Files\Box\Box Sync\_multiprocessing.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00021504 _____ () C:\Program Files\Box\Box Sync\win32clipboard.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00223232 _____ () C:\Program Files\Box\Box Sync\win32gui.pyd2014-10-13 11:59 - 2014-10-13 11:59 - 00068096 _____ () C:\Program Files\Box\Box Sync\SystemWrapper.dll2015-08-11 22:39 - 2015-08-11 22:39 - 00030384 _____ () C:\Program Files\Box\Box Sync\BoxSyncMonitor.exe==================== Alternate Data Streams (Whitelisted) =========(If an entry is included in the fixlist, only the ADS will be removed.)==================== Safe Mode (Whitelisted) ===================(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)==================== EXE Association (Whitelisted) ===============(If an entry is included in the fixlist, the registry item will be restored to default or removed.)==================== Internet Explorer trusted/restricted ===============(If an entry is included in the fixlist, it will be removed from the registry.)IE trusted site: HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\sharepoint.com -> hxxps://steinerleisure.sharepoint.com==================== Other Areas ============================(Currently there is no automatic fix for this section.)HKU\S-1-5-21-2232656509-361406962-1938170613-2940\Control Panel\Desktop\\Wallpaper -> C:\Users\jimw\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaperDNS Servers: 172.16.160.115 - 172.16.160.116HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)Windows Firewall is disabled.==================== MSCONFIG/TASK MANAGER disabled items ==(Currently there is no automatic fix for this section.)==================== FirewallRules (Whitelisted) ===============(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppextcomobj.exeFirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppextcomobj.exeFirewallRules: [{78A46111-05C1-49FC-9D1A-66C7F0226F3F}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exeFirewallRules: [{6790201A-48CB-46D6-A8B7-F4E8E0CC3086}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exeFirewallRules: [{592AFB87-CE62-4FE3-820D-DA134B3AD63E}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exeFirewallRules: [{5148D84E-3BE8-444A-AF21-62D7D3F4B9AC}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exeFirewallRules: [{EE316439-D10A-43D5-9226-150D7E584F9E}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exeFirewallRules: [{69953D67-844F-4CF8-AA68-37E9094F578E}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exeFirewallRules: [{5DEFD7B4-BAA8-42B3-89AC-B5BB0CD215B6}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exeFirewallRules: [{860A272A-A0D1-40BB-8F87-42193580C532}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exeFirewallRules: [{396A03F9-4DD9-488F-BCB0-53423E1AE44D}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exeFirewallRules: [{D6EA0C8A-95F8-40B9-B0CD-9F4FB34E8685}] => (Allow) LPort=44668FirewallRules: [{1CBB47E1-FD2B-4012-A201-A5625F60F172}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exeFirewallRules: [{60EFCF11-3F26-4452-8C01-0C6E18359A6A}] => (Allow) C:\windows\SysWOW64\DWRCS.EXE==================== Faulty Device Manager Devices ================================= Event log errors: =========================Application errors:==================Error: (09/01/2015 03:08:23 PM) (Source: Application Hang) (EventID: 1002) (User: )Description: The program FRST64.exe version 31.8.2015.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.Process ID: 1d08Start Time: 01d0e4e8f8e4d5a7Termination Time: 58685Application Path: C:\Users\jimw\Desktop\FRST64.exeReport Id: ab1143e1-50dc-11e5-8296-600292f0274eFaulting package full name:Faulting package-relative application ID:Error: (09/01/2015 10:06:42 AM) (Source: Outlook) (EventID: 62) (User: )Description: Unable to instantiate policy nudges text extraction module - error code 0x80040154.Error: (08/31/2015 01:55:58 PM) (Source: SideBySide) (EventID: 35) (User: )Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.Component identity found in manifest does not match the identity of the component requested.Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".Please use sxstrace.exe for detailed diagnosis.Error: (08/31/2015 01:51:14 PM) (Source: SideBySide) (EventID: 35) (User: )Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.Component identity found in manifest does not match the identity of the component requested.Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".Please use sxstrace.exe for detailed diagnosis.Error: (08/31/2015 01:50:13 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.Details:AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.System Error:Access is denied..Error: (08/30/2015 01:20:19 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )Description: Subscription licensing service failed: -2143485936Error: (08/30/2015 01:20:19 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {2A772980-6240-49D1-8445-349E11D42A13}Error: (08/30/2015 01:18:18 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {2A772980-6240-49D1-8445-349E11D42A13}Error: (08/29/2015 01:19:25 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )Description: Subscription licensing service failed: -2143485946Error: (08/29/2015 01:19:25 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0006; CorrelationId: {823CC2DA-8391-4EC7-B38E-EBEE1DF23B15}System errors:=============Error: (09/01/2015 02:39:43 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1006) (User: NT AUTHORITY)Description: The processing of Group Policy failed. Windows could not authenticate to the Active Directory service on a domain controller. (LDAP Bind function call failed). Look in the details tab for error code and description.Error: (09/01/2015 02:38:05 PM) (Source: bowser) (EventID: 8003) (User: )Description: The master browser has received a server announcement from the computer SEG-LISAL1that believes that it is the master browser for the domain on transport NetBT_Tcpip_{8250DB6B-3240-46DC-B521-883FC3CACE4E}.The master browser is stopping or an election is being forced.Error: (09/01/2015 02:35:01 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.Error: (09/01/2015 02:34:57 PM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: STEINER)Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:a) Name Resolution failure on the current domain controller.b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).Error: (09/01/2015 02:00:52 PM) (Source: DCOM) (EventID: 10010) (User: STEINER)Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}Error: (09/01/2015 01:35:04 PM) (Source: Kerberos) (EventID: 4) (User: )Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server edcsc01$. The target name used was HTTP/edcsc01.steiner.sll.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (STEINER.SLL.COM) is different from the client domain (STEINER.SLL.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.Error: (09/01/2015 12:35:03 PM) (Source: Kerberos) (EventID: 4) (User: )Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server edcsc01$. The target name used was HTTP/edcsc01.steiner.sll.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (STEINER.SLL.COM) is different from the client domain (STEINER.SLL.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.Error: (09/01/2015 11:35:03 AM) (Source: Kerberos) (EventID: 4) (User: )Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server edcsc01$. The target name used was HTTP/edcsc01.steiner.sll.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (STEINER.SLL.COM) is different from the client domain (STEINER.SLL.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.Error: (09/01/2015 10:05:06 AM) (Source: Kerberos) (EventID: 4) (User: )Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server edcsc01$. The target name used was HTTP/edcsc01.steiner.sll.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (STEINER.SLL.COM) is different from the client domain (STEINER.SLL.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.Error: (09/01/2015 09:34:35 AM) (Source: BTHUSB) (EventID: 17) (User: )Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.Microsoft Office:=========================Error: (09/01/2015 03:08:23 PM) (Source: Application Hang) (EventID: 1002) (User: )Description: FRST64.exe31.8.2015.01d0801d0e4e8f8e4d5a758685C:\Users\jimw\Desktop\FRST64.exeab1143e1-50dc-11e5-8296-600292f0274eError: (09/01/2015 10:06:42 AM) (Source: Outlook) (EventID: 62) (User: )Description: Unable to instantiate policy nudges text extraction module - error code 0x80040154.Error: (08/31/2015 01:55:58 PM) (Source: SideBySide) (EventID: 35) (User: )Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"C:\Program Files\Microsoft Office 15\root\office15\lync.exe.ManifestC:\Program Files\Microsoft Office 15\root\office15\UccApi.DLL1Error: (08/31/2015 01:51:14 PM) (Source: SideBySide) (EventID: 35) (User: )Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"C:\Program Files\Microsoft Office 15\root\office15\lync.exe.ManifestC:\Program Files\Microsoft Office 15\root\office15\UccApi.DLL1Error: (08/31/2015 01:50:13 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )Description: Details:AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.System Error:Access is denied.Error: (08/30/2015 01:20:19 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )Description: Subscription licensing service failed: -2143485936Error: (08/30/2015 01:20:19 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {2A772980-6240-49D1-8445-349E11D42A13}Error: (08/30/2015 01:18:18 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0010; CorrelationId: {2A772980-6240-49D1-8445-349E11D42A13}Error: (08/29/2015 01:19:25 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )Description: Subscription licensing service failed: -2143485946Error: (08/29/2015 01:19:25 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0006; CorrelationId: {823CC2DA-8391-4EC7-B38E-EBEE1DF23B15}CodeIntegrity:=================================== Date: 2015-02-13 22:31:47.933 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-13 22:25:04.172 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-13 21:24:38.516 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-13 21:19:24.472 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system.==================== Memory info ===========================Processor: Intel® Core i7-4650U CPU @ 1.70GHzPercentage of memory in use: 39%Total physical RAM: 8097.07 MBAvailable physical RAM: 4875.53 MBTotal Virtual: 9953.07 MBAvailable Virtual: 6546.64 MB==================== Drives ================================Drive c: (Windows) (Fixed) (Total:232.73 GB) (Free:110.25 GB) NTFSDrive d: (My Passport) (Fixed) (Total:931.48 GB) (Free:373.9 GB) NTFSDrive h: () (Network) (Total:67.82 GB) (Free:7.54 GB)Drive k: (Functional) (Network) (Total:1512 GB) (Free:347.76 GB) NTFSDrive r: (Functional) (Network) (Total:1512 GB) (Free:347.76 GB) NTFS==================== MBR & Partition Table ====================================== End of Addition.txt ============================ Link to post Share on other sites More sharing options...
