
Solved WMI Provider Host Pinning My Processor

Discussion in 'Malware and Virus Removal Archive' started by sledrew, 2014/12/29.

  1. 2014/12/29
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    [Solved] WMI Provider Host Pinning My Processor

    Hello,

    The WMI Provider Host process on my PC is chewing up a lot of my processor, consistently over 50%.

    I have followed the instructions on the virus and malware removal page http://www.windowsbbs.com/malware-virus-removal/announcements.html

    When I completed the scan with Malwarebytes, there were 6 files that were quarantined and removed. Here is the log per the instructions:

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 2014-12-29
    Scan Time: 9:52:13 AM
    Logfile:
    Administrator: Yes

    Version: 2.00.4.1028
    Malware Database: v2014.12.29.06
    Rootkit Database: v2014.12.23.02
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 8.1
    CPU: x64
    File System: NTFS
    User: Shawn

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 379599
    Time Elapsed: 23 min, 10 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 1
    PUP.Optional.Softonic.A, HKU\S-1-5-21-1989184882-1871269664-67301077-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Softonic, Quarantined, [edadeb7dbbc14de98109124fba4911ef],

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 5
    PUP.Optional.Conduit.A, C:\Users\Shawn\AppData\Local\Temp\nsa31F4.exe, Quarantined, [1d7d43253349a4929c7f4a586f92956b],
    PUP.Optional.SearchProtect.A, C:\Users\Shawn\AppData\Local\Temp\utt2A7A.tmp.exe, Quarantined, [5149e682f7850c2a3bca158c06fb6f91],
    PUP.Optional.SearchProtect.A, C:\Users\Shawn\AppData\Local\Temp\nsi789B.tmp, Quarantined, [e5b5a0c83f3d86b0f048416b48b936ca],
    PUP.Optional.Conduit.A, C:\Users\Shawn\AppData\Local\Temp\nsyA746.exe, Quarantined, [8614c6a286f6053146d58f13b64b08f8],
    PUP.Optional.Conduit.A, C:\Users\Shawn\AppData\Local\Temp\nsb71D1.exe, Quarantined, [1882b1b75b2140f6f7245052a0613dc3],

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    I don't see a way to attach the log file, can someone help me with this?

    I was also not able to utilize the DDS utility; when I tried to run it I received a message stating "Unable to run in compatibility mode".

    Even though I removed the files discovered by Malwarebytes during the scan, the WMI Provider Host is still using excessive processor resources.

    Any help that anyone can provide me with this is appreciated!

    Thank you.
     
  2. 2014/12/29
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,889
    Likes Received:
    386
    Copy & paste into your next post in this thread.
    Broni will advise on the appropriate action when he picks up this thread.
     


  4. 2014/12/29
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard

    Please, observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ================================

    DDS is not compatible with Windows 8.1.

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

    Create a new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Double click on downloaded file. OK self extracting prompt.
    • MBAR will start. Click "Next" to continue.
    • Click in the following screen "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
    NOTE. If you see the "This version requires you to completely exit the Anti Malware application" message, right click on the Malwarebytes Anti-Malware icon in the system tray and click on Exit.
     
  5. 2014/12/30
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    Hi,

    Thanks for your assistance.

    Here is the RogueKiller report:

    RogueKiller V10.1.1.0 [Dec 23 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
    Started in : Normal mode
    User : Shawn [Administrator]
    Mode : Delete -- Date : 12/30/2014 15:08:56

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 8 ¤¤¤
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.9 [UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 192.168.1.254 75.153.176.9 [UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4F4E9525-D14C-4135-AB26-3D7135C9BE8C} | DhcpNameServer : 192.168.1.254 75.153.176.9 [UNITED STATES (US)] -> Not selected
    [PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4F4E9525-D14C-4135-AB26-3D7135C9BE8C} | DhcpNameServer : 192.168.1.254 75.153.176.9 [UNITED STATES (US)] -> Not selected
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
    [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected
    [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Not selected

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: Hitachi HDP725050GLA360 +++++
    --- User ---
    [MBR] 5d05210e3b6777793fddbc7286c28bd9
    [BSP] ceb84c3e7b096f62a58a22cb4210973b : Windows Vista/7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 466834 MB
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 956076345 | Size: 10103 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: Hitachi HDP725050GLA360 +++++
    --- User ---
    [MBR] d58dd8eda34bcf2ab057182ec3fb9f87
    [BSP] 4bf2d75d9d1191e119704f3ea5ededd1 : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive2: Seagate GoFlex Desk USB Device +++++
    --- User ---
    [MBR] a15455b64e5914eb6c1adeaccef798bb
    [BSP] 20f3989142a284e875d433b0ad16b1bd : Empty MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 1907726 MB
    User = LL1 ... OK
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive3: Generic USB SD Reader USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive4: Generic USB CF Reader USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive5: Generic USB xD/SM Reader USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )

    +++++ PhysicalDrive6: Generic USB MS Reader USB Device +++++
    Error reading User MBR! ([15] The device is not ready. )
    Error reading LL1 MBR! NOT VALID!
    Error reading LL2 MBR! ([32] The request is not supported. )


    ============================================
    RKreport_SCN_12302014_150658.log




    Here is the MBAR log:

    Malwarebytes Anti-Rootkit BETA 1.08.2.1001
    www.malwarebytes.org

    Database version: v2014.12.30.08

    Windows 8.1 x64 NTFS
    Internet Explorer 11.0.9600.17498
    Shawn :: LEDREW-PC [administrator]

    2014-12-30 3:19:05 PM
    mbar-log-2014-12-30 (15-19-05).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 384655
    Time elapsed: 34 minute(s), 13 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)





    Here is the system log:

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.08.2.1001

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.3.9200 Windows 8.1 x64

    Account is Administrative

    Internet Explorer version: 11.0.9600.17498

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, F:\ DRIVE_FIXED, G:\ DRIVE_FIXED
    CPU speed: 2.667000 GHz
    Memory total: 4294217728, free: 1891950592

    Downloaded database version: v2014.12.30.08
    Downloaded database version: v2014.12.30.01
    Downloaded database version: v2014.12.06.01
    =======================================
    Initializing...
    This version of Malwarebytes Anti-Rootkit requires you to completely exit the Malwarebytes Anti-Malware application to continue.
    Initializing...
    ======================
    This version of Malwarebytes Anti-Rootkit requires you to completely exit the Malwarebytes Anti-Malware application to continue.
    =======================================
    Initializing...
    ------------ Kernel report ------------
    12/30/2014 15:18:50
    ------------ Loaded modules -----------
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk6\DR6
    Upper Device Object: 0xffffe001883c2640
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000005d\
    Lower Device Object: 0xffffe00188385060
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk5\DR5
    Upper Device Object: 0xffffe001883f6060
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000005c\
    Lower Device Object: 0xffffe00188388610
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk4\DR4
    Upper Device Object: 0xffffe001883fc060
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000005b\
    Lower Device Object: 0xffffe0018838f4f0
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk3\DR3
    Upper Device Object: 0xffffe0018837f060
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000005a\
    Lower Device Object: 0xffffe0018838a060
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk2\DR2
    Upper Device Object: 0xffffe00184926060
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000003f\
    Lower Device Object: 0xffffe0018492e710
    Lower Device Driver Name: \Driver\USBSTOR\
    <<<1>>>
    Upper Device Name: \Device\Harddisk1\DR1
    Upper Device Object: 0xffffe001865fd060
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000002d\
    Lower Device Object: 0xffffe00185d15060
    Lower Device Driver Name: \Driver\iaStorAV\
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffe001865ff450
    Upper Device Driver Name: \Driver\disk\
    Lower Device Name: \Device\0000002b\
    Lower Device Object: 0xffffe00185d19060
    Lower Device Driver Name: \Driver\iaStorAV\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffe001865ff450, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffe001865fe040, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffe001865ff450, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    DevicePointer: 0xffffe00185d19ba0, DeviceName: Unknown, DriverName: \Driver\ACPI\
    DevicePointer: 0xffffe00185d19060, DeviceName: \Device\0000002b\, DriverName: \Driver\iaStorAV\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    File "C:\WINDOWS\SYSTEM32\drivers\usbhub.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\USBHUB3.SYS" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\USBHUB3.SYS" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\usbohci.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\usbohci.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\usbport.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\usbport.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\usbprint.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\usbprint.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\USBSTOR.SYS" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\USBSTOR.SYS" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\usbuhci.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\usbuhci.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\USBXHCI.SYS" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\USBXHCI.SYS" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\vdrvroot.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\vdrvroot.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\vhdmp.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\vhdmp.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\volmgr.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\volmgr.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\fxppm.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\fxppm.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\hdaudbus.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\hdaudbus.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\HdAudio.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\HdAudio.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\hidbatt.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\hidbatt.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\hidbth.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\hidbth.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\hidclass.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\hidclass.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\hidi2c.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\hidi2c.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\hidparse.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\hidparse.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\hidusb.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\hidusb.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\i8042prt.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\i8042prt.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\mssmbios.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\mssmbios.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\MTConfig.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\MTConfig.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\npsvctrig.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\npsvctrig.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\volsnap.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\volsnap.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\vwifibus.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\vwifibus.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\wacompen.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\wacompen.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\winusb.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\winusb.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\wmiacpi.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\wmiacpi.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\WSDPrint.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\WSDPrint.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\rdpbus.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\rdpbus.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\sbp2port.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\sbp2port.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\CmBatt.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\CmBatt.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\CompositeBus.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\CompositeBus.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\disk.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\disk.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\drmk.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\drmk.sys" is compressed (flags = 1)
    File "C:\Windows\System32\drivers\drmkaud.sys" is compressed (flags = 1)
    File "C:\WINDOWS\SYSTEM32\drivers\drmkaud.sys" is compressed (flags = 1)
    Done!
    Drive 0
    This is a System drive
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 1549F232

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 63 Numsec = 956076282
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 956076345 Numsec = 20691720

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Done!
    Physical Sector Size: 512
    Drive: 1, DevicePointer: 0xffffe001865fd060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffe001865fe630, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffe001865fd060, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
    DevicePointer: 0xffffe00185d15060, DeviceName: \Device\0000002d\, DriverName: \Driver\iaStorAV\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    Drive 1
    Scanning MBR on drive 1...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 3324897A

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 976768002

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Done!
    Physical Sector Size: 512
    Drive: 2, DevicePointer: 0xffffe00184926060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffe0018491a340, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffe00184926060, DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
    DevicePointer: 0xffffe0018492e710, DeviceName: \Device\0000003f\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk2\DR2\, DriverName: \Driver\disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    Drive 2
    Scanning MBR on drive 2...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: C75FF4DB

    Partition information:

    Partition 0 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 3907024065

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 2000398933504 bytes
    Sector size: 512 bytes

    Done!
    Physical Sector Size: 0
    Drive: 3, DevicePointer: 0xffffe0018837f060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffe0018837fb20, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffe0018837f060, DeviceName: \Device\Harddisk3\DR3\, DriverName: \Driver\disk\
    DevicePointer: 0xffffe0018838a060, DeviceName: \Device\0000005a\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 4, DevicePointer: 0xffffe001883fc060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffe001883fcb20, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffe001883fc060, DeviceName: \Device\Harddisk4\DR4\, DriverName: \Driver\disk\
    DevicePointer: 0xffffe0018838f4f0, DeviceName: \Device\0000005b\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 5, DevicePointer: 0xffffe001883f6060, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffe001883f6b20, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffe001883f6060, DeviceName: \Device\Harddisk5\DR5\, DriverName: \Driver\disk\
    DevicePointer: 0xffffe00188388610, DeviceName: \Device\0000005c\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Physical Sector Size: 0
    Drive: 6, DevicePointer: 0xffffe001883c2640, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffe001883f3040, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffe001883c2640, DeviceName: \Device\Harddisk6\DR6\, DriverName: \Driver\disk\
    DevicePointer: 0xffffe00188385060, DeviceName: \Device\0000005d\, DriverName: \Driver\USBSTOR\
    ------------ End ----------
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-0-63-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-1-r.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-2-r.mbam...
    Removal finished
     
  6. 2014/12/30
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    Please download Farbar Recovery Scan Tool and save it to your Desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply.
     
  7. 2014/12/31
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    Hello,

    Here is the AdwCleaner log:

    # AdwCleaner v4.106 - Report created 31/12/2014 at 09:46:42
    # Updated 21/12/2014 by Xplode
    # Database : 2014-12-30.1 [Live]
    # Operating System : Windows 8.1 Pro with Media Center (64 bits)
    # Username : Shawn - LEDREW-PC
    # Running from : C:\Users\Shawn\Desktop\adwcleaner_4.106.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\Software
    File Deleted : C:\WINDOWS\Downloaded Program Files\popcaploader.inf

    ***** [ Scheduled Tasks ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
    Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
    Key Deleted : HKCU\Software\APN PIP
    Key Deleted : HKLM\SOFTWARE\PIP
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\property.trovit.ca
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\trovit.ca

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17416


    -\\ Google Chrome v39.0.2171.95

    [C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

    *************************

    AdwCleaner[R0].txt - [2319 octets] - [31/12/2014 09:35:16]
    AdwCleaner[S0].txt - [2229 octets] - [31/12/2014 09:46:42]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2289 octets] ##########
    Here is the Junkware Removal tool Log:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.4.1 (12.28.2014:1)
    OS: Windows 8.1 Pro with Media Center x64
    Ran by Shawn on 2014-12-31 at 9:59:50.75
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files



    ~~~ Folders



    ~~~ Event Viewer Logs were cleared
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 2014-12-31 at 10:04:40.03
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Here is the FRST log:

    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 28-12-2014
    Ran by Shawn (administrator) on LEDREW-PC on 31-12-2014 10:05:34
    Running from C:\Users\Shawn\Desktop
    Loaded Profile: Shawn (Available profiles: Shawn & janet_000)
    Platform: Windows 8.1 Pro with Media Center (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe
    (Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
    (Microsoft Corporation) C:\Windows\System32\dasHost.exe
    () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    (Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe
    (IBM Corp.) C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    (Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
    (Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe
    (GoPro) C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe
    (CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\groove.exe
    (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
    (Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe
    (Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
    (Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    (Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicatorCom.exe
    (Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe
    (Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\msosync.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
    HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472984 2013-06-03] (Adobe Systems Incorporated)
    HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
    HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [110144 2013-03-04] (CyberLink)
    HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [492096 2013-03-04] (CyberLink Corp.)
    HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
    HKLM-x32\...\Run: [] => [X]
    HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
    HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [305088 2011-04-25] (Citrix Systems, Inc.)
    HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
    HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
    HKU\S-1-5-21-1989184882-1871269664-67301077-1001\...\Run: [Power2GoExpress8] => (the data entry has 824 more characters).
    HKU\S-1-5-21-1989184882-1871269664-67301077-1001\...\Run: [HP Officejet Pro 8600 (NET)] => C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
    HKU\S-1-5-21-1989184882-1871269664-67301077-1001\...\Run: [CAHeadless] => C:\Program Files (x86)\Adobe\Elements 12 Organizer\CAHeadless\ElementsAutoAnalyzer.exe [1401064 2014-04-07] (Adobe Systems Incorporated)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GoPro Importer.lnk
    ShortcutTarget: GoPro Importer.lnk -> C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe (GoPro)
    Startup: C:\Users\Shawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk
    ShortcutTarget: Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk -> C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
    Startup: C:\Users\Shawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive for Business.lnk
    ShortcutTarget: OneDrive for Business.lnk -> C:\Program Files\Microsoft Office 15\root\office15\groove.exe (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKU\S-1-5-21-1989184882-1871269664-67301077-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://t.ca.msn.com/
    HKU\S-1-5-21-1989184882-1871269664-67301077-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.ca.msn.com/
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll (Microsoft Corporation)
    BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL (Microsoft Corporation)
    BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect121.cab
    DPF: HKLM-x32 {82E5DF24-51E8-47CD-864A-F4BD5005AA73} https://www.icloud.com/system/iCloud.cab
    DPF: HKLM-x32 {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
    DPF: HKLM-x32 {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://games.ca.zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
    DPF: HKLM-x32 {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
    Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL (Microsoft Corporation)
    Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
    Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.254 75.153.176.9

    FireFox:
    ========
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Microsoft Office\Office15\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3522.0110 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF Plugin HKU\S-1-5-21-1989184882-1871269664-67301077-1001: @citrixonline.com/appdetectorplugin -> C:\Users\Shawn\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)

    Chrome:
    =======
    CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\PepperFlash\pepflashplayer.dll No File
    CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\ppGoogleNaClPluginChrome.dll No File
    CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\pdf.dll No File
    CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL No File
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL No File
    CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
    CHR Plugin: (Java(TM) Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
    CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    CHR Plugin: (Citrix Online Web Deployment Plugin 1.0.0.94) - C:\Users\Shawn\AppData\Local\Citrix\Plugins\94\npappdetector.dll (Citrix Online)
    CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll No File
    CHR Profile: C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-07-15]
    CHR Extension: (Google Drive) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-07-15]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-19]
    CHR Extension: (YouTube) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-07-15]
    CHR Extension: (Google Search) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-07-15]
    CHR Extension: (Google Wallet) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-08]
    CHR Extension: (Gmail) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-07-15]

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AdobeActiveFileMonitor12.0; C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe [181152 2013-09-25] (Adobe Systems Incorporated)
    R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2449592 2014-11-12] (Microsoft Corporation)
    S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
    S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
    R2 RapportMgmtService; C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe [1919256 2014-11-21] (IBM Corp.)
    R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2013-03-06] ()
    S4 TlntSvr; C:\Windows\System32\tlntsvr.exe [146944 2013-11-16] (Microsoft Corporation)
    S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
    S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-05] (CyberLink)
    S3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2014-11-21] (Malwarebytes Corporation)
    R0 PxHlpa64; C:\Windows\System32\drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
    R1 RapportCerberus_80083; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus64_80083.sys [761720 2014-12-14] ()
    R1 RapportEI64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportEI64.sys [445912 2014-11-21] (IBM Corp.)
    R0 RapportHades64; C:\Windows\System32\Drivers\RapportHades64.sys [289656 2014-11-21] (IBM Corp.)
    S3 RapportKE64; C:\Windows\System32\Drivers\RapportKE64.sys [534104 2014-11-21] (IBM Corp.)
    R1 RapportPG64; C:\Program Files (x86)\Trusteer\Rapport\bin\x64\RapportPG64.sys [557656 2014-11-21] (IBM Corp.)
    U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2014-12-30] ()
    R3 VST64HWBS2; C:\Windows\system32\DRIVERS\VSTBS26.SYS [411136 2013-06-18] (Conexant Systems, Inc.)
    R3 VST64_DPV; C:\Windows\system32\DRIVERS\VSTDPV6.SYS [1485312 2013-06-18] (Conexant Systems, Inc.)
    S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-12-31 10:05 - 2014-12-31 10:06 - 00020612 _____ () C:\Users\Shawn\Desktop\FRST.txt
    2014-12-31 10:05 - 2014-12-31 10:05 - 00000000 ____D () C:\FRST
    2014-12-31 10:04 - 2014-12-31 10:04 - 00000636 _____ () C:\Users\Shawn\Desktop\JRT.txt
    2014-12-31 09:59 - 2014-12-31 09:59 - 00000000 ____D () C:\WINDOWS\ERUNT
    2014-12-31 09:51 - 2014-12-31 09:51 - 00002377 _____ () C:\Users\Shawn\Desktop\AdwCleaner[S0].txt
    2014-12-31 09:35 - 2014-12-31 09:46 - 00000000 ____D () C:\AdwCleaner
    2014-12-31 09:33 - 2014-12-31 09:33 - 02123264 _____ (Farbar) C:\Users\Shawn\Desktop\FRST64.exe
    2014-12-31 09:32 - 2014-12-31 09:32 - 02173952 _____ () C:\Users\Shawn\Desktop\adwcleaner_4.106.exe
    2014-12-31 09:32 - 2014-12-31 09:32 - 01707939 _____ (Thisisu) C:\Users\Shawn\Desktop\JRT.exe
    2014-12-30 15:18 - 2014-12-30 15:54 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    2014-12-30 15:17 - 2014-12-30 15:54 - 00000000 ____D () C:\Users\Shawn\Desktop\mbar
    2014-12-30 15:10 - 2014-12-30 15:10 - 00004188 _____ () C:\Users\Shawn\Desktop\RKreport_DEL_12302014_150856.log
    2014-12-30 15:01 - 2014-12-30 15:01 - 00035064 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
    2014-12-30 15:01 - 2014-12-30 15:01 - 00000000 ____D () C:\ProgramData\RogueKiller
    2014-12-30 14:59 - 2014-12-30 14:59 - 16448208 _____ (Malwarebytes Corp.) C:\Users\Shawn\Desktop\mbar-1.08.2.1001.exe
    2014-12-30 14:58 - 2014-12-30 14:59 - 15298136 _____ () C:\Users\Shawn\Desktop\RogueKiller.exe
    2014-12-29 11:51 - 2014-12-29 11:51 - 00000810 _____ () C:\Users\Public\Desktop\Speccy.lnk
    2014-12-29 11:51 - 2014-12-29 11:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Speccy
    2014-12-29 11:51 - 2014-12-29 11:51 - 00000000 ____D () C:\Program Files\Speccy
    2014-12-29 10:37 - 2014-12-29 10:37 - 00688992 _____ (Swearware) C:\Users\Shawn\Desktop\dds.com
    2014-12-29 09:52 - 2014-12-31 09:50 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2014-12-29 09:51 - 2014-12-30 15:17 - 00096472 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
    2014-12-29 09:51 - 2014-12-29 09:51 - 00001116 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2014-12-29 09:51 - 2014-12-29 09:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2014-12-29 09:51 - 2014-12-29 09:51 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2014-12-29 09:51 - 2014-12-29 09:51 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
    2014-12-29 09:51 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
    2014-12-29 09:51 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
    2014-12-27 16:00 - 2014-12-27 16:00 - 00003886 _____ () C:\WINDOWS\System32\Tasks\Adobe Acrobat Update Task
    2014-12-19 12:24 - 2014-10-30 15:37 - 00129536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\poqexec.exe
    2014-12-19 12:24 - 2014-10-30 15:34 - 00146432 _____ (Microsoft Corporation) C:\WINDOWS\system32\poqexec.exe
    2014-12-10 05:39 - 2014-10-30 16:39 - 01970432 _____ (Microsoft Corporation) C:\WINDOWS\system32\crypt32.dll
    2014-12-10 05:39 - 2014-10-30 16:38 - 01612992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\crypt32.dll
    2014-12-10 05:24 - 2014-11-09 19:29 - 00034304 _____ (Microsoft Corporation) C:\WINDOWS\system32\DeviceSetupStatusProvider.dll
    2014-12-10 05:24 - 2014-11-09 18:51 - 00028672 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\DeviceSetupStatusProvider.dll
    2014-12-10 05:23 - 2014-11-06 21:16 - 01762840 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowsCodecs.dll
    2014-12-10 05:23 - 2014-11-06 20:26 - 01489072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WindowsCodecs.dll
    2014-12-10 05:22 - 2014-11-21 20:13 - 25059840 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
    2014-12-10 05:22 - 2014-11-21 19:50 - 00580096 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
    2014-12-10 05:22 - 2014-11-21 19:49 - 02885120 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
    2014-12-10 05:22 - 2014-11-21 19:49 - 00417280 _____ (Microsoft Corporation) C:\WINDOWS\system32\html.iec
    2014-12-10 05:22 - 2014-11-21 19:48 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
    2014-12-10 05:22 - 2014-11-21 19:35 - 00812544 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
    2014-12-10 05:22 - 2014-11-21 19:34 - 06039552 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
    2014-12-10 05:22 - 2014-11-21 19:22 - 19749376 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
    2014-12-10 05:22 - 2014-11-21 19:08 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
    2014-12-10 05:22 - 2014-11-21 19:07 - 00501248 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
    2014-12-10 05:22 - 2014-11-21 19:06 - 00340992 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\html.iec
    2014-12-10 05:22 - 2014-11-21 19:06 - 00145408 _____ (Microsoft Corporation) C:\WINDOWS\system32\iepeers.dll
    2014-12-10 05:22 - 2014-11-21 19:05 - 00316928 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
    2014-12-10 05:22 - 2014-11-21 19:05 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
    2014-12-10 05:22 - 2014-11-21 19:01 - 02277888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
    2014-12-10 05:22 - 2014-11-21 18:59 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
    2014-12-10 05:22 - 2014-11-21 18:55 - 00661504 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
    2014-12-10 05:22 - 2014-11-21 18:52 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
    2014-12-10 05:22 - 2014-11-21 18:49 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
    2014-12-10 05:22 - 2014-11-21 18:49 - 00718848 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
    2014-12-10 05:22 - 2014-11-21 18:49 - 00373760 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
    2014-12-10 05:22 - 2014-11-21 18:46 - 02125312 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
    2014-12-10 05:22 - 2014-11-21 18:43 - 14412800 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
    2014-12-10 05:22 - 2014-11-21 18:35 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
    2014-12-10 05:22 - 2014-11-21 18:34 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
    2014-12-10 05:22 - 2014-11-21 18:33 - 00285696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
    2014-12-10 05:22 - 2014-11-21 18:29 - 04299264 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
    2014-12-10 05:22 - 2014-11-21 18:29 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
    2014-12-10 05:22 - 2014-11-21 18:28 - 02358272 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
    2014-12-10 05:22 - 2014-11-21 18:25 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
    2014-12-10 05:22 - 2014-11-21 18:23 - 00688640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
    2014-12-10 05:22 - 2014-11-21 18:23 - 00326656 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
    2014-12-10 05:22 - 2014-11-21 18:22 - 02052096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
    2014-12-10 05:22 - 2014-11-21 18:15 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
    2014-12-10 05:22 - 2014-11-21 18:13 - 12836864 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
    2014-12-10 05:22 - 2014-11-21 18:03 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
    2014-12-10 05:22 - 2014-11-21 18:00 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
    2014-12-10 05:22 - 2014-11-21 17:56 - 01307136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
    2014-12-10 05:22 - 2014-11-21 17:54 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
    2014-12-10 05:22 - 2014-10-31 16:57 - 01091072 _____ (Microsoft Corporation) C:\WINDOWS\system32\MrmCoreR.dll
    2014-12-10 05:22 - 2014-10-31 16:47 - 00790528 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MrmCoreR.dll
    2014-12-10 05:22 - 2014-10-12 19:43 - 00238912 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\sdbus.sys
    2014-12-10 05:22 - 2014-10-12 19:43 - 00153920 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\dumpsd.sys
    2014-12-10 05:22 - 2014-10-12 19:43 - 00086336 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\pdc.sys
    2014-12-10 05:22 - 2014-10-12 19:43 - 00039744 ____C (Microsoft Corporation) C:\WINDOWS\system32\Drivers\intelpep.sys
    2014-12-06 10:14 - 2014-12-06 10:14 - 00072268 _____ () C:\Users\Shawn\Desktop\9.01 Vendor and Project List R1.xlsx
    2014-12-06 09:47 - 2014-12-06 09:46 - 00272808 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\javaws.exe
    2014-12-06 09:46 - 2014-12-06 09:46 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\javaw.exe
    2014-12-06 09:46 - 2014-12-06 09:46 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\java.exe
    2014-12-06 09:46 - 2014-12-06 09:46 - 00098216 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
    2014-12-06 09:46 - 2014-12-06 09:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    2014-12-06 09:46 - 2014-12-06 09:46 - 00000000 ____D () C:\Program Files (x86)\Java
    2014-12-06 09:44 - 2014-12-06 09:44 - 00001126 _____ () C:\Users\Shawn\Desktop\GoPro Studio.lnk
    2014-12-06 09:44 - 2014-12-06 09:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GoPro
    2014-12-06 09:42 - 2014-12-06 09:43 - 00000000 ____D () C:\ProgramData\Package Cache

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-12-31 10:02 - 2014-10-13 08:30 - 00004978 _____ () C:\WINDOWS\System32\Tasks\Microsoft Office 15 Sync Maintenance for LEDREW-PC-Shawn ledrew-pc
    2014-12-31 10:02 - 2013-08-22 08:36 - 00000000 ____D () C:\WINDOWS\system32\sru
    2014-12-31 09:57 - 2013-11-16 14:13 - 01281229 _____ () C:\WINDOWS\WindowsUpdate.log
    2014-12-31 09:54 - 2013-07-15 19:07 - 00000926 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2014-12-31 09:54 - 2012-11-12 11:18 - 00003594 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1989184882-1871269664-67301077-1001
    2014-12-31 09:51 - 2013-11-16 14:53 - 00000000 ____D () C:\Users\Shawn\SkyDrive
    2014-12-31 09:49 - 2013-07-15 19:07 - 00000922 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2014-12-31 09:48 - 2013-11-16 14:15 - 00000000 ____D () C:\ProgramData\NVIDIA
    2014-12-31 09:48 - 2013-09-29 21:03 - 00016910 _____ () C:\WINDOWS\PFRO.log
    2014-12-31 09:48 - 2013-08-22 07:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2014-12-31 09:47 - 2013-08-22 06:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
    2014-12-31 09:25 - 2014-07-02 13:34 - 00000582 _____ () C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1989184882-1871269664-67301077-1001.job
    2014-12-31 05:11 - 2013-11-16 15:03 - 00003930 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{4FDECC5D-7C0B-445B-AC24-3E3A4BD0022E}
    2014-12-31 02:00 - 2012-11-12 12:53 - 00000000 ____D () C:\Users\Shawn\AppData\Local\Adobe
    2014-12-30 20:54 - 2014-10-13 19:06 - 00000000 ___RD () C:\Users\Shawn\ODBA
    2014-12-30 20:54 - 2013-11-16 14:21 - 00000000 ____D () C:\Users\Shawn
    2014-12-30 18:30 - 2012-11-12 14:31 - 00003594 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1989184882-1871269664-67301077-1004
    2014-12-30 18:25 - 2013-11-16 15:07 - 00000000 ___DO () C:\Users\janet_000\SkyDrive
    2014-12-30 10:46 - 2013-08-22 08:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
    2014-12-29 11:55 - 2013-11-02 13:33 - 00000000 ____D () C:\Users\Shawn\AppData\Roaming\HpUpdate
    2014-12-29 10:30 - 2014-04-06 08:05 - 00000000 ____D () C:\WINDOWS\en
    2014-12-27 16:11 - 2014-10-13 08:05 - 00000000 ____D () C:\Program Files\Microsoft Office 15
    2014-12-27 16:05 - 2013-11-20 09:11 - 00003946 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{4FAFFAE1-03CB-47BF-AF1F-AE1C994E2D56}
    2014-12-20 04:07 - 2012-07-26 00:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
    2014-12-17 12:23 - 2013-08-22 08:36 - 00000000 ____D () C:\WINDOWS\rescache
    2014-12-15 19:49 - 2012-11-12 11:09 - 00000000 ____D () C:\Users\Shawn\AppData\Local\Packages
    2014-12-15 16:55 - 2013-07-15 19:08 - 00002205 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
    2014-12-15 16:29 - 2014-01-20 12:01 - 00002457 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
    2014-12-14 21:11 - 2013-08-29 16:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Trusteer Endpoint Protection
    2014-12-11 00:53 - 2013-08-22 08:36 - 00000000 ____D () C:\WINDOWS\system32\sr-Latn-RS
    2014-12-11 00:53 - 2013-08-22 08:36 - 00000000 ____D () C:\WINDOWS\system32\sr-Latn-CS
    2014-12-11 00:53 - 2013-08-22 08:36 - 00000000 ____D () C:\WINDOWS\PolicyDefinitions
    2014-12-11 00:41 - 2013-08-15 02:25 - 00000000 ____D () C:\WINDOWS\system32\MRT
    2014-12-11 00:37 - 2012-12-15 09:28 - 112710672 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
    2014-12-07 15:19 - 2013-05-03 10:02 - 00000000 ____D () C:\Users\janet_000\AppData\Local\GoPro
    2014-12-06 10:45 - 2014-07-02 13:34 - 00003584 _____ () C:\WINDOWS\System32\Tasks\G2MUpdateTask-S-1-5-21-1989184882-1871269664-67301077-1001
    2014-12-06 09:53 - 2012-11-12 14:04 - 00000000 ____D () C:\Users\Shawn\AppData\Local\Microsoft Help
    2014-12-06 09:47 - 2013-10-20 11:01 - 00000000 ____D () C:\ProgramData\Oracle
    2014-12-06 09:44 - 2013-04-28 20:24 - 00000000 ____D () C:\Users\Shawn\AppData\Local\GoPro
    2014-12-06 09:43 - 2013-04-28 07:40 - 00000000 ____D () C:\Program Files (x86)\GoPro
    2014-12-06 09:43 - 2012-12-01 17:47 - 00029454 _____ () C:\WINDOWS\DPINST.LOG

    Files to move or delete:
    ====================
    C:\Users\Shawn\PowerDirector_2902_GM5_Trial_Trial_VDE130412-01.exe


    Some content of TEMP:
    ====================
    C:\Users\janet_000\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\BoxForOffice.exe
    C:\Users\Shawn\AppData\Local\Temp\dllnt_dump.dll
    C:\Users\Shawn\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\Quarantine.exe
    C:\Users\Shawn\AppData\Local\Temp\readSTILog.dll
    C:\Users\Shawn\AppData\Local\Temp\sqlite3.dll


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2014-12-29 12:15

    ==================== End Of Log ============================



    I will need to add the Addition.txt log to another post; if I include it in this reply, the reply exceeds the maximum number of characters.
     
  8. 2014/12/31
    sledrew
    Here is the Addition.txt log:

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 28-12-2014
    Ran by Shawn at 2014-12-31 10:06:37
    Running from C:\Users\Shawn\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    µTorrent (HKU\S-1-5-21-1989184882-1871269664-67301077-1001\...\uTorrent) (Version: 3.4.2.34944 - BitTorrent Inc.)
    7-Zip 9.21beta (HKLM-x32\...\7-Zip) (Version: - )
    Adobe Premiere Elements 12 (HKLM\...\PremElem120) (Version: 12.1.0.0 - Adobe Systems Incorporated)
    Adobe Premiere Elements 12 (Version: 12.0 - Adobe Systems Incorporated) Hidden
    Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
    Adolix Split and Merge PDF v2.1 (HKLM-x32\...\Adolix Split and Merge PDF_is1) (Version: - Adolix Software)
    Aleesoft Free iPad Video Converter 2.5.71 (HKLM-x32\...\Aleesoft Free iPad Video Converter_is1) (Version: - Aleesoft Studio.)
    Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
    Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
    Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
    Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
    Citrix Online Launcher (HKLM-x32\...\{AC7E7905-8C59-4806-A96D-30936A2B1FC5}) (Version: 1.0.168 - Citrix)
    Citrix online plug-in - web (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 12.1.44.1 - Citrix Systems, Inc.)
    CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version: 3.0 - CutePDF.com)
    CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.0.2126b - CyberLink Corp.)
    CyberLink PowerDirector 11 (HKLM-x32\...\InstallShield_{551F492A-01B0-4DC4-866F-875EC4EDC0A8}) (Version: 11.0.0.2902 - CyberLink Corp.)
    CyberLink PowerDirector 11 (Version: 11.0.0.2902 - CyberLink Corp.) Hidden
    CyberLink WaveEditor 2 (HKLM-x32\...\InstallShield_{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}) (Version: 2.0.3206 - CyberLink Corp.)
    D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
    Elements 12 Organizer (x32 Version: 12.0 - Adobe Systems Incorporated) Hidden
    Garmin USB Drivers (HKLM-x32\...\{3D5D6CFC-3097-425A-8D8F-7EAF5D57641D}) (Version: 2.3.1.0 - Garmin Ltd or its subsidiaries)
    Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
    Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
    GoPro Studio 2.5.3 (HKLM-x32\...\GoPro Studio) (Version: 2.5.3 - GoPro, Inc.)
    GoToMeeting 7.0.4.2033 (HKU\S-1-5-21-1989184882-1871269664-67301077-1001\...\GoToMeeting) (Version: 7.0.4.2033 - CitrixOnline)
    HP Officejet Pro 8600 Basic Device Software (HKLM\...\{791A06E2-340F-43B0-8FAB-62D151339362}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
    HP Officejet Pro 8600 Help (HKLM-x32\...\{46235FF7-2CBE-4A84-BEDA-87348D1F7850}) (Version: 28.0.0 - Hewlett Packard)
    HP Officejet Pro 8600 Product Improvement Study (HKLM\...\{2BF5E9CC-C55D-4B0F-ACAF-FFE77F333CD8}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
    HP Product Detection (HKLM-x32\...\{42D10994-A566-495D-A5E7-D0C6B5C6B35C}) (Version: 11.14.0006 - HP)
    HP Update (HKLM-x32\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
    I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
    iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
    Java 7 Update 71 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
    Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
    Microsoft Office 365 ProPlus - en-us (HKLM\...\O365ProPlusRetail - en-us) (Version: 15.0.4675.1003 - Microsoft Corporation)
    Microsoft OneDrive for Business 2013 - en-us (HKLM\...\GrooveRetail - en-us) (Version: 15.0.4675.1003 - Microsoft Corporation)
    Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
    Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
    Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
    Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
    Movie Maker (x32 Version: 16.4.3522.0110 - Microsoft Corporation) Hidden
    Newblue Art Effects for PowerDirector (HKLM\...\NewBlue Art Effects for PowerDirector) (Version: 2.0 - NewBlue)
    NVIDIA 3D Vision Driver 327.02 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 327.02 - NVIDIA Corporation)
    NVIDIA Graphics Driver 327.02 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 327.02 - NVIDIA Corporation)
    Office 15 Click-to-Run Extensibility Component (Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
    Office 15 Click-to-Run Licensing Component (Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
    Office 15 Click-to-Run Localization Component (Version: 15.0.4675.1003 - Microsoft Corporation) Hidden
    PRE12 STI 64Installer (x32 Version: 12.0 - Adobe Systems Incorporated) Hidden
    proDAD ProDRENALIN 1.0 (64bit) (HKLM\...\proDAD-ProDRENALIN-1.0) (Version: 1.0.22.1 - proDAD GmbH)
    QuickTime 7 (HKLM-x32\...\{111EE7DF-FC45-40C7-98A7-753AC46B12FB}) (Version: 7.75.80.95 - Apple Inc.)
    Rapport (x32 Version: 3.5.1404.34 - Trusteer) Hidden
    Speccy (HKLM\...\Speccy) (Version: 1.27 - Piriform)
    Trusteer Endpoint Protection (HKLM-x32\...\Rapport_msi) (Version: 3.5.1404.34 - Trusteer)
    Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0) (HKLM\...\98157A226B40B173301B0F53C8E98C47805D5152) (Version: 04/19/2012 2.3.1.0 - Garmin)
    Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices (03/07/2012 ) (HKLM\...\0B624A43DD66DBF5CF3EDFA9741A364E688062A4) (Version: 03/07/2012 - GoPro)
    Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3522.0110 - Microsoft Corporation)
    WinRAR 5.11 beta 1 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.11.1 - win.rar GmbH)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

    CustomCLSID: HKU\S-1-5-21-1989184882-1871269664-67301077-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Citrix\GoToMeeting\1440\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)

    ==================== Restore Points =========================

    14-12-2014 21:09:59 Installed Rapport
    19-12-2014 06:57:46 Windows Update
    27-12-2014 17:18:06 Scheduled Checkpoint
    30-12-2014 15:14:44 Pre Malwarebytes Scan

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {1BDDCBD1-8DF4-445F-A6F2-D739BD86EBDC} - System32\Tasks\AdobeAAMUpdater-1.0-MicrosoftAccount-shawnledrew@hotmail.com => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2013-06-03] (Adobe Systems Incorporated)
    Task: {3C0B3C72-E1B8-4C97-9325-8E8073E7F92D} - System32\Tasks\HPCustParticipation HP Officejet Pro 8600 => C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17] (Hewlett-Packard Co.)
    Task: {5DD00D09-A7B8-4C8C-85D7-B1D4D5C09FBC} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2014-12-11] (Microsoft Corporation)
    Task: {5FC54D4A-3850-46E2-A95E-B5F562165A7D} - System32\Tasks\Microsoft\Office\Office Automatic Updates => C:\Program Files\Microsoft Office 15\ClientX64\OfficeC2RClient.exe [2014-11-04] (Microsoft Corporation)
    Task: {6342AC09-7029-42E7-8354-6CF0136CD062} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-15] (Google Inc.)
    Task: {6B7615D8-0280-4A5B-9C03-15ACEC3CFAB5} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
    Task: {71242B12-D371-4BB6-AAC6-922D451C0DB8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-15] (Google Inc.)
    Task: {72995EB4-61B8-4C4B-AEB4-0B83FA1EE846} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-07] (Microsoft Corporation)
    Task: {757341A5-34F1-4196-BA9F-6AE5AC4C2910} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
    Task: {86B0653D-4A29-4EB4-9507-47FB2FF86E02} - System32\Tasks\Microsoft Office 15 Sync Maintenance for LEDREW-PC-Shawn ledrew-pc => C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe [2014-11-04] (Microsoft Corporation)
    Task: {8D013ACD-0AB0-41ED-BAC0-187362FF7D49} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
    Task: {90259520-6A72-4872-9730-9CB50D6186C9} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office 15\root\Office15\msoia.exe [2014-10-07] (Microsoft Corporation)
    Task: {D83A55A8-EA4F-4966-9849-BB58088274A4} - System32\Tasks\Microsoft\Office\Office Subscription Maintenance => C:\Program Files\Microsoft Office 15\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE15\OLicenseHeartbeat.exe [2014-11-12] (Microsoft Corporation)
    Task: {FFB58E3D-E091-4CE5-AA99-6FA69665DBEB} - System32\Tasks\G2MUpdateTask-S-1-5-21-1989184882-1871269664-67301077-1001 => C:\Users\Shawn\AppData\Local\Citrix\GoToMeeting\2033\g2mupdate.exe [2014-12-06] (Citrix Online, a division of Citrix Systems, Inc.)
    Task: C:\WINDOWS\Tasks\G2MUpdateTask-S-1-5-21-1989184882-1871269664-67301077-1001.job => C:\Users\Shawn\AppData\Local\Citrix\GoToMeeting\2033\g2mupdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

    ==================== Loaded Modules (whitelisted) =============

    2012-12-01 17:33 - 2012-10-04 19:49 - 00087152 _____ () C:\WINDOWS\System32\cpwmon64.dll
    2014-10-13 08:05 - 2014-05-20 08:19 - 00105640 _____ () C:\Program Files\Microsoft Office 15\ClientX64\ApiClient.dll
    2013-05-19 17:02 - 2013-03-06 13:42 - 00389896 _____ () C:\Program Files\CyberLink\Shared files\RichVideo64.exe
    2014-11-21 05:45 - 2014-11-21 05:45 - 00393376 _____ () C:\Program Files\Microsoft Office 15\root\office15\AppVIsvStream64.dll
    2014-11-21 05:47 - 2014-09-23 06:36 - 08897696 _____ () C:\Program Files\Microsoft Office 15\root\office15\1033\GrooveIntlResource.dll
    2014-11-21 05:47 - 2014-09-23 06:36 - 08897696 _____ () C:\Program Files\Microsoft Office 15\root\Office15\1033\GrooveIntlResource.dll
    2014-11-21 05:45 - 2014-11-21 05:45 - 00393376 _____ () C:\Program Files\Microsoft Office 15\Root\Office15\AppVIsvStream64.dll
    2014-02-06 00:52 - 2014-02-06 00:52 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    2014-10-11 12:05 - 2014-10-11 12:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
    2014-03-23 16:04 - 2014-03-23 16:04 - 00557056 _____ () C:\Program Files (x86)\Trusteer\Rapport\bin\js32.dll
    2014-11-04 17:01 - 2014-11-04 17:01 - 01794560 _____ () C:\Program Files (x86)\GoPro\Tools\Importer\GPSDKAnalyticsNet.dll
    2013-04-28 18:27 - 2013-03-04 20:40 - 00626240 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
    2013-03-05 10:41 - 2013-03-05 10:41 - 00015424 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

    AlternateDataStreams: C:\ProgramData\Temp:054203E4
    AlternateDataStreams: C:\Users\janet_000\SkyDrive:ms-properties
    AlternateDataStreams: C:\Users\Shawn\OneDrive:ms-properties
    AlternateDataStreams: C:\Users\Shawn\SkyDrive:ms-properties

    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) =============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== MSCONFIG/TASK MANAGER disabled items =========

    (Currently there is no automatic fix for this section.)


    ========================= Accounts: ==========================

    Administrator (S-1-5-21-1989184882-1871269664-67301077-500 - Administrator - Disabled)
    Guest (S-1-5-21-1989184882-1871269664-67301077-501 - Limited - Disabled)
    HomeGroupUser$ (S-1-5-21-1989184882-1871269664-67301077-1008 - Limited - Enabled)
    janet_000 (S-1-5-21-1989184882-1871269664-67301077-1004 - Administrator - Enabled) => C:\Users\janet_000
    Shawn (S-1-5-21-1989184882-1871269664-67301077-1001 - Administrator - Enabled) => C:\Users\Shawn
    UpdatusUser (S-1-5-21-1989184882-1871269664-67301077-1006 - Limited - Enabled)

    ==================== Faulty Device Manager Devices =============

    Name: USB Wireless 802.11 b/g Adaptor
    Description: USB Wireless 802.11 b/g Adaptor
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Lite-On
    Service: netr7364
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action ", and then click "Enable Device ". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================

    System errors:
    =============

    Microsoft Office Sessions:
    =========================

    CodeIntegrity Errors:
    ===================================
    Date: 2014-12-31 09:33:47.891
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-31 09:33:47.750
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-30 15:00:42.558
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-30 15:00:42.417
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-21 19:23:56.547
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-21 19:23:56.406
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-21 19:23:56.156
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-21 19:23:56.000
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-21 19:23:55.765
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    Date: 2014-12-21 19:23:55.484
    Description: Code Integrity determined that a process (\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume1\Program Files\Microsoft Silverlight\xapauthenticodesip.dll that did not meet the Custom 3 / Antimalware signing level requirements.


    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM)2 Quad CPU Q6700 @ 2.66GHz
    Percentage of memory in use: 32%
    Total physical RAM: 4095.29 MB
    Available physical RAM: 2747.46 MB
    Total Pagefile: 4799.29 MB
    Available Pagefile: 3510.47 MB
    Total Virtual: 131072 MB
    Available Virtual: 131071.8 MB

    ==================== Drives ================================

    Drive c: (HP) (Fixed) (Total:455.89 GB) (Free:179.79 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
    Drive d: (HP2) (Fixed) (Total:465.76 GB) (Free:209.04 GB) NTFS
    Drive f: (FACTORY_IMAGE) (Fixed) (Total:9.87 GB) (Free:1.37 GB) NTFS ==>[System with boot components (obtained from reading drive)]
    Drive g: (FreeAgent GoFlex Drive) (Fixed) (Total:1863.01 GB) (Free:1460.97 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 1549F232)
    Partition 1: (Active) - (Size=455.9 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=9.9 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 465.8 GB) (Disk ID: 3324897A)
    Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 2 (Size: 1863 GB) (Disk ID: C75FF4DB)
    Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

    ==================== End Of Log ============================
     
  9. 2014/12/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST(FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
     


  10. 2014/12/31
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    Here is the Fixtxt log:

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 28-12-2014
    Ran by Shawn at 2014-12-31 15:45:19 Run:1
    Running from C:\Users\Shawn\Desktop
    Loaded Profile: Shawn (Available profiles: Shawn & janet_000)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    HKLM-x32\...\Run: [] => [X]
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\PepperFlash\pepflashplayer.dll No File
    CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\pdf.dll No File
    CHR Plugin: (QuickTime Plug-in 7.7.4) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL No File
    CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL No File
    CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
    CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll No File
    CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll No File
    C:\Users\Shawn\PowerDirector_2902_GM5_Trial_Trial_VDE130412-01.exe
    C:\Users\janet_000\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\BoxForOffice.exe
    C:\Users\Shawn\AppData\Local\Temp\dllnt_dump.dll
    C:\Users\Shawn\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Users\Shawn\AppData\Local\Temp\Quarantine.exe
    C:\Users\Shawn\AppData\Local\Temp\readSTILog.dll
    C:\Users\Shawn\AppData\Local\Temp\sqlite3.dll
    AlternateDataStreams: C:\ProgramData\Temp:054203E4
    AlternateDataStreams: C:\Users\janet_000\SkyDrive:ms-properties
    AlternateDataStreams: C:\Users\Shawn\OneDrive:ms-properties
    AlternateDataStreams: C:\Users\Shawn\SkyDrive:ms-properties


    *****************

    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
    HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
    C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\PepperFlash\pepflashplayer.dll not found.
    C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.104\pdf.dll not found.
    C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll not found.
    C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL not found.
    C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL not found.
    C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll not found.
    C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll not found.
    C:\Windows\SysWOW64\npDeployJava1.dll not found.
    C:\Users\Shawn\PowerDirector_2902_GM5_Trial_Trial_VDE130412-01.exe => Moved successfully.
    C:\Users\janet_000\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\BoxForOffice.exe => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\Quarantine.exe => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\readSTILog.dll => Moved successfully.
    C:\Users\Shawn\AppData\Local\Temp\sqlite3.dll => Moved successfully.
    C:\ProgramData\Temp => ":054203E4" ADS removed successfully.
    C:\Users\janet_000\SkyDrive => ":ms-properties" ADS removed successfully.
    "C:\Users\Shawn\OneDrive" => ":ms-properties" ADS not found.
    "C:\Users\Shawn\SkyDrive" => ":ms-properties" ADS not found.

    ==== End of Fixlog 15:45:21 ====
     
  11. 2014/12/31
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Last scans....

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
    NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
      • Other Services
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    Download Sophos Free Virus Removal Tool and save it to your desktop.
    • Double click the icon and select Run
    • Click Next
    • Select I accept the terms in this license agreement, then click Next twice
    • Click Install
    • Click Finish to launch the program
    • Once the virus database has been updated click Start Scanning
    • If any threats are found click Details, then View log file... (bottom left hand corner)
    • Copy and paste the results in your reply
    • Close the Notepad document, close the Threat Details screen, then click Start cleanup
    • Click Exit to close the program
     
  12. 2015/01/01
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    Hello,

    Here is the Security Check log:

    Results of screen317's Security Check version 0.99.93
    x64 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Windows Defender
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Java 7 Update 71
    Adobe Reader XI
    Google Chrome (39.0.2171.71)
    Google Chrome (39.0.2171.95)
    ````````Process Check: objlist.exe by Laurent````````
    Windows Defender MSMpEng.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: %
    ````````````````````End of Log``````````````````````





    Here is the FSS log:

    Farbar Service Scanner Version: 21-07-2014
    Ran by Shawn (administrator) on 01-01-2015 at 11:14:49
    Running from "C:\Users\Shawn\Desktop "
    Microsoft Windows 8.1 Pro with Media Center (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============

    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\dhcpcore.dll => File is digitally signed
    C:\Windows\System32\drivers\afd.sys => File is digitally signed
    C:\Windows\System32\drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****




    The Sophos Virus removal tool did not find any threats during its scan.
     
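The "File Check" section of the FSS log above is a signature check on the binaries behind the networking, firewall, WMI, update and Defender services, and the Code Integrity events in the earlier FRST log are about the same idea (a DLL that does not meet the signing level Defender's engine requires). The following is an added example, not code from the thread or from the FSS tool: it re-runs that check with PowerShell's own Authenticode cmdlet over the same file list and records a SHA-256 for each file, so a suspect file can be compared against a known-good copy later. It assumes an elevated PowerShell 4.0 or later prompt on the machine being examined.

```powershell
# Added example (not part of the thread or of FSS): re-verify the binaries FSS lists
# under "File Check" with Get-AuthenticodeSignature and record a SHA-256 per file.
# Paths are the ones from the FSS log; run from an elevated PowerShell 4.0+ prompt.

$fssFileCheckList = @(
    "$env:SystemRoot\System32\nsisvc.dll",
    "$env:SystemRoot\System32\drivers\nsiproxy.sys",
    "$env:SystemRoot\System32\dhcpcore.dll",
    "$env:SystemRoot\System32\drivers\afd.sys",
    "$env:SystemRoot\System32\drivers\tdx.sys",
    "$env:SystemRoot\System32\Drivers\tcpip.sys",
    "$env:SystemRoot\System32\dnsrslvr.dll",
    "$env:SystemRoot\System32\mpssvc.dll",
    "$env:SystemRoot\System32\bfe.dll",
    "$env:SystemRoot\System32\drivers\mpsdrv.sys",
    "$env:SystemRoot\System32\wscsvc.dll",
    "$env:SystemRoot\System32\wbem\WMIsvc.dll",
    "$env:SystemRoot\System32\wuaueng.dll",
    "$env:SystemRoot\System32\qmgr.dll",
    "$env:SystemRoot\System32\es.dll",
    "$env:SystemRoot\System32\cryptsvc.dll",
    "$env:ProgramFiles\Windows Defender\MpSvc.dll",
    "$env:ProgramFiles\Windows Defender\MsMpEng.exe",
    "$env:SystemRoot\System32\ipnathlp.dll",
    "$env:SystemRoot\System32\iphlpsvc.dll",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\rpcss.dll"
)

function Test-ServiceBinarySignatures {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A missing service binary is worth knowing about on its own.
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = $null; SHA256 = $null }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Path   = $p
            Status = [string]$sig.Status     # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $signer
            SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$results = Test-ServiceBinarySignatures -Path $fssFileCheckList
$results | Format-Table -AutoSize Status, Path, Signer

# Caveat for Windows 8.1 (PowerShell 4.0): files signed only through a catalog (.cat)
# show as NotSigned here, because this version only checks embedded signatures.
# HashMismatch, or a non-Microsoft signer on a file in this list, is the real red flag;
# a NotSigned result should be re-checked with a catalog-aware tool before concluding
# anything.
$results | Where-Object { $_.Status -ne 'Valid' } | Format-List
```

The SHA-256 column is there so the result can be kept: if a later scan flags one of these files, the hash taken while the machine was believed clean tells you whether the file changed in the meantime.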
  13. 2015/01/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Update your Java version here: http://www.java.com/en/download/manual.jsp
    Alternate download: http://www.filehippo.com/search?q=java

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.
    Note 2: If you're running 64-bit system make sure you install BOTH, 32-bit and 64-bit Java.
    Note 3: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ==============================

    Your computer is clean

    1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
    This is a very crucial step so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.

    2. Make sure Windows Updates are current.

    3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    4. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    11. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
    About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

    12. Please let me know how your computer is doing.
     
  14. 2015/01/01
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    My computer seems to be running normally now, the speed is much improved and the WMI Provider Host process is not gobbling up the processor.

    Thank you for your help!
     
  15. 2015/01/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Way to go!!
    Good luck and stay safe :)
     
  16. 2015/01/01
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    I spoke too soon... I rebooted and the issue has returned.
     
  17. 2015/01/01
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
    Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
    NOTE. Windows Vista, 7 and 8 users right click on procexp.exe, click "Run As Administrator".
    Click on View > Select Columns.
    In addition to already pre-selected options, make sure the Command Line is selected, and press OK.
    Go File>Save As, and save the report as Procexp.txt.
    Attach the file to your next reply.
     
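The reason the Command Line column matters here is that WmiPrvSE.exe hosts WMI providers on behalf of other processes, so its own command line (just wmiprvse.exe, as the listing in the next post shows) says nothing about who is keeping it busy. Below is an added example, written for this thread and not part of Process Explorer or anything broni posted: a PowerShell script that produces the same columns as the Process Explorer text report, samples WmiPrvSE's CPU share the way Process Explorer displays it, and then reads the WMI-Activity operational event log to map provider loads to WmiPrvSE host PIDs and failed operations to their calling process. The event IDs (5857 provider load, 5858 failed operation) and the message fields the regular expressions parse are from my own notes on that log on Windows 8.1, not from anything in the thread, so treat them as assumptions to confirm against your own Event Viewer. Run it from an elevated PowerShell 4.0 or later prompt.

```powershell
# Added example (not from the thread): a PowerShell substitute for the Process Explorer
# report requested above, plus a first attempt at attributing WmiPrvSE.exe CPU time.
# Assumptions: Windows 8.1 / PowerShell 4.0+, elevated. Event IDs 5857/5858 and the
# message fields parsed below are from my notes on the WMI-Activity log, not the thread.

function Get-ProcessReport {
    # Same columns as the Process Explorer "Save As" text. Get-Process has no command
    # line, so join it with Win32_Process by PID.
    $wmiByPid = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $wmiByPid[[int]$_.ProcessId] = $_ }
    foreach ($p in Get-Process) {
        $w   = $wmiByPid[[int]$p.Id]
        $cpu = 0.0
        if ($p.CPU) { $cpu = [math]::Round($p.CPU, 2) }   # null for processes we cannot open
        [pscustomobject]@{
            Name         = $p.ProcessName
            PID          = $p.Id
            ParentPID    = $(if ($w) { $w.ParentProcessId } else { $null })
            CPUSeconds   = $cpu   # cumulative CPU time; Process Explorer shows an instantaneous %
            PrivateKB    = [math]::Round($p.PrivateMemorySize64 / 1KB)
            WorkingSetKB = [math]::Round($p.WorkingSet64 / 1KB)
            Company      = $p.Company
            CommandLine  = $(if ($w) { $w.CommandLine } else { $null })
        }
    }
}

function Measure-ProcessCpuPercent {
    # Sample cumulative CPU seconds twice; the delta over the interval, divided by the
    # core count, is the same "% of total CPU" figure Process Explorer displays.
    param([string]$Name = 'WmiPrvSE', [int]$Seconds = 30)
    $before = @{}
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object { $before[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $Seconds
    $cores = [int]$env:NUMBER_OF_PROCESSORS
    foreach ($p in Get-Process -Name $Name -ErrorAction SilentlyContinue) {
        $start = 0.0
        if ($before.ContainsKey($p.Id)) { $start = $before[$p.Id] }
        [pscustomobject]@{
            PID        = $p.Id
            PercentCPU = [math]::Round(($p.CPU - $start) / $Seconds / $cores * 100, 1)
        }
    }
}

function Get-WmiActivity {
    # The WMI-Activity operational log names both sides of a WMI call:
    #   5857: a provider DLL was loaded into a specific WmiPrvSE host (ProcessID = ...)
    #   5858: an operation failed, with the caller's ClientProcessId and the query text
    param([int]$MaxEvents = 500)
    $log    = 'Microsoft-Windows-WMI-Activity/Operational'
    $events = Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $m = $e.Message
        if ($e.Id -eq 5857 -and $m -match 'ProcessID = (\d+)') {
            $hostPid  = [int]$Matches[1]
            $provider = $null
            if ($m -match 'ProviderPath = ([^\r\n]+)') { $provider = $Matches[1].Trim() }
            [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'ProviderLoad'; PID = $hostPid; Process = 'WmiPrvSE'; Detail = $provider }
        }
        elseif ($e.Id -eq 5858 -and $m -match 'ClientProcessId = (\d+)') {
            $clientPid = [int]$Matches[1]
            $proc = Get-Process -Id $clientPid -ErrorAction SilentlyContinue
            $name = '(exited)'
            if ($proc) { $name = $proc.ProcessName }
            $op = $null
            if ($m -match 'Operation = ([^;]+)') { $op = $Matches[1].Trim() }
            [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'FailedQuery'; PID = $clientPid; Process = $name; Detail = $op }
        }
    }
}

# 1. Top consumers with their command lines (the column Process Explorer needs selected).
Get-ProcessReport | Sort-Object CPUSeconds -Descending | Select-Object -First 15 |
    Format-Table -AutoSize Name, PID, ParentPID, CPUSeconds, WorkingSetKB, CommandLine

# 2. Is WmiPrvSE busy right now, and how much of the machine is it taking?
Measure-ProcessCpuPercent -Name WmiPrvSE -Seconds 30 | Format-Table -AutoSize

# 3. Which providers each WmiPrvSE instance hosts, and which clients keep hitting WMI.
Get-WmiActivity | Sort-Object Time -Descending | Format-Table -AutoSize Time, Kind, PID, Process, Detail
```

Two things to keep in mind when reading the output. The 5857 events are the useful half for a pinned WmiPrvSE: they tell you which provider DLL (and therefore which vendor's software) is loaded in the host PID that is burning CPU. The 5858 events only name clients whose calls failed, so a caller that polls WMI successfully in a tight loop will not appear there; for that case the next step is enabling the WMI-Activity trace log in Event Viewer, which records every operation with its client PID.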
  18. 2015/01/10
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    Hello,

    Sorry for the delay, here is the file from the Process Explorer.



    Process CPU Private Bytes Working Set PID Description Company Name Command Line
    System Idle Process 44.54 0 K 4 K 0
    System 0.28 4,288 K 21,180 K 4
    Interrupts 0.54 0 K 0 K n/a Hardware Interrupts and DPCs
    smss.exe 280 K 1,056 K 332 Windows Session Manager Microsoft Corporation \SystemRoot\System32\smss.exe
    csrss.exe < 0.01 2,924 K 5,300 K 432 Client Server Runtime Process Microsoft Corporation %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    wininit.exe 964 K 4,228 K 528 Windows Start-Up Application Microsoft Corporation wininit.exe
    services.exe 3,300 K 7,484 K 632 Services and Controller app Microsoft Corporation C:\WINDOWS\system32\services.exe
    svchost.exe 5,788 K 13,412 K 712 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    dllhost.exe 1,244 K 6,280 K 3268 COM Surrogate Microsoft Corporation C:\WINDOWS\SYSTEM32\DLLHOST.EXE /PROCESSID:{30D49246-D217-465F-B00B-AC9DDD652EB7}
    livecomm.exe Suspended 18,448 K 14,632 K 4524 Communications Service Microsoft Corporation "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\LiveComm.exe" -ServerName:Microsoft.WindowsLive.Platform.Server
    SkyDrive.exe 8,804 K 15,888 K 4480 OneDrive Sync Engine Microsoft Corporation C:\Windows\System32\skydrive.exe -Embedding
    RuntimeBroker.exe 5,112 K 15,552 K 5308 Runtime Broker Microsoft Corporation C:\Windows\System32\RuntimeBroker.exe -Embedding
    SettingSyncHost.exe < 0.01 20,720 K 32,716 K 1324 Host Process for Setting Synchronization Microsoft Corporation "C:\Windows\System32\SettingSyncHost.exe" -Embedding
    WmiPrvSE.exe 49.42 14,464 K 20,776 K 5672 WMI Provider Host Microsoft Corporation C:\WINDOWS\system32\wbem\wmiprvse.exe
    HPNetworkCommunicatorCom.exe 0.49 2,656 K 9,024 K 6000 HPNetworkCommunicatorCom Hewlett-Packard Co. "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicatorCom.exe" -Embedding
    wfcrun32.exe < 0.01 2,456 K 10,012 K 5664 Citrix Citrix Systems, Inc. "C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe" -Embedding
    FlashUtil_ActiveX.exe 3,928 K 9,492 K 5472 Adobe® Flash® Player Utility Adobe Systems Incorporated "C:\WINDOWS\System32\Macromed\Flash\FlashUtil_ActiveX.exe" -Embedding
    InputPersonalization.exe 2,720 K 17,072 K 3536 Input Personalization Server Microsoft Corporation "C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe" -Embedding
    WmiPrvSE.exe 1,776 K 5,620 K 3872 WMI Provider Host Microsoft Corporation C:\WINDOWS\system32\wbem\wmiprvse.exe
    svchost.exe 0.01 5,908 K 9,884 K 760 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k RPCSS
    nvvsvc.exe 1,996 K 6,808 K 844 NVIDIA Driver Helper Service, Version 327.02 NVIDIA Corporation "C:\WINDOWS\system32\nvvsvc.exe "
    nvxdsync.exe 5,636 K 17,332 K 2564 NVIDIA User Experience Driver Component NVIDIA Corporation "C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe "
    nvtray.exe 2,076 K 7,444 K 5880 NVIDIA Settings NVIDIA Corporation "C:/Program Files/NVIDIA Corporation/Display/nvtray.exe" -user_has_logged_in 1
    nvvsvc.exe < 0.01 3,964 K 12,020 K 5444 NVIDIA Driver Helper Service, Version 327.02 NVIDIA Corporation C:\WINDOWS\system32\nvvsvc.exe -session
    nvSCPAPISvr.exe 2,436 K 4,192 K 944 Stereo Vision Control Panel API Server NVIDIA Corporation "C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe "
    RapportMgmtService.exe 0.06 75,976 K 40,280 K 1012 RapportMgmtService IBM Corp. "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportMgmtService.exe "
    svchost.exe 0.01 20,944 K 29,432 K 740 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k LocalServiceNetworkRestricted
    audiodg.exe 5,696 K 8,472 K 1728 Windows Audio Device Graph Isolation Microsoft Corporation C:\WINDOWS\system32\AUDIODG.EXE 0xcfc
    svchost.exe < 0.01 98,472 K 105,184 K 1008 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted
    dasHost.exe 6,788 K 15,000 K 1772 Device Association Framework Provider Host Microsoft Corporation dashost.exe {90095b03-ba9c-4cb8-a86a285e902ad0e3}
    WUDFHost.exe 1,656 K 6,304 K 2476 Windows Driver Foundation - User-mode Driver Framework Host Process Microsoft Corporation "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:HostProcess-352978af-53a1-40b8-9370-135b7cd160be -SystemEventPortName:HostProcess-7061a462-5d02-4c55-9a21-631128e202c4 -IoCancelEventPortName:HostProcess-014a1e1a-2bc8-4c5d-ba81-51dd30aa0c4e -NonStateChangingEventPortName:HostProcess-001bfb2d-37e9-4a08-8156-4b3410582854 -ServiceSID:S-1-5-80-2652678385-582572993-1835434367-1344795993-749280709 -LifetimeId:5a07abe7-9e9b-45f2-995d-1e66e088317e -DeviceGroupId:WpdFsGroup
    svchost.exe < 0.01 61,888 K 74,480 K 396 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k netsvcs
    taskeng.exe 1,176 K 4,632 K 4904 Task Scheduler Engine Microsoft Corporation taskeng.exe {D74F592E-10D9-499B-A850-8BB0C3600F17}
    GoogleUpdate.exe 1,740 K 5,204 K 5740 Google Installer Google Inc. "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
    taskhostex.exe 28,564 K 34,804 K 3516 Host Process for Windows Tasks Microsoft Corporation taskhostex.exe
    svchost.exe 13,488 K 25,220 K 1112 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalService
    svchost.exe 14,732 K 25,232 K 1292 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k NetworkService
    spoolsv.exe 0.06 5,776 K 14,836 K 1440 Spooler SubSystem App Microsoft Corporation C:\WINDOWS\System32\spoolsv.exe
    svchost.exe < 0.01 20,532 K 28,272 K 1468 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork
    armsvc.exe 976 K 2,784 K 1628 Adobe Acrobat Update Service Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "
    AppleMobileDeviceService.exe 0.01 4,900 K 11,632 K 1644 MobileDeviceService Apple Inc. "C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe "
    mDNSResponder.exe 1,444 K 4,936 K 1684 Bonjour Service Apple Inc. "C:\Program Files\Bonjour\mDNSResponder.exe "
    officeclicktorun.exe < 0.01 31,524 K 40,440 K 1704 Microsoft Office Click-to-Run Microsoft Corporation "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" /service
    RichVideo64.exe 1,060 K 4,512 K 1912 RichVideo Module "C:\Program Files\CyberLink\Shared files\RichVideo64.exe "
    svchost.exe 2,720 K 9,536 K 1944 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k imgsvc
    MsMpEng.exe 0.07 122,332 K 105,872 K 2012 Antimalware Service Executable Microsoft Corporation "C:\Program Files\Windows Defender\MsMpEng.exe "
    svchost.exe 6,148 K 14,016 K 2116 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k LocalServiceAndNoImpersonation
    svchost.exe 1,448 K 4,640 K 2156 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\system32\svchost.exe -k NetworkServiceNetworkRestricted
    svchost.exe 5,632 K 13,216 K 2712 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k LocalServicePeerNet
    NisSrv.exe 10,004 K 6,292 K 3356 Microsoft Network Realtime Inspection Service Microsoft Corporation "C:\Program Files\Windows Defender\NisSrv.exe "
    SearchIndexer.exe 48,208 K 54,832 K 3900 Microsoft Windows Search Indexer Microsoft Corporation C:\WINDOWS\system32\SearchIndexer.exe /Embedding
    SearchProtocolHost.exe 3,752 K 8,444 K 3824 Microsoft Windows Search Protocol Host Microsoft Corporation "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe27_ Global\UsGthrCtrlFltPipeMssGthrPipe27 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    SearchFilterHost.exe 2,104 K 7,068 K 6972 Microsoft Windows Search Filter Host Microsoft Corporation "C:\WINDOWS\system32\SearchFilterHost.exe" 0 568 572 580 65536 576
    SearchProtocolHost.exe 1,892 K 7,012 K 2784 Microsoft Windows Search Protocol Host Microsoft Corporation "C:\WINDOWS\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-1989184882-1871269664-67301077-100129_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-1989184882-1871269664-67301077-100129 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" "1 "
    iPodService.exe < 0.01 2,216 K 7,012 K 4996 iPodService Module (64-bit) Apple Inc. "C:\Program Files\iPod\bin\iPodService.exe "
    PhotoshopElementsFileAgent.exe < 0.01 1,688 K 1,120 K 2748 Adobe Photoshop Elements 12.0 (component) Adobe Systems Incorporated "C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe "
    wmpnetwk.exe 6,836 K 5,156 K 4448 Windows Media Player Network Sharing Service Microsoft Corporation "C:\Program Files\Windows Media Player\wmpnetwk.exe "
    ehrecvr.exe 2,760 K 9,020 K 5712 Windows Media Center Receiver Service Microsoft Corporation C:\WINDOWS\ehome\ehRecvr.exe
    svchost.exe 1,224 K 4,820 K 3980 Host Process for Windows Services Microsoft Corporation C:\WINDOWS\System32\svchost.exe -k swprv
    lsass.exe 8,588 K 16,236 K 640 Local Security Authority Process Microsoft Corporation C:\WINDOWS\system32\lsass.exe
    csrss.exe 0.13 2,280 K 6,480 K 5152 Client Server Runtime Process Microsoft Corporation %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    winlogon.exe 1,176 K 5,268 K 3464 Windows Logon Application Microsoft Corporation winlogon.exe
    dwm.exe 0.48 18,552 K 23,672 K 4728 Desktop Window Manager Microsoft Corporation "dwm.exe "
    explorer.exe 1.47 63,120 K 110,088 K 5464 Windows Explorer Microsoft Corporation C:\WINDOWS\Explorer.EXE
    ScanToPCActivationApp.exe < 0.01 3,568 K 11,644 K 4432 ScanToPCActivationApp Hewlett-Packard Co. "C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe" -deviceID "CN37QD2K9T05KD:NW" -scfn "HP Officejet Pro 8600 (NET)" -AutoStart 1
    HPNetworkCommunicator.exe < 0.01 2,008 K 7,620 K 368 HPNetworkCommunicator Hewlett-Packard Co. "C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicator.exe "
    GoPro Importer.exe 30,172 K 41,188 K 2520 GoPro Importer GoPro "C:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe"
    rundll32.exe 0.69 4,284 K 13,852 K 5936 Windows host process (Rundll32) Microsoft Corporation "C:\WINDOWS\system32\RunDll32.exe" "C:\Program Files\HP\HP Officejet Pro 8600\bin\HPStatusBL.dll ",RunDLLEntry SERIALNUMBER=CN37QD2K9T05KD;CONNECTION=NW;MONITOR=1;
    groove.exe 51,712 K 95,600 K 472 Microsoft OneDrive for Business Microsoft Corporation "C:\Program Files\Microsoft Office 15\root\office15\GROOVE.EXE" /RunFolderSync /TrayOnly
    msosync.exe 14,536 K 28,812 K 1636 Microsoft Office Document Cache Microsoft Corporation "C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe "
    iexplore.exe 0.02 48,136 K 83,612 K 4376 Internet Explorer Microsoft Corporation "C:\Program Files\Internet Explorer\iexplore.exe"
    iexplore.exe 0.53 125,740 K 150,636 K 5808 Internet Explorer Microsoft Corporation "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4376 CREDAT:267521 /prefetch:2
    iexplore.exe 0.13 129,192 K 148,300 K 5468 Internet Explorer Microsoft Corporation "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4376 CREDAT:1119538 /prefetch:2
    iexplore.exe 0.33 96,240 K 116,852 K 5412 Internet Explorer Microsoft Corporation "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4376 CREDAT:1840409 /prefetch:2
    procexp.exe 2,168 K 7,704 K 3100 Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Shawn\Desktop\ProcessExplorer\procexp.exe"
    procexp64.exe 0.68 23,092 K 50,952 K 3008 Sysinternals Process Explorer Sysinternals - www.sysinternals.com "C:\Users\Shawn\Desktop\ProcessExplorer\procexp.exe"
    RapportService.exe 0.02 44,240 K 34,664 K 3716 RapportService IBM Corp. "C:\Program Files (x86)\Trusteer\Rapport\bin\RapportService.exe" -servicelaunch=true
    CLMLSvc_P2G8.exe 0.01 3,608 K 8,812 K 4792 CyberLink MediaLibray Service CyberLink "C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe"
    hpwuschd2.exe 828 K 3,792 K 5736 hpwuSchd Application Hewlett-Packard "C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe"
    concentr.exe 1,668 K 6,792 K 1236 Citrix online plug-in Connection Center Citrix Systems, Inc. "C:\Program Files (x86)\Citrix\ICA Client\concentr.exe" /startup
    iTunesHelper.exe < 0.01 3,316 K 11,572 K 3004 iTunesHelper Apple Inc. "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
    jusched.exe 1,052 K 4,420 K 3524 Java Update Scheduler Oracle Corporation "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe "
     
  19. 2015/01/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Press the Windows logo key and start typing the following:
    services.msc
    Press Enter.

    The Services window will open.
    Scroll down to the "Windows Management Instrumentation" service.
    Right click on it, click "Restart".
    See if that will bring CPU usage down.
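The two procedures above (the Process Explorer report in post 17 and the Winmgmt restart in post 19) can be scripted together from an elevated PowerShell prompt. This is an added example, not code from broni's posts or from the forum: it samples the CPU consumed by each WmiPrvSE.exe over ten seconds, lists the WMI providers the hottest host has loaded (via the Msft_Providers class in the root namespace), confirms the host's image path matches the legitimate %SystemRoot%\System32\wbem location shown in the report, and then restarts the service the same way the services.msc step does. The ten-second window and the "hottest host" selection are choices made for this example.

```powershell
# Added example (not from the thread): find the WMI Provider Host that is
# consuming CPU, see which providers it hosts, then restart Winmgmt.
# Run from an elevated PowerShell prompt on Windows 8.1 or later.

# 1. Sample CPU over an interval; Get-Process only exposes cumulative CPU
#    seconds, so a single snapshot says nothing about current load.
$sampleSeconds = 10   # assumption: long enough to separate busy from idle hosts
$before = Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue |
          Select-Object Id, @{n='Cpu'; e={ $_.TotalProcessorTime.TotalSeconds }}
Start-Sleep -Seconds $sampleSeconds
$after  = Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue |
          Select-Object Id, @{n='Cpu'; e={ $_.TotalProcessorTime.TotalSeconds }}

$busy = foreach ($p in $after) {
    $prev = $before | Where-Object Id -eq $p.Id
    if ($prev) {
        [pscustomobject]@{
            PID              = $p.Id
            CpuSecondsUsed   = [math]::Round($p.Cpu - $prev.Cpu, 2)
        }
    }
}
"WmiPrvSE CPU seconds used during the $sampleSeconds s sample:"
$busy | Sort-Object CpuSecondsUsed -Descending | Format-Table -AutoSize

# 2. For the busiest host, list the providers it has loaded and the account
#    they run as. A non-Microsoft provider or an unexpected User is the lead
#    to follow before restarting anything.
$hot = $busy | Sort-Object CpuSecondsUsed -Descending | Select-Object -First 1
if ($hot) {
    "Providers hosted by PID $($hot.PID):"
    Get-CimInstance -Namespace root -ClassName Msft_Providers |
        Where-Object { $_.HostProcessIdentifier -eq $hot.PID } |
        Select-Object Namespace, Provider, User, HostingGroup |
        Format-Table -AutoSize

    # 3. The genuine host lives under System32\wbem, as in the Process
    #    Explorer report; anything else running under this name is suspect.
    $path = (Get-Process -Id $hot.PID).Path
    $expected = Join-Path $env:SystemRoot 'System32\wbem\WmiPrvSE.exe'
    if ($path -ieq $expected) {
        "Image path OK: $path"
    } else {
        "WARNING: unexpected image path for PID $($hot.PID): $path"
    }
}

# 4. The services.msc step, scripted. -Force also restarts the services that
#    depend on Winmgmt, which is what the GUI prompts for.
Restart-Service -Name Winmgmt -Force
```

Run the sampling part again after the restart; if the same provider reappears at the top of the list once the load returns, that provider (and whatever client is querying it) is where the problem lives, not WMI itself.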
     
  20. 2015/01/14
    sledrew

    sledrew Inactive Thread Starter

    Joined:
    2014/12/29
    Messages:
    11
    Likes Received:
    0
    Hello,

    When I restart the service, my PC processor returns to normal. However, if I wait long enough or restart, the issue reappears.
     
  21. 2015/01/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    At this point...

    In this forum, we make sure your computer is free of malware and your computer is clean :)
    Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
    You'll get more attention.

    Good luck :)
     
