Solved dllhost.exe problem urgh

kdawg · Dec 2, 2014

My computer has been really slow and viruses keep popping up. I tried the installed virusscan software and bought cc cleaner with no success. Tonight I got malwarebytes and I keep getting a pop up message that a malicious website is blocked and the process is "windows\syswow64\dllhost.exe.

Also, not sure if this is relevant, but the windows defender on my computer will not work.

I greatly appreciate help in fixing this.

TwinHeadedEagle · Dec 3, 2014

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
I visit forum several times at day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
Please attach all report using

button below. Doing this, you make it easier for me to analyze and fix your problem.
Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

Download

Malwarebytes Anti-Rootkit to your desktop.

Double-click the icon to start the tool.
It will ask you where to extract it, then it will start.
Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
Click in the introduction screen "next" to continue.
Click in the following screen "Update" to obtain the latest malware definitions.
Once the update is complete select "Next" and click "Scan".
When the scan is finished and no malware has been found select "Exit".
If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
Open the MBAR folder and paste the content of the following files in your next reply:
- "mbar-log-{date} (xx-xx-xx).txt"
- "system-log.txt"

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

Right-click on

icon and select

Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
Make sure that Addition option is checked.
Press Scan button and wait.
The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

kdawg · Dec 3, 2014

Here is the mbar folder info:

Malwarebytes Anti-Rootkit BETA 1.08.2.1001
www.malwarebytes.org
Database version: v2014.12.04.01
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17420
KNORWALK :: LSA01702038 [administrator]
12/3/2014 8:58:49 PM
mbar-log-2014-12-03 (20-58-49).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 406424
Time elapsed: 31 minute(s), 20 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 2
HKU\S-1-5-21-105209337-1629855012-1527486392-1003_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} (Trojan.Poweliks.B) -> Delete on reboot. [af2286d8eb91a88ee187a260817fff01]
HKU\S-1-5-21-105209337-1629855012-1527486392-1003_Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}\LOCALSERVER32\^ (Trojan.Poweliks) -> Delete on reboot. [923f06588fed61d50c5fdd25e31d837d]
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)