Maniac Posted September 2, 2015 ID:986709 Share Posted September 2, 2015 Hello yellowdog232 and ! My name is Borislav and I will be glad to help you solve your malware problem. Please note:If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.Make sure you read all of the instructions and fixes thoroughly before continuing with them.Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.You should run FRST with administrator rights. Link to post Share on other sites More sharing options...
yellowdog232 Posted September 2, 2015 Author ID:986731 Share Posted September 2, 2015 Hi Borislav, I would like to continue with your help. Thanks in advance. I rebooted and ran FRST as administrator. Here are the logs... Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-08-2015Ran by Administrator (administrator) on SEG-JIMW4 (02-09-2015 09:05:15)Running from C:\Users\Administrator\DesktopLoaded Profiles: JimW & Administrator (Available Profiles: JimW & Super_RIM & Super_RF & admin & Administrator)Platform: Windows 8.1 Pro (X64) Language: English (United States)Internet Explorer Version 11 (Default browser: IE)Boot Mode: NormalTutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/==================== Processes (Whitelisted) =================(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe(Intel Corporation) C:\Windows\System32\igfxCUIService.exe(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe(DameWare Development LLC) C:\Windows\SysWOW64\DWRCS.EXE(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\NTRTScan.exe(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe(Websense, Inc.) C:\Program Files\Websense\Websense Endpoint\wepsvc.exe(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmListen.exe(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\CNTAoSMgr.exe(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe(Websense, Inc.) C:\Program Files\Websense\Websense Endpoint\ProxyUI.exe(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe(Box, Inc.) C:\Program Files\Box\Box Sync\BoxSync.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe(Symantec Corporation) C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPtray.exe(Evernote Corp., 305 Walnut Street, Redwood City, CA 94063) C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe() C:\Program Files\Box\Box Sync\BoxSyncMonitor.exe(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe(Symantec Corporation) C:\Program Files (x86)\PGP Corporation\PGP Desktop\PGPcbt64.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe(Microsoft Corporation) C:\Windows\CCM\CcmExec.exe(Microsoft Corporation) C:\Windows\CCM\RemCtrl\CmRcService.exe(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe(Websense, Inc.) C:\Program Files\Websense\Websense Endpoint\ProxyUI.exe(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe(Trend Micro Inc.) C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTMon.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe==================== Registry (Whitelisted) ===========================(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1271072 2014-03-11] (Microsoft Corporation)HKLM\...\Run: [boxSync] => C:\Program Files\Box\Box Sync\BoxSync.exe [5827136 2015-08-11] (Box, Inc.)HKLM-x32\...\Run: [OfficeScanNT Monitor] => C:\Program Files (x86)\Trend Micro\OfficeScan Client\pccntmon.exe [1340720 2009-09-08] (Trend Micro Inc.)HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395616 2014-09-03] (Citrix Systems, Inc.)HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153952 2014-09-03] (Citrix Systems, Inc.)HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)HKLM-x32\...\Run: [DameWare MRC Agent] => C:\windows\SysWOW64\DWRCST.exe [85528 2010-08-06] (DameWare Development)HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\Run: [FlickrUploadr] => "C:\Users\jimw\AppData\Local\FlickrUploadrWindows\Update.exe" --processStart Flickr.exeHKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\Run: [GoogleChromeAutoLaunch_3DFB2D6035BBC91D23ED01E4F4F145C5] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [815944 2015-08-27] (Google Inc.)HKU\S-1-5-18\...\RunOnce: [Application Restart #1] => C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe [372408 2014-11-08] (Microsoft Corporation)AppInit_DLLs: PGPmapih.dll => C:\windows\system32\PGPmapih.dll [81248 2014-10-06] (Symantec Corporation)AppInit_DLLs-x32: PGPmapih.dll => C:\windows\SysWOW64\PGPmapih.dll [53432 2014-10-06] (Symantec Corporation)Lsa: [Notification Packages] scecli PGPpwfltShellIconOverlayIdentifiers: [ BoxSyncFileLocked] -> {2a607da5-abe8-358e-a881-c0f5faf2d3a5} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncFileLockedByOther] -> {f7d2951f-0b6b-346c-99ec-69cffc30a364} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncNotSynced] -> {5ea95e3d-3e46-3812-b03c-49785fa67d41} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncProblem] -> {a88b7184-bfa1-3d14-8efb-2225df9699bc} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [ BoxSyncSynced] -> {c89f9943-8f58-3eca-bd55-a658f53b2f48} => C:\windows\system32\mscoree.dll [2013-08-22] (Microsoft Corporation)ShellIconOverlayIdentifiers: [1IconOverlayHandlerAccessible] -> {3DBF5F01-3287-46EB-82CF-45AA5C241162} => C:\windows\system32\PGPfsshl.dll [2014-10-06] (Symantec Corporation)ShellIconOverlayIdentifiers: [QIPOverlay] -> {245D03BE-03F7-4b52-B8B9-7FC41F60C49F} => C:\Windows\system32\QIPOverlay.dll [2014-08-05] (Websense, Inc.)ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)ShellIconOverlayIdentifiers-x32: [1IconOverlayHandlerAccessible] -> {3DBF5F01-3287-46EB-82CF-45AA5C241162} => C:\windows\SysWow64\PGPfsshl.dll [2014-10-06] (Symantec Corporation)Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PGPtray.exe.lnk [2015-01-13]ShortcutTarget: PGPtray.exe.lnk -> C:\Windows\Installer\{884992EC-F486-4BC6-B48D-5707B755D59B}\Icon9426BF75.exe ()Startup: C:\Users\jimw\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2014-11-03]ShortcutTarget: EvernoteClipper.lnk -> C:\Users\Administrator\AppData\Local\Apps\Evernote\Evernote\EvernoteClipper.exe (No File)==================== Internet (Whitelisted) ====================(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)AutoConfigURL: [s-1-5-21-2232656509-361406962-1938170613-2940] => http://webdefence.global.blackspider.com:8082/proxy.pac?p=88vb7276AutoConfigURL: [s-1-5-21-4053884242-254580842-3275359498-500] => http://webdefence.global.blackspider.com:8082/proxy.pac?p=88vb7276Winsock: Catalog9 01 C:\windows\SysWOW64\PGPlsp.dll [65768 2014-10-06] (Symantec Corporation)Winsock: Catalog9 13 C:\windows\SysWOW64\PGPlsp.dll [65768 2014-10-06] (Symantec Corporation)Winsock: Catalog9-x64 01 C:\windows\system32\PGPlsp.dll [76128 2014-10-06] (Symantec Corporation)Winsock: Catalog9-x64 13 C:\windows\system32\PGPlsp.dll [76128 2014-10-06] (Symantec Corporation)Tcpip\Parameters: [DhcpNameServer] 172.16.160.115 172.16.160.116Tcpip\..\Interfaces\{8250DB6B-3240-46DC-B521-883FC3CACE4E}: [DhcpNameServer] 172.16.160.115 172.16.160.116Tcpip\..