PDA

View Full Version : firefox IE hijacked proxy



mchase
2014-11-14, 08:57
Earlier I had an IE Proxy Hijack. I thought I had fixed it but it or something similar has raised its head again.

see:
http://forums.spybot.info/showthread.php?71114-IE-hijacked-proxy&p=457423&highlight=#post457423

IE and Firefox cannot connect to the web. If I restore my system to an earlier date of about 10 days ago Firefox will be able to connect to the web.
It comes up with The front page as the trovi.com search engine. Later I think Norton tries to remove the hijacker and Firefox loses connection to the internet again. IE complains it cannot connect to the proxy server, which as far as I know should not exist. I am now working of another computer and moving stuff with a flash drive to the effected one. So I cannot update aswMBR when it asks.

I have a 64bit W7 Machine

I ran minitoolbox and flushed the dns and reset IE:

------------------------------------------------------------
------------------------------------------------------------
MiniToolBox by Farbar Version: 21-07-2014
Ran by HANA (administrator) on 13-11-2014 at 22:22:09
Running from "F:\malware"
Microsoft Windows 7 Professional Service Pack 1 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

**** End of log ****
--------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------

I then ran aswMBR here is the Log:

---------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------
aswMBR version 1.0.1.2201 Copyright(c) 2014 AVAST Software
Run date: 2014-11-13 22:25:42
-----------------------------
22:25:42.090 OS Version: Windows 6.1.7601 Service Pack 1
22:25:42.090 Number of processors: 2 586 0x6B02
22:25:42.090 ComputerName: HANA-PC UserName: HANA
22:25:42.652 Initialize success
22:25:42.652 VM: initialized successfully
22:25:42.652 VM: Amd CPU virtualization not supported
22:25:45.522 AVAST engine download error: 0
22:26:10.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
22:26:10.046 Disk 0 Vendor: ST325031 3.AH Size: 238475MB BusType: 3
22:26:10.139 Disk 0 MBR read successfully
22:26:10.139 Disk 0 MBR scan
22:26:10.155 Disk 0 Windows 7 default MBR code
22:26:10.155 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114668 MB offset 63
22:26:10.170 Disk 0 Boot: NTFS code=1
22:26:10.186 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 113550 MB offset 234842112
22:26:10.217 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10244 MB offset 467395110
22:26:10.217 Disk 0 scanning sectors +488376000
22:26:10.358 Disk 0 scanning C:\Windows\system32\drivers
22:26:16.176 Service scanning
22:26:18.048 Service BHDrvx86 C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\BASHDefs\20141107.001\BHDrvx86.sys **LOCKED** 5
22:26:18.423 Service ccSet_NIS C:\Windows\system32\drivers\NIS\1506000.020\ccSetx86.sys **LOCKED** 5
22:26:19.421 Service eeCtrl C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys **LOCKED** 5
22:26:19.718 Service EraserUtilRebootDrv C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5
22:26:21.434 Service IDSVix86 C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\IPSDefs\20141112.001\IDSvix86.sys **LOCKED** 5
22:26:24.507 Service NAVENG C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141112.020\NAVENG.SYS **LOCKED** 5
22:26:24.569 Service NAVEX15 C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141112.020\NAVEX15.SYS **LOCKED** 5
22:26:28.937 Service SRTSPX C:\Windows\system32\drivers\NIS\1506000.020\SRTSPX.SYS **LOCKED** 5
22:26:29.312 Service SymDS C:\Windows\system32\drivers\NIS\1506000.020\SYMDS.SYS **LOCKED** 5
22:26:29.468 Service SymEvent C:\Windows\system32\Drivers\SYMEVENT.SYS **LOCKED** 5
22:26:29.530 Service SymIRON C:\Windows\system32\drivers\NIS\1506000.020\Ironx86.SYS **LOCKED** 5
22:26:29.577 Service SymNetS C:\Windows\System32\Drivers\NIS\1506000.020\SYMNETS.SYS **LOCKED** 5
22:26:33.399 Modules scanning
22:26:39.467 Disk 0 trace - called modules:
22:26:39.483 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor32.sys
22:26:39.498 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x864a91c0]
22:26:39.498 3 CLASSPNP.SYS[8b46759e] -> nt!IofCallDriver -> [0x85df7b40]
22:26:39.514 5 ACPI.sys[833923d4] -> nt!IofCallDriver -> \Device\00000063[0x85dbda70]
22:26:39.514 Disk 0 statistics 182483/0/0 @ 8.11 MB/s
22:26:39.530 Scan finished successfully
22:26:53.070 Disk 0 MBR has been saved successfully to "F:\malware\MBR.dat"
22:26:53.133 The log file has been saved successfully to "F:\malware\aswMBR.txt"

---------------------------------------------------------------------
---------------------------------------------------------------------
Anything starting with service is highlighted in yellow. Should I shut off Norton?


Thanks -m

shelf life
2014-11-14, 19:48
hi,

You can try this; on the machine in question set IE back to its defaults. If you click on the "gear" looking icon or tools>internet options, under the connections tab Click on LAN settings and make sure Use a proxy server is not checked. If it is uncheck it. Then under the advanced tab click on the Reset button.

Laucnh IE and if you get a connection download and run Adwcleaner, or you can download it to a flash drive and transfer it to the machine in question.