Here is the FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-12-2014
Ran by KNORWALK (administrator) on LSA01702038 on 03-12-2014 22:16:18
Running from C:\Users\KNORWALK\Downloads
Loaded Profile: KNORWALK (Available profiles: lsaadmin & Home & KNORWALK)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\VS7DEBUG\mdm.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(Protexis Inc.) C:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
(McAfee, Inc.) C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
() C:\Users\KNORWALK\AppData\Roaming\ChromeUpdate.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Apple Inc.) G:\Itunes stuff\iTunesHelper.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Macrovision Europe Ltd.) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(McAfee, Inc.) C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM-x32\...\Run: [QuickFinder Scheduler] => c:\Program Files (x86)\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE [136600 2011-06-02] (Corel Corporation)
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe [624248 2007-05-10] (Adobe Systems Inc.)
HKLM-x32\...\Run: [PDVDDXSrv] => C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe [128232 2009-02-04] (CyberLink Corp.)
HKLM-x32\...\Run: [McAfeeUpdaterUI] => C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe [161088 2011-01-12] (McAfee, Inc.)
HKLM-x32\...\Run: [ShStatEXE] => C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE [215360 2011-09-14] (McAfee, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [703888 2013-06-19] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => G:\Itunes stuff\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer: [NoFolderOptions] 0
HKLM\...\Policies\Explorer: [NoControlPanel] 0
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\...\Run: [ChromeUpdate] => C:\Users\KNORWALK\AppData\Roaming\ChromeUpdate.exe [17150638 2014-10-28] ()
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7063832 2014-11-21] (Piriform Ltd)
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\...\Policies\Explorer: [NoFolderOptions] 0
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\...\Policies\Explorer: [NoControlPanel] 0
Startup: C:\Users\KNORWALK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet Pro 8610.lnk
ShortcutTarget: Monitor Ink Alerts - HP Officejet Pro 8610.lnk -> C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xE6A855975A31CE01
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKU\S-1-5-21-105209337-1629855012-1527486392-1003\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://indystar.com/
http://gmail.com/
http://facebook.com/
http://chase.com/
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
SearchScopes: HKU\S-1-5-21-105209337-1629855012-1527486392-1003 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-105209337-1629855012-1527486392-1003 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = https://www.google.com/search?q={searchTerms}
BHO: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20130404132041.dll (McAfee, Inc.)
BHO-x32: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: scriptproxy -> {7DB2D5A0-7241-4E79-B68D-6309F01C5231} -> C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20130404132041.dll (McAfee, Inc.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKU\S-1-5-21-105209337-1629855012-1527486392-1003 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Toolbar: HKU\S-1-5-21-105209337-1629855012-1527486392-1003 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
DPF: HKLM-x32 {BEA7310D-06C4-4339-A784-DC3804819809} http://www.cvsphoto.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
Hosts: 207.250.189.4 vpn.iga.in.gov
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> G:\Itunes stuff\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF Extension: IDS_SS_NAME - C:\Program Files (x86)\Common Files\McAfee\SystemCore [2013-04-04]
Chrome:
=======
CHR Profile: C:\Users\KNORWALK\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\KNORWALK\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-30]
CHR Extension: (Google Wallet) - C:\Users\KNORWALK\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-30]
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [654848 2011-09-21] (Macrovision Europe Ltd.) [File not signed]
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 McAfeeFramework; C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe [120128 2011-01-12] (McAfee, Inc.)
R2 McShield; C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe [199008 2013-04-04] (McAfee, Inc.)
R2 McTaskManager; C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe [209760 2011-09-14] (McAfee, Inc.)
R2 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
R2 mfevtp; C:\Windows\system32\mfevtps.exe [158832 2013-04-04] (McAfee, Inc.)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-12-03] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
S3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [158712 2013-04-04] (McAfee, Inc.)
R3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [228752 2013-04-04] (McAfee, Inc.)
U3 mfeavfk01; No ImagePath
R0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [642952 2013-04-04] (McAfee, Inc.)
S3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [100904 2013-04-04] (McAfee, Inc.)
R0 mfewfpk; C:\Windows\System32\drivers\mfewfpk.sys [283744 2013-04-04] (McAfee, Inc.)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52080 2013-06-19] (Cisco Systems, Inc.)
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-12-03 22:15 - 2014-12-03 22:15 - 00000000 ____D () C:\Users\KNORWALK\Downloads\FRST-OlderVersion
2014-12-03 20:24 - 2014-12-03 21:43 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-12-03 20:13 - 2014-12-03 21:33 - 00000000 ____D () C:\Users\KNORWALK\Desktop\mbar
2014-12-03 20:10 - 2014-12-03 20:11 - 16448208 _____ (Malwarebytes Corp.) C:\Users\KNORWALK\Desktop\mbar-1.08.2.1001.exe
2014-12-02 21:27 - 2014-12-02 21:29 - 00021391 _____ () C:\Users\KNORWALK\Downloads\Addition.txt
2014-12-02 21:25 - 2014-12-03 22:17 - 00014085 _____ () C:\Users\KNORWALK\Downloads\FRST.txt
2014-12-02 21:24 - 2014-12-03 22:16 - 00000000 ____D () C:\FRST
2014-12-02 21:23 - 2014-12-03 22:15 - 02117632 _____ (Farbar) C:\Users\KNORWALK\Downloads\FRST64.exe
2014-12-02 20:46 - 2014-12-03 21:41 - 00000168 _____ () C:\Windows\setupact.log
2014-12-02 20:46 - 2014-12-03 19:48 - 00000932 _____ () C:\Windows\PFRO.log
2014-12-02 20:46 - 2014-12-02 20:46 - 00000000 _____ () C:\Windows\setuperr.log
2014-12-02 20:18 - 2014-12-03 21:45 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-12-02 20:17 - 2014-12-03 20:56 - 00096472 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-12-02 20:17 - 2014-12-02 20:17 - 00001104 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-02 20:17 - 2014-12-02 20:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-02 20:17 - 2014-12-02 20:17 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-12-02 20:17 - 2014-12-02 20:17 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-12-02 20:17 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-12-02 20:17 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-12-02 20:16 - 2014-12-02 20:16 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\KNORWALK\Downloads\mbam-setup-2.0.4.1028.exe
2014-11-18 20:56 - 2014-11-10 22:08 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-18 20:56 - 2014-11-10 22:08 - 00241152 _____ (Microsoft Corporation) C:\Windows\system32\pku2u.dll
2014-11-18 20:56 - 2014-11-10 21:44 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-18 20:56 - 2014-11-10 21:44 - 00186880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\pku2u.dll
2014-11-16 10:48 - 2014-11-16 10:48 - 00000000 ____D () C:\Users\KNORWALK\Desktop\photos from amys phone 11-16-14
2014-11-16 03:55 - 2014-11-16 03:57 - 00000000 ____D () C:\Windows\rescache
2014-11-15 15:17 - 2014-11-16 10:50 - 00000000 ____D () C:\new photos
2014-11-15 14:18 - 2014-08-28 21:07 - 03179520 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-11-15 14:18 - 2014-05-08 04:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2014-11-15 14:10 - 2014-12-01 04:48 - 00000000 ____D () C:\Program Files\CCleaner
2014-11-15 14:10 - 2014-11-15 14:10 - 00002778 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-11-15 14:10 - 2014-11-15 14:10 - 00000824 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-11-15 14:10 - 2014-11-15 14:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-11-15 10:32 - 2014-11-15 10:32 - 00000000 ____D () C:\Users\KNORWALK\AppData\Local\VirtualStore
2014-11-14 20:28 - 2012-08-23 09:13 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2014-11-14 20:28 - 2012-08-23 09:10 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2014-11-14 20:28 - 2012-08-23 06:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpendp_winip.dll
2014-11-14 20:28 - 2012-08-23 05:51 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
2014-11-14 19:22 - 2014-11-14 19:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iCloud
2014-11-13 19:50 - 2014-09-04 21:11 - 06584320 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-11-13 19:50 - 2014-09-04 20:52 - 05703168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-11-13 00:05 - 2013-10-01 21:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2014-11-13 00:05 - 2013-10-01 21:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-11-13 00:05 - 2013-10-01 21:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-11-13 00:05 - 2013-10-01 20:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2014-11-13 00:05 - 2013-10-01 20:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2014-11-13 00:05 - 2013-10-01 20:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-11-13 00:05 - 2013-10-01 20:10 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2014-11-13 00:05 - 2013-10-01 19:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2014-11-13 00:05 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll
2014-11-13 00:05 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll
2014-11-13 00:05 - 2013-10-01 19:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2014-11-13 00:05 - 2013-10-01 19:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2014-11-13 00:05 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2014-11-13 00:05 - 2013-10-01 18:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-11-13 00:05 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll
2014-11-13 00:05 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2014-11-12 20:56 - 2014-11-12 20:56 - 00000000 __SHD () C:\Users\Home\AppData\Local\EmieBrowserModeList
2014-11-12 18:40 - 2014-11-12 18:40 - 00000000 __SHD () C:\Users\KNORWALK\AppData\Local\EmieBrowserModeList