\Interfaces\{9D57E6F7-5AAF-42F4-A907-7399A5BC973B}: [DhcpNameServer] 192.168.1.1Internet Explorer:==================HKU\S-1-5-21-2232656509-361406962-1938170613-2940\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTIONBHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2015-07-14] (Microsoft Corporation)BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2015-07-14] (Microsoft Corporation)BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-04-27] (Oracle Corporation)BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2015-07-14] (Microsoft Corporation)BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-27] (Oracle Corporation)Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll [2014-09-03] (Citrix Systems, Inc.)FireFox:========FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll [2014-09-03] (Citrix Systems, Inc.)FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-27] (Oracle Corporation)FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-27] (Oracle Corporation)FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-02-17] (Microsoft Corporation)FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2015-01-08] (Microsoft Corporation)FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)Chrome:=======CHR Profile: C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\DefaultCHR Extension: (Google Slides) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-28]CHR Extension: (Docs) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-28]CHR Extension: (Google Drive) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-08-28]CHR Extension: (YouTube) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-08-28]CHR Extension: (Google Search) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-08-28]CHR Extension: (Google Sheets) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-28]CHR Extension: (Gmail) - C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-28]==================== Services (Whitelisted) ========================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)S3 BoxSyncUpdateService; C:\Program Files\Box\Box Sync\SyncUpdaterService.exe [28696 2014-10-13] (Box, Inc.)R2 CcmExec; C:\windows\CCM\CcmExec.exe [1571000 2013-09-11] (Microsoft Corporation)R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2765496 2015-07-14] (Microsoft Corporation)R2 CmRcService; C:\windows\CCM\RemCtrl\CmRcService.exe [577720 2013-09-11] (Microsoft Corporation)R2 DWMRCS; C:\Windows\SysWOW64\DWRCS.EXE [242200 2010-08-06] (DameWare Development LLC)R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [282096 2014-03-24] (Intel Corporation)R3 lpasvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)S3 lppsvc; C:\Program Files\Microsoft Policy Platform\policyHost.exe [50280 2012-08-02] (Microsoft Corporation)S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2014-03-11] (Microsoft Corporation)R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [347872 2014-03-11] (Microsoft Corporation)R2 ntrtscan; C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe [1915696 2010-02-02] (Trend Micro Inc.)S3 smstsmgr; C:\windows\CCM\TSManager.exe [276152 2013-09-11] (Microsoft Corporation)R2 tmlisten; C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe [1986448 2010-02-02] (Trend Micro Inc.)S3 TmProxy; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmProxy.exe [917768 2009-07-15] (Trend Micro Inc.)S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [348392 2014-05-08] (Microsoft Corporation)S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2014-05-08] (Microsoft Corporation)S4 WSDLP; C:\Program Files\Websense\Websense Endpoint\DSEMain.dll [328192 2014-08-05] (Websense, Inc.) [File not signed]R2 WSPXY; C:\Program Files\Websense\Websense Endpoint\ProxyMain.dll [202240 2014-08-05] () [File not signed]S4 WSRF; C:\Program Files\Websense\Websense Endpoint\RFMain.dll [236032 2014-08-05] (Websense, Inc.) [File not signed]===================== Drivers (Whitelisted) ==========================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)S3 AX88179; C:\Windows\system32\DRIVERS\ax88179_178a.sys [73216 2014-08-07] (ASIX Electronics Corp.)S3 AX88772; C:\Windows\system32\DRIVERS\ax88772.sys [113864 2013-07-18] (ASIX Electronics Corp.)R3 BthA2DP; C:\Windows\system32\drivers\BthA2DP.sys [131328 2014-10-08] (Microsoft Corporation)R3 BthHFAud; C:\Windows\system32\DRIVERS\BthHfAud.sys [32768 2014-10-08] (Microsoft Corporation)R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-05-08] (Microsoft Corporation)R3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [146856 2013-06-04] (Windows ® Win 7 DDK provider)R3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [21928 2013-06-04] (Windows ® Win 7 DDK provider)R1 dwvkbd; C:\Windows\system32\DRIVERS\dwvkbd64.sys [30720 2007-02-15] (DameWare)S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)R3 iaLPSS_GPIO; C:\Windows\System32\drivers\iaLPSS_GPIO.sys [24568 2013-10-07] (Intel Corporation)R3 iaLPSS_I2C; C:\Windows\System32\drivers\iaLPSS_I2C.sys [99320 2013-10-07] (Intel Corporation)R3 MBAMProtector; C:\windows\system32\drivers\mbam.sys [25816 2015-06-18] (Malwarebytes Corporation)S3 MBAMSwissArmy; C:\windows\system32\drivers\MBAMSwissArmy.sys [113880 2015-08-28] (Malwarebytes Corporation)S3 MBAMWebAccessControl; C:\windows\system32\drivers\mwac.sys [64216 2015-06-18] (Malwarebytes Corporation)R3 MEIx64; C:\Windows\System32\drivers\TeeDriverx64.sys [100312 2014-01-31] (Intel Corporation)S0 MpBoot; C:\Windows\System32\DRIVERS\MpBoot.sys [34744 2013-09-27] (Microsoft Corporation)R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [268512 2014-01-25] (Microsoft Corporation)R3 mrvlpcie8897; C:\Windows\system32\DRIVERS\mrvlpcie8897.sys [990720 2014-09-18] (Marvell Semiconductors Inc.)R3 msu30x64w8; C:\Windows\system32\DRIVERS\msu30x64w8.sys [100864 2014-07-11] (Microsoft)S3 Nep; C:\Windows\System32\DRIVERS\cwNep.sys [143560 2014-08-05] (Websense, Inc.)R2 NisDrv; C:\Windows\system32\DRIVERS\NisDrvWFP.sys [133928 2014-03-11] (Microsoft Corporation)R2 PGPdisk; C:\Windows\System32\Drivers\PGPdisk.sys [275496 2014-10-06] (Symantec Corporation)R0 pgpfs; C:\Windows\System32\Drivers\PGPfsfd.sys [184856 2014-10-06] (Symantec Corporation)R1 PGPsdkDriver; C:\Windows\System32\Drivers\PGPsdk.sys [52968 2014-10-06] (Symantec Corporation)R0 PGPwded; C:\Windows\System32\Drivers\PGPwded.sys [399072 2014-10-06] (Symantec Corporation)R0 Pgpwdefs; C:\Windows\System32\DRIVERS\Pgpwdefs.sys [20536 2014-10-06] (Symantec Corporation)S3 prepdrvr; C:\Windows\system32\DRIVERS\prepdrv.sys [26984 2013-09-11] (Microsoft Corporation)R1 QIP; C:\Windows\system32\DRIVERS\Qip.sys [76488 2014-08-05] (Websense, Inc.)R3 SensorsServiceDriver; C:\Windows\System32\drivers\WUDFRd.sys [226304 2014-10-28] (Microsoft Corporation)R3 SurfaceAccessoryDevice; C:\Windows\System32\drivers\SurfaceAccessoryDevice.sys [51856 2014-05-30] (Microsoft Corporation)R3 SurfaceCapacitiveHomeButton; C:\Windows\System32\drivers\SurfaceCapacitiveHomeButton.sys [43152 2014-03-14] (Microsoft Corporation)R3 SurfaceDisplayCalibration; C:\Windows\System32\drivers\SurfaceDisplayCalibration.sys [41616 2014-05-02] (Microsoft Corporation)R3 SurfaceIntegrationDriver; C:\Windows\System32\drivers\SurfaceIntegrationDriver.sys [49768 2014-10-13] (Microsoft Corporation)R0 SurfacePciController; C:\Windows\System32\drivers\SurfacePciController.sys [35440 2014-10-08] (Microsoft Corporation)R3 SurfacePenDriver; C:\Windows\system32\DRIVERS\SurfacePenDriver.sys [63592 2014-09-26] (Microsoft Corporation)S3 SurfaceTouchCover; C:\Windows\System32\drivers\SurfaceTouchCover.sys [35976 2014-04-14] (Microsoft Corporation)S3 SurfaceTypeCover; C:\Windows\System32\drivers\SurfaceTypeCover.sys [35984 2014-03-19] (Microsoft Corporation)R2 TmFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmXPFlt.sys [344864 2013-08-14] (Trend Micro Inc.)R2 TmPreFilter; C:\Program Files (x86)\Trend Micro\OfficeScan Client\TmPreFlt.sys [42272 2013-08-14] (Trend Micro Inc.)R1 tmtdi; C:\Windows\system32\DRIVERS\tmtdi.sys [107536 2009-07-15] (Trend Micro Inc.)R3 TrueColor; C:\Windows\system32\DRIVERS\TrueColor.sys [35952 2014-07-07] ()R2 VSApiNt; C:\Program Files (x86)\Trend Micro\OfficeScan Client\VSApiNt.sys [2260768 2013-08-14] (Trend Micro Inc.)R3 WiFiClass; C:\Windows\system32\DRIVERS\wificlass.sys [411136 2014-09-18] (Microsoft Corporation)R3 WsNetFlt; C:\Windows\system32\DRIVERS\WsNetFlt.sys [61640 2014-08-05] (Websense, Inc.)S3 WsWfpRF; C:\Windows\system32\DRIVERS\WsWfpRF.sys [48328 2014-08-05] (Websense, Inc.)S1 knvjklmu; \??