Please download Adwcleaner.exe (http://www.bleepingcomputer.com/download/adwcleaner/) to your desktop.
Right click on AdwCleaner.exe, select "run as admin"
Click on the Scan button
Once the scan is done click on the Clean button
Machine may prompt for a reboot to finish the removal process.
At restart a log will be displayed that you can copy/paste in your reply
You can also find the logfile at C:\AdwCleaner[R1, R2].txt as well

Lets see what that drags up and we will go from there.

mchase
2014-11-15, 04:40
IE does not let me uncheck the Use proxy nor allow me to delete the proxies it has set 127.0.0.1:8800

I scanned anyway with AdwClean. OK, partial success. After the scan Firefox came back alive,
but IE is still stuck trying to connect to the proxy. Re are the AdwClean log files:

_______________________________________________________________________________________
AdwClean[0].txt:

# AdwCleaner v4.101 - Report created 14/11/2014 at 18:15:48
# Updated 09/11/2014 by Xplode
# Database : 2014-11-07.1 [Local]
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : HANA - HANA-PC
# Running from : F:\malware\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\UpdatusUser\Desktop\YouTube Accelerator.lnk
Folder Found : C:\ProgramData\pastaleads
Folder Found : C:\Users\HANA\AppData\LocalLow\HPAppData
Folder Found : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Alerts
Folder Found : C:\Users\HANA\AppData\Roaming\Systweak
Folder Found : C:\Users\HANA\AppData\Roaming\VOPackage

***** [ Scheduled Tasks ] *****

Task Found : BrowserSafeguard Update Task
Task Found : LaunchSignup
Task Found : Smp
Task Found : YTAUpdate_logon

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\systweak
Key Found : HKLM\SOFTWARE\BrowserSafeGuard
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
Key Found : HKLM\SOFTWARE\NpApp
Key Found : HKLM\SOFTWARE\systweak
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Mozilla Firefox v32.0.3 (x86 en-US)


*************************

AdwCleaner[R0].txt - [3258 octets] - [14/11/2014 18:15:48]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3318 octets] ##########
__________________________________________________________________________________________________________________
AdwClean[S0].txt:

# AdwCleaner v4.101 - Report created 14/11/2014 at 18:18:01
# Updated 09/11/2014 by Xplode
# Database : 2014-11-07.1 [Local]
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)
# Username : HANA - HANA-PC
# Running from : F:\malware\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\pastaleads
Folder Deleted : C:\Users\HANA\AppData\LocalLow\HPAppData
Folder Deleted : C:\Users\HANA\AppData\Roaming\Systweak
Folder Deleted : C:\Users\HANA\AppData\Roaming\VOPackage
Folder Deleted : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Alerts
File Deleted : C:\Users\UpdatusUser\Desktop\YouTube Accelerator.lnk

***** [ Scheduled Tasks ] *****

Task Deleted : BrowserSafeguard Update Task
Task Deleted : LaunchSignup
Task Deleted : Smp
Task Deleted : YTAUpdate_logon

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox (Safe Mode).lnk
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox.lnk
Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\systweak
Key Deleted : HKLM\SOFTWARE\BrowserSafeGuard
Key Deleted : HKLM\SOFTWARE\NpApp
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17420


-\\ Mozilla Firefox v32.0.3 (x86 en-US)


*************************

AdwCleaner[R0].txt - [3398 octets] - [14/11/2014 18:15:48]
AdwCleaner[S0].txt - [4111 octets] - [14/11/2014 18:18:01]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4171 octets] ##########

________________________________________________________________________________________

Thanks -m

mchase
2014-11-15, 04:42
Sorry, forgot to tell you, I did the IE reset as well after trying to uncheck the Use Proxy.

Cheers -m

shelf life
2014-11-15, 05:05
Lets get two more downloads to use. One is Roguekiller and the other is FRST.

1) Roguekiller:

Please download RogueKillerX64.exe and save to the desktop.
Close all windows and browsers
Right-click the program and select 'Run as Admin'
A prescan will start automatically.
Once the prescan is done click on the Scan button
When done press the Report button.
Please copy and past the results in your next reply.
File>Exit to quit RogueKiller.

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

2) FRST:

Please download Farbar Recovery Scan Tool and save it to your Desktop.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
When the tool opens
When the tool opens click Yes to disclaimer.
Press the Scan button.
When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
Please copy and paste the log in your next reply.

The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.

mchase
2014-11-15, 06:29
Below is the RogueKiller Log:

RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : HANA [Administrator]
Mode : Scan -- Date : 11/14/2014 20:14:49

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x867977a8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x86797840
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x86797ea0
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x866e2ab0
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x86797220
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x867975d0
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x86796e20
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x867503d8
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x86796ec8
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x867972b8
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x86797fc0
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x86797d30
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x86797678
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x86797710
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x86660958
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x86797c78
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x86797538
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x8676a1d8
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x86797f48
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x86797408
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x8676a130
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x86796f80
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x86796d78
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x86796cd0
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x867978d8
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x86797aa0
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x86797b38
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x86797350
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x867974a0
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x86797970
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x86753a08
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[371] : Unknown @ 0x86797a08
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x86797be0
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x86797dd8
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x865fc768
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x876ada68
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x865fb250
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x865fe3a0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x876a46d8
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x865f8378
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x87686570
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x876abe00
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x876a5080
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x876ace00