2014-11-12 00:01 - 2014-11-05 12:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-12 00:01 - 2014-11-05 12:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-12 00:01 - 2014-11-05 12:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-12 00:00 - 2014-10-13 21:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-12 00:00 - 2014-10-13 21:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 00:00 - 2014-10-13 21:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 00:00 - 2014-10-13 21:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 00:00 - 2014-10-13 21:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 00:00 - 2014-10-13 20:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-11-12 00:00 - 2014-10-13 20:49 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-11-12 00:00 - 2014-10-13 20:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-12 00:00 - 2014-10-13 20:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-11 23:59 - 2014-11-07 14:49 - 00388272 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-11 23:59 - 2014-11-07 14:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-11 23:59 - 2014-11-05 23:04 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-11 23:59 - 2014-11-05 23:03 - 25110016 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-11 23:59 - 2014-11-05 23:03 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-11 23:59 - 2014-11-05 22:47 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-11 23:59 - 2014-11-05 22:46 - 00580096 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-11 23:59 - 2014-11-05 22:46 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-11 23:59 - 2014-11-05 22:44 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-11 23:59 - 2014-11-05 22:43 - 02884096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-11 23:59 - 2014-11-05 22:36 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-11 23:59 - 2014-11-05 22:35 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-11 23:59 - 2014-11-05 22:31 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-11 23:59 - 2014-11-05 22:30 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-11 23:59 - 2014-11-05 22:30 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-11 23:59 - 2014-11-05 22:29 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-11 23:59 - 2014-11-05 22:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-11 23:59 - 2014-11-05 22:23 - 06040064 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-11 23:59 - 2014-11-05 22:20 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-11 23:59 - 2014-11-05 22:16 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-11 23:59 - 2014-11-05 22:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-11-11 23:59 - 2014-11-05 22:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-11 23:59 - 2014-11-05 22:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-11-11 23:59 - 2014-11-05 22:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-11 23:59 - 2014-11-05 22:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-11-11 23:59 - 2014-11-05 22:07 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-11 23:59 - 2014-11-05 22:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-11 23:59 - 2014-11-05 22:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-11 23:59 - 2014-11-05 22:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-11 23:59 - 2014-11-05 22:02 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-11 23:59 - 2014-11-05 22:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-11-11 23:59 - 2014-11-05 22:00 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-11 23:59 - 2014-11-05 21:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-11-11 23:59 - 2014-11-05 21:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-11-11 23:59 - 2014-11-05 21:57 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-11 23:59 - 2014-11-05 21:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-11 23:59 - 2014-11-05 21:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-11-11 23:59 - 2014-11-05 21:41 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-11 23:59 - 2014-11-05 21:41 - 00716800 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-11 23:59 - 2014-11-05 21:39 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-11 23:59 - 2014-11-05 21:38 - 02124288 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-11 23:59 - 2014-11-05 21:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-11 23:59 - 2014-11-05 21:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-11 23:59 - 2014-11-05 21:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-11 23:59 - 2014-11-05 21:30 - 14390272 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-11 23:59 - 2014-11-05 21:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-11 23:59 - 2014-11-05 21:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-11 23:59 - 2014-11-05 21:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-11 23:59 - 2014-11-05 21:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-11-11 23:59 - 2014-11-05 21:17 - 02365440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-11 23:59 - 2014-11-05 21:04 - 01550336 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-11 23:59 - 2014-11-05 21:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-11 23:59 - 2014-11-05 20:53 - 00799232 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-11 23:59 - 2014-11-05 20:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-11 23:59 - 2014-11-05 20:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-11 23:59 - 2014-11-05 20:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-11-11 23:57 - 2014-10-02 21:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-11 23:57 - 2014-10-02 21:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-11 23:57 - 2014-10-02 21:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-11 23:57 - 2014-10-02 21:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-11 23:57 - 2014-10-02 21:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-11 23:57 - 2014-10-02 20:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-11 23:57 - 2014-10-02 20:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-11 23:57 - 2014-10-02 20:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-11 23:57 - 2014-09-19 04:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-11 23:57 - 2014-09-19 04:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-11 23:57 - 2014-09-19 04:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-11 23:57 - 2014-09-19 04:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-11 23:57 - 2014-09-19 04:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-11 23:57 - 2014-09-19 04:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-11 23:57 - 2014-09-19 04:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-11-11 23:57 - 2014-09-19 04:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-11 23:57 - 2014-09-19 04:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-11-11 23:57 - 2014-09-19 04:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-11-11 23:57 - 2014-09-19 04:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-11-11 23:57 - 2014-09-19 04:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-11-11 23:57 - 2014-08-21 01:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-11 23:57 - 2014-08-21 01:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-11 23:57 - 2014-08-21 01:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-11 23:57 - 2014-08-21 01:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-11-11 23:57 - 2014-08-11 21:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-11 23:57 - 2014-08-11 20:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-11 23:55 - 2014-10-24 20:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-11 23:55 - 2014-10-24 20:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-11 23:55 - 2014-10-13 21:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-11 23:55 - 2014-10-13 20:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-11 23:55 - 2014-10-09 19:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-11 23:54 - 2014-10-17 21:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-11 23:54 - 2014-10-17 20:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-11 16:47 - 2014-11-30 22:16 - 00087200 _____ () C:\ProgramData\wrnhoah.tmp
2014-11-05 20:52 - 2014-11-05 20:56 - 29727656 _____ (Oracle Corporation) C:\Users\KNORWALK\Downloads\jre-8u25-windows-i586 (1).com
2014-11-05 20:21 - 2014-11-05 20:58 - 00000000 ____D () C:\ProgramData\Oracle
2014-11-05 20:21 - 2014-11-05 20:21 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-11-05 20:21 - 2014-11-05 20:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-11-04 20:38 - 2014-11-30 21:43 - 00001368 _____ () C:\ProgramData\@system.att
2014-11-03 21:05 - 2007-03-23 15:55 - 00035928 _____ (Adobe Systems Incorporated.) C:\Windows\system32\AdobePDF64.dll
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-12-03 22:14 - 2013-05-12 20:53 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-12-03 21:49 - 2009-07-13 23:45 - 00029296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-03 21:49 - 2009-07-13 23:45 - 00029296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-03 21:45 - 2012-07-16 17:23 - 01644992 _____ () C:\Windows\WindowsUpdate.log
2014-12-03 21:44 - 2013-05-12 14:26 - 00000000 ____D () C:\QUARANTINE
2014-12-03 21:41 - 2013-11-17 18:54 - 00065536 _____ () C:\Windows\system32\Ikeext.etl
2014-12-03 21:41 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-03 19:49 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\tracing
2014-11-30 21:44 - 2014-10-28 19:08 - 00001104 ____H () C:\ProgramData\@system2.att
2014-11-30 20:20 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-11-26 07:54 - 2013-04-04 21:14 - 00000000 ____D () C:\Users\KNORWALK\AppData\Roaming\HpUpdate
2014-11-25 21:14 - 2013-05-12 20:53 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-11-25 21:14 - 2013-05-12 20:53 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-11-25 21:14 - 2011-09-21 14:30 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-11-23 21:51 - 2013-04-04 12:56 - 00002320 ____H () C:\Users\KNORWALK\Documents\Default.rdp
2014-11-23 21:47 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2014-11-20 20:50 - 2009-07-14 00:13 - 00786578 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-15 15:19 - 2013-04-06 14:31 - 00000000 ____D () C:\Users\KNORWALK\AppData\Roaming\Apple Computer
2014-11-15 15:16 - 2013-04-04 12:31 - 00000000 ____D () C:\Users\KNORWALK
2014-11-15 14:30 - 2011-09-21 15:48 - 00000000 ____D () C:\Windows\Panther
2014-11-14 21:03 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-11-13 06:49 - 2013-04-05 19:47 - 00000000 ____D () C:\ProgramData\Cisco
2014-11-13 06:48 - 2014-09-09 20:58 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-11-13 00:18 - 2009-07-13 22:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-11-12 20:34 - 2014-10-28 21:12 - 00000000 ____D () C:\Program Files\Google
2014-11-12 20:34 - 2014-10-28 21:11 - 00000000 ____D () C:\Program Files (x86)\Google
2014-11-12 20:01 - 2014-10-28 21:11 - 00000000 ____D () C:\Users\KNORWALK\AppData\Local\Google
2014-11-12 04:14 - 2009-07-13 23:45 - 00437664 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 04:12 - 2014-05-07 02:00 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-12 03:53 - 2011-09-21 14:04 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-11-12 03:18 - 2013-08-18 02:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-12 03:05 - 2011-09-21 08:18 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-05 20:21 - 2011-09-21 14:31 - 00000000 ____D () C:\Program Files (x86)\Java
2014-11-04 22:55 - 2014-10-28 21:27 - 00000000 ____D () C:\Users\KNORWALK\AppData\Roaming\Google
2014-11-04 14:30 - 2011-09-21 08:13 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-11-03 21:05 - 2011-09-21 14:22 - 00002507 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Acrobat 8 Standard.lnk
2014-11-03 21:05 - 2011-09-21 14:22 - 00002465 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Distiller 8.lnk
2014-11-03 21:02 - 2011-09-21 14:21 - 00000000 ____D () C:\ProgramData\Adobe
Some content of TEMP:
====================
C:\Users\Home\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-25 21:11