\C:\windows\system32\drivers\knvjklmu.sys [X]==================== NetSvcs (Whitelisted) ===================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)==================== One Month Created files and folders ========(If an entry is included in the fixlist, the file/folder will be moved.)2015-09-02 09:05 - 2015-09-02 09:09 - 00024755 _____ C:\Users\Administrator\Desktop\FRST.txt2015-09-02 09:04 - 2015-09-01 14:49 - 02188800 _____ (Farbar) C:\Users\Administrator\Desktop\FRST64.exe2015-09-01 15:09 - 2015-09-01 15:09 - 00028416 _____ C:\Users\jimw\Desktop\Addition.txt2015-09-01 15:04 - 2015-09-02 09:09 - 00000000 ____D C:\FRST2015-09-01 15:04 - 2015-09-01 15:09 - 00034591 _____ C:\Users\jimw\Desktop\FRST.txt2015-09-01 14:49 - 2015-09-01 14:49 - 02188800 _____ (Farbar) C:\Users\jimw\Desktop\FRST64.exe2015-08-31 11:10 - 2015-08-31 11:10 - 00000743 _____ C:\Users\Administrator\Desktop\Draft Dominator.lnk2015-08-31 11:10 - 2015-08-31 11:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DraftDominator2015-08-31 11:10 - 2015-08-31 11:10 - 00000000 ____D C:\FBG2015-08-31 11:10 - 2006-03-08 09:27 - 01353360 _____ (FarPoint Technologies, Inc.) C:\windows\SysWOW64\fpSpr60.ocx2015-08-31 11:10 - 2004-12-07 13:03 - 00451760 _____ (FarPoint Technologies, Inc.) C:\windows\SysWOW64\Tab32x30.ocx2015-08-31 11:10 - 2002-12-20 15:02 - 01077336 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSCOMCTL.OCX2015-08-31 11:10 - 2001-03-13 15:49 - 00140288 _____ (Microsoft Corporation) C:\windows\SysWOW64\comdlg32.ocx2015-08-31 11:10 - 2000-05-22 01:00 - 00115920 _____ (Microsoft Corporation) C:\windows\SysWOW64\MSINET.OCX2015-08-31 11:10 - 1999-01-06 18:50 - 00228864 _____ (Microsoft Corporation) C:\windows\SysWOW64\xl5en32.olb2015-08-31 11:05 - 2015-08-31 11:06 - 05523273 _____ ( ) C:\Users\jimw\Downloads\DD160k_Setup.exe2015-08-28 09:17 - 2015-08-28 09:17 - 00000000 __SHD C:\Users\Administrator\AppData\Local\EmieBrowserModeList2015-08-28 09:15 - 2015-08-28 09:15 - 00113880 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys2015-08-28 09:15 - 2015-08-28 09:15 - 00001121 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk2015-08-28 09:15 - 2015-08-28 09:15 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware2015-08-28 09:15 - 2015-08-28 09:15 - 00000000 ____D C:\ProgramData\Malwarebytes2015-08-28 09:15 - 2015-08-28 09:15 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware2015-08-28 09:15 - 2015-06-18 08:42 - 00064216 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys2015-08-28 09:15 - 2015-06-18 08:41 - 00109272 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys2015-08-28 09:15 - 2015-06-18 08:41 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys2015-08-28 09:14 - 2015-08-28 09:14 - 00000000 ____D C:\Users\Administrator\Documents\PGP2015-08-28 09:14 - 2015-08-28 09:14 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\PGP Corporation2015-08-28 09:14 - 2015-08-28 09:14 - 00000000 ____D C:\Users\Administrator\AppData\Local\PGP Corporation2015-08-28 09:07 - 2015-08-28 09:09 - 24345872 _____ (Malwarebytes Corporation ) C:\Users\jimw\Downloads\mbam-setup-2.1.8.1057.exe2015-08-12 13:41 - 2015-08-13 22:14 - 00004966 _____ C:\windows\System32\Tasks\Microsoft Office 15 Sync Maintenance for {94cf404f-7f48-4a47-8958-9b9be70bce99} SEG-JimW4.steiner.sll.com2015-08-11 14:54 - 2015-08-13 10:26 - 00000000 ____D C:\Users\jimw\AppData\Local\FlickrUploadrWindows2015-08-11 14:54 - 2015-08-11 14:54 - 00002379 _____ C:\Users\jimw\Desktop\Flickr Uploadr.lnk2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Flickr2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Local\SquirrelTemp2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Local\IsolatedStorage2015-08-11 14:54 - 2015-08-11 14:54 - 00000000 ____D C:\Users\jimw\AppData\Local\Flickr2015-08-11 14:52 - 2015-08-11 14:53 - 21879792 _____ (Flickr) C:\Users\jimw\Downloads\FlickrUploadrInstallr.exe2015-08-11 09:21 - 2015-08-11 09:23 - 36284404 _____ C:\Users\jimw\Downloads\VID_20150810_083347.mp42015-08-05 15:18 - 2015-08-05 15:18 - 00930872 _____ C:\Users\jimw\Downloads\35733dir.txt==================== One Month Modified files and folders ========(If an entry is included in the fixlist, the file/folder will be moved.)2015-09-02 09:09 - 2014-10-31 14:47 - 01915131 _____ C:\windows\WindowsUpdate.log2015-09-02 09:08 - 2014-11-03 15:00 - 00003594 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4053884242-254580842-3275359498-5002015-09-02 09:07 - 2014-10-31 15:27 - 00003596 _____ C:\windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2232656509-361406962-1938170613-29402015-09-02 09:07 - 2014-05-08 23:06 - 00868872 _____ C:\windows\system32\PerfStringBackup.INI2015-09-02 09:05 - 2014-10-31 15:03 - 00000589 _____ C:\windows\SMSCFG.ini2015-09-02 09:03 - 2015-07-08 14:17 - 00003736 _____ C:\windows\System32\Tasks\WinRM2015-09-02 09:03 - 2014-11-03 16:59 - 00000918 _____ C:\windows\Tasks\GoogleUpdateTaskMachineCore.job2015-09-02 09:03 - 2014-10-31 15:22 - 00006252 __RSH C:\Users\jimw\ntuser.pol2015-09-02 09:03 - 2014-10-31 15:20 - 00000000 ____D C:\Users\jimw2015-09-02 09:03 - 2014-10-31 15:01 - 00027139 __RSH C:\ProgramData\ntuser.pol2015-09-02 09:02 - 2014-11-03 23:10 - 00000000 ____D C:\Users\jimw\AppData\Local\Box Sync2015-09-02 09:02 - 2014-10-31 15:23 - 00000000 ____D C:\Users\jimw\AppData\Roaming\ClassicShell2015-09-02 09:01 - 2014-10-31 14:58 - 00000224 _____ C:\windows\system32\config\netlogon.ftl2015-09-02 09:01 - 2013-08-22 10:46 - 00100448 _____ C:\windows\setupact.log2015-09-02 09:01 - 2013-08-22 10:45 - 00000006 ____H C:\windows\Tasks\SA.DAT2015-09-02 09:00 - 2014-11-03 14:57 - 00002620 _____ C:\windows\TMFilter.log2015-09-02 08:54 - 2014-11-03 14:54 - 00016382 _____ C:\windows\cfgall.ini2015-09-02 08:36 - 2014-11-03 16:59 - 00000922 _____ C:\windows\Tasks\GoogleUpdateTaskMachineUA.job2015-09-02 08:09 - 2013-08-22 11:36 - 00000000 ____D C:\windows\system32\sru2015-09-02 04:15 - 2013-08-22 11:36 - 00000000 ____D C:\windows\AppReadiness2015-09-02 04:11 - 2014-11-03 12:57 - 00003918 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{2328317E-DA4E-43B0-BC5E-DDB4E100C05A}2015-09-01 20:37 - 2014-11-03 17:05 - 00002210 _____ C:\Users\Public\Desktop\Google Chrome.lnk2015-09-01 13:36 - 2014-10-31 15:03 - 00000000 ____D C:\windows\ccmcache2015-08-30 08:31 - 2014-11-03 16:59 - 00003894 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineUA2015-08-30 08:31 - 2014-11-03 16:59 - 00003658 _____ C:\windows\System32\Tasks\GoogleUpdateTaskMachineCore2015-08-28 13:56 - 2014-10-31 15:22 - 00000000 ____D C:\Users\jimw\AppData\Local\Packages2015-08-28 12:45 - 2014-05-08 22:57 - 00025872 _____ C:\windows\PFRO.log2015-08-28 09:23 - 2014-11-03 15:05 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\ClassicShell2015-08-28 09:21 - 2014-11-03 16:32 - 00003962 _____ C:\windows\System32\Tasks\User_Feed_Synchronization-{7E9519FD-C60C-4DFD-958E-BEFC05813697}2015-08-26 15:37 - 2013-08-22 09:25 - 00524288 ___SH C:\windows\system32\config\BBI2015-08-25 06:02 - 2015-01-06 13:51 - 00000000 ____D C:\Program Files\Microsoft Office 152015-08-24 17:03 - 2006-06-10 16:02 - 00000000 ____D C:\Users\jimw\Documents\transfer to backup2015-08-20 22:08 - 2013-08-22 11:36 - 00000000 ____D C:\windows\LiveKernelReports2015-08-20 21:01 - 2014-11-03 23:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Box Sync2015-08-13 10:26 - 2014-10-31 15:22 - 00000000 ____D C:\Users\jimw\AppData\Local\VirtualStore2015-08-05 12:59 - 2013-08-22 11:36 - 00000000 ___HD C:\windows\system32\GroupPolicy==================== Files in the root of some directories =======2014-05-08 22:58 - 2014-05-08 22:58 - 0000000 ____H () C:\ProgramData\DP45977C.lfl==================== Bamital & volsnap =================(There is no automatic fix for files that do not pass verification.)C:\windows\system32\winlogon.exe => File is digitally signedC:\windows\system32\wininit.exe => File is digitally signedC:\windows\explorer.exe => File is digitally signedC:\windows\SysWOW64\explorer.exe => File is digitally signedC:\windows\system32\svchost.exe => File is digitally signedC:\windows\SysWOW64\svchost.exe => File is digitally signedC:\windows\system32\services.exe => File is digitally signedC:\windows\system32\User32.dll => File is digitally signedC:\windows\SysWOW64\User32.dll => File is digitally signedC:\windows\system32\userinit.exe => File is digitally signedC:\windows\SysWOW64\userinit.exe => File is digitally signedC:\windows\system32\rpcss.dll => File is digitally signedC:\windows\system32\dnsapi.dll => File is digitally signedC:\windows\SysWOW64\dnsapi.dll => File is digitally signedC:\windows\system32\Drivers\volsnap.sys => File is digitally signedLastRegBack: 2015-09-02 04:10==================== End of FRST.txt ============================ Additional scan result of Farbar Recovery Scan Tool (x64) Version:31-08-2015Ran by Administrator (2015-09-02 09:09:53)Running from C:\Users\Administrator\DesktopBoot Mode: Normal============================================================================== Accounts: =============================admin (S-1-5-21-4053884242-254580842-3275359498-1001 - Limited - Enabled) => C:\Users\adminAdministrator (S-1-5-21-4053884242-254580842-3275359498-500 - Administrator - Enabled) => C:\Users\AdministratorGuest (S-1-5-21-4053884242-254580842-3275359498-501 - Limited - Disabled)==================== Security Center ========================(If an entry is included in the fixlist, it will be removed.)AV: System Center Endpoint Protection (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}AV: Trend Micro OfficeScan Antivirus (Enabled - Up to date) {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}AS: Trend Micro OfficeScan Anti-spyware (Enabled - Up to date) {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}AS: System Center Endpoint Protection (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}==================== Installed Programs ======================(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 15.0.0.293 - Adobe Systems Incorporated)Adobe Reader XI (11.0.12) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)Box Sync (HKLM\...\{64995E36-82A9-4AD6-BACD-38DE87A04ED2}) (Version: 4.0.6567.0 - Box, Inc.)Box Sync (x32 Version: 4.0.5500.0 - Box Inc.) HiddenCisco WebEx Meetings (HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.1.200.13 - Citrix Systems, Inc.)Classic Shell (HKLM\...\{840C85B7-D3D6-4143-9AF9-DAE80FD54CFC}) (Version: 4.1.0 - IvoSoft)ConfigMgr Client Setup Bootstrap (x32 Version: 5.00.7958.1000 - Microsoft Corporation) HiddenConfiguration Manager Client (Version: 5.00.7958.1000 - Microsoft Corporation) HiddenDraftDominator Version 16.0k (HKLM-x32\...\DraftDominator_is1) (Version: - )Evernote v. 5.7 (HKLM-x32\...\{94049072-5FE7-11E4-8AF1-00163E98E7D6}) (Version: 5.7.0.5492 - Evernote Corp.)Flickr Uploadr for Windows (HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\FlickrUploadrWindows) (Version: 0.9.90.246 - Flickr)Google Chrome (HKLM-x32\...\Google Chrome) (Version: 45.0.2454.85 - Google Inc.)Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) HiddenGoogle Update Helper (x32 Version: 1.3.28.13 - Google Inc.) HiddenJava 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)K-Lite Codec Pack 10.8.0 Full (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.8.0 - )Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4745.1002 - Microsoft Corporation)Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)Mozilla Firefox 33.0.2 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0.2 (x86 en-US)) (Version: 33.0.2 - Mozilla)Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 33.0.2 - Mozilla)Office 15 Click-to-Run Extensibility Component (x32 Version: 15.0.4745.1002 - Microsoft Corporation) HiddenOffice 15 Click-to-Run Licensing Component (Version: 15.0.4745.1002 - Microsoft Corporation) HiddenOffice 15 Click-to-Run Localization Component (x32 Version: 15.0.4745.1002 - Microsoft Corporation) HiddenOnline Plug-in (x32 Version: 14.1.200.13 - Citrix Systems, Inc.) HiddenPassword Reset Server Login Client (HKLM-x32\...\{05F20509-E65E-42D6-8197-8950CFDDFB21}) (Version: 1.3.0 - Thycotic Software Ltd)Self-service Plug-in (x32 Version: 4.1.200.588 - Citrix Systems, Inc.) HiddenSkype™ 6.21 (HKLM-x32\...\{1845470B-EB14-4ABC-835B-E36C693DC07D}) (Version: 6.21.104 - Skype Technologies S.A.)swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) HiddenSymantec Encryption Desktop (HKLM\...\{884992EC-F486-4BC6-B48D-5707B755D59B}) (Version: 10.3.2.15661 - Symantec Corporation)System Center Endpoint Protection (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)Trend Micro OfficeScan Client (HKLM-x32\...\{ECEA7878-2100-4525-915D-B09174E36971}) (Version: 10.0.1736 - Trend Micro)Websense Endpoint (HKLM\...\{77702A35-F85E-4072-B449-C632C0D37C2A}) (Version: 7.8.1921 - Websense, Inc.)Windows Firewall Configuration Provider (HKLM\...\{109A5A16-E09E-4B82-A784-D1780F1190D6}) (Version: 1.2.3412.0 - Microsoft Corporation)==================== Custom CLSID (Whitelisted): ==========================(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)CustomCLSID: HKU\S-1-5-21-2232656509-361406962-1938170613-2940_Classes\CLSID\{53B2AC1B-7B81-47FC-8D3B-595CDE21D0BA}\InprocServer32 -> C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\EvernoteCCx64.dll (Evernote Corp., 333 W Evelyn Ave. Mountain View, CA 94041)CustomCLSID: HKU\S-1-5-21-2232656509-361406962-1938170613-2940_Classes\CLSID\{92EF2EAD-A7CE-4424-B0DB-499CF856608E}\InprocServer32 -> C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\EvernoteIEx64.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)CustomCLSID: HKU\S-1-5-21-2232656509-361406962-1938170613-2940_Classes\CLSID\{BD6BEEE8-64CE-4814-B319-990645883E89}\InprocServer32 -> C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\EvernoteOLx64.dll (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)==================== Restore Points =========================09-08-2015 12:48:49 Scheduled Checkpoint21-08-2015 12:19:45 Scheduled Checkpoint31-08-2015 13:50:08 Scheduled Checkpoint==================== Hosts content: ===============================(If needed Hosts: directive could be included in the fixlist to reset Hosts.)2013-08-22 09:25 - 2013-08-22 09:25 - 00000824 ____A C:\windows\system32\Drivers\etc\hosts==================== Scheduled Tasks (Whitelisted) =============(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)Task: {083898B2-8139-4A6D-97A6-1326294EAA4F} - System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2015-07-14] (Microsoft Corporation)Task: {0F60521F-E757-4245-8F44-FF6240D2CA0C} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx86\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2015-07-14] (Microsoft Corporation)Task: {1AF2B001-A621-47D9-B983-B5FFCC985516} - System32\Tasks\klcp_update => C:\Program Files (x86)\K-Lite Codec Pack\Tools\CodecTweakTool.exe [2014-10-06] ()Task: {37C31A10-3B8E-4C39-8D04-DF6D29AC1553} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-05-12] (Microsoft Corporation)Task: {435CB807-2AEC-45B7-984A-3D575CE725F0} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager MaintenanceTask: {51B22717-748D-4DE5-B88B-CC047B37AC1B} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2015-05-12] (Microsoft Corporation)Task: {6CCF7D4E-9DC4-46E2-91C3-946BE7523FEA} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Health Evaluation => C:\windows\CCM\ccmeval.exe [2013-09-11] (Microsoft Corporation)Task: {6D0E4ACD-1362-4F2D-9C58-98EEC3DA2D96} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2015-07-14] (Microsoft Corporation)Task: {91949F76-B1B4-48E7-B633-47CBF595D17C} - System32\Tasks\Turn Off Firewall => netshTask: {99E7EAB3-348C-4BB9-9D14-2DB7E7E0DA3F} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)Task: {A754D405-AFE3-4DCA-BD49-4A14E37B8211} - System32\Tasks\Microsoft Office 15 Sync Maintenance for {94cf404f-7f48-4a47-8958-9b9be70bce99} SEG-JimW4.steiner.sll.com => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2015-06-02] (Microsoft Corporation)Task: {AD4FF3BA-2912-4FD0-B1CC-80BDAC38C1DF} - System32\Tasks\Microsoft\Windows\GroupPolicy\{A7719E0F-10DB-4640-AD8C-490CC6AD5202}Task: {B5FA60ED-1105-487B-9788-8D159391D9C9} - System32\Tasks\WinRM => winrmTask: {C14B746E-4899-44B1-A4A6-CD25E8137481} - System32\Tasks\Microsoft\Windows\GroupPolicy\{3E0A038B-D834-4930-9981-E89C9BFF83AA}Task: {C1D17295-D168-4DA9-A9AA-CDE80A1247DD} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)Task: {C3903B20-C981-4574-9E1B-B378DFFDA92A} - System32\Tasks\Start Websense => netTask: {E4B76490-95D4-4C6F-8209-1D40E54F81D7} - System32\Tasks\Microsoft\Configuration Manager\Configuration Manager Idle DetectionTask: {EC1C95C5-A3B6-46F5-A3D1-5804583BBEFD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)Task: C:\windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exeTask: C:\windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe==================== Loaded Modules (Whitelisted) ==============2015-01-06 13:51 - 2014-05-20 09:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll2014-08-05 16:43 - 2014-08-05 16:43 - 01633280 _____ () C:\Program Files\Websense\Websense Endpoint\libxml2.dll2014-08-05 17:30 - 2014-08-05 17:30 - 00202240 _____ () C:\Program Files\Websense\Websense Endpoint\ProxyMain.dll2007-05-16 12:42 - 2007-05-16 12:42 - 00089088 _____ () C:\Program Files (x86)\Trend Micro\OfficeScan Client\zlibwapi.dll2015-03-20 12:26 - 2015-01-27 11:29 - 08898720 _____ () C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\1033\GrooveIntlResource.dll2014-12-10 12:28 - 2014-12-10 12:28 - 01152000 _____ () C:\Program Files\Box\Box Sync\_hashlib.