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] u92pxgrv.default-1410655612957 : user_pref("browser.startup.homepage", "www.google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST325031 0AS SCSI Disk Device +++++
--- User ---
[MBR] af0f544114c0de711784d3ce2993ae63
[BSP] 8f4f837cf063111c987661cb4b876d36 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114668 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 234842112 | Size: 113550 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 467395110 | Size: 10244 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Generic Flash Disk USB Device +++++
--- User ---
[MBR] 4b1dc1298a474d448019742e4b214bd4
[BSP] fdbeab4aaf2ffaee89afb02bfc9c9d8e : Legit.Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 3899 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

________________________________________________________________________________________
Below is the FRST log file:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01
Ran by HANA (administrator) on HANA-PC on 14-11-2014 20:18:01
Running from F:\malware
Loaded Profiles: HANA & UpdatusUser (Available profiles: HANA & UpdatusUser)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Sage Software, Inc.) C:\Program Files\Sage Software\Peachtree\SmartPostingService2010.exe
(Pervasive Software Inc.) C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
() C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\UniKey\UniKeyNT.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
(Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
(Intuit Inc.) C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE
(Sony Corporation) C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
() C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
(Yahoo! Inc.) C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
(Intuit, Inc.) C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBHelp.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [1394440 2010-08-09] (Intuit Inc. All rights reserved.)
HKLM\...\Run: [PeachtreePrefetcher.exe] => C:\Program Files\Sage Software\Peachtree\PeachtreePrefetcher.exe [23040 2009-02-19] (Sage Software, Inc.)
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\Run: [UniKey] => C:\Program Files\UniKey\UniKeyNT.exe [217088 2006-04-18] ()
HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\Run: [mtd2002Svr] => C:\Program Files\mtd2002\mtdserver.exe [544768 2002-10-05] ()
HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\MountPoints2: {7dde3ded-24fd-11e4-8831-001f29363fc4} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\MountPoints2: {98c2114b-4c56-11e3-9b6b-001f29363fc4} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [UniKey] => C:\Program Files\UniKey\UniKeyNT.exe [217088 2006-04-18] ()
HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [Logitech Vid] => "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [mtd2002Svr] => C:\Program Files\mtd2002\mtdserver.exe [544768 2002-10-05] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
ShortcutTarget: QuickBooks Web Connector.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe (Intuit)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
Startup: C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
ShortcutTarget: PMB Media Check Tool.lnk -> C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 192.168.1.254 192.168.11.1
Tcpip\..\Interfaces\{ECD732D2-4AF2-43E2-B8F9-19812C89FB7D}: [NameServer] 208.67.222.222,208.67.220.220