Here is the Addition.txt
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 03-12-2014
Ran by KNORWALK at 2014-12-03 22:17:39
Running from C:\Users\KNORWALK\Downloads
Boot Mode: Normal
==========================================================

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: McAfee VirusScan Enterprise (Enabled - Up to date) {86355677-4064-3EA7-ABB3-1B136EB04637}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee VirusScan Enterprise Antispyware Module (Enabled - Up to date) {3D54B793-665E-3129-9103-206115370C8A}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Acrobat 8.1.0 Standard (HKLM-x32\...\Adobe Acrobat 8 Standard) (Version: 8.1.0 - Adobe Systems)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bing Rewards Client Installer (x32 Version: 16.0.345.0 - Microsoft Corporation) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.00 - Piriform)
Cisco AnyConnect Secure Mobility Client (HKLM-x32\...\Cisco AnyConnect Secure Mobility Client) (Version: 3.1.04059 - Cisco Systems, Inc.)
Cisco AnyConnect Secure Mobility Client (x32 Version: 3.1.04059 - Cisco Systems, Inc.) Hidden
Corel WordPerfect Office - iFilter 64 Bit (HKLM\...\{1B45B85C-99E8-4523-8FB3-0248B3DECFC8}) (Version: 1.01.000 - Corel Corporation)
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP Officejet Pro 8610 Basic Device Software (HKLM\...\{3082CB96-66E8-456D-8326-118A4F5DC0C6}) (Version: 32.0.90.45518 - Hewlett-Packard Co.)
HP Officejet Pro 8610 Help (HKLM-x32\...\{F9569D00-4576-46C8-B6C7-207A4FD39745}) (Version: 32.0.0 - Hewlett Packard)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPDiagnosticAlert (x32 Version: 1.00.0000 - Microsoft) Hidden
HPOJ6700FWUpdateAlert (x32 Version: 1.00.0000 - HP) Hidden
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
iCloud (HKLM\...\{2AAF09D5-4B3F-4975-B6A9-ECE2631FC942}) (Version: 4.0.5.20 - Apple Inc.)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
iSEEK AnswerWorks English Runtime (HKLM-x32\...\{18A8E78B-9EF2-496E-B310-BCD8E4C1DAB3}) (Version: 010.000.0101 - Vantage Linguistics)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Java(TM) 6 Update 27 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216027FF}) (Version: 6.0.270 - Oracle)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
McAfee Agent (HKLM-x32\...\{2AAB21C2-4CDA-4189-A0EC-5ED666113F84}) (Version: 4.5.0.1810 - McAfee, Inc.)
McAfee VirusScan Enterprise (HKLM-x32\...\{CE15D1B6-19B6-4D4D-8F43-CF5D2C3356FF}) (Version: 8.8.01000 - McAfee, Inc.)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
PowerDVD DX (HKLM-x32\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 8.2.5024 - CyberLink Corp.)
Product Improvement Study for HP Officejet Pro 8610 (HKLM\...\{1A57F90C-DAC0-44A5-8726-46C008DE69C8}) (Version: 32.0.90.45518 - Hewlett-Packard Co.)
Quicken 2013 (HKLM-x32\...\{034DD4BB-F0D6-4ECF-B064-8E39E3EF7076}) (Version: 22.1.12.7 - Intuit)
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Roxio Creator DE 10.3 (HKLM-x32\...\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}) (Version: 10.3 - Roxio)
TurboTax 2013 (HKLM-x32\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
update (x32 Version: 2.00.0000 - Your Company Name) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
WordPerfect Lightning - IPM (x32 Version: 1.0 - Corel Corporation) Hidden
WordPerfect Lightning - Messages (x32 Version: 1.0 - Corel Corporation) Hidden
WordPerfect Lightning - MSOM (x32 Version: 1.1 - Corel Corporation) Hidden
WordPerfect Office X5 - Common (x32 Version: 15.3 - Corel Corporation) Hidden
Wordperfect Office X5 - EN (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Filters (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Graphics (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - IPM (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - LegalTools (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Migration Manager (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Oxford (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - PerfectExperts EN (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - PR (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - QP (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Setup Files (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Sharepoint (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - Skins (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - System EN (x32 Version: 15.0 - Corel Corporation) Hidden
WordPerfect Office X5 - Templates (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - WP (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 - WT (x32 Version: 15.3 - Corel Corporation) Hidden
WordPerfect Office X5 (HKLM-x32\...\_{DE6DE4A1-0343-4DBE-9DC2-E667AA03F579}) (Version: 15.0.0.505 - Corel Corporation)
WordPerfect Office X5 (x32 Version: 15.3 - Corel Corporation) Hidden
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points =========================