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00128512 _____ () C:\Program Files\Box\Box Sync\win32api.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00137728 _____ () C:\Program Files\Box\Box Sync\pywintypes27.dll2012-10-27 08:29 - 2012-10-27 08:29 - 00503808 _____ () C:\Program Files\Box\Box Sync\pythoncom27.dll2014-12-10 12:28 - 2014-12-10 12:28 - 00112128 _____ () C:\Program Files\Box\Box Sync\_ctypes.pyd2013-10-09 18:05 - 2013-10-09 18:05 - 00003584 _____ () C:\Program Files\Box\Box Sync\clr.pyd2013-10-09 18:05 - 2013-10-09 18:05 - 00103424 _____ () C:\Program Files\Box\Box Sync\Python.Runtime.dll2014-12-10 12:28 - 2014-12-10 12:28 - 00047616 _____ () C:\Program Files\Box\Box Sync\_socket.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 01745920 _____ () C:\Program Files\Box\Box Sync\_ssl.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00027136 _____ () C:\Program Files\Box\Box Sync\ujson.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00044544 _____ () C:\Program Files\Box\Box Sync\_psutil_windows.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00010752 _____ () C:\Program Files\Box\Box Sync\select.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00166912 _____ () C:\Program Files\Box\Box Sync\_elementtree.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00164352 _____ () C:\Program Files\Box\Box Sync\pyexpat.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00689664 _____ () C:\Program Files\Box\Box Sync\unicodedata.pyd2012-10-27 08:31 - 2012-10-27 08:31 - 00438784 _____ () C:\Program Files\Box\Box Sync\win32com.shell.shell.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00023040 _____ () C:\Program Files\Box\Box Sync\win32event.pyd2015-06-11 14:48 - 2015-06-11 14:48 - 00059392 _____ () C:\Program Files\Box\Box Sync\_sqlite3.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00149504 _____ () C:\Program Files\Box\Box Sync\win32file.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00136192 _____ () C:\Program Files\Box\Box Sync\win32security.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00044032 _____ () C:\Program Files\Box\Box Sync\win32process.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00030720 _____ () C:\Program Files\Box\Box Sync\win32cred.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00030208 _____ () C:\Program Files\Box\Box Sync\Crypto.Cipher._AES.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00008192 _____ () C:\Program Files\Box\Box Sync\Crypto.Util.strxor.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00010752 _____ () C:\Program Files\Box\Box Sync\Crypto.Random.OSRNG.winrandom.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00011264 _____ () C:\Program Files\Box\Box Sync\Crypto.Util._counter.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00053760 _____ () C:\Program Files\Box\Box Sync\win32service.pyd2015-05-28 16:42 - 2015-05-28 16:42 - 00026112 _____ () C:\Program Files\Box\Box Sync\_yappi.pyd2014-12-10 12:28 - 2014-12-10 12:28 - 00031744 _____ () C:\Program Files\Box\Box Sync\_multiprocessing.pyd2012-10-27 08:27 - 2012-10-27 08:27 - 00021504 _____ () C:\Program Files\Box\Box Sync\win32clipboard.pyd2012-10-27 08:28 - 2012-10-27 08:28 - 00223232 _____ () C:\Program Files\Box\Box Sync\win32gui.pyd2014-10-13 11:59 - 2014-10-13 11:59 - 00068096 _____ () C:\Program Files\Box\Box Sync\SystemWrapper.dll2015-08-11 22:39 - 2015-08-11 22:39 - 00030384 _____ () C:\Program Files\Box\Box Sync\BoxSyncMonitor.exe2014-10-29 23:17 - 2014-10-29 23:17 - 00436576 _____ () C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\libxml2.dll2014-10-29 23:17 - 2014-10-29 23:17 - 00318304 _____ () C:\Users\jimw\AppData\Local\Apps\Evernote\Evernote\libtidy.dll2015-09-01 20:37 - 2015-08-27 20:17 - 01501512 _____ () C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\libglesv2.dll2015-09-01 20:37 - 2015-08-27 20:17 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.85\libegl.dll==================== Alternate Data Streams (Whitelisted) =========(If an entry is included in the fixlist, only the ADS will be removed.)==================== Safe Mode (Whitelisted) ===================(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)==================== EXE Association (Whitelisted) ===============(If an entry is included in the fixlist, the registry item will be restored to default or removed.)==================== Internet Explorer trusted/restricted ===============(If an entry is included in the fixlist, it will be removed from the registry.)IE trusted site: HKU\S-1-5-21-2232656509-361406962-1938170613-2940\...\sharepoint.com -> hxxps://steinerleisure.sharepoint.com==================== Other Areas ============================(Currently there is no automatic fix for this section.)HKU\S-1-5-21-2232656509-361406962-1938170613-2940\Control Panel\Desktop\\Wallpaper -> C:\Users\jimw\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaperHKU\S-1-5-21-4053884242-254580842-3275359498-500\Control Panel\Desktop\\Wallpaper -> C:\windows\web\wallpaper\Surface\Surface.jpgDNS Servers: 172.16.160.115 - 172.16.160.116HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)Windows Firewall is disabled.==================== MSCONFIG/TASK MANAGER disabled items ==(Currently there is no automatic fix for this section.)==================== FirewallRules (Whitelisted) ===============(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppextcomobj.exeFirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppextcomobj.exeFirewallRules: [{78A46111-05C1-49FC-9D1A-66C7F0226F3F}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exeFirewallRules: [{6790201A-48CB-46D6-A8B7-F4E8E0CC3086}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exeFirewallRules: [{592AFB87-CE62-4FE3-820D-DA134B3AD63E}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exeFirewallRules: [{5148D84E-3BE8-444A-AF21-62D7D3F4B9AC}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exeFirewallRules: [{EE316439-D10A-43D5-9226-150D7E584F9E}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\outlook.exeFirewallRules: [{69953D67-844F-4CF8-AA68-37E9094F578E}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exeFirewallRules: [{5DEFD7B4-BAA8-42B3-89AC-B5BB0CD215B6}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exeFirewallRules: [{860A272A-A0D1-40BB-8F87-42193580C532}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\Lync.exeFirewallRules: [{396A03F9-4DD9-488F-BCB0-53423E1AE44D}] => (Allow) C:\Program Files\Microsoft Office 15\root\Office15\UcMapi.exeFirewallRules: [{D6EA0C8A-95F8-40B9-B0CD-9F4FB34E8685}] => (Allow) LPort=44668FirewallRules: [{E4ED828D-3F6F-4934-81FB-1953665C53A9}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exeFirewallRules: [{7656D52D-25B0-4466-8F11-8403B4E1E494}] => (Allow) C:\windows\SysWOW64\DWRCS.EXE==================== Faulty Device Manager Devices ================================= Event log errors: =========================Application