FireFox:
========
FF ProfilePath: C:\Users\HANA\AppData\Roaming\Mozilla\Firefox\Profiles\u92pxgrv.default-1410655612957
FF SearchEngineOrder.3: Google
FF Homepage: www.google.com
FF NetworkProxy: "type", 0
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\ddg.xml
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-08-31]
FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn [2014-11-14]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-22]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
R2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
R2 Peachtree SmartPosting 2010; C:\Program Files\Sage Software\Peachtree\SmartPostingService2010.exe [38400 2009-02-19] (Sage Software, Inc.) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 psqlWGE; C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435496 2009-02-19] (Pervasive Software Inc.)
S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\BASHDefs\20141107.001\BHDrvx86.sys [1138392 2014-11-07] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1506000.020\ccSetx86.sys [127064 2014-02-20] (Symantec Corporation)
R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-09-12] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-09-12] (Symantec Corporation)
R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\IPSDefs\20141114.001\IDSvix86.sys [476888 2014-09-12] (Symantec Corporation)
R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-06] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-10-01] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-11-14] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-10-01] (Malwarebytes Corporation)
R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141114.017\NAVENG.SYS [95704 2014-11-12] (Symantec Corporation)
R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141114.017\NAVEX15.SYS [1636696 2014-11-12] (Symantec Corporation)
R3 SRTSP; C:\Windows\System32\Drivers\NIS\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NIS\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NIS\1506000.020\SYMDS.SYS [367704 2014-07-22] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NIS\1506000.020\SYMEFA.SYS [936152 2014-07-22] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-09-13] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NIS\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NIS\1506000.020\SYMNETS.SYS [447704 2014-07-22] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-14 20:17 - 2014-11-14 20:18 - 00000000 ____D () C:\FRST
2014-11-14 19:56 - 2014-11-14 19:57 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-11-14 19:56 - 2014-11-14 19:56 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-11-14 18:16 - 2014-11-14 18:14 - 02140160 _____ () C:\Users\HANA\Desktop\AdwCleaner.exe
2014-11-14 18:15 - 2014-11-14 18:18 - 00000000 ____D () C:\AdwCleaner
2014-11-14 18:08 - 2014-11-14 18:08 - 00000000 __SHD () C:\Users\HANA\AppData\Local\EmieBrowserModeList
2014-11-13 17:21 - 2014-11-13 17:21 - 00186584 _____ () C:\Users\HANA\AppData\Local\GDIPFONTCACHEV1.DAT
2014-11-13 00:51 - 2014-11-14 19:39 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-13 00:50 - 2014-11-13 00:50 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-13 00:50 - 2014-11-13 00:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-13 00:50 - 2014-11-13 00:50 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-13 00:50 - 2014-10-01 11:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-13 00:50 - 2014-10-01 11:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-13 00:50 - 2014-10-01 11:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-13 00:37 - 2014-11-13 00:38 - 00000079 _____ () C:\Windows\wininit.ini
2014-11-13 00:33 - 2014-11-13 17:23 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-11-13 00:20 - 2014-10-17 17:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-13 00:20 - 2014-10-13 17:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-13 00:20 - 2014-08-11 17:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-13 00:19 - 2014-10-09 16:45 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-13 00:19 - 2014-10-02 17:44 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-13 00:19 - 2014-10-02 17:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-13 00:19 - 2014-10-02 17:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-13 00:19 - 2014-10-02 17:44 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-13 00:19 - 2014-10-02 17:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-13 00:19 - 2014-09-19 01:23 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-13 00:19 - 2014-09-19 01:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-13 00:19 - 2014-09-19 01:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-13 00:19 - 2014-09-19 01:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-13 00:19 - 2014-09-19 01:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-13 00:19 - 2014-09-19 01:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-13 00:19 - 2014-09-19 01:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-13 00:19 - 2014-08-20 22:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-13 00:19 - 2014-08-20 22:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-13 00:18 - 2014-11-05 09:50 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-13 00:18 - 2014-11-05 09:50 - 00203776 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-13 00:18 - 2014-11-05 09:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-13 00:17 - 2014-10-24 17:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-13 00:17 - 2014-10-13 17:56 - 00136632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-13 00:17 - 2014-10-13 17:50 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-13 00:17 - 2014-10-13 17:50 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-13 00:17 - 2014-10-13 17:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-13 00:17 - 2014-10-13 17:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-13 00:16 - 2014-11-07 11:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-13 00:16 - 2014-11-05 19:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-13 00:16 - 2014-11-05 19:28 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-13 00:16 - 2014-11-05 19:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-13 00:16 - 2014-11-05 19:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-13 00:16 - 2014-11-05 19:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-13 00:16 - 2014-11-05 19:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-13 00:16 - 2014-11-05 19:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-13 00:16 - 2014-11-05 19:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-13 00:16 - 2014-11-05 19:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-13 00:16 - 2014-11-05 19:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-13 00:16 - 2014-11-05 19:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-13 00:16 - 2014-11-05 18:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-13 00:16 - 2014-11-05 18:59 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-13 00:16 - 2014-11-05 18:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-13 00:16 - 2014-11-05 18:51 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-13 00:16 - 2014-11-05 18:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-13 00:16 - 2014-11-05 18:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-13 00:16 - 2014-11-05 18:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-13 00:16 - 2014-11-05 18:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-13 00:16 - 2014-11-05 18:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-13 00:16 - 2014-11-05 18:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-13 00:16 - 2014-11-05 18:22 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-13 00:16 - 2014-11-05 18:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-13 00:16 - 2014-11-05 18:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-13 00:16 - 2014-11-05 18:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-13 00:16 - 2014-11-05 18:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-13 00:16 - 2014-11-05 17:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-13 00:16 - 2014-11-05 17:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-13 00:16 - 2014-11-05 17:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-10-22 23:36 - 2014-10-22 23:37 - 00455706 _____ () C:\Users\HANA\Downloads\ACCT-567-14503 - Gvt & Not for Profit Acct files(1).zip

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-14 19:38 - 2013-09-16 21:57 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs
2014-11-14 19:38 - 2013-08-31 19:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-14 19:38 - 2013-08-31 17:33 - 01167280 _____ () C:\Windows\WindowsUpdate.log
2014-11-14 18:37 - 2009-07-13 20:34 - 00033936 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-14 18:37 - 2009-07-13 20:34 - 00033936 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-14 18:28 - 2010-11-20 13:01 - 00783040 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-14 18:20 - 2013-08-31 17:57 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-14 18:20 - 2010-11-20 13:48 - 01210118 _____ () C:\Windows\PFRO.log
2014-11-14 18:20 - 2009-07-13 20:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-14 18:20 - 2009-07-13 20:39 - 00048626 _____ () C:\Windows\setupact.log
2014-11-14 18:18 - 2013-09-01 17:55 - 00001140 _____ () C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-11-14 18:18 - 2013-08-31 17:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox
2014-11-13 17:23 - 2013-08-31 17:57 - 00001117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2014-11-13 17:23 - 2013-08-31 17:49 - 00001105 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-11-13 03:41 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-13 03:36 - 2009-07-13 20:53 - 00017902 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-13 03:32 - 2014-09-24 22:44 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-11-13 03:32 - 2009-07-13 20:33 - 00618040 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-13 03:30 - 2014-05-06 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-13 03:14 - 2013-08-31 18:00 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-11-13 03:06 - 2013-09-01 16:54 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-13 03:02 - 2013-09-01 16:54 - 100445232 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-13 03:02 - 2013-08-31 19:24 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-13 03:02 - 2013-08-31 19:24 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-11-13 00:38 - 2014-09-24 22:45 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-11-13 00:36 - 2013-08-31 19:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
2014-11-13 00:36 - 2013-08-31 19:14 - 00000000 ____D () C:\Program Files\Logitech
2014-11-13 00:07 - 2013-08-31 16:38 - 00000000 ____D () C:\Users\HANA
2014-11-13 00:06 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-11-13 00:05 - 2013-10-27 18:27 - 00000000 ____D () C:\Users\HANA\AppData\Local\Intuit
2014-11-13 00:05 - 2013-08-31 19:25 - 00000000 ____D () C:\ProgramData\Norton
2014-11-13 00:05 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-11-13 00:04 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\registration
2014-11-11 20:05 - 2010-11-20 16:47 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-11-11 16:45 - 2013-09-08 14:34 - 00000000 ____D () C:\Users\HANA\AppData\Local\CrashDumps
2014-10-15 03:25 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\rescache

