
Thread: firefox IE hijacked proxy

  1. #1
    Junior Member
    Join Date
    Nov 2007
    Location
    California
    Posts
    23

    firefox IE hijacked proxy

    Earlier I had an IE Proxy Hijack. I thought I had fixed it but it or something similar has raised its head again.

    see:
    http://forums.spybot.info/showthread...ht=#post457423

    IE and Firefox cannot connect to the web. If I restore my system to an earlier date of about 10 days ago Firefox will be able to connect to the web.
    It comes up with the front page as the trovi.com search engine. Later I think Norton tries to remove the hijacker and Firefox loses connection to the internet again. IE complains it cannot connect to the proxy server, which as far as I know should not exist. I am now working off another computer and moving stuff with a flash drive to the affected one. So I cannot update aswMBR when it asks.

    I have a 64bit W7 Machine

    I ran minitoolbox and flushed the dns and reset IE:

    ------------------------------------------------------------
    ------------------------------------------------------------
    MiniToolBox by Farbar Version: 21-07-2014
    Ran by HANA (administrator) on 13-11-2014 at 22:22:09
    Running from "F:\malware"
    Microsoft Windows 7 Professional Service Pack 1 (X86)
    Boot Mode: Normal
    ***************************************************************************

    ========================= Flush DNS: ===================================

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    "Reset IE Proxy Settings": IE Proxy Settings were reset.

    **** End of log ****
    --------------------------------------------------------------------------------------
    -----------------------------------------------------------------------------------------

    I then ran aswMBR here is the Log:

    ---------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------
    aswMBR version 1.0.1.2201 Copyright(c) 2014 AVAST Software
    Run date: 2014-11-13 22:25:42
    -----------------------------
    22:25:42.090 OS Version: Windows 6.1.7601 Service Pack 1
    22:25:42.090 Number of processors: 2 586 0x6B02
    22:25:42.090 ComputerName: HANA-PC UserName: HANA
    22:25:42.652 Initialize success
    22:25:42.652 VM: initialized successfully
    22:25:42.652 VM: Amd CPU virtualization not supported
    22:25:45.522 AVAST engine download error: 0
    22:26:10.046 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
    22:26:10.046 Disk 0 Vendor: ST325031 3.AH Size: 238475MB BusType: 3
    22:26:10.139 Disk 0 MBR read successfully
    22:26:10.139 Disk 0 MBR scan
    22:26:10.155 Disk 0 Windows 7 default MBR code
    22:26:10.155 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114668 MB offset 63
    22:26:10.170 Disk 0 Boot: NTFS code=1
    22:26:10.186 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 113550 MB offset 234842112
    22:26:10.217 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10244 MB offset 467395110
    22:26:10.217 Disk 0 scanning sectors +488376000
    22:26:10.358 Disk 0 scanning C:\Windows\system32\drivers
    22:26:16.176 Service scanning
    22:26:18.048 Service BHDrvx86 C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\BASHDefs\20141107.001\BHDrvx86.sys **LOCKED** 5
    22:26:18.423 Service ccSet_NIS C:\Windows\system32\drivers\NIS\1506000.020\ccSetx86.sys **LOCKED** 5
    22:26:19.421 Service eeCtrl C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys **LOCKED** 5
    22:26:19.718 Service EraserUtilRebootDrv C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5
    22:26:21.434 Service IDSVix86 C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\IPSDefs\20141112.001\IDSvix86.sys **LOCKED** 5
    22:26:24.507 Service NAVENG C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141112.020\NAVENG.SYS **LOCKED** 5
    22:26:24.569 Service NAVEX15 C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141112.020\NAVEX15.SYS **LOCKED** 5
    22:26:28.937 Service SRTSPX C:\Windows\system32\drivers\NIS\1506000.020\SRTSPX.SYS **LOCKED** 5
    22:26:29.312 Service SymDS C:\Windows\system32\drivers\NIS\1506000.020\SYMDS.SYS **LOCKED** 5
    22:26:29.468 Service SymEvent C:\Windows\system32\Drivers\SYMEVENT.SYS **LOCKED** 5
    22:26:29.530 Service SymIRON C:\Windows\system32\drivers\NIS\1506000.020\Ironx86.SYS **LOCKED** 5
    22:26:29.577 Service SymNetS C:\Windows\System32\Drivers\NIS\1506000.020\SYMNETS.SYS **LOCKED** 5
    22:26:33.399 Modules scanning
    22:26:39.467 Disk 0 trace - called modules:
    22:26:39.483 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll storport.sys nvstor32.sys
    22:26:39.498 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x864a91c0]
    22:26:39.498 3 CLASSPNP.SYS[8b46759e] -> nt!IofCallDriver -> [0x85df7b40]
    22:26:39.514 5 ACPI.sys[833923d4] -> nt!IofCallDriver -> \Device\00000063[0x85dbda70]
    22:26:39.514 Disk 0 statistics 182483/0/0 @ 8.11 MB/s
    22:26:39.530 Scan finished successfully
    22:26:53.070 Disk 0 MBR has been saved successfully to "F:\malware\MBR.dat"
    22:26:53.133 The log file has been saved successfully to "F:\malware\aswMBR.txt"

    ---------------------------------------------------------------------
    ---------------------------------------------------------------------
    Anything starting with service is highlighted in yellow. Should I shut off Norton?


    Thanks -m

  2. #2
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    hi,

    You can try this: on the machine in question, set IE back to its defaults. If you click on the "gear" looking icon or Tools > Internet Options, under the Connections tab click on LAN settings and make sure "Use a proxy server" is not checked. If it is, uncheck it. Then under the Advanced tab click on the Reset button.

    Launch IE and if you get a connection, download and run Adwcleaner, or you can download it to a flash drive and transfer it to the machine in question.

    Please download Adwcleaner.exe to your desktop.
    Right click on AdwCleaner.exe, select "run as admin"
    Click on the Scan button
    Once the scan is done click on the Clean button
    Machine may prompt for a reboot to finish the removal process.
    At restart a log will be displayed that you can copy/paste in your reply
    You can also find the logfile at C:\AdwCleaner[R1, R2].txt as well

    Let's see what that drags up and we will go from there.
    How Can I Reduce My Risk?

  3. #3
    Junior Member
    Join Date
    Nov 2007
    Location
    California
    Posts
    23


    IE does not let me uncheck the Use proxy nor allow me to delete the proxies it has set 127.0.0.1:8800

    I scanned anyway with AdwClean. OK, partial success. After the scan Firefox came back alive,
    but IE is still stuck trying to connect to the proxy. Here are the AdwClean log files:

    _______________________________________________________________________________________
    AdwClean[0].txt:

    # AdwCleaner v4.101 - Report created 14/11/2014 at 18:15:48
    # Updated 09/11/2014 by Xplode
    # Database : 2014-11-07.1 [Local]
    # Operating System : Windows 7 Professional Service Pack 1 (32 bits)
    # Username : HANA - HANA-PC
    # Running from : F:\malware\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    File Found : C:\Users\UpdatusUser\Desktop\YouTube Accelerator.lnk
    Folder Found : C:\ProgramData\pastaleads
    Folder Found : C:\Users\HANA\AppData\LocalLow\HPAppData
    Folder Found : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Alerts
    Folder Found : C:\Users\HANA\AppData\Roaming\Systweak
    Folder Found : C:\Users\HANA\AppData\Roaming\VOPackage

    ***** [ Scheduled Tasks ] *****

    Task Found : BrowserSafeguard Update Task
    Task Found : LaunchSignup
    Task Found : Smp
    Task Found : YTAUpdate_logon

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKCU\Software\systweak
    Key Found : HKLM\SOFTWARE\BrowserSafeGuard
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Found : HKLM\SOFTWARE\Classes\S
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
    Key Found : HKLM\SOFTWARE\NpApp
    Key Found : HKLM\SOFTWARE\systweak
    Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17420


    -\\ Mozilla Firefox v32.0.3 (x86 en-US)


    *************************

    AdwCleaner[R0].txt - [3258 octets] - [14/11/2014 18:15:48]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3318 octets] ##########
    __________________________________________________________________________________________________________________
    AdwClean[S0].txt:

    # AdwCleaner v4.101 - Report created 14/11/2014 at 18:18:01
    # Updated 09/11/2014 by Xplode
    # Database : 2014-11-07.1 [Local]
    # Operating System : Windows 7 Professional Service Pack 1 (32 bits)
    # Username : HANA - HANA-PC
    # Running from : F:\malware\AdwCleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\pastaleads
    Folder Deleted : C:\Users\HANA\AppData\LocalLow\HPAppData
    Folder Deleted : C:\Users\HANA\AppData\Roaming\Systweak
    Folder Deleted : C:\Users\HANA\AppData\Roaming\VOPackage
    Folder Deleted : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Alerts
    File Deleted : C:\Users\UpdatusUser\Desktop\YouTube Accelerator.lnk

    ***** [ Scheduled Tasks ] *****

    Task Deleted : BrowserSafeguard Update Task
    Task Deleted : LaunchSignup
    Task Deleted : Smp
    Task Deleted : YTAUpdate_logon

    ***** [ Shortcuts ] *****

    Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox (Safe Mode).lnk
    Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox\Mozilla Firefox.lnk
    Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
    Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
    Shortcut Disinfected : C:\Users\HANA\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk

    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Classes\S
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
    Key Deleted : HKCU\Software\systweak
    Key Deleted : HKLM\SOFTWARE\BrowserSafeGuard
    Key Deleted : HKLM\SOFTWARE\NpApp
    Key Deleted : HKLM\SOFTWARE\systweak
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17420


    -\\ Mozilla Firefox v32.0.3 (x86 en-US)


    *************************

    AdwCleaner[R0].txt - [3398 octets] - [14/11/2014 18:15:48]
    AdwCleaner[S0].txt - [4111 octets] - [14/11/2014 18:18:01]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4171 octets] ##########

    ________________________________________________________________________________________

    Thanks -m
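
A read-only check of the symptom reported in post #3 (a 127.0.0.1:8800 proxy that IE keeps trying to reach), added here as an example and not posted by either participant. It lists the WinINET proxy values in HKCU, HKLM and the policy keys, and tests whether anything is actually listening on a loopback proxy port. The registry paths are the standard WinINET/IE locations rather than values taken from the thread, the function and variable names are this example's own, and the netstat match assumes English-language output.

```powershell
# Added example: read-only triage of the WinINET (IE) proxy configuration.
# It only reads the registry and netstat output; it changes nothing.

$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$polKey  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$uiKey   = 'Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-RegValue {
    # Return one registry value, or $null when the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

function ConvertFrom-ProxyServer {
    # Split a ProxyServer string into endpoints. Handles both forms:
    # "host:port" and "http=host:port;https=host:port".
    param([string]$ProxyServer)
    if ([string]::IsNullOrEmpty($ProxyServer)) { return }
    foreach ($entry in ($ProxyServer -split ';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        $scheme = 'all'
        $target = $entry
        if ($entry -match '^([^=]+)=(.+)$') {
            $scheme = $Matches[1]
            $target = $Matches[2]
        }
        $target = $target -replace '^[a-z]+://', ''
        $hostName, $port = $target -split ':', 2
        # Loopback test covers IPv4 127.x.x.x and "localhost" only.
        $isLoopback = ($hostName -match '^(127\.\d+\.\d+\.\d+|localhost)$')
        New-Object PSObject -Property @{
            Scheme   = $scheme
            HostName = $hostName
            Port     = $port
            Loopback = $isLoopback
        }
    }
}

function Get-ListenerPid {
    # PIDs of processes listening on the given TCP port, per "netstat -ano".
    param([string]$Port)
    $pattern = '^\s*TCP\s+\S+:' + [regex]::Escape($Port) + '\s+\S+\s+LISTENING\s+(\d+)'
    netstat -ano | Select-String -Pattern $pattern | ForEach-Object {
        [int]$_.Matches[0].Groups[1].Value
    } | Sort-Object -Unique
}

$report = foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in $inetKey, $polKey) {
        $path   = "${hive}:\$sub"
        $enable = Get-RegValue $path 'ProxyEnable'
        $server = Get-RegValue $path 'ProxyServer'
        foreach ($ep in @(ConvertFrom-ProxyServer $server)) {
            $listener = 'not checked (remote host)'
            if ($ep.Loopback -and $ep.Port) {
                $owners = @(Get-ListenerPid $ep.Port)
                if ($owners.Count -eq 0) {
                    # Setting points at this machine but no process serves it:
                    # every request through the proxy fails to connect.
                    $listener = 'NO LISTENER'
                } else {
                    $listener = ($owners | ForEach-Object {
                        $proc = Get-Process -Id $_ -ErrorAction SilentlyContinue
                        $proc.ProcessName + " (pid $_)"
                    }) -join ', '
                }
            }
            New-Object PSObject -Property @{
                Key         = $path
                ProxyEnable = $enable
                Scheme      = $ep.Scheme
                Endpoint    = $ep.HostName + ':' + $ep.Port
                Listener    = $listener
            }
        }
    }
}
$report | Format-Table Key, ProxyEnable, Scheme, Endpoint, Listener -AutoSize

# Policy values that take the proxy setting out of the user's hands.
$perUser = Get-RegValue "HKLM:\$polKey" 'ProxySettingsPerUser'
$uiLock  = foreach ($hive in 'HKCU', 'HKLM') { Get-RegValue "${hive}:\$uiKey" 'Proxy' }
if ($perUser -eq 0)      { 'ProxySettingsPerUser = 0: proxy is read machine-wide from HKLM.' }
if ($uiLock -contains 1) { 'Control Panel\Proxy = 1: proxy fields in Internet Options are locked by policy.' }
```

A row showing a loopback endpoint with `NO LISTENER` matches the "cannot connect to the proxy server" error; a row with a listener names the process to examine before any cleanup.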

  4. #4
    Junior Member
    Join Date
    Nov 2007
    Location
    California
    Posts
    23


    Sorry, forgot to tell you, I did the IE reset as well after trying to uncheck the Use Proxy.

    Cheers -m

  5. #5
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067


    Let's get two more downloads to use. One is Roguekiller and the other is FRST.

    1) Roguekiller:

    Please download RogueKillerX64.exe and save to the desktop.
    Close all windows and browsers
    Right-click the program and select 'Run as Admin'
    A prescan will start automatically.
    Once the prescan is done click on the Scan button
    When done press the Report button.
    Please copy and paste the results in your next reply.
    File>Exit to quit RogueKiller.

    http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe

    2) FRST:

    Please download Farbar Recovery Scan Tool and save it to your Desktop.

    http://www.bleepingcomputer.com/down...ery-scan-tool/

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

    Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
    When the tool opens click Yes to disclaimer.
    Press the Scan button.
    When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
    Please copy and paste the log in your next reply.

    The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
    How Can I Reduce My Risk?

  6. #6
    Junior Member
    Join Date
    Nov 2007
    Location
    California
    Posts
    23


    Below is the RogueKiller Log:

    RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : HANA [Administrator]
    Mode : Scan -- Date : 11/14/2014 20:14:49

    Processes : 0

    Registry : 18
    [PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Found
    [PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

    Tasks : 0

    Files : 0

    Hosts File : 0 [Too big!]

    Antirootkit : 44 (Driver: Loaded)
    [SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x867977a8
    [SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x86797840
    [SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x86797ea0
    [SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x866e2ab0
    [SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x86797220
    [SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x867975d0
    [SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x86796e20
    [SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x867503d8
    [SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x86796ec8
    [SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x867972b8
    [SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x86797fc0
    [SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x86797d30
    [SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x86797678
    [SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x86797710
    [SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x86660958
    [SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x86797c78
    [SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x86797538
    [SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x8676a1d8
    [SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x86797f48
    [SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x86797408
    [SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x8676a130
    [SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x86796f80
    [SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x86796d78
    [SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x86796cd0
    [SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x867978d8
    [SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x86797aa0
    [SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x86797b38
    [SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x86797350
    [SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x867974a0
    [SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x86797970
    [SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x86753a08
    [SSDT:Addr(Hook.SSDT)] NtTerminateThread[371] : Unknown @ 0x86797a08
    [SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x86797be0
    [SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x86797dd8
    [ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x865fc768
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x876ada68
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x865fb250
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x865fe3a0
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x876a46d8
    [ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x865f8378
    [ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x87686570
    [ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x876abe00
    [ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x876a5080
    [ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x876ace00

    Web browsers : 1
    [PUM.HomePage][FIREFX:Config] u92pxgrv.default-1410655612957 : user_pref("browser.startup.homepage", "www.google.com"); -> Found

    MBR Check :
    +++++ PhysicalDrive0: ST325031 0AS SCSI Disk Device +++++
    --- User ---
    [MBR] af0f544114c0de711784d3ce2993ae63
    [BSP] 8f4f837cf063111c987661cb4b876d36 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114668 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 234842112 | Size: 113550 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 467395110 | Size: 10244 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([1] Incorrect function. )

    +++++ PhysicalDrive1: Generic Flash Disk USB Device +++++
    --- User ---
    [MBR] 4b1dc1298a474d448019742e4b214bd4
    [BSP] fdbeab4aaf2ffaee89afb02bfc9c9d8e : Legit.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 3899 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    ________________________________________________________________________________________
    Below is the FRST log file:

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01
    Ran by HANA (administrator) on HANA-PC on 14-11-2014 20:18:01
    Running from F:\malware
    Loaded Profiles: HANA & UpdatusUser (Available profiles: HANA & UpdatusUser)
    Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
    (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\mdm.exe
    (Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
    (Sage Software, Inc.) C:\Program Files\Sage Software\Peachtree\SmartPostingService2010.exe
    (Pervasive Software Inc.) C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
    (Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    (TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
    (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
    (Yahoo! Inc.) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    (Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
    () C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    (Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    () C:\Program Files\UniKey\UniKeyNT.exe
    (Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    (Intuit Inc.) C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    (Intuit) C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
    (Intuit Inc.) C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE
    (Sony Corporation) C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    (Symantec Corporation) C:\Program Files\Norton Internet Security\Engine\21.6.0.32\nis.exe
    () C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
    (Yahoo! Inc.) C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
    (Intuit, Inc.) C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBHelp.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [LogitechQuickCamRibbon] => C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe [2793304 2009-10-14] ()
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
    HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
    HKLM\...\Run: [] => [X]
    HKLM\...\Run: [Intuit SyncManager] => C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [1394440 2010-08-09] (Intuit Inc. All rights reserved.)
    HKLM\...\Run: [PeachtreePrefetcher.exe] => C:\Program Files\Sage Software\Peachtree\PeachtreePrefetcher.exe [23040 2009-02-19] (Sage Software, Inc.)
    HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
    HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\Run: [UniKey] => C:\Program Files\UniKey\UniKeyNT.exe [217088 2006-04-18] ()
    HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
    HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\Run: [mtd2002Svr] => C:\Program Files\mtd2002\mtdserver.exe [544768 2002-10-05] ()
    HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\MountPoints2: {7dde3ded-24fd-11e4-8831-001f29363fc4} - F:\LaunchU3.exe -a
    HKU\S-1-5-21-3606046635-1778293933-214485894-1000\...\MountPoints2: {98c2114b-4c56-11e3-9b6b-001f29363fc4} - F:\LaunchU3.exe -a
    HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [UniKey] => C:\Program Files\UniKey\UniKeyNT.exe [217088 2006-04-18] ()
    HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [Logitech Vid] => "C:\Program Files\Logitech\Logitech Vid\vid.exe" -bootmode
    HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [Messenger (Yahoo!)] => C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [6595928 2012-05-25] (Yahoo! Inc.)
    HKU\S-1-5-21-3606046635-1778293933-214485894-1002\...\Run: [mtd2002Svr] => C:\Program Files\mtd2002\mtdserver.exe [544768 2002-10-05] ()
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Intuit Data Protect.lnk
    ShortcutTarget: Intuit Data Protect.lnk -> C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe (Intuit)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Web Connector.lnk
    ShortcutTarget: QuickBooks Web Connector.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe (Intuit)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks_Standard_21.lnk
    ShortcutTarget: QuickBooks_Standard_21.lnk -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
    Startup: C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
    ShortcutTarget: PMB Media Check Tool.lnk -> C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe (Sony Corporation)
    BootExecute: autocheck autochk * sdnclean.exe

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
    BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
    BHO: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
    BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
    Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
    Handler: intu-help-qb4 - {ACE22922-D07C-4860-B51B-8CF472FEC2CB} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)
    Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - C:\Windows\system32\mscoree.dll (Microsoft Corporation)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 192.168.1.254 192.168.11.1
    Tcpip\..\Interfaces\{ECD732D2-4AF2-43E2-B8F9-19812C89FB7D}: [NameServer] 208.67.222.222,208.67.220.220

    FireFox:
    ========
    FF ProfilePath: C:\Users\HANA\AppData\Roaming\Mozilla\Firefox\Profiles\u92pxgrv.default-1410655612957
    FF SearchEngineOrder.3: Google
    FF Homepage: www.google.com
    FF NetworkProxy: "type", 0
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_223.dll ()
    FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\ddg.xml
    FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
    FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-08-31]
    FF HKLM\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn
    FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.5.0.19\coFFPlgn [2014-11-14]

    Chrome:
    =======
    CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-22]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
    R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-10-01] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [968504 2014-10-01] (Malwarebytes Corporation)
    R2 MDM; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
    S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
    R2 NIS; C:\Program Files\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
    R2 Peachtree SmartPosting 2010; C:\Program Files\Sage Software\Peachtree\SmartPostingService2010.exe [38400 2009-02-19] (Sage Software, Inc.) [File not signed]
    S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
    R2 psqlWGE; C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [435496 2009-02-19] (Pervasive Software Inc.)
    S3 QBFCService; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [61440 2009-07-23] (Intuit Inc.) [File not signed]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R1 BHDrvx86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\BASHDefs\20141107.001\BHDrvx86.sys [1138392 2014-11-07] (Symantec Corporation)
    R1 ccSet_NIS; C:\Windows\system32\drivers\NIS\1506000.020\ccSetx86.sys [127064 2014-02-20] (Symantec Corporation)
    R1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [378672 2014-09-12] (Symantec Corporation)
    R3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [111408 2014-09-12] (Symantec Corporation)
    R1 IDSVix86; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\IPSDefs\20141114.001\IDSvix86.sys [476888 2014-09-12] (Symantec Corporation)
    R3 LVPr2Mon; C:\Windows\System32\DRIVERS\LVPr2Mon.sys [25752 2009-10-06] ()
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-10-01] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [114904 2014-11-14] (Malwarebytes Corporation)
    R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-10-01] (Malwarebytes Corporation)
    R3 NAVENG; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141114.017\NAVENG.SYS [95704 2014-11-12] (Symantec Corporation)
    R3 NAVEX15; C:\Program Files\Norton Internet Security\NortonData\21.5.0.19\Definitions\VirusDefs\20141114.017\NAVEX15.SYS [1636696 2014-11-12] (Symantec Corporation)
    R3 SRTSP; C:\Windows\System32\Drivers\NIS\1506000.020\SRTSP.SYS [664792 2014-08-25] (Symantec Corporation)
    R1 SRTSPX; C:\Windows\system32\drivers\NIS\1506000.020\SRTSPX.SYS [32984 2014-08-25] (Symantec Corporation)
    R0 SymDS; C:\Windows\System32\drivers\NIS\1506000.020\SYMDS.SYS [367704 2014-07-22] (Symantec Corporation)
    R0 SymEFA; C:\Windows\System32\drivers\NIS\1506000.020\SYMEFA.SYS [936152 2014-07-22] (Symantec Corporation)
    R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT.SYS [142936 2014-09-13] (Symantec Corporation)
    R1 SymIRON; C:\Windows\system32\drivers\NIS\1506000.020\Ironx86.SYS [209624 2014-08-06] (Symantec Corporation)
    R1 SymNetS; C:\Windows\System32\Drivers\NIS\1506000.020\SYMNETS.SYS [447704 2014-07-22] (Symantec Corporation)

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-11-14 20:17 - 2014-11-14 20:18 - 00000000 ____D () C:\FRST
    2014-11-14 19:56 - 2014-11-14 19:57 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2014-11-14 19:56 - 2014-11-14 19:56 - 00000000 ____D () C:\ProgramData\RogueKiller
    2014-11-14 18:16 - 2014-11-14 18:14 - 02140160 _____ () C:\Users\HANA\Desktop\AdwCleaner.exe
    2014-11-14 18:15 - 2014-11-14 18:18 - 00000000 ____D () C:\AdwCleaner
    2014-11-14 18:08 - 2014-11-14 18:08 - 00000000 __SHD () C:\Users\HANA\AppData\Local\EmieBrowserModeList
    2014-11-13 17:21 - 2014-11-13 17:21 - 00186584 _____ () C:\Users\HANA\AppData\Local\GDIPFONTCACHEV1.DAT
    2014-11-13 00:51 - 2014-11-14 19:39 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2014-11-13 00:50 - 2014-11-13 00:50 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2014-11-13 00:50 - 2014-11-13 00:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2014-11-13 00:50 - 2014-11-13 00:50 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
    2014-11-13 00:50 - 2014-10-01 11:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
    2014-11-13 00:50 - 2014-10-01 11:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
    2014-11-13 00:50 - 2014-10-01 11:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
    2014-11-13 00:37 - 2014-11-13 00:38 - 00000079 _____ () C:\Windows\wininit.ini
    2014-11-13 00:33 - 2014-11-13 17:23 - 00000000 ____D () C:\Program Files\Mozilla Firefox
    2014-11-13 00:20 - 2014-10-17 17:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
    2014-11-13 00:20 - 2014-10-13 17:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
    2014-11-13 00:20 - 2014-08-11 17:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
    2014-11-13 00:19 - 2014-10-09 16:45 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
    2014-11-13 00:19 - 2014-10-02 17:44 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
    2014-11-13 00:19 - 2014-10-02 17:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
    2014-11-13 00:19 - 2014-10-02 17:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
    2014-11-13 00:19 - 2014-10-02 17:44 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
    2014-11-13 00:19 - 2014-10-02 17:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
    2014-11-13 00:19 - 2014-09-19 01:23 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
    2014-11-13 00:19 - 2014-09-19 01:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
    2014-11-13 00:19 - 2014-09-19 01:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
    2014-11-13 00:19 - 2014-09-19 01:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
    2014-11-13 00:19 - 2014-09-19 01:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
    2014-11-13 00:19 - 2014-09-19 01:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
    2014-11-13 00:19 - 2014-09-19 01:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
    2014-11-13 00:19 - 2014-08-20 22:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
    2014-11-13 00:19 - 2014-08-20 22:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
    2014-11-13 00:18 - 2014-11-05 09:50 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
    2014-11-13 00:18 - 2014-11-05 09:50 - 00203776 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
    2014-11-13 00:18 - 2014-11-05 09:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
    2014-11-13 00:17 - 2014-10-24 17:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
    2014-11-13 00:17 - 2014-10-13 17:56 - 00136632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
    2014-11-13 00:17 - 2014-10-13 17:50 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
    2014-11-13 00:17 - 2014-10-13 17:50 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
    2014-11-13 00:17 - 2014-10-13 17:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
    2014-11-13 00:17 - 2014-10-13 17:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
    2014-11-13 00:16 - 2014-11-07 11:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
    2014-11-13 00:16 - 2014-11-05 19:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
    2014-11-13 00:16 - 2014-11-05 19:28 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
    2014-11-13 00:16 - 2014-11-05 19:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
    2014-11-13 00:16 - 2014-11-05 19:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
    2014-11-13 00:16 - 2014-11-05 19:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
    2014-11-13 00:16 - 2014-11-05 19:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
    2014-11-13 00:16 - 2014-11-05 19:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
    2014-11-13 00:16 - 2014-11-05 19:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
    2014-11-13 00:16 - 2014-11-05 19:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
    2014-11-13 00:16 - 2014-11-05 19:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
    2014-11-13 00:16 - 2014-11-05 19:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
    2014-11-13 00:16 - 2014-11-05 18:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
    2014-11-13 00:16 - 2014-11-05 18:59 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
    2014-11-13 00:16 - 2014-11-05 18:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
    2014-11-13 00:16 - 2014-11-05 18:51 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
    2014-11-13 00:16 - 2014-11-05 18:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
    2014-11-13 00:16 - 2014-11-05 18:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
    2014-11-13 00:16 - 2014-11-05 18:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
    2014-11-13 00:16 - 2014-11-05 18:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
    2014-11-13 00:16 - 2014-11-05 18:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
    2014-11-13 00:16 - 2014-11-05 18:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
    2014-11-13 00:16 - 2014-11-05 18:22 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
    2014-11-13 00:16 - 2014-11-05 18:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
    2014-11-13 00:16 - 2014-11-05 18:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
    2014-11-13 00:16 - 2014-11-05 18:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
    2014-11-13 00:16 - 2014-11-05 18:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
    2014-11-13 00:16 - 2014-11-05 17:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
    2014-11-13 00:16 - 2014-11-05 17:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
    2014-11-13 00:16 - 2014-11-05 17:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
    2014-10-22 23:36 - 2014-10-22 23:37 - 00455706 _____ () C:\Users\HANA\Downloads\ACCT-567-14503 - Gvt & Not for Profit Acct files(1).zip

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-11-14 19:38 - 2013-09-16 21:57 - 00000000 _____ () C:\Windows\system32\Drivers\lvuvc.hs
    2014-11-14 19:38 - 2013-08-31 19:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-11-14 19:38 - 2013-08-31 17:33 - 01167280 _____ () C:\Windows\WindowsUpdate.log
    2014-11-14 18:37 - 2009-07-13 20:34 - 00033936 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-11-14 18:37 - 2009-07-13 20:34 - 00033936 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-11-14 18:28 - 2010-11-20 13:01 - 00783040 _____ () C:\Windows\system32\PerfStringBackup.INI
    2014-11-14 18:20 - 2013-08-31 17:57 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
    2014-11-14 18:20 - 2010-11-20 13:48 - 01210118 _____ () C:\Windows\PFRO.log
    2014-11-14 18:20 - 2009-07-13 20:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-11-14 18:20 - 2009-07-13 20:39 - 00048626 _____ () C:\Windows\setupact.log
    2014-11-14 18:18 - 2013-09-01 17:55 - 00001140 _____ () C:\Users\HANA\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2014-11-14 18:18 - 2013-08-31 17:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox
    2014-11-13 17:23 - 2013-08-31 17:57 - 00001117 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
    2014-11-13 17:23 - 2013-08-31 17:49 - 00001105 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2014-11-13 03:41 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\Microsoft.NET
    2014-11-13 03:36 - 2009-07-13 20:53 - 00017902 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
    2014-11-13 03:32 - 2014-09-24 22:44 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
    2014-11-13 03:32 - 2009-07-13 20:33 - 00618040 _____ () C:\Windows\system32\FNTCACHE.DAT
    2014-11-13 03:30 - 2014-05-06 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
    2014-11-13 03:14 - 2013-08-31 18:00 - 00000000 ____D () C:\ProgramData\Microsoft Help
    2014-11-13 03:06 - 2013-09-01 16:54 - 00000000 ____D () C:\Windows\system32\MRT
    2014-11-13 03:02 - 2013-09-01 16:54 - 100445232 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2014-11-13 03:02 - 2013-08-31 19:24 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
    2014-11-13 03:02 - 2013-08-31 19:24 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
    2014-11-13 00:38 - 2014-09-24 22:45 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
    2014-11-13 00:36 - 2013-08-31 19:14 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Logitech
    2014-11-13 00:36 - 2013-08-31 19:14 - 00000000 ____D () C:\Program Files\Logitech
    2014-11-13 00:07 - 2013-08-31 16:38 - 00000000 ____D () C:\Users\HANA
    2014-11-13 00:06 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\system32\wfp
    2014-11-13 00:05 - 2013-10-27 18:27 - 00000000 ____D () C:\Users\HANA\AppData\Local\Intuit
    2014-11-13 00:05 - 2013-08-31 19:25 - 00000000 ____D () C:\ProgramData\Norton
    2014-11-13 00:05 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\system32\NDF
    2014-11-13 00:04 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\registration
    2014-11-11 20:05 - 2010-11-20 16:47 - 00000000 ___RD () C:\Users\Public\Recorded TV
    2014-11-11 16:45 - 2013-09-08 14:34 - 00000000 ____D () C:\Users\HANA\AppData\Local\CrashDumps
    2014-10-15 03:25 - 2009-07-13 18:37 - 00000000 ____D () C:\Windows\rescache

    Some content of TEMP:
    ====================
    C:\Users\HANA\AppData\Local\Temp\dllnt_dump.dll
    C:\Users\HANA\AppData\Local\Temp\ose00000.exe
    C:\Users\HANA\AppData\Local\Temp\_is17CF.exe
    C:\Users\HANA\AppData\Local\Temp\_is47E.exe
    C:\Users\HANA\AppData\Local\Temp\_is6A23.exe
    C:\Users\HANA\AppData\Local\Temp\_is7450.exe
    C:\Users\HANA\AppData\Local\Temp\_is895E.exe
    C:\Users\HANA\AppData\Local\Temp\_isB96B.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2014-11-09 20:19

    ==================== End Of Log ============================

    ____________________________________________________________
    Below is the FRST Addition Log file:

    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-11-2014 01
    Ran by HANA at 2014-11-14 20:18:46
    Running from F:\malware
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Norton Internet Security (Disabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
    AS: Norton Internet Security (Disabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    FW: Norton Internet Security (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
    6500_E709_eDocs (Version: 1.00.0000 - Hewlett-Packard) Hidden
    6500_E709_Help (Version: 1.00.0000 - Hewlett-Packard) Hidden
    6500_E709a (Version: 140.0.000.000 - Hewlett-Packard) Hidden
    Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
    Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
    Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
    Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
    Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)
    Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
    Audacity 2.0.5 (HKLM\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
    bpd_scan (Version: 3.00.0000 - Hewlett-Packard) Hidden
    BPDSoftware (Version: 140.0.000.000 - Hewlett-Packard) Hidden
    BPDSoftware_Ini (Version: 1.00.0000 - Hewlett-Packard) Hidden
    Brother MFL-Pro Suite HL-2280DW (HKLM\...\{3ACCCFB3-7B17-4E9F-ACB0-46868FCD4487}) (Version: 1.1.3.0 - Brother Industries, Ltd.)
    BufferChm (Version: 140.0.213.000 - Hewlett-Packard) Hidden
    COWON Media Center - jetAudio Plus VX (HKLM\...\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}) (Version: 8.0.6 - COWON)
    Crystal Reports 2008 Runtime SP1 (HKLM\...\{C484CC8D-03CF-4022-89C4-DB4F02E8A15B}) (Version: 12.1.0.882 - Business Objects)
    Destinations (Version: 130.0.0.0 - Hewlett-Packard) Hidden
    DeviceDiscovery (Version: 140.0.213.000 - Hewlett-Packard) Hidden
    DocMgr (Version: 140.0.65.000 - Hewlett-Packard) Hidden
    DocProc (Version: 140.0.100.000 - Hewlett-Packard) Hidden
    Fax (Version: 140.0.213.000 - Hewlett-Packard) Hidden
    FFmpeg v0.6.2 for Audacity (HKLM\...\FFmpeg for Audacity_is1) (Version: - )
    GPBaseService2 (Version: 140.0.212.000 - Hewlett-Packard) Hidden
    H&R Block Deluxe + Efile + State 2012 (HKLM\...\{89D20029-0578-4D8D-979A-695C8D868868}) (Version: 12.05.7803 - HRB Technology, LLC.)
    HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP)
    HP Document Manager 2.0 (HKLM\...\HP Document Manager) (Version: 2.0 - HP)
    HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
    HP Officejet 6500 E709 Series (HKLM\...\{58D79E62-CFC8-4331-8469-3A1B16E1769C}) (Version: 14.0 - HP)
    HP Smart Web Printing 4.60 (HKLM\...\HP Smart Web Printing) (Version: 4.60 - HP)
    HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
    HP Update (HKLM\...\{97486FBE-A3FC-4783-8D55-EA37E9D171CC}) (Version: 5.005.000.002 - Hewlett-Packard)
    HPProductAssistant (Version: 140.0.213.000 - Hewlett-Packard) Hidden
    HPSSupply (Version: 140.0.212.000 - Hewlett-Packard) Hidden
    Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
    K-Lite Codec Pack 5.0.5 (Standard) (HKLM\...\KLiteCodecPack_is1) (Version: 5.0.5 - )
    LADSPA_plugins-win-0.4.15 (HKLM\...\LADSPA_plugins-win_is1) (Version: - Audacity Team)
    LAME v3.99.3 (for Windows) (HKLM\...\LAME_is1) (Version: - )
    Logitech Webcam Software (HKLM\...\{C27BC2A2-30DD-4014-B22E-63EB0DB572F9}) (Version: 12.10.1113 - Logitech Inc.)
    Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
    MarketResearch (Version: 140.0.214.000 - Hewlett-Packard) Hidden
    Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
    Microsoft Office 2007 Primary Interop Assemblies (HKLM\...\{50120000-1105-0000-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
    Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
    Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
    Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
    Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft Text-to-Speech Engine 4.0 (English) (HKLM\...\MSTTS) (Version: - )
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual Studio 2005 Tools for Office Runtime (HKLM\...\Microsoft Visual Studio 2005 Tools for Office Runtime) (Version: - Microsoft Corporation)
    Mozilla Firefox 32.0.3 (x86 en-US) (HKLM\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
    Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 32.0.3 - Mozilla)
    MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
    MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
    MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
    Network (Version: 140.0.215.000 - Hewlett-Packard) Hidden
    Norton Internet Security (HKLM\...\NIS) (Version: 21.6.0.32 - Symantec Corporation)
    NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.6 - NVIDIA Corporation)
    NVIDIA Graphics Driver 307.83 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 307.83 - NVIDIA Corporation)
    NVIDIA Update 1.10.8 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update) (Version: 1.10.8 - NVIDIA Corporation)
    OCR Software by I.R.I.S. 14.0 (HKLM\...\HPOCR) (Version: 14.0 - HP)
    Peachtree Accounting 2010 (Version: 17.00.00 - Sage Software, Inc.) Hidden
    Peachtree Quantum 2010 - Accountants' Edition (HKLM\...\InstallShield_{51EF69CF-70D3-4142-993D-AA97F36484CC}) (Version: 17.00.00 - Sage Software, Inc.)
    PeachTree Signature Ready Forms (Version: 6.3.0 - Sage Software SB, Inc.) Hidden
    Pervasive PSQL v10.10 Workgroup (32-bit) (HKLM\...\Pervasive PSQL v10.10 Workgroup (32-bit)) (Version: 10.10.126 - Pervasive Software)
    Pervasive PSQL v10.10 Workgroup (32-bit) (Version: 10.12.025 - Pervasive Software) Hidden
    Primo (Version: 1.00.0000 - Your Company Name) Hidden
    ProductContext (Version: 140.0.000.000 - Hewlett-Packard) Hidden
    QuickBooks (Version: 21.0.4001.904 - Intuit Inc.) Hidden
    QuickBooks Enterprise Solutions: Accountant Edition 11.0 (HKLM\...\{11E0AC7D-6829-4F67-865F-EE1C13D28C38}) (Version: 21.0.4001.904 - Intuit Inc.)
    Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: - )
    Runtime (Version: 1.00.0000 - Your Company Name) Hidden
    Sage 50 Accounts 2009 (HKLM\...\InstallShield_{FC9D0B7B-5D95-411B-B14D-CD074E5CCA4A}) (Version: - )
    Sage Message Center (HKLM\...\{6798DD4E-BD16-4735-87EB-D712637CCB8C}) (Version: 2.00.0000 - Sage Software Inc.)
    Sage Software Integration Services (HKLM\...\Integration Services) (Version: 2.2.2240 - Sage Technology)
    Scan (Version: 140.0.167.000 - Hewlett-Packard) Hidden
    Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
    Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 14.0 - HP)
    SmartWebPrinting (Version: 140.0.213.000 - Hewlett-Packard) Hidden
    SolutionCenter (Version: 140.0.214.000 - Hewlett-Packard) Hidden
    Sony Picture Utility (HKLM\...\{D5068583-D569-468B-9755-5FBF5848F46F}) (Version: 4.2.00.15030 - Sony Corporation)
    Status (Version: 140.0.256.000 - Hewlett-Packard) Hidden
    TeamViewer 8 (HKLM\...\TeamViewer 8) (Version: 8.0.20202 - TeamViewer)
    TeraCopy 2.27 (HKLM\...\TeraCopy_is1) (Version: - Code Sector)
    Toolbox (Version: 140.0.428.000 - Hewlett-Packard) Hidden
    Total Commander (Remove or Repair) (HKLM\...\Totalcmd) (Version: 7.50a - Ghisler Software GmbH)
    TrayApp (Version: 140.0.213.000 - Hewlett-Packard) Hidden
    UniKey 4.0 NT (HKLM\...\UniKey) (Version: 4.0 NT - Pham Kim Long)
    Uninstall LAC VIET mtd2002-EVA (HKLM\...\LAC VIET mtd2002-EVA_is1) (Version: 4.0 - LAC VIET Corp.)
    Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
    WebReg (Version: 140.0.213.017 - Hewlett-Packard) Hidden
    Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
    WinRAR archiver (HKLM\...\WinRAR archiver) (Version: - )
    Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
    Yahoo! Software Update (HKLM\...\Yahoo! Software Update) (Version: - )
    Yahoo! Toolbar (HKLM\...\Yahoo! Companion) (Version: - Yahoo! Inc.)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{05EC5C13-D255-4592-9CCB-98615172F0D6}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{0ADF9C35-0D5E-4B75-88DD-B64868907E17}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{123FAF7F-3FB1-4B8F-AD18-0047401D436A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{1B3210AF-E236-46D4-83EF-6421F2FF543C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{1E78DD72-771E-42BF-8B4B-363CEB18E07B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTVIEW.OCx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{22664BE2-0806-4BA4-8643-DE40C9149176}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{2A9EBDB5-0600-4E8C-B910-4001BEB2DD8C}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{349D777D-F7A2-4AAE-967F-A54F05A7FF3B}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBFinder.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{37A2FC00-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{37A2FC02-1795-4679-94A3-A153F1A8BB54}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58721-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\COMObjectFactory.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58742-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58743-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{38F58744-5F93-11D5-9F94-0008C7AA5BD9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{3E1A2BBD-5707-4646-B268-518B997DC94D}\localserver32 -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4716D3CE-55DB-4D2A-818C-87D912895890}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4844F3F7-2161-4AC4-B219-B3B4311782AA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4A56F19E-9F50-4F43-93C8-050E44AA83A9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{4E5E74B5-8EB5-4859-A335-837EED412620}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5249684A-D7A2-4DBE-94F4-B90923A7BC64}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5428A9ED-6CD8-11D6-9C8A-0001023DCAA2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{547C8F00-5567-4AE3-8BB0-CC3CE2AB9070}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{57D590F1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{596801D8-2C9D-4627-9C67-195CB81B655A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5B7331FA-8910-4748-A8A4-60B445041F28}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{5ED8AC89-B2DE-476D-8EEA-E170B2FCB058}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{70478C56-E77F-4134-B3E3-3B18EE036D71}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{7694F1CD-A55B-4B7C-8820-A90892EB4E9E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{7DBF8260-30AD-4D1B-876A-8032B87B809F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{828E5386-74CF-4019-B356-C857CD028A7D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{82CC31B3-53B4-4161-A4E9-6B4F1290A6C8}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{8572570D-12D9-4F2C-8BB8-EB8848178B94}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{8E590317-1329-11D1-B70B-00805F29CD16}\localserver32 -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{8FEDE364-AB37-4551-80C9-6D468E222AB2}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F2-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F3-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F4-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F5-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F6-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{9D9B61F7-9E2B-492A-81B3-AA5A1CCFBC3A}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{A58C4EAB-2DB8-445E-9CAE-2AE197A5C708}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{A63E42D0-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{A63E42D2-9C63-47B5-ABF2-0C839EC20778}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{AF5E0A13-CEAB-47CE-991D-77E82CD1BF3F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{B0FF20F1-C857-4EA5-A2B8-A85372879B3D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{B10BFAC3-EFF1-40D9-ADA0-BEBE037C24CA}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{b2b568c8-3712-4a75-b806-4b3c2fdb06d5}\localserver32 -> C:\Users\HANA\AppData\Local\Temp\{e9513610-f218-4dda-b954-2c7e6ba7cabb}\IDriver.NonElevated.exe No F (the data entry has 3 more characters).
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{B66F2BF1-91EB-44CE-8088-AE4AE19D30A1}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{BCD594EA-15C3-4FD8-B92B-114BB9694537}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBCtrIPMDS2.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{CE18240D-F3F8-43AE-9EA0-A0DC85A95375}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D14FD6B3-6A9F-4537-9460-07B836707127}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D4A12AAF-E15E-470B-A6B6-63032186F91F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9B9C060-0954-11D3-9E07-00104BD2BE34}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSource.dll (Intuit, Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6F81-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6F84-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6F87-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\cominifile.dll (Intuit, Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FA1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FA6-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\GraphSeriesCol.dll (Intuit, Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FB2-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\StorageClasses.dll (Intuit, Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{D9BC6FC1-A54B-11D4-A516-0050DA68678D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\ViewSrcColumns.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{DCB2B478-EFF6-48F6-B718-13E98876854E}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{DFD0AF10-B86C-4AF3-B609-1348D513E565}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E1A173E1-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E1A173E3-D957-4C3E-A098-43756A3DB454}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E6E4DF8B-17CE-43ED-B2C7-2CE10457552D}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{E7D2D0F6-B754-438D-B5C9-BF848D311A0F}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBDTRatios.dll No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{EADA914E-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{EAEF733D-5B08-4E85-8440-5A087504DF87}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{F2C593CC-74B2-4F71-8556-DD4D426D0409}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{F9EF917A-E55E-4242-B205-E778395AC313}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\BbfDepCalc.ocx No File
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{FAC93D42-FFC2-11d1-9DEB-0008C7A08EBA}\localserver32 -> C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE (Intuit Inc.)
    CustomCLSID: HKU\S-1-5-21-3606046635-1778293933-214485894-1000_Classes\CLSID\{FB17915F-06D1-4214-A902-CC5EE05186E9}\InprocServer32 -> C:\Program Files\Common Files\Intuit\QuickBooks\QBObjProxy.dll (Intuit Inc.)

    ==================== Restore Points =========================

    30-10-2014 21:19:44 Scheduled Checkpoint
    10-11-2014 04:26:13 Scheduled Checkpoint
    12-11-2014 04:02:00 Restore Operation
    12-11-2014 04:13:11 Windows Update
    13-11-2014 07:40:36 Removed Logitech Vid.
    13-11-2014 08:01:10 Restore Operation
    13-11-2014 08:11:52 Windows Update
    13-11-2014 08:35:48 Removed Logitech Vid.
    13-11-2014 11:01:09 Windows Update

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 18:04 - 2014-09-24 23:04 - 00450709 ____N C:\Windows\system32\Drivers\etc\hosts

    There are 1000 more lines.


    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {2A4E1A9F-BE6D-4E40-9F48-11C9815BE5E3} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe [2014-09-20] (Symantec Corporation)
    Task: {466106E4-528B-4FBF-AF53-8D72CA996951} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-13] (Adobe Systems Incorporated)
    Task: {5B964B40-5117-4AE7-8E49-15D9C27FDE34} - \PastaQuotes No Task File <==== ATTENTION
    Task: {5C9539F2-0505-47E7-A09A-084154A3D66B} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files\Norton Identity Safe\Engine\2014.7.6.15\SymErr.exe
    Task: {62622537-855A-434E-9A96-86B390D48E18} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
    Task: {91E371A5-490C-4EAD-A0FA-FB5E292469CC} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files\Norton Identity Safe\Engine\2014.7.6.15\SymErr.exe
    Task: {C499B6C1-4E60-4993-BE25-7D306DC11458} - \YTAUpdate No Task File <==== ATTENTION
    Task: {EFBA3F68-9EF9-4FCC-81BA-D3E81F3ECF6D} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

    ==================== Loaded Modules (whitelisted) =============

    2013-08-31 18:16 - 2013-01-31 01:00 - 00079648 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
    2009-02-19 15:27 - 2009-02-19 15:27 - 00383488 ____R () C:\Program Files\Sage Software\Peachtree\pchqb32.dll
    2009-02-19 14:30 - 2009-02-19 14:30 - 00045056 ____R () C:\Program Files\Sage Software\Peachtree\ptsig.dll
    2013-09-04 23:14 - 2013-09-04 23:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
    2010-10-20 14:45 - 2010-10-20 14:45 - 08801120 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2006-04-18 15:53 - 2006-04-18 15:53 - 00188416 _____ () C:\Program Files\UniKey\UKHook40.dll
    2009-10-14 11:36 - 2009-10-14 11:36 - 02793304 _____ () C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
    2006-04-18 15:55 - 2006-04-18 15:55 - 00217088 _____ () C:\Program Files\UniKey\UniKeyNT.exe
    2010-08-25 09:13 - 2010-08-25 09:13 - 00268064 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\boost_regex-vc90-mt-p-1_33.dll
    2010-08-25 09:14 - 2010-08-25 09:14 - 00020256 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBCompressor.dll
    2005-07-19 22:18 - 2005-07-19 22:18 - 00059904 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\zlib1.dll
    2010-08-25 09:13 - 2010-08-25 09:13 - 00337184 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\BackupLib.dll
    2010-08-25 09:14 - 2010-08-25 09:14 - 00124704 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBMAPILibrary.dll
    2010-08-25 09:13 - 2010-08-25 09:13 - 00175904 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\boost_serialization-vc90-mt-p-1_33.dll
    2010-08-25 09:14 - 2010-08-25 09:14 - 00041248 _____ () C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\mbpopup.dll
    2009-10-14 11:34 - 2009-10-14 11:34 - 00560472 _____ () C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    2013-08-31 19:24 - 2012-05-25 02:25 - 00921600 _____ () C:\Program Files\Yahoo!\Messenger\yui.dll
    2014-11-13 00:33 - 2014-09-23 21:09 - 03715184 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

    AlternateDataStreams: C:\ProgramData\TEMP:56E2E879

    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) =============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== MSCONFIG/TASK MANAGER disabled items =========

    (Currently there is no automatic fix for this section.)


    ========================= Accounts: ==========================

    Administrator (S-1-5-21-3606046635-1778293933-214485894-500 - Administrator - Disabled)
    Guest (S-1-5-21-3606046635-1778293933-214485894-501 - Limited - Disabled)
    HANA (S-1-5-21-3606046635-1778293933-214485894-1000 - Administrator - Enabled) => C:\Users\HANA
    HomeGroupUser$ (S-1-5-21-3606046635-1778293933-214485894-1004 - Limited - Enabled)
    UpdatusUser (S-1-5-21-3606046635-1778293933-214485894-1002 - Limited - Enabled) => C:\Users\UpdatusUser

    ==================== Faulty Device Manager Devices =============

    Name: Teredo Tunneling Pseudo-Interface
    Description: Microsoft Teredo Tunneling Adapter
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Microsoft
    Service: tunnel
    Problem: : This device cannot start. (Code10)
    Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
    On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

    Name: Centellax
    Description: Flash Disk
    Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
    Manufacturer: Generic
    Service: WUDFRd
    Problem: : Windows has stopped this device because it has reported problems. (Code 43)
    Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

    Name: Standard PS/2 Keyboard
    Description: Standard PS/2 Keyboard
    Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
    Manufacturer: (Standard keyboards)
    Service: i8042prt
    Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
    Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
    Devices stay in this state if they have been prepared for removal.
    After you remove the device, this error disappears.Remove the device, and this error should be resolved.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (11/14/2014 06:23:43 PM) (Source: QuickBooks) (EventID: 4) (User: )
    Description: An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle

    Error: (11/14/2014 06:23:43 PM) (Source: QuickBooks) (EventID: 4) (User: )
    Description: An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle

    Error: (11/14/2014 06:23:43 PM) (Source: QuickBooks) (EventID: 4) (User: )
    Description: An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle

    Error: (11/14/2014 06:21:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

    Error: (11/13/2014 05:20:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
    Description: An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle

    Error: (11/13/2014 05:20:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
    Description: An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle

    Error: (11/13/2014 05:20:26 PM) (Source: QuickBooks) (EventID: 4) (User: )
    Description: An unexpected error has occured in "QuickBooks":
    Returning NULL QBWinInstance Handle

    Error: (11/13/2014 03:36:51 AM) (Source: Schedule) (EventID: 0) (User: )
    Description: Schedule error: 10106Initialize call failed, bailing out

    Error: (11/13/2014 03:34:54 AM) (Source: Peachtree SmartPosting 2009) (EventID: 0) (User: )
    Description: Service cannot be started. Pervasive.Data.SqlClient.PsqlException: A non-recoverable error occurred during a database lookup
    at Pervasive.Data.SqlClient.PsqlConnection.Open()
    at Sage.Peachtree.DataAccess.PervasiveDbManager.GetOperationContext(Boolean openConnection, ConnectionParameters parameters)
    at Sage.SBD.ACS.Framework.DataAccess.DbManager.GetOperationContext(Boolean openConnection, String parameterSetName)
    at Sage.Peachtree.SmartPostingService.Dispatcher.GetGlobalDBOContext()
    at Sage.Peachtree.SmartPostingService.Dispatcher.Start()
    at Sage.Peachtree.SmartPostingService.SmartPostingService.OnStart(String[] args)
    at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

    Error: (11/13/2014 03:33:49 AM) (Source: WinMgmt) (EventID: 10) (User: )
    Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


    System errors:
    =============
    Error: (11/14/2014 07:02:23 PM) (Source: Microsoft-Windows-HAL) (EventID: 12) (User: )
    Description: The platform firmware has corrupted memory across the previous system power transition. Please check for updated firmware for your system.

    Error: (11/14/2014 06:23:03 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
    Description: application-specificLocalLaunch{C97FCC79-E628-407D-AE68-A06AD6D8B4D1}{344ED43D-D086-4961-86A6-1106F4ACAD9B}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)

    Error: (11/14/2014 06:19:07 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Print Spooler service failed to start due to the following error:
    %%3

    Error: (11/14/2014 06:18:37 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
    Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
    %%1056

    Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Pervasive PSQL Workgroup Engine service terminated unexpectedly. It has done this 1 time(s).

    Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).

    Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The MBAMScheduler service terminated unexpectedly. It has done this 1 time(s).

    Error: (11/14/2014 06:18:08 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).

    Error: (11/14/2014 06:18:07 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

    Error: (11/14/2014 06:18:07 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
    Description: The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.


    Microsoft Office Sessions:
    =========================
    Error: (09/06/2014 03:16:14 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
    Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6700.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 239816 seconds with 780 seconds of active time. This session ended with a crash.

    Error: (01/02/2014 11:55:53 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
    Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 16935 seconds with 13440 seconds of active time. This session ended with a crash.


    ==================== Memory info ===========================

    Processor: AMD Athlon(tm) Dual Core Processor 4450B
    Percentage of memory in use: 71%
    Total physical RAM: 2942.49 MB
    Available physical RAM: 851.73 MB
    Total Pagefile: 5883.27 MB
    Available Pagefile: 4174.34 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1898.29 MB

    ==================== Drives ================================

    Drive c: () (Fixed) (Total:111.98 GB) (Free:66.8 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    Drive d: (New Volume) (Fixed) (Total:110.89 GB) (Free:4.17 GB) NTFS
    Drive f: (Centellax) (Removable) (Total:3.8 GB) (Free:0.81 GB) FAT32

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: D42AD42A)
    Partition 1: (Active) - (Size=112 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=110.9 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=10 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 3.8 GB) (Disk ID: 000D826A)
    Partition 1: (Not Active) - (Size=3.8 GB) - (Type=0C)

    ==================== End Of Log ============================
    ______________________________________________________________________

    Cheers -m

  7. #7
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Hi,

    We will use RogueKiller again. Start it and after the pre-scan click the Scan button. Once the scan is done:
    Under the Registry tab, check the first two, then click on the Delete button. Then see how IE behaves.

    [PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Found
    How Can I Reduce My Risk?

  8. #8
    Junior Member
    Join Date
    Nov 2007
    Location
    California
    Posts
    23

    Hi,

    So I reran RogueKiller. I scanned as before, then looked under the registry tab. I clicked the two PUM proxy items and deleted them.

    I tried IE and the results are the same; it is looking for the proxy server 127.0.0.1:8800.
    I still cannot uncheck use proxy. Trying to reset IE does not help. I tried to reboot
    and retest IE but the results are the same. I rescanned using RogueKiller. When I looked under
    the registry tab, the two items I deleted (PUM.PROXY) are definitely gone. However, when I look at the
    RogueKiller scan report I still see the same items in the report. See attached:

    ______________________________________________________________________________________________
    RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
    Started in : Normal mode
    User : HANA [Administrator]
    Mode : Scan -- Date : 11/15/2014 10:51:42

    Processes : 0

    Registry : 18
    [PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    [PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Found
    [PUM.HomePage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/redirects/se...pvid=20.4.0.40 -> Found
    [PUM.SearchPage] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

    Tasks : 0

    Files : 0

    Hosts File : 0 [Too big!]

    Antirootkit : 44 (Driver: Loaded)
    [SSDT:Addr(Hook.SSDT)] NtAlertResumeThread[13] : Unknown @ 0x867977a8
    [SSDT:Addr(Hook.SSDT)] NtAlertThread[14] : Unknown @ 0x86797840
    [SSDT:Addr(Hook.SSDT)] NtAllocateVirtualMemory[19] : Unknown @ 0x86797ea0
    [SSDT:Addr(Hook.SSDT)] NtAlpcConnectPort[22] : Unknown @ 0x866e2ab0
    [SSDT:Addr(Hook.SSDT)] NtAssignProcessToJobObject[43] : Unknown @ 0x86797220
    [SSDT:Addr(Hook.SSDT)] NtCreateMutant[74] : Unknown @ 0x867975d0
    [SSDT:Addr(Hook.SSDT)] NtCreateSymbolicLinkObject[86] : Unknown @ 0x86796e20
    [SSDT:Addr(Hook.SSDT)] NtCreateThread[87] : Unknown @ 0x867503d8
    [SSDT:Addr(Hook.SSDT)] NtCreateThreadEx[88] : Unknown @ 0x86796ec8
    [SSDT:Addr(Hook.SSDT)] NtDebugActiveProcess[96] : Unknown @ 0x867972b8
    [SSDT:Addr(Hook.SSDT)] NtDuplicateObject[111] : Unknown @ 0x86797fc0
    [SSDT:Addr(Hook.SSDT)] NtFreeVirtualMemory[131] : Unknown @ 0x86797d30
    [SSDT:Addr(Hook.SSDT)] NtImpersonateAnonymousToken[145] : Unknown @ 0x86797678
    [SSDT:Addr(Hook.SSDT)] NtImpersonateThread[147] : Unknown @ 0x86797710
    [SSDT:Addr(Hook.SSDT)] NtLoadDriver[155] : Unknown @ 0x86660958
    [SSDT:Addr(Hook.SSDT)] NtMapViewOfSection[168] : Unknown @ 0x86797c78
    [SSDT:Addr(Hook.SSDT)] NtOpenEvent[177] : Unknown @ 0x86797538
    [SSDT:Addr(Hook.SSDT)] NtOpenProcess[190] : Unknown @ 0x8676a1d8
    [SSDT:Addr(Hook.SSDT)] NtOpenProcessToken[191] : Unknown @ 0x86797f48
    [SSDT:Addr(Hook.SSDT)] NtOpenSection[194] : Unknown @ 0x86797408
    [SSDT:Addr(Hook.SSDT)] NtOpenThread[198] : Unknown @ 0x8676a130
    [SSDT:Addr(Hook.SSDT)] NtProtectVirtualMemory[215] : Unknown @ 0x86796f80
    [SSDT:Addr(Hook.SSDT)] NtQueueApcThread[269] : Unknown @ 0x86796d78
    [SSDT:Addr(Hook.SSDT)] NtQueueApcThreadEx[270] : Unknown @ 0x86796cd0
    [SSDT:Addr(Hook.SSDT)] NtResumeThread[304] : Unknown @ 0x867978d8
    [SSDT:Addr(Hook.SSDT)] NtSetContextThread[316] : Unknown @ 0x86797aa0
    [SSDT:Addr(Hook.SSDT)] NtSetInformationProcess[333] : Unknown @ 0x86797b38
    [SSDT:Addr(Hook.SSDT)] NtSetSystemInformation[350] : Unknown @ 0x86797350
    [SSDT:Addr(Hook.SSDT)] NtSuspendProcess[366] : Unknown @ 0x867974a0
    [SSDT:Addr(Hook.SSDT)] NtSuspendThread[367] : Unknown @ 0x86797970
    [SSDT:Addr(Hook.SSDT)] NtTerminateProcess[370] : Unknown @ 0x86753a08
    [SSDT:Addr(Hook.SSDT)] NtTerminateThread[371] : Unknown @ 0x86797a08
    [SSDT:Addr(Hook.SSDT)] NtUnmapViewOfSection[385] : Unknown @ 0x86797be0
    [SSDT:Addr(Hook.SSDT)] NtWriteVirtualMemory[399] : Unknown @ 0x86797dd8
    [ShwSSDT:Addr(Hook.Shadow)] NtUserAttachThreadInput[318] : Unknown @ 0x865fc768
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetAsyncKeyState[402] : Unknown @ 0x876ada68
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyboardState[434] : Unknown @ 0x865fb250
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetKeyState[436] : Unknown @ 0x865fe3a0
    [ShwSSDT:Addr(Hook.Shadow)] NtUserGetRawInputData[448] : Unknown @ 0x876a46d8
    [ShwSSDT:Addr(Hook.Shadow)] NtUserMessageCall[490] : Unknown @ 0x865f8378
    [ShwSSDT:Addr(Hook.Shadow)] NtUserPostMessage[508] : Unknown @ 0x87686570
    [ShwSSDT:Addr(Hook.Shadow)] NtUserPostThreadMessage[509] : Unknown @ 0x876abe00
    [ShwSSDT:Addr(Hook.Shadow)] NtUserSetWindowsHookEx[585] : Unknown @ 0x876a5080
    [ShwSSDT:Addr(Hook.Shadow)] NtUserSetWinEventHook[588] : Unknown @ 0x876ace00

    Web browsers : 1
    [PUM.HomePage][FIREFX:Config] u92pxgrv.default-1410655612957 : user_pref("browser.startup.homepage", "www.google.com"); -> Found

    MBR Check :
    +++++ PhysicalDrive0: ST325031 0AS SCSI Disk Device +++++
    --- User ---
    [MBR] af0f544114c0de711784d3ce2993ae63
    [BSP] 8f4f837cf063111c987661cb4b876d36 : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 114668 MB
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 234842112 | Size: 113550 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 467395110 | Size: 10244 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([1] Incorrect function. )

    +++++ PhysicalDrive1: Generic Flash Disk USB Device +++++
    --- User ---
    [MBR] 4b1dc1298a474d448019742e4b214bd4
    [BSP] fdbeab4aaf2ffaee89afb02bfc9c9d8e : Legit.Unknown MBR Code
    Partition table:
    0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 2048 | Size: 3899 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_11142014_201449.log - RKreport_SCN_11152014_103924.log - RKreport_DEL_11152014_104449.log


    _____________________________________________________________________________________________________

    Thanks -m
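
Post #8 above reports that the two PUM.Proxy rows were deleted yet still appear in the next scan report. As an added example (not part of the thread and not RogueKiller's own code), this Python script parses registry rows from such a report, flags a forced proxy that points at a loopback address, and compares a pre-delete and post-delete report to show whether the setting came back. The row layout is inferred from the report lines above, and all function names are hypothetical.

```python
import ipaddress
import re
# Registry rows copied from the RogueKiller report in post #8 of this thread.
# Assumed row layout: "[tag] key | value name : data -> status".
SCAN = r"""
[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8800;https=127.0.0.1:8800 -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-3606046635-1778293933-214485894-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Found
"""

ROW = re.compile(r"^\[(?P<tag>[^\]]+)\]\s+(?P<key>HKEY_[^|]+?)\s*\|\s*"
                 r"(?P<name>.+?)\s+:\s+(?P<data>.*?)\s+->\s+\w+")

def parse_proxy_server(data):
    """Split a ProxyServer string into {protocol: (host, port)}."""
    servers = {}
    for part in filter(None, (p.strip() for p in data.split(";"))):
        proto, sep, addr = part.partition("=")
        if not sep:  # bare "host:port" applies to every protocol
            proto, addr = "all", part
        host, _, port = addr.rpartition(":")
        servers[proto.lower()] = (host, int(port)) if host and port.isdigit() else (addr, None)
    return servers

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def proxy_findings(report):
    """Map each registry key with PUM.Proxy rows to its forced-proxy state."""
    state = {}
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m or m["tag"] != "PUM.Proxy":
            continue
        entry = state.setdefault(m["key"], {"enabled": False, "loopback": []})
        if m["name"] == "ProxyEnable":
            entry["enabled"] = m["data"] == "1"
        elif m["name"] == "ProxyServer":
            servers = parse_proxy_server(m["data"]).items()
            entry["loopback"] = sorted(f"{p}={h}:{n}" for p, (h, n) in servers if is_loopback(h))
    return state

def survived_delete(before, after):
    """Keys seen before the delete whose loopback proxy is still enabled after it."""
    b, a = proxy_findings(before), proxy_findings(after)
    return sorted(k for k in a if k in b and a[k]["enabled"] and a[k]["loopback"])
```

A non-empty result from `survived_delete` means something rewrote the values between the delete and the rescan, which is the situation post #8 describes.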

  9. #9
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,067

    Let's try this, although it's a long shot. Shut down your antivirus: Norton, Malwarebytes, Spybot etc. Usually what's running will have an icon near the clock. Maybe a right click on the icon > exit.
    This is just to be sure one of them is not interfering with the fix. Once it's good, rerun RogueKiller like before and select the two entries under the registry tab. Then click the delete button. See how it goes.
    How Can I Reduce My Risk?

  10. #10
    Junior Member
    Join Date
    Nov 2007
    Location
    California
    Posts
    23

    That looks like it worked. After the scan it acted like it was still there. Still could not uncheck the use proxy.
    However, after I did a reboot the Use proxy was unchecked and both IE and Firefox appeared to be working.
    So that machine seems to be cured.

    On the computer I am currently working on, I took a look at the Firefox Tools>options>Network>settings. It has
    "use system proxy settings" checked. However, I do not seem to notice any ill effects. Should I worry?

    Thanks -m