errors:==================Error: (09/02/2015 09:03:44 AM) (Source: SideBySide) (EventID: 35) (User: )Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".Error in manifest or policy file "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"2" on line Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"3.Component identity found in manifest does not match the identity of the component requested.Reference is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".Definition is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762".Please use sxstrace.exe for detailed diagnosis.Error: (09/02/2015 09:02:39 AM) (Source: SideBySide) (EventID: 35) (User: )Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".Error in manifest or policy file "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"2" on line Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"3.Component identity found in manifest does not match the identity of the component requested.Reference is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".Definition is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762".Please use sxstrace.exe for detailed diagnosis.Error: (09/02/2015 04:10:48 AM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )Description: The volume Windows RE tools was not optimized because an error was encountered: The parameter is incorrect. (0x80070057)Error: (09/02/2015 04:10:22 AM) (Source: SideBySide) (EventID: 35) (User: )Description: Activation context generation failed for "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"1".Error in manifest or policy file "UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"2" on line UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"3.Component identity found in manifest does not match the identity of the component requested.Reference is UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0".Definition is UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0".Please use sxstrace.exe for detailed diagnosis.Error: (09/02/2015 01:18:30 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )Description: Subscription licensing service failed: -2143485946Error: (09/02/2015 01:18:30 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0006; CorrelationId: {DB07C64A-C755-4D59-964F-3169CE90D65A}Error: (09/01/2015 10:03:45 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )Description: 80070005Error: (09/01/2015 03:31:00 PM) (Source: SideBySide) (EventID: 35) (User: )Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".Error in manifest or policy file "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"2" on line Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"3.Component identity found in manifest does not match the identity of the component requested.Reference is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".Definition is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762".Please use sxstrace.exe for detailed diagnosis.Error: (09/01/2015 03:19:07 PM) (Source: SideBySide) (EventID: 35) (User: )Description: Activation context generation failed for "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".Error in manifest or policy file "Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"2" on line Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"3.Component identity found in manifest does not match the identity of the component requested.Reference is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0".Definition is Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762".Please use sxstrace.exe for detailed diagnosis.Error: (09/01/2015 03:08:23 PM) (Source: Application Hang) (EventID: 1002) (User: )Description: The program FRST64.exe version 31.8.2015.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.Process ID: 1d08Start Time: 01d0e4e8f8e4d5a7Termination Time: 58685Application Path: C:\Users\jimw\Desktop\FRST64.exeReport Id: ab1143e1-50dc-11e5-8296-600292f0274eFaulting package full name:Faulting package-relative application ID:System errors:=============Error: (09/02/2015 09:05:49 AM) (Source: Kerberos) (EventID: 4) (User: )Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server edcsc01$. The target name used was HTTP/edcsc01.steiner.sll.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (STEINER.SLL.COM) is different from the client domain (STEINER.SLL.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.Error: (09/02/2015 09:01:12 AM) (Source: Microsoft-Windows-Directory-Services-SAM) (EventID: 16953) (User: NT AUTHORITY)Description: The password notification DLL PGPpwflt failed to load with error 126. Please verify that the notification DLL path defined in the registry, HKLM\System\CurrentControlSet\Control\Lsa\Notification Packages, refers to a correct and absolute path (<drive>:\<path>\<filename>.<ext>) and not a relative or invalid path. If the DLL path is correct, please validate that any supporting files are located in the same directory, and that the system account has read access to both the DLL path and any supporting files. Contact the provider of the notification DLL for additional support. Further details can be found on the web at http://go.microsoft.com/fwlink/?LinkId=245898.Error: (09/02/2015 09:00:39 AM) (Source: DCOM) (EventID: 10029) (User: NT AUTHORITY)Description: {8BC3F05E-D86B-11D0-A075-00C04FB68820}winmgmtError: (09/02/2015 08:54:13 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1129) (User: NT AUTHORITY)Description: The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.Error: (09/02/2015 08:54:13 AM) (Source: Microsoft-Windows-GroupPolicy) (EventID: 1055) (User: STEINER)Description: The processing of Group Policy failed. Windows could not resolve the computer name. This could be caused by one of more of the following:a) Name Resolution failure on the current domain controller.b) Active Directory Replication Latency (an account created on another domain controller has not replicated to the current domain controller).Error: (09/02/2015 08:54:13 AM) (Source: NETLOGON) (EventID: 5719) (User: )Description: This computer was not able to set up a secure session with a domaincontroller in domain STEINER due to the following:%%1311This may lead to authentication problems. Make sure that thiscomputer is connected to the network. If the problem persists,please contact your domain administrator. ADDITIONAL INFOIf this computer is a domain controller for the specified domain, itsets up the secure session to the primary domain controller emulator in the specifieddomain. Otherwise, this computer sets up the secure session to any domain controllerin the specified domain.Error: (09/02/2015 07:43:16 AM) (Source: DCOM) (EventID: 10010) (User: STEINER)Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}Error: (09/02/2015 07:41:45 AM) (Source: DCOM) (EventID: 10010) (User: STEINER)Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}Error: (09/02/2015 07:40:14 AM) (Source: DCOM) (EventID: 10010) (User: STEINER)Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}Error: (09/02/2015 07:38:43 AM) (Source: DCOM) (EventID: 10010) (User: STEINER)Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}Microsoft Office:=========================Error: (09/02/2015 09:03:44 AM) (Source: SideBySide) (EventID: 35) (User: )Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"C:\Program Files (x86)\Citrix\ICA Client\MFC80.DLLC:\Program Files (x86)\Citrix\ICA Client\Microsoft.VC80.MFCLOC.MANIFEST5Error: (09/02/2015 09:02:39 AM) (Source: SideBySide) (EventID: 35) (User: )Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"C:\Program Files (x86)\Citrix\ICA Client\MFC80.DLLC:\Program Files (x86)\Citrix\ICA Client\Microsoft.VC80.MFCLOC.MANIFEST5Error: (09/02/2015 04:10:48 AM) (Source: Microsoft-Windows-Defrag) (EventID: 257) (User: )Description: Windows RE toolsThe parameter is incorrect. (0x80070057)Error: (09/02/2015 04:10:22 AM) (Source: SideBySide) (EventID: 35) (User: )Description: UccApi,processorArchitecture="AMD64",type="win32",version="15.0.0.0"UccApi,processorArchitecture="x86",type="win32",version="15.0.0.0"C:\Program