==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 21:34 - 2013-09-08 11:37 - 00000881 ____A C:\Windows\system32\Drivers\etc\hosts
207.250.189.4 vpn.iga.in.gov
==================== Scheduled Tasks (whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {45BCD882-5614-48F7-97B0-4C0497390CA4} - System32\Tasks\HPCustParticipation HP Officejet Pro 8610 => C:\Program Files\HP\HP Officejet Pro 8610\Bin\HPCustPartic.exe [2013-09-11] (Hewlett-Packard Co.)
Task: {845C0026-94FB-45A6-B4E0-4F14D75E799F} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {8DAF04CE-5A87-450D-9EFA-35F217A2A287} - System32\Tasks\{ACEABB7A-D250-E1AA-EF6A-6215FDEF4692} => C:\Windows\system32\afoajd.dll/s "C:\Windows\system32\afoajd.dll"
Task: {CF86E666-7397-4733-A007-8F355B516A48} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-25] (Adobe Systems Incorporated)
Task: {FC95C391-C330-4573-BD96-A7523B184219} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-11-21] (Piriform Ltd)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
==================== Loaded Modules (whitelisted) =============
2014-10-28 19:08 - 2014-10-28 19:10 - 17150638 _____ () C:\Users\KNORWALK\AppData\Roaming\ChromeUpdate.exe
2014-04-14 14:41 - 2014-04-14 14:41 - 00039192 _____ () C:\Program Files\CCleaner\branding.dll
2013-06-19 10:00 - 2013-06-19 10:00 - 00063376 _____ () C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\zlib1.dll
2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 12:05 - 2014-10-11 12:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2007-04-18 18:30 - 2007-04-18 18:30 - 00393216 _____ () C:\Program Files (x86)\McAfee\Common Framework\cryptocme2.dll
2007-04-18 18:30 - 2007-04-18 18:30 - 00471040 _____ () C:\Program Files (x86)\McAfee\Common Framework\ccme_base.dll
2011-01-12 15:05 - 2011-01-12 15:05 - 00065536 _____ () C:\Program Files (x86)\McAfee\Common Framework\boost_thread-vc80-mt-1_32.dll
2011-09-14 19:08 - 2011-09-14 19:08 - 00150032 _____ () C:\Program Files (x86)\McAfee\VirusScan Enterprise\WscAv.dll
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfehidk.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mfevtp => ""="Driver"
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\startupreg: Spotify => "C:\Users\KNORWALK\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
========================= Accounts: ==========================
Administrator (S-1-5-21-105209337-1629855012-1527486392-500 - Administrator - Disabled)
Guest (S-1-5-21-105209337-1629855012-1527486392-501 - Limited - Disabled)
Home (S-1-5-21-105209337-1629855012-1527486392-1002 - Administrator - Enabled) => C:\Users\Home
KNORWALK (S-1-5-21-105209337-1629855012-1527486392-1003 - Administrator - Enabled) => C:\Users\KNORWALK
lsaadmin (S-1-5-21-105209337-1629855012-1527486392-1000 - Administrator - Enabled) => C:\Users\lsaadmin
==================== Faulty Device Manager Devices =============
Name: PCI Serial Port
Description: PCI Serial Port
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Cisco Systems
Service: vpnva
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================
Application errors:
==================
Error: (12/02/2014 11:25:03 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <10, 0x80070005, "">.
Error: (12/02/2014 11:25:02 PM) (Source: Windows Search Service) (EventID: 1019) (User: )
Description: Windows Search Service failed to process the list of included and excluded locations with the error <10, 0x80070005, "">.
Error: (12/01/2014 00:25:49 AM) (Source: McLogEvent) (EventID: 5022) (User: NT AUTHORITY)
Description: MCSCAN32 Engine Initialisation failed.
Engine returned error : 8
Error: (11/30/2014 11:25:27 PM) (Source: ESENT) (EventID: 482) (User: )
Description: taskhost (1976) WebCacheLocal: An attempt to write to the file "C:\Users\KNORWALK\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat" at offset 2916352 (0x00000000002c8000) for 32768 (0x00008000) bytes failed after taskhost0 seconds with system error 8 (0x00000008): "Not enough storage is available to process this command. ". The write operation will fail with error -1011 (0xfffffc0d). If this error persists then the file may be damaged and may need to be restored from a previous backup.
Error: (11/30/2014 09:18:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17420, time stamp: 0x545ad233
Faulting module name: Flash32_15_0_0_239.ocx, version: 15.0.0.239, time stamp: 0x546d16a5
Exception code: 0xc0000005
Fault offset: 0x001ea029
Faulting process id: 0x30bc
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Error: (11/29/2014 07:31:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Explorer.EXE, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: wscinterop.dll, version: 6.1.7600.16385, time stamp: 0x4a5be09b
Exception code: 0xc0000005
Fault offset: 0x000000000000afb0
Faulting process id: 0x398
Faulting application start time: 0xExplorer.EXE0
Faulting application path: Explorer.EXE1
Faulting module path: Explorer.EXE2
Report Id: Explorer.EXE3
Error: (11/29/2014 07:31:12 PM) (Source: McLogEvent) (EventID: 5059) (User: )
Description: Exception in ShStat.Exe
Exception details follow :

Crash address 0x6607c949
Code 0xc0000005 Flags 0x00000000
2 Parameters : 0x00000000 0x00000010
Thread = MainWindow
Error: (11/19/2014 03:18:56 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Error: (11/19/2014 03:18:56 AM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.
Context: Windows Application

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)
Error: (11/19/2014 03:18:56 AM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.
Context: Windows Application, SystemIndex Catalog

Details:
The content index catalog is corrupt. (HRESULT : 0xc0041801) (0xc0041801)

System errors:
=============
Error: (12/03/2014 09:41:29 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147014847
Error: (12/03/2014 07:52:00 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Error: (12/02/2014 09:09:10 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.
Error: (12/02/2014 08:52:27 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Error: (12/02/2014 08:18:30 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Error: (12/02/2014 05:54:37 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.
Error: (12/02/2014 05:54:35 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.
Error: (12/02/2014 05:31:56 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 50.
Error: (12/01/2014 07:45:01 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Error: (12/01/2014 07:08:17 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 7:06:12 PM on ‎12/‎1/‎2014 was unexpected.

Microsoft Office Sessions:
=========================
CodeIntegrity Errors:
===================================
Date: 2014-11-15 15:11:06.997
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Date: 2014-11-15 15:11:06.907
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Date: 2014-11-15 15:09:19.565
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Date: 2014-11-15 15:09:19.464
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================
Processor: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz
Percentage of memory in use: 60%
Total physical RAM: 3956.61 MB
Available physical RAM: 1552.47 MB
Total Pagefile: 7911.41 MB
Available Pagefile: 5602.42 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:74.5 GB) (Free:8.77 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive g: (FreeAgent Drive) (Fixed) (Total:1397.26 GB) (Free:946 GB) NTFS
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 74.5 GB) (Disk ID: 462453EB)
Partition 1: (Active) - (Size=74.5 GB) - (Type=07 NTFS)
========================================================
Disk: 2 (MBR Code: Windows XP) (Size: 1397.3 GB) (Disk ID: 2AC9F58F)
Partition 1: (Not Active) - (Size=1397.3 GB) - (Type=07 NTFS)
==================== End Of Log ============================

One problem now. My mcaffee virus scan says I have a Ransom C Trojan --- AF51.tmp. I've run malwarebytes and mcaffee and can't get rid of it. Any ideas?

Thanks for all your help. I really, really appreciate it.

TwinHeadedEagle · Dec 4, 2014

We will get rid of McAfee warning in the next step I suppose.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Right-click on

icon and select

Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
Press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

Right-click on

icon and select

Run as Administrator to start the tool.
Accept the disclaimer and agree if prompted to install Recovery Console.
Do not take any actions while ComboFix goes through your System - it may cause it to stall!
This scan may take some time!
When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

kdawg · Dec 4, 2014

Here is the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-12-2014
Ran by KNORWALK at 2014-12-04 12:16:47 Run:1
Running from C:\Users\KNORWALK\Desktop
Loaded Profile: KNORWALK (Available profiles: lsaadmin & Home & KNORWALK)
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
closeprocesses:
emptytemp:
*****************
Processes closed successfully.
EmptyTemp: => Removed 6.5 GB temporary data.

The system needed a reboot.
==== End of Fixlog ====

Here is the combo fix log:
ComboFix 14-12-04.01 - KNORWALK 12/04/2014 12:48:28.1.2 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3957.2385 [GMT -5:00]
Running from: c:\users\KNORWALK\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: McAfee VirusScan Enterprise Antispyware Module *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Local Settings\Temp
c:\programdata\wrnhoah.tmp
c:\users\KNORWALK\AppData\Roaming\ChromeUpdate.exe
G:\Autorun.inf
G:\Setup.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-11-04 to 2014-12-04 )))))))))))))))))))))))))))))))
.
.
2014-12-04 01:24 . 2014-12-04 13:45 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-12-03 02:24 . 2014-12-04 17:29 -------- d-----w- C:\FRST
2014-12-03 01:18 . 2014-12-04 17:34 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-03 01:17 . 2014-12-04 01:56 96472 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-12-03 01:17 . 2014-11-21 11:14 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-12-03 01:17 . 2014-11-21 11:14 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-12-03 01:17 . 2014-12-03 01:17 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-12-03 01:17 . 2014-12-03 01:17 -------- d-----w- c:\programdata\Malwarebytes
2014-12-03 01:16 . 2014-12-03 01:16 -------- d-----w- c:\users\KNORWALK\AppData\Local\Programs
2014-12-01 01:20 . 2014-12-01 01:21 -------- d-----w- c:\users\KNORWALK\AppData\Local\Diagnostics
2014-11-30 01:35 . 2014-11-02 04:20 11632448 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A3228782-A7CB-49DB-B237-C76437CAC0E5}\mpengine.dll
2014-11-19 01:56 . 2014-11-11 03:08 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-19 01:56 . 2014-11-11 03:08 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-19 01:56 . 2014-11-11 02:44 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-19 01:56 . 2014-11-11 02:44 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-11-16 08:55 . 2014-11-16 08:57 -------- d-----w- c:\windows\rescache
2014-11-15 20:17 . 2014-11-16 15:50 -------- d-----w- C:\new photos
2014-11-15 19:18 . 2014-08-29 02:07 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2014-11-15 19:18 . 2014-05-08 09:32 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2014-11-15 19:10 . 2014-12-01 09:48 -------- d-----w- c:\program files\CCleaner
2014-11-15 15:32 . 2014-11-15 15:32 -------- d-----w- c:\users\KNORWALK\AppData\Local\VirtualStore
2014-11-15 01:28 . 2012-08-23 14:10 19456 ----a-w- c:\windows\system32\drivers\rdpvideominiport.sys
2014-11-15 01:28 . 2012-08-23 14:13 243200 ----a-w- c:\windows\system32\rdpudd.dll
2014-11-15 01:28 . 2012-08-23 11:12 192000 ----a-w- c:\windows\SysWow64\rdpendp_winip.dll
2014-11-15 01:28 . 2012-08-23 10:51 228864 ----a-w- c:\windows\system32\rdpendp_winip.dll
2014-11-14 00:50 . 2014-09-05 01:52 5703168 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-11-14 00:50 . 2014-09-05 02:11 6584320 ----a-w- c:\windows\system32\mstscax.dll
2014-11-13 01:56 . 2014-11-13 01:56 -------- d-sh--w- c:\users\Home\AppData\Local\EmieBrowserModeList
2014-11-12 23:40 . 2014-11-12 23:40 -------- d-sh--w- c:\users\KNORWALK\AppData\Local\EmieBrowserModeList
2014-11-12 05:01 . 2014-11-05 17:56 304640 ----a-w- c:\windows\system32\generaltel.dll
2014-11-12 05:01 . 2014-11-05 17:56 228864 ----a-w- c:\windows\system32\aepdu.dll
2014-11-12 05:01 . 2014-11-05 17:52 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-11-12 05:00 . 2014-10-14 02:13 683520 ----a-w- c:\windows\system32\termsrv.dll
2014-11-12 05:00 . 2014-10-14 02:16 155064 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-11-12 05:00 . 2014-10-14 02:12 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-11-12 05:00 . 2014-10-14 02:07 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-11-12 05:00 . 2014-10-14 01:46 681984 ----a-w- c:\windows\SysWow64\adtschema.dll
2014-11-12 05:00 . 2014-10-14 02:09 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-11-12 05:00 . 2014-10-14 01:47 146432 ----a-w- c:\windows\SysWow64\msaudite.dll
2014-11-12 05:00 . 2014-10-14 01:50 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-11-12 05:00 . 2014-10-14 01:49 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-11-12 04:57 . 2014-08-21 06:43 1882624 ----a-w- c:\windows\system32\msxml3.dll
2014-11-12 04:55 . 2014-10-25 01:57 77824 ----a-w- c:\windows\system32\packager.dll
2014-11-12 04:55 . 2014-10-25 01:32 67584 ----a-w- c:\windows\SysWow64\packager.dll
2014-11-12 04:55 . 2014-10-10 00:57 3198976 ----a-w- c:\windows\system32\win32k.sys
2014-11-12 04:55 . 2014-10-14 02:13 3241984 ----a-w- c:\windows\system32\msi.dll
2014-11-12 04:55 . 2014-10-14 01:50 2363904 ----a-w- c:\windows\SysWow64\msi.dll
2014-11-12 04:54 . 2014-10-18 02:05 861696 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-12 04:54 . 2014-10-18 01:33 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2014-11-06 01:58 . 2014-11-06 01:58 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-11-06 01:21 . 2014-11-06 01:21 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-11-06 01:21 . 2014-11-06 01:58 -------- d-----w- c:\programdata\Oracle
2014-11-06 01:07 . 2014-11-06 01:07 -------- d-----w- C:\downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-26 02:14 . 2013-05-13 01:53 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-26 02:14 . 2011-09-21 19:30 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-12 08:05 . 2011-09-21 13:18 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-11-04 19:30 . 2011-09-21 13:13 275080 ------w- c:\windows\system32\MpSigStub.exe
2014-10-29 02:49 . 2013-04-04 18:03 848 --sha-w- c:\programdata\KGyGaAvL.sys
2014-10-29 00:01 . 2014-10-29 00:01 0 ----a-w- c:\windows\system32\dnjzwqz.dll
2014-10-02 18:23 . 2014-10-02 18:23 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2014-10-02 18:23 . 2014-10-02 18:23 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2014-09-25 02:08 . 2014-10-02 01:41 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-02 01:41 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-09 22:11 . 2014-09-25 02:27 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-25 02:27 2048 ----a-w- c:\windows\SysWow64\tzres.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2014-10-17 43816]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2014-10-17 43816]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-11-21 7063832]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickFinder Scheduler"="c:\program files (x86)\Corel\WordPerfect Office X5\Programs\QFSCHD150.EXE" [2011-06-02 136600]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"McAfeeUpdaterUI"="c:\program files (x86)\McAfee\Common Framework\udaterui.exe" [2011-01-12 161088]
"ShStatEXE"="c:\program files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2011-09-15 215360]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2013-06-19 703888]
"iTunesHelper"="g:\itunes stuff\iTunesHelper.exe" [2014-10-15 157480]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-10-02 421888]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-10-07 507776]
.
c:\users\KNORWALK\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Officejet Pro 8610.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Officejet Pro 8610\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN45UBW0H4;CONNECTION=USB;MONITOR=1; [2009-7-13 45568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock64.sys;c:\windows\SYSNATIVE\DRIVERS\acsock64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
S2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe;c:\program files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S4 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2014-12-04 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-13 02:14]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files (x86)\Corel\WordPerfect Office X5\Programs\WPLauncher.hta
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-ChromeUpdate - c:\users\KNORWALK\AppData\Roaming\ChromeUpdate.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_239_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_239_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_239.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-12-04 12:56:16
ComboFix-quarantined-files.txt 2014-12-04 17:56
.
Pre-Run: 16,724,795,392 bytes free
Post-Run: 16,557,023,232 bytes free
.
- - End Of File - - 5EE77C0ED245968248478FFA99BBC1D4
A36C5E4F47E84449FF07ED3517B43A31

Again, I really appreciate your time and assistance.

TwinHeadedEagle · Dec 4, 2014

Very good. How is your PC now?

kdawg · Dec 4, 2014

It is running great. No virus scan notices of Trojans and no malwarebytes notices of malware. Thank you so much. You have been incredibly helpful.

I'm donating money to your beer fund now. Please get a some really good brews with it.

TwinHeadedEagle · Dec 4, 2014

You're more than welcome

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself

Recommended reading:

MUST READ - security tips:

MUST READ - general maintenance:

What to do if your Computer is running slowly?

The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

Recommended additional software:

TFC - to clean unneeded temporary files.

Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.

Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.

McShield - to prevent infections spread by removable media.

Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.

FiheHippo.com Update Checker - to keep your programs up-to-date.

Adblock - to surf the web without annoying ads!

Post-cleanup procedures:

Download DelFix by Xplode and save it to your desktop.

Run the tool by right click on the

icon and Run as administrator option.
Make sure that these ones are checked:
- Remove disinfection tools
- Purge system restore
- Reset system settings
Push Run and wait until the tool completes his work.
All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:

Thank you!

Stay safe,
TwinHeadedEagle

kdawg · Dec 4, 2014

Yes, I greatly appreciate any of your advice.

Over the last couple of weeks, fraudulent emails have been sent to my gmail addressees that I did not send. Do you think any of the malware on my computer could be related to that?

TwinHeadedEagle · Dec 4, 2014

Probably this is some kind of malware spread routine. But, we cleaned all traces of infection and there are no problems now

Thank you for your donation

kdawg · Dec 4, 2014

You are welcome

NPC001 · Apr 12, 2021

I'm facing the same problem...can anyone help me on this, please?

Here are my FRST and mbar files.

@NPC001

You are not authorized to post in this topic.

I have removed all of your attachements.

I suggest you start a new topic in this Forum.

Windows Malware Removal Help & Support

Get help removing adware, malware, spyware, ransomware, trojans, and viruses from Windows PCs. Follow the instructions in the pinned topics first. For security purposes, only authorized members may respond to requests for assistance.

malwaretips.com

Select the Post Thread in the Top Right Corner.

Give it a Title and attach your logs.

I or an other helper will help you.

p.s.'
We do not service 2 different computers in one topic.

nasdaq

Search

Solved dllhost.exe problem urgh

kdawg

New Member

Attachments

TwinHeadedEagle

Level 41

kdawg

New Member

TwinHeadedEagle

Level 41

Attachments

kdawg

New Member

TwinHeadedEagle

Level 41

kdawg

New Member

TwinHeadedEagle

Level 41

kdawg

New Member

TwinHeadedEagle

Level 41

kdawg

New Member

NPC001

New Member

Windows Malware Removal Help & Support

Similar threads