Some content of TEMP:
====================
C:\Users\HANA\AppData\Local\Temp\dllnt_dump.dll
C:\Users\HANA\AppData\Local\Temp\ose00000.exe
C:\Users\HANA\AppData\Local\Temp\_is17CF.exe
C:\Users\HANA\AppData\Local\Temp\_is47E.exe
C:\Users\HANA\AppData\Local\Temp\_is6A23.exe
C:\Users\HANA\AppData\Local\Temp\_is7450.exe
C:\Users\HANA\AppData\Local\Temp\_is895E.exe
C:\Users\HANA\AppData\Local\Temp\_isB96B.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-11-09 20:19

==================== End Of Log ============================

____________________________________________________________
Below is the FRST Addtion Log file:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-11-2014 01
Ran by HANA at 2014-11-14 20:18:46
Running from F:\malware
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Internet Security (Disabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
AS: Norton Internet Security (Disabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
6500_E709_eDocs (Version: 1.00.0000 - Hewlett-Packard) Hidden
6500_E709_Help (Version: 1.00.0000 - Hewlett-Packard) Hidden
6500_E709a (Version: 140.0.000.000 - Hewlett-Packard) Hidden
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Audacity 2.0.5 (HKLM\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
bpd_scan (Version: 3.00.0000 - Hewlett-Packard) Hidden
BPDSoftware (Version: 140.0.000.000 - Hewlett-Packard) Hidden
BPDSoftware_Ini (Version: 1.00.0000 - Hewlett-Packard) Hidden
Brother MFL-Pro Suite HL-2280DW (HKLM\...\{3ACCCFB3-7B17-4E9F-ACB0-46868FCD4487}) (Version: 1.1.3.0 - Brother Industries, Ltd.)
BufferChm (Version: 140.0.213.000 - Hewlett-Packard) Hidden
COWON Media Center - jetAudio Plus VX (HKLM\...\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}) (Version: 8.0.6 - COWON)
Crystal Reports 2008 Runtime SP1 (HKLM\...\{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}) (Version: 12.1.0.882 - Business Objects)
Destinations (Version: 130.0.0.0 - Hewlett-Packard) Hidden
DeviceDiscovery (Version: 140.0.213.000 - Hewlett-Packard) Hidden
DocMgr (Version: 140.0.65.000 - Hewlett-Packard) Hidden
DocProc (Version: 140.0.100.000 - Hewlett-Packard) Hidden
Fax (Version: 140.0.213.000 - Hewlett-Packard) Hidden
FFmpeg v0.6.2 for Audacity (HKLM\...\FFmpeg for Audacity_is1) (Version: - )
GPBaseService2 (Version: 140.0.212.000 - Hewlett-Packard) Hidden
H&R Block Deluxe + Efile + State 2012 (HKLM\...\{89D20029-0578-4D8D-979A-695C8D868868}) (Version: 12.05.7803 - HRB Technology, LLC.)
HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP)
HP Document Manager 2.0 (HKLM\...\HP Document Manager) (Version: 2.0 - HP)
HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
HP Officejet 6500 E709 Series (HKLM\...\{58D79E62-CFC8-4331-8469-3A1B16E1769C}) (Version: 14.0 - HP)
HP Smart Web Printing 4.60 (HKLM\...\HP Smart Web Printing) (Version: 4.60 - HP)
HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
HP Update (HKLM\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
HPProductAssistant (Version: 140.0.213.000 - Hewlett-Packard) Hidden
HPSSupply (Version: 140.0.212.000 - Hewlett-Packard) Hidden
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
K-Lite Codec Pack 5.0.5 (Standard) (HKLM\...\KLiteCodecPack_is1) (Version: 5.0.5 - )
LADSPA_plugins-win-0.4.15 (HKLM\...\LADSPA_plugins-win_is1) (Version: - Audacity Team)
LAME v3.99.3 (for Windows) (HKLM\...\LAME_is1) (Version: - )
Logitech Webcam Software (HKLM\...\{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}) (Version: 12.10.1113 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
MarketResearch (Version: 140.0.214.000 - Hewlett-Packard) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Primary Interop Assemblies (HKLM\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Text-to-Speech Engine 4.0 (English) (HKLM\...\MSTTS) (Version: - )
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version: - Microsoft Corporation)
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 32.0.3 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Network (Version: 140.0.215.000 - Hewlett-Packard) Hidden
Norton Internet Security (HKLM\...\NIS) (Version: 21.6.0.32 - Symantec Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.6 - NVIDIA Corporation)
NVIDIA Graphics Driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)
NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
OCR Software by I.R.I.S. 14.0 (HKLM\...\HPOCR) (Version: 14.0 - HP)
Peachtree Accounting 2010 (Version: 17.00.00 - Sage Software, Inc.) Hidden
Peachtree Quantum 2010 - Accountants' Edition (HKLM\...\InstallShield_{51EF69CF-70D3-4142-993D-AA97F36484CC}) (Version: 17.00.00 - Sage Software, Inc.)
PeachTree Signature Ready Forms (Version: 6.3.0 - Sage Software SB, Inc.) Hidden
Pervasive PSQL v10.10 Workgroup (32-bit) (HKLM\...\Pervasive PSQL v10.10 Workgroup (32-bit)) (Version: 10.10.126 - Pervasive Software)
Pervasive PSQL v10.10 Workgroup (32-bit) (Version: 10.12.025 - Pervasive Software) Hidden
Primo (Version: 1.00.0000 - Your Company Name) Hidden
ProductContext (Version: 140.0.000.000 - Hewlett-Packard) Hidden
QuickBooks (Version: 21.0.4001.904 - Intuit Inc.) Hidden
QuickBooks Enterprise Solutions: Accountant Edition 11.0 (HKLM\...\{11E0AC7D-6829-4F67-865F-EE1C13D28C38}) (Version: 21.0.4001.904 - Intuit Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: - )
Runtime (Version: 1.00.0000 - Your Company Name) Hidden
Sage 50 Accounts 2009 (HKLM\...\InstallShield_{FC9D0B7B-5D95-411B-B14D-CD074E5CCA4A}) (Version: - )
Sage Message Center (HKLM\...\{6798DD4E-BD16-4735-87EB-D712637CCB8C}) (Version: 2.00.0000 - Sage Software Inc.)
Sage Software Integration Services (HKLM\...\Integration Services) (Version: 2.2.2240 - Sage Technology)
Scan (Version: 140.0.167.000 - Hewlett-Packard) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 14.0 - HP)
SmartWebPrinting (Version: 140.0.213.000 - Hewlett-Packard) Hidden
SolutionCenter (Version: 140.0.214.000 - Hewlett-Packard) Hidden
Sony Picture Utility (HKLM\...\{D5068583-D569-468B-9755-5FBF5848F46F}) (Version: 4.2.00.15030 - Sony Corporation)
Status (Version: 140.0.256.000 - Hewlett-Packard) Hidden
TeamViewer 8 (HKLM\...\TeamViewer 8) (Version: 8.0.20202 - TeamViewer)
TeraCopy 2.27 (HKLM\...\TeraCopy_is1) (Version: - Code Sector)
Toolbox (Version: 140.0.428.000 - Hewlett-Packard) Hidden
Total Commander (Remove or Repair) (HKLM\...\Totalcmd) (Version: 7.50a - Ghisler Software GmbH)
TrayApp (Version: 140.0.213.000 - Hewlett-Packard) Hidden
UniKey 4.0 NT (HKLM\...\UniKey) (Version: 4.0 NT - Pham Kim Long)
Uninstall LAC VIET mtd2002-EVA (HKLM\...\LAC VIET mtd2002-EVA_is1) (Version: 4.0 - LAC VIET Corp.)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
WebReg (Version: 140.0.213.017 - Hewlett-Packard) Hidden
Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )
Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
Yahoo! Software Update (HKLM\...\Yahoo! Software Update) (Version: - )
Yahoo! Toolbar (HKLM\...\Yahoo! Companion) (Version: - Yahoo! Inc.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{3E1A2BBD-5707-4646-B268-518B997DC94D}\localserver32 -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{B0FF20F1-C857-4EA5-A2B8-A85372879B3D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{b2b568c8-3712-4a75-b806-4b3c2fdb06d5}\localserver32 -> C:\Users\HANA\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IDriver.NonElevated.exe No F (the data entry has 3 more characters).
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

==================== Restore Points =========================

30-10-2014 21:19:44 Scheduled Checkpoint
10-11-2014 04:26:13 Scheduled Checkpoint
12-11-2014 04:02:00 Restore Operation
12-11-2014 04:13:11 Windows Update
13-11-2014 07:40:36 Removed Logitech Vid.
13-11-2014 08:01:10 Restore Operation
13-11-2014 08:11:52 Windows Update
13-11-2014 08:35:48 Removed Logitech Vid.
13-11-2014 11:01:09 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:04 - 2014-09-24 23:04 - 00450709 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com

There are 1000 more lines.


==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2A4E1A9F-BE6D-4E40-9F48-11C9815BE5E3} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe [2014-09-20] (Symantec Corporation)
Task: {466106E4-528B-4FBF-AF53-8D72CA996951} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-13] (Adobe Systems Incorporated)
Task: {5B964B40-5117-4AE7-8E49-15D9C27FDE34} - \PastaQuotes No Task File <==== ATTENTION
Task: {5C9539F2-0505-47E7-A09A-084154A3D66B} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files\Norton Identity Safe\Engine\2014.7.6.15\SymErr.exe
Task: {62622537-855A-434E-9A96-86B390D48E18} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {91E371A5-490C-4EAD-A0FA-FB5E292469CC} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files\Norton Identity Safe\Engine\2014.7.6.15\SymErr.exe
Task: {C499B6C1-4E60-4993-BE25-7D306DC11458} - \YTAUpdate No Task File <==== ATTENTION
Task: {EFBA3F68-9EF9-4FCC-81BA-D3E81F3ECF6D} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2013-08-31 18:16 - 2013-01-31 01:00 - 00079648 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
2009-02-19 15:27 - 2009-02-19 15:27 - 00383488 ____R () C:\Program Files\Sage Software\Peachtree\pchqb32.dll
2009-02-19 14:30 - 2009-02-19 14:30 - 00045056 ____R () C:\Program Files\Sage Software\Peachtree\ptsig.dll
2013-09-04 23:14 - 2013-09-04 23:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2006-04-18 15:53 - 2006-04-18 15:53 - 00188416 _____ () C:\Program Files\UniKey\UKHook40.dll
2009-10-14 11:36 - 2009-10-14 11:36 - 02793304 _____ () C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
2006-04-18 15:55 - 2006-04-18 15:55 - 00217088 _____ () C:\Program Files\UniKey\UniKeyNT.exe
2010-08-25 09:13 - 2010-08-25 09:13 - 00268064 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\boost_regex-vc90-mt-p-1_33.dll
2010-08-25 09:14 - 2010-08-25 09:14 - 00020256 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBCompressor.dll
2005-07-19 22:18 - 2005-07-19 22:18 - 00059904 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\zlib1.dll
2010-08-25 09:13 - 2010-08-25 09:13 - 00337184 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\BackupLib.dll
2010-08-25 09:14 - 2010-08-25 09:14 - 00124704 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBMAPILibrary.dll
2010-08-25 09:13 - 2010-08-25 09:13 - 00175904 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\boost_serialization-vc90-mt-p-1_33.dll
2010-08-25 09:14 - 2010-08-25 09:14 - 00041248 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\mbpopup.dll
2009-10-14 11:34 - 2009-10-14 11:34 - 00560472 _____ () C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
2013-08-31 19:24 - 2012-05-25 02:25 - 00921600 _____ () C:\Program Files\Yahoo!\Messenger\yui.dll
2014-11-13 00:33 - 2014-09-23 21:09 - 03715184 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:56E2E879

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-3606046635-1778293933-214485894-500 - Administrator - Disabled)
Guest (S-1-5-21-3606046635-1778293933-214485894-501 - Limited - Disabled)
HANA (S-1-5-21-3606046635-1778293933-214485894-1000 - Administrator - Enabled) => C:\Users\HANA
HomeGroupUser$ (S-1-5-21-3606046635-1778293933-214485894-1004 - Limited - Enabled)
UpdatusUser (S-1-5-21-3606046635-1778293933-214485894-1002 - Limited - Enabled) => C:\Users\UpdatusUser

==================== Faulty Device Manager Devices =============

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Centellax
Description: Flash Disk
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Generic
Service: WUDFRd
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/14/2014 06:23:43 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (11/14/2014 06:23:43 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (11/14/2014 06:23:43 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (11/14/2014 06:21:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/13/2014 05:20:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (11/13/2014 05:20:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (11/13/2014 05:20:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
Description: An unexpected error has occured in "QuickBooks":
Returning NULL QBWinInstance Handle

Error: (11/13/2014 03:36:51 AM) (Source: Schedule) (EventID: 0) (User: )
Description: Schedule error: 10106Initialize call failed, bailing out

Error: (11/13/2014 03:34:54 AM) (Source: Peachtree SmartPosting 2009) (EventID: 0) (User: )
Description: Service cannot be started. Pervasive.Data.SqlClient.PsqlException: A non-recoverable error occurred during a database lookup
at Pervasive.Data.SqlClient.PsqlConnection.Open()
at Sage.Peachtree.DataAccess.PervasiveDbManager.GetOperationContext(Boolean openConnection, ConnectionParameters parameters)
at Sage.SBD.ACS.Framework.DataAccess.DbManager.GetOperationContext(Boolean openConnection, String parameterSetName)
at Sage.Peachtree.SmartPostingService.Dispatcher.GetGlobalDBOContext()
at Sage.Peachtree.SmartPostingService.Dispatcher.Start()
at Sage.Peachtree.SmartPostingService.SmartPostingService.OnStart(String[] args)
at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (11/13/2014 03:33:49 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (11/14/2014 07:02:23 PM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
Description: The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.

Error: (11/14/2014 06:23:03 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

Error: (11/14/2014 06:19:07 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Print Spooler service failed to start due to the following error:
%%3

Error: (11/14/2014 06:18:37 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
%%1056

Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Pervasive PSQL Workgroup Engine service terminated unexpectedly. It has done this 1 time(s).

Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).

Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).

Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).

Error: (11/14/2014 06:18:07 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (11/14/2014 06:18:07 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.


Microsoft Office Sessions:
=========================
Error: (09/06/2014 03:16:14 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 239816 seconds with 780 seconds of active time. This session ended with a crash.

Error: (01/02/2014 11:55:53 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 16935 seconds with 13440 seconds of active time. This session ended with a crash.


==================== Memory info ===========================

Processor: AMD Athlon(tm) Dual Core Processor 4450B
Percentage of memory in use: 71%
Total physical RAM: 2942.49 MB
Available physical RAM: 851.73 MB
Total Pagefile: 5883.27 MB
Available Pagefile: 4174.34 MB
Total Virtual: 2047.88 MB
Available Virtual: 1898.29 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.98 GB) (Free:66.8 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (New Volume) (Fixed) (Total:110.89 GB) (Free:4.17 GB) NTFS
Drive f: (Centellax) (Removable) (Total:3.8 GB) (Free:0.81 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: D42AD42A)
Partition 1: (Active) - (Size=112 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=110.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 3.8 GB) (Disk ID: 000D826A)
Partition 1: (Not Active) - (Size=3.8 GB) - (Type=0C)

==================== End Of Log ============================
______________________________________________________________________

Cheers -m

shelf life
2014-11-15, 16:24
Hi,

We will use roguekiller again. Start it and after the pre-scan click the Scan button. Once the scan is done:
Under the Registry tab check the first two then click on the delete button. Then see how IE behaves.

[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Found

mchase
2014-11-15, 21:41
Hi,

So I reran RogueKiller. I scanned as before then looked under the registery tab. I clicked the two PUM proxy items and deleted them.

I tried IE and the results are the same, it is looking for the proxy server 127.0.0.1:8800.
I Still cannot uncheck use proxy. Trying to resetting IE does not help. I tried to reboot
and retest IE but the results are the same. I Rescanned using RogueKiller. When I looked under
the registry tab and the two items I deleted (PUM.PROXY) are definitely gone. However, when I look at the
RogueKiller scan report I still see the same items in the report. See attached:

______________________________________________________________________________________________
RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : HANA [Administrator]
Mode : Scan -- Date : 11/15/2014 10:51:42

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 18 ¤¤¤
[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Found
[PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/security_response/fix_homepage/index.jsp?lg=en&pid=NIS&pvid=20.4.0.40 -> Found
[PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 44 (Driver: Loaded) ¤¤¤
[SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x867977a8
[SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x86797840
[SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x86797ea0
[SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x866e2ab0
[SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x86797220
[SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x867975d0
[SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x86796e20
[SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x867503d8
[SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x86796ec8
[SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x867972b8
[SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x86797fc0
[SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x86797d30
[SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x86797678
[SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x86797710
[SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x86660958
[SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x86797c78
[SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x86797538
[SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x8676a1d8
[SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x86797f48
[SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x86797408
[SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x8676a130
[SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x86796f80
[SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x86796d78
[SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x86796cd0
[SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x867978d8
[SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x86797aa0
[SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x86797b38
[SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x86797350
[SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x867974a0
[SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x86797970
[SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x86753a08
[SSDT:Addr(Hook.SSDT)] NtTerminateThread[371] : Unknown @ 0x86797a08
[SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x86797be0
[SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x86797dd8
[ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x865fc768
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x876ada68
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x865fb250
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x865fe3a0
[ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x876a46d8
[ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x865f8378
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x87686570
[ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x876abe00
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x876a5080
[ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x876ace00

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] u92pxgrv.default-1410655612957 : user_pref("browser.startup.homepage", "www.google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST325031 0AS SCSI Disk Device +++++
--- User ---
[MBR] af0f544114c0de711784d3ce2993ae63
[BSP] 8f4f837cf063111c987661cb4b876d36 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114668 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 234842112 | Size: 113550 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 467395110 | Size: 10244 MB
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: Generic Flash Disk USB Device +++++
--- User ---
[MBR] 4b1dc1298a474d448019742e4b214bd4
[BSP] fdbeab4aaf2ffaee89afb02bfc9c9d8e : Legit.Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 3899 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_11142014_201449.log - RKreport_SCN_11152014_103924.log - RKreport_DEL_11152014_104449.log


_____________________________________________________________________________________________________

Thanks -m

shelf life
2014-11-16, 00:11
Lets try this, although its a long shot. Shut down your antivirus, Norton- Malwarebytes, Spybot etc. Usually whats running will have a icon near the clock. Maybe a right click on the icon > exit.
This is just to be sure one of them is not interfering with the fix. Once its good, rerun Roguekiller like before and select the two entries under the registry tab. then click the delete button. See how it goes.

mchase
2014-11-16, 09:42
That looks like it worked. After the scan it acted like it was still there Still could not uncheck the use proxy.
However, after I did a reboot the Use proxy was unchecked and both IE and Firefox appeared to be working.
So that machine seems to be cured.

On the computer I am currently working I took a look at the Firefox Tools>options>Network>settings It has
"use system proxy settings" checked. However I do not seem to notice any ill effects. Should I worry?

Thanks -m

shelf life
2014-11-16, 16:50
Ok good. Having "use system proxy settings" checked shouldnt be a problem since the system dosn't have any settings. You could change it to No proxy if you wanted to or just leave it the way it is.
Does a updated Malwarebytes come up clean after a scan?

mchase
2014-11-19, 06:27
All looks fine, Malware reports everything is clean. Thanks for your help.

-m

shelf life
2014-11-20, 03:17
Ok your welcome. One last thing you can do to remove the tools we used:

Please download Delfix.exe by Xplode and save it to your desktop.
https://toolslib.net/downloads/viewdownload/2-delfix/
Start it and check the box next to "Remove disinfection tools" and click on the run button.
The tool will delete itself once it finishes.

Some prevention tips in link below. Happy safe surfing out there.