Files\Microsoft Office 15\root\office15\lync.exe.ManifestC:\Program Files\Microsoft Office 15\root\office15\UccApi.DLL1Error: (09/02/2015 01:18:30 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )Description: Subscription licensing service failed: -2143485946Error: (09/02/2015 01:18:30 AM) (Source: Microsoft Office 15) (EventID: 2011) (User: )Description: Office Subscription licensing exception: Error Code: 0x803D0006; CorrelationId: {DB07C64A-C755-4D59-964F-3169CE90D65A}Error: (09/01/2015 10:03:45 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )Description: 80070005Error: (09/01/2015 03:31:00 PM) (Source: SideBySide) (EventID: 35) (User: )Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"C:\Program Files (x86)\Citrix\ICA Client\MFC80.DLLC:\Program Files (x86)\Citrix\ICA Client\Microsoft.VC80.MFCLOC.MANIFEST5Error: (09/01/2015 03:19:07 PM) (Source: SideBySide) (EventID: 35) (User: )Description: Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"Microsoft.VC80.MFCLOC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.762"C:\Program Files (x86)\Citrix\ICA Client\MFC80.DLLC:\Program Files (x86)\Citrix\ICA Client\Microsoft.VC80.MFCLOC.MANIFEST5Error: (09/01/2015 03:08:23 PM) (Source: Application Hang) (EventID: 1002) (User: )Description: FRST64.exe31.8.2015.01d0801d0e4e8f8e4d5a758685C:\Users\jimw\Desktop\FRST64.exeab1143e1-50dc-11e5-8296-600292f0274eCodeIntegrity:=================================== Date: 2015-02-13 22:31:47.933 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-13 22:25:04.172 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-13 21:24:38.516 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system. Date: 2015-02-13 21:19:24.472 Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\QIPCAP64.dll because the set of per-page image hashes could not be found on the system.==================== Memory info ===========================Processor: Intel® Core i7-4650U CPU @ 1.70GHzPercentage of memory in use: 30%Total physical RAM: 8097.07 MBAvailable physical RAM: 5616.9 MBTotal Virtual: 9377.07 MBAvailable Virtual: 6445.51 MB==================== Drives ================================Drive c: (Windows) (Fixed) (Total:232.73 GB) (Free:110.38 GB) NTFS==================== MBR & Partition Table ==========================================================================Disk: 0 (Size: 238.5 GB) (Disk ID: 4B58FC52)Partition: GPT.==================== End of Addition.txt ============================ Link to post Share on other sites More sharing options...
Maniac Posted September 2, 2015 ID:986733 Share Posted September 2, 2015 Please explain your problems. Link to post Share on other sites More sharing options...
yellowdog232 Posted September 2, 2015 Author ID:986737 Share Posted September 2, 2015 My browsing in both chrome and internet explorer is extremely slow. Other machines on same connection are fine and the speed on the actual connection tests well. I'm also seeing a lot of "malware detected and quarantined" alerts from windows message center. Link to post Share on other sites More sharing options...
Maniac Posted September 2, 2015 ID:986742 Share Posted September 2, 2015 Step 1 I notice that you are using more than one antivirus program.System Center Endpoint ProtectionTrend Micro OfficeScan ClientThis is very dangerous, as multiple Antivirus programs can interfere with one another and actually allow more viruses to get through. It is important that only one antivirus program is running realtime protection. Please uninstall one of them and then reboot your system. Step 2 Please update your Malwarebytes Anti-Malware and perform a threat scan. Post your log file. Step 3 Download aswMBR.exe to your desktop. Double click the aswMBR.exe to run it Click the "Scan" button to start scan On completion of the scan click save log, save it to your desktop and post in your next reply In your next reply, post the following log files:Malwarebytes' Anti-Malware logaswMBR log Link to post Share on other sites More sharing options...
yellowdog232 Posted September 2, 2015 Author ID:986762 Share Posted September 2, 2015 Aswmbr wants to download the avast virus definitions. Should I click yes ? Link to post Share on other sites More sharing options...
yellowdog232 Posted September 2, 2015 Author ID:986767 Share Posted September 2, 2015 I also get a aswmbr message stating " this computer supports virtualization technology. Would you like to use it for rootkit detection? ". Yes/no Link to post Share on other sites More sharing options...
Maniac Posted September 7, 2015 ID:987625 Share Posted September 7, 2015 Sorry for delay! Please choose Yes. Link to post Share on other sites More sharing options...
yellowdog232 Posted September 7, 2015 Author ID:987639 Share Posted September 7, 2015 No problem. I ran MBAM with no detected items but cannot locate the logs in Windows 8?? From googling I thought they should be under --- user\appdata\roaming\ --- but there isn't a directory there?? I've shown hidden files and directories so I don't think that's it. Anyway, here is the other log... aswMBR version 1.0.1.2252 Copyright© 2014 AVAST SoftwareRun date: 2015-09-07 09:06:57-----------------------------09:06:57.451 OS Version: Windows x64 6.2.920009:06:57.451 Number of processors: 4 586 0x450109:06:57.451 ComputerName: SEG-JIMW4 UserName:09:06:57.857 Initialize success09:06:57.873 VM: initialized successfully09:06:57.873 VM: Intel CPU supported virtualizedSuspended09:06:59.831 VM: supported disk I/O storport.sys09:10:02.308 AVAST engine defs: 1509070009:10:06.870 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000003409:10:06.870 Disk 0 Vendor: HFS256G3AMNB-2200A 10108L00 Size: 244198MB BusType: 1109:10:06.870 Disk 0 MBR read successfully09:10:06.870 Disk 0 MBR scan09:10:06.870 Disk 0 unknown MBR code09:10:06.870 Disk 0 Partition 1 00 EE GPT 2097151 MB offset 109:10:06.886 Disk 0 scanning C:\windows\system32\drivers09:10:06.886 Service scanning09:10:22.136 Modules scanning09:10:22.136 Disk 0 trace - called modules:09:10:22.136 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll storahci.sys09:10:22.136 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe00061523060]09:10:22.152 3 CLASSPNP.SYS[fffff800ef349170] -> nt!IofCallDriver -> [0xffffe00060b59bd0]09:10:22.152 5 ACPI.sys[fffff800eef2ac21] -> nt!IofCallDriver -> [0xffffe00060b57790]09:10:22.152 7 ACPI.sys[fffff800eef2ac21] -> nt!IofCallDriver -> \Device\00000034[0xffffe00060b56060]09:10:22.574 AVAST engine scan C:\windows09:10:22.590 AVAST engine scan C:\windows\system3209:10:22.590 AVAST engine scan C:\windows\system32\drivers09:10:22.590 AVAST engine scan C:\Users\Administrator09:10:22.605 AVAST engine scan C:\ProgramData09:10:22.605 Disk 0 statistics 210/0/0 @ 6.41 MB/s09:10:22.605 Scan finished successfully09:10:38.307 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"09:10:38.307 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt" Link to post Share on other sites More sharing options...
Maniac Posted September 8, 2015 ID:987797 Share Posted September 8, 2015 This is the right log file. How is your system now? Link to post Share on other sites More sharing options...
yellowdog232 Posted September 8, 2015 Author ID:987892 Share Posted September 8, 2015 seems good. Link to post Share on other sites More sharing options...
Maniac Posted September 12, 2015 ID:989258 Share Posted September 12, 2015 Glad I could help! Last steps: Step 1 Please download DelFix by Xplode and save it to your desktop. Please launch it and make sure that this one is checked: Remove disinfection tools. Click on Run button. The program will run for a few seconds and display a notepad report. You do not need to attach it. Step 2 Malware preventions: https://forums.malwarebytes.org/index.php?/topic/81386-so-how-did-i-get-infected-in-the-first-place/ Safe surfing! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 30, 2015 Root Admin ID:1009803 Share Posted December 30, 2015 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts