
Unable to access internet via WiFi after multiple malware removals (v2)

#1 ·
My issue regarding malware removal almost mirrors the posting/fix by Kevinf80 when helping HENDUBZ on 10/20/14. The ill computer is an HP Media Center (m7334n) upgraded from XP to Windows 7. I believe it might have started from the MyOSProtect.dll virus. Log below, transferred via my USB drive. Thanks so much for your expertise. I hope I have the same success as HENDUBZ!

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 32 bit
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+, x64 Family 15 Model 43 Stepping 1
Processor Count: 2
RAM: 3006 Mb
Graphics Card: ATI RADEON XPRESS 200 Series, 64 Mb
Hard Drives: C: Total - 455272 MB, Free - 326950 MB;
Motherboard: MSI, AMETHYST-M
Antivirus: None
 
#2 ·
Hi FOSeagulls. My name is Firefly and I will help you with your computer (I am also a big 80s music fan.) I ask you to follow a few ground rules while we are taking care of your computer:

I'm an Undergraduate trainee at MalwareRemovalUniversity (MRU), and as such my posts to you have to first be checked by a Teacher; because of this, my replies to your posts may be slightly delayed. Please be patient and I'm sure we'll be able to resolve your problems.

Before we begin, please read and follow these important guidelines so things will proceed smoothly.
  1. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  2. You must have Administrator rights and permissions for this computer.
  3. DO NOT run any other fix or removal tools unless instructed to do so, or install any other software (or hardware) during the cleaning process.
  4. Only post your problem at one (1) help site. Applying fixes from multiple help sites can cause problems.
  5. Print each set of instructions if possible; your Internet connection will not be available during some fix processes.
  6. Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean". If you are in progress at another forum, please simply let me know so I can dedicate my time to others who need help.
  7. Failure to respond for 3 days will result in your topic being closed.

Please take time to read the Forum Guidelines and Rules where the conditions for receiving help at this forum are explained.

Warning!
The steps presented in these posts are for this person and machine ONLY. Do not apply these steps to your own system without the guidance of a trained malware removal helper. Doing so may possibly damage your system, preventing it from starting.


Malware removal:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

Finally, since you are having trouble with WiFi access, I would recommend that you connect your infected computer via an Ethernet connection. If that is not possible, you will need to download the various files we will need on another computer and transfer them via USB.

File Backup

For your safety and protection, I would advise backing up all your important documents, personal data files and photos, as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to back up any files with the following file extensions, as they may be infected:
.exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab

All of the Windows systems we support have backup capabilities. These existing programs will allow you to back up your files to an external hard drive, USB drive or CD drive.

Do not back up your files to the hard drive of the computer we will be fixing. If the computer becomes unusable, your files will still be gone forever. Every photo, every document… gone. Seriously. Do this now.

Here are links to using the backup programs in the various versions of Windows:


If you have internet connectivity, an alternative to backing your files up locally is to back them up to the cloud; there are a number of free and paid-for services of this type available.

Below are links to a couple of articles with details for both free and paid-for backup services:

http://www.techsupportalert.com/content ... -sites.htm
http://www.pcmag.com/article2/0,2817,22 ... 745,00.asp

A word of warning: if you have a lot of data to back up, an online service can take days, weeks, or months. In this case, please consider using a local backup method (external hard drive, USB, etc.).

One way or another, it is critical that you back up your data before proceeding.

Finally, there will (usually) be several items to handle in each post, so I will try to break them into easier-to-digest sections, which will be demarcated with Green Bold Lettering.

Registry and Restore Point

First, before we do anything, we want to make sure we have made a backup of your computer's key information so that we can be sure not to make anything worse. Since you are running Windows 7, we will both make a restore point and do a registry backup.

To create a restore point:
1. Click on the Start button to open your Start Menu.
2. Click on Control Panel, then the System icon, and finally click on System Protection in the left-hand task list. You will now be at the System Protection tab of the System control panel.
3. At the bottom of the window you will see a button called "Create". A window will pop open allowing you to name this restore point; please name it "before malware fix".
4. You can then close the System window.

Please also do the following:
Please download tweaking.com_registry_backup_setup.exe
Choose a download site for the installer, then download and save it to your desktop.
Double click on the "...setup.exe" program and install it. Let the install use the default installation. How-to tutorial here.

Once the program is installed:
  1. Double click the Tweaking.com Registry Backup icon on your Desktop to open the program.
  2. It should open with the Backup Registry tab selected and all file options checked. Check any that are not already checked.
  3. Click on Backup Now to create a backup of your Registry.
    You'll see "Waiting for Volume Shadow Copy snapshot..."; this may take a few moments, just be patient.
  4. When completed you should see a message saying something like "Successful ??/?? Registry Files Backed Up", where ?? is the total number of files; both numbers should match.
  5. Close and exit the program.

Once these are done, we can move forward with repairing the issues you are having. PLEASE DO NOT PROCEED IF YOU HAVE ANY PROBLEMS WITH THESE FIRST TWO STEPS OR IF YOU RECEIVED ANY ERROR MESSAGES.

FRST

Please download FRST by Farbar from the link below and save it to your Desktop.

For 32-bit Systems

  • Right-click FRST.exe and select "Run as administrator" to run it.
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button. When finished, a log will be created: FRST.txt.
  • Please post the content of FRST.txt in your next reply.
  • The first time the tool is run, it will create another log: Addition.txt.
  • Please post the content of Addition.txt in your next reply.

Next Steps

Please provide me the following:

1. Confirm you were able to perform the steps outlined to make a restore point and registry backup.
2. Confirm you were able to back up your files!!
3. Please post the FRST.txt log.
4. Please post the Addition.txt log.
 
#3 ·
Hi, Firefly. Thank you so much for your help.
1. I successfully ran the steps to perform the restore point AND registry backup.
2. I successfully performed my file backup to an external HD.
3. The FRST and Additional logs are posted below.

FRST:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-06-2015
Ran by MediaCenter (administrator) on MEDIACENTER-PC on 18-06-2015 08:52:19
Running from E:\__PCFixesTSG
Loaded Profiles: MediaCenter (Available Profiles: MediaCenter)
Platform: Microsoft Windows 7 Home Premium Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Logitech Inc.) C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(LSI Corporation) C:\Program Files\LSI SoftModem\agrsmsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Nalpeiron Ltd.) C:\Windows\System32\nlssrv32.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
(Hewlett-Packard Company) C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
(Logitech Inc.) C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
() C:\Program Files\Common Files\logishrd\LQCVFX\COCIManager.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [HP Software Update] => C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe [49152 2003-06-25] (Hewlett-Packard)
HKLM\...\Run: [HP Component Manager] => C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [212992 2003-04-11] (Hewlett-Packard Company)
HKLM\...\Run: [DeviceDiscovery] => C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [229437 2003-05-21] (Hewlett-Packard)
HKLM\...\Run: [OrderReminder] => C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe [98304 2006-01-30] (Hewlett-Packard)
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [205336 2011-11-11] (Logitech Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2015-03-20] (Apple Inc.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR HKU\S-1-5-21-1506548412-1360968716-356857802-1001\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/redirects/s...epage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/redirects/s...epage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/redirects/s...epage/index.jsp?lg=en&pid=N360&pvid=21.6.0.32
HKU\S-1-5-21-1506548412-1360968716-356857802-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
SearchScopes: HKU\.DEFAULT -> {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files\IObit\IObit Uninstaller\UninstallExplorer32.dll No File
BHO: XFINITY Toolbar -> {4b9bcce8-a70b-402a-a7e1-db96831ee26f} -> C:\Program Files\xfin_portal\comcastdx.dll [2012-11-16] ()
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO: Updater For XFIN_PORTAL -> {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} -> C:\Program Files\xfin_portal\auxi\comcastAu.dll [2012-11-16] (Visicom Media)
Toolbar: HKLM - XFINITY Toolbar - {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files\xfin_portal\comcastdx.dll [2012-11-16] ()
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.webex.com/client/WBXclient-T28L10NSP12_CP1-16851/webex/ieatgpc1.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll [2003-04-11] (Hewlett-Packard Company)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704 2011-08-31] (Apple Inc.)
Winsock: Catalog9 01 C:\Windows\system32\MyOSProtect.dll File not found
Winsock: Catalog9 02 C:\Windows\system32\MyOSProtect.dll File not found
Winsock: Catalog9 03 C:\Windows\system32\MyOSProtect.dll File not found
Winsock: Catalog9 04 C:\Windows\system32\MyOSProtect.dll File not found
Winsock: Catalog9 15 C:\Windows\system32\MyOSProtect.dll File not found
Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1168638.dll [2012-10-04] (Adobe Systems, Inc.)
FF Plugin: @canon.com/MycameraPlugin -> C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll [2008-10-15] (CANON INC.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-16] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-09-12] (Adobe Systems Inc.)

Chrome:
=======
CHR HomePage: Default -> hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={35008849-C865-11E2-9B0F-0016172948B2}
CHR StartupUrls: Default -> "hxxp://xfinity.comcast.net/?cid=dd_mtmh05282014"
CHR DefaultSearchKeyword: Default -> start.sweetim.com
CHR DefaultSearchURL: Default -> http://start.sweetpacks.com?src=6&q={searchTerms}&barid={35008849-C865-11E2-9B0F-0016172948B2}&crg=3.5000006.10042&st=23
CHR DefaultSuggestURL: Default ->
CHR Profile: C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (YouTube) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-01-28]
CHR Extension: (Google Search) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-01-28]
CHR Extension: (Bookmark Manager) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-22]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Skype Click to Call) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-07-17]
CHR Extension: (Norton Safe) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmgcfemagnogdodbambjhdcmfcpicngl [2014-08-15]
CHR Extension: (Google Wallet) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-19]
CHR Extension: (Gmail) - C:\Users\MediaCenter\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-01-28]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]
CHR HKU\S-1-5-21-1506548412-1360968716-356857802-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [fcfenmboojpjinhpgggodefccipikbpd] - https://clients2.google.com/service/update2/crx

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AgereModemAudio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [14336 2009-03-27] (LSI Corporation)
R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [73728 2010-07-21] (Hewlett-Packard Company) [File not signed]
S2 LiveUpdateSvc; C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe [2635552 2015-05-19] (IObit)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-03-17] (Malwarebytes Corporation)
R2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
S2 HPSLPSVC; C:\Users\MediaCenter\AppData\Local\Temp\7zS37A1\hpslpsvc32.dll [X]
S2 Update Klip Pal; "C:\Program Files\Klip Pal\updateKlipPal.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 AFS; C:\Windows\system32\Drivers\AFS.sys [77004 2013-01-29] (Oak Technology Inc.) [File not signed]
R3 ALCXWDM; C:\Windows\System32\drivers\RTKVAC.SYS [4172832 2009-06-18] (Realtek Semiconductor Corp.)
R0 amacpi; C:\Windows\System32\DRIVERS\null.sys [4608 2009-07-13] (Microsoft Corporation)
S3 CompFilter; C:\Windows\System32\DRIVERS\lvbusflt.sys [22176 2012-01-18] (Logitech Inc.)
R3 hcwPP2; C:\Windows\System32\DRIVERS\hcwPP2.sys [185728 2007-02-06] (Hauppauge Computer Works, Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-03-17] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-03-17] (Malwarebytes Corporation)
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog32.sys [X]
S3 keycrypt; system32\DRIVERS\KeyCrypt32.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-18 08:49 - 2015-06-18 08:52 - 00000000 ____D C:\FRST
2015-06-18 08:46 - 2015-06-18 08:46 - 00002181 _____ C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2015-06-18 08:46 - 2015-06-18 08:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-06-18 08:46 - 2015-06-18 08:46 - 00000000 ____D C:\Program Files\Tweaking.com
2015-06-03 21:19 - 2015-06-03 21:19 - 00015360 ___SH C:\Users\MediaCenter\Desktop\Thumbs.db
2015-05-31 14:29 - 2014-01-23 17:16 - 00051928 _____ (Realtek Semiconductor Corporation ) C:\Windows\system32\Drivers\Rtnicxp.sys
2015-05-31 14:29 - 2013-10-31 10:24 - 00100896 _____ (Realtek Semiconductor Corporation) C:\Windows\system32\RTNUninst32.dll
2015-05-31 14:28 - 2015-05-31 14:29 - 00000000 ____D C:\Program Files\Realtek
2015-05-19 21:46 - 2015-05-19 22:13 - 00119512 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-05-19 21:45 - 2015-05-19 21:45 - 00001060 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-05-19 21:45 - 2015-05-19 21:45 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-05-19 21:45 - 2015-05-19 21:45 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-05-19 21:45 - 2015-03-17 06:15 - 00092888 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-05-19 21:45 - 2015-03-17 06:15 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-05-19 21:45 - 2015-03-17 06:15 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-05-19 20:54 - 2015-05-31 14:32 - 00000000 ____D C:\ProgramData\ProductData
2015-05-19 20:54 - 2015-05-19 20:54 - 00000000 ____D C:\Users\MediaCenter\AppData\Roaming\IObit
2015-05-19 20:54 - 2015-05-19 20:54 - 00000000 ____D C:\ProgramData\IObit
2015-05-19 20:54 - 2015-05-19 20:54 - 00000000 ____D C:\Program Files\IObit
2015-05-19 20:53 - 2015-05-19 20:53 - 00000000 ____D C:\Program Files\ESET
2015-05-19 20:45 - 2015-05-19 20:45 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-05-19 09:35 - 2015-05-19 09:35 - 00000654 _____ C:\Users\MediaCenter\Desktop\RegBUMay19.reg

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-18 08:21 - 2010-11-20 17:01 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-18 08:19 - 2009-07-14 00:34 - 00027888 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-18 08:19 - 2009-07-14 00:34 - 00027888 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-18 07:45 - 2013-01-30 18:14 - 00000000 ____D C:\Users\MediaCenter\Documents\Matt Dox
2015-06-07 19:56 - 2013-01-30 18:13 - 00000000 ____D C:\Users\MediaCenter\Documents\Bill Dox
2015-05-31 16:39 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\system32\NDF
2015-05-31 16:32 - 2013-01-26 01:10 - 01171166 _____ C:\Windows\WindowsUpdate.log
2015-05-31 16:29 - 2009-07-14 00:53 - 00032546 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-05-31 16:29 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-05-31 16:29 - 2009-07-14 00:39 - 00053485 _____ C:\Windows\setupact.log
2015-05-31 14:28 - 2013-01-25 23:21 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2015-05-21 09:30 - 2010-11-20 17:48 - 03055630 _____ C:\Windows\PFRO.log
2015-05-19 22:02 - 2013-01-25 23:33 - 00000000 ____D C:\Program Files\Google
2015-05-19 22:02 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\Vss
2015-05-19 21:44 - 2013-01-25 23:33 - 00000000 ____D C:\Users\MediaCenter\AppData\Local\Google
2015-05-19 21:17 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\registration
2015-05-19 20:57 - 2015-04-08 20:14 - 00000000 ____D C:\Program Files\Minitab
2015-05-19 20:51 - 2013-11-07 12:14 - 00000000 ____D C:\ProgramData\Big Fish
2015-05-19 20:51 - 2013-11-07 12:13 - 00000000 ____D C:\BigFishCache
2015-05-19 09:41 - 2013-01-25 22:19 - 00000000 ____D C:\Users\MediaCenter
2015-05-19 08:16 - 2013-01-30 15:13 - 00000000 ____D C:\Users\MediaCenter\Documents\Symantec

==================== Files in the root of some directories =======

2013-02-04 22:32 - 2013-02-04 22:32 - 0057230 _____ () C:\Users\MediaCenter\AppData\Roaming\userenv.xml
2013-02-04 22:32 - 2013-02-04 22:32 - 0076196 _____ () C:\Users\MediaCenter\AppData\Roaming\userenv.xml.urlencode
2013-02-12 12:03 - 2015-03-07 16:34 - 0001177 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc

Some files in TEMP:
====================
C:\Users\MediaCenter\AppData\Local\Temp\ose00000.exe
C:\Users\MediaCenter\AppData\Local\Temp\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}_N360_28831.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-05-14 00:40

==================== End of log ============================

ADDITIONAL:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-06-2015
Ran by MediaCenter at 2015-06-18 08:53:00
Running from E:\__PCFixesTSG
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1506548412-1360968716-356857802-500 - Administrator - Disabled)
Guest (S-1-5-21-1506548412-1360968716-356857802-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1506548412-1360968716-356857802-1002 - Limited - Enabled)
MediaCenter (S-1-5-21-1506548412-1360968716-356857802-1001 - Administrator - Enabled) => C:\Users\MediaCenter

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 17 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM\...\Adobe Shockwave Player) (Version: 11.6.8.638 - Adobe Systems, Inc.)
Apple Application Support (32-bit) (HKLM\...\{AFA1153A-F547-409B-B837-3A0D6C5A3FEC}) (Version: 3.1.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{E1DB0812-2D60-43DB-AE09-6C7027D93B28}) (Version: 8.1.1.3 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Bootstrapper (Version: 1.2.2.0 - Minitab, Inc.) Hidden
CameraHelperMsi (Version: 13.50.854.0 - Logitech) Hidden
Canon PowerShot A4000 IS and A3400 IS and A2400 IS and A2300 and A1300 and A810 Camera User Guide (HKLM\...\CameraUserGuide-PSA4000ISandA3400ISandA2400ISandA2300andA1300andA810) (Version: 1.0.0.7 - Canon Inc.)
Canon Utilities CameraWindow DC 8 (HKLM\...\CameraWindowDC) (Version: 8.7.0.11 - Canon Inc.)
Canon Utilities ImageBrowser EX (HKLM\...\ImageBrowser EX) (Version: 1.2.1.13 - Canon Inc.)
Canon Utilities PhotoStitch (HKLM\...\PhotoStitch) (Version: 3.1.23.47 - Canon Inc.)
Cisco WebEx Meetings (HKLM\...\ActiveTouchMeetingClient) (Version: - Cisco WebEx LLC)
EPSON Scan (HKLM\...\EPSON Scanner) (Version: - )
erLT (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Google Chrome (HKLM\...\Google Chrome) (Version: 42.0.2311.152 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
hp deskjet 5600 (HKLM\...\{8CDC6712-AF80-459E-911F-F1E156CB0AB0}) (Version: 1.01.0000 - Hewlett-Packard)
HP LCD Monitor Driver Software 2.00 (HKLM\...\{A258F8EC-1BA2-48F1-9559-66B95C202A55}) (Version: - )
HP Memories Disc (HKLM\...\{B376402D-58EA-45EA-BD50-DD924EB67A70}) (Version: 1.0.4.805 - Hewlett-Packard Company)
HP Photo and Imaging 2.0 - Deskjet Series (HKLM\...\{E0828692-FD9D-459F-9312-C645C3CA6650}) (Version: 2.00.0001 - {&Tahoma8}Hewlett-Packard)
hp print screen utility (HKLM\...\hp print screen utility) (Version: - )
Java 7 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217025FF}) (Version: 7.0.450 - Oracle)
LaserJet 1020 series (HKLM\...\HP-LaserJet 1020 series) (Version: - )
LightScribe System Software (HKLM\...\{FD71E2F7-B9FC-4072-88DB-AC19E2464D82}) (Version: 1.18.17.1 - LightScribe)
Logitech Vid HD (HKLM\...\Logitech Vid) (Version: 7.2 (7259) - Logitech Inc..)
Logitech Webcam Software (HKLM\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.0 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.1.4.1018 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.4.1018 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office Home and Student 2010 (HKLM\...\Office14.SingleImage) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual Studio 2010 Tools for Office Runtime (x86) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x86)) (Version: 10.0.50903 - Microsoft Corporation)
Minitab17 (Version: 17.2.1.0 - Minitab Inc) Hidden
Minitab17 (Version: 17.2.1.0 - Minitab, Inc.) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
OrderReminder HP LaserJet 1020 (HKLM\...\OrderReminder HP LaserJet 1020) (Version: 2.0 - )
Quicken 2013 (HKLM\...\{034DD4BB-F0D6-4ECF-B064-8E39E3EF7076}) (Version: 22.1.12.7 - Intuit)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version: - )
Realtek PCI Fast Ethernet Controller Driver (HKLM\...\{AE46ABD3-D625-467F-B5A7-8D3FFF077F0D}) (Version: 6.112.123.2014 - Realtek)
Sansa Updater (HKU\S-1-5-21-1506548412-1360968716-356857802-1001\...\Sansa Updater) (Version: 1.313 - SanDisk Corporation)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
Skype Click to Call (HKLM\...\{6D1221A9-17BF-4EC0-81F2-27D30EC30701}) (Version: 7.3.16540.9015 - Microsoft Corporation)
Skype™ 7.0 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
SoftwareManager (Version: 1.2.0.0 - Minitab, Inc.) Hidden
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TurboTax 2012 (HKLM\...\TurboTax 2012) (Version: 2012.0 - Intuit, Inc)
TurboTax 2013 (HKLM\...\TurboTax 2013) (Version: 2013.0 - Intuit, Inc)
TurboTax 2014 (HKLM\...\TurboTax 2014) (Version: 2014.0 - Intuit, Inc)
Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 2.2.0 - Tweaking.com)
XFINITY Toolbar (HKLM\...\xfin_portal) (Version: 4.0.0.17 - )
Zuma Deluxe (HKLM\...\{9D274133-8E61-4BC3-9A0B-932810FAC63A}) (Version: 1.00.0000 - Valusoft)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

21-04-2015 02:48:57 Windows Update
28-04-2015 12:02:50 Windows Update
01-05-2015 19:41:34 Windows Update
05-05-2015 02:49:10 Windows Update
12-05-2015 02:49:28 Windows Update
13-05-2015 03:02:04 Windows Update
13-05-2015 19:12:00 Windows Update
17-05-2015 15:13:25 Removed Adobe Reader XI (11.0.11).
17-05-2015 15:15:57 Removed iTunes
17-05-2015 17:42:05 Restore Operation
31-05-2015 14:28:47 Installed Realtek PCI Fast Ethernet Controller Driver
18-06-2015 08:23:32 before malware fix

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {004DD49B-AA64-4785-8963-6FA0DE0FAB3B} - System32\Tasks\Norton Security Suite\Norton Error Analyzer => C:\Program Files\Norton Security Suite\Engine\21.1.0.18\SymErr.exe
Task: {0C3163D7-6F59-4942-9E61-4A00666574A1} - System32\Tasks\{750C21E8-F7B3-40AB-B67B-DC45C16A048A} => pcalua.exe -a "C:\Users\MediaCenter\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K5TR2ACX\MP10Setup.exe" -d C:\Users\MediaCenter\Desktop
Task: {1528C4F7-F0ED-4626-93F0-A2139BA72007} - System32\Tasks\Driver Manager-RTMRules => C:\Program Files\Driver Manager\Driver Manager\DriverManager.exe
Task: {33B127A2-1D85-4F02-9107-5CB68E8D1C77} - System32\Tasks\BrowserProtect => Sc.exe start BrowserProtect <==== ATTENTION
Task: {38475DD6-DE27-494E-A7AA-9AFF8823444C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {65D1EB64-87B8-451D-A769-887816B4E712} - System32\Tasks\{632B7967-2317-49D2-9EAC-19B0BB42A86B} => C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe [2014-09-12] (Adobe Systems Incorporated)
Task: {75A2B29D-3E66-4488-85E2-628E4D2F459B} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-15] (Adobe Systems Incorporated)
Task: {7B7366B1-9425-4D7D-83A3-6B6E789FBADF} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {944A9F02-1888-4F36-981F-412C4336C24D} - System32\Tasks\Driver Manager-RTMScan => C:\Program Files\Driver Manager\Driver Manager\DriverManager.exe
Task: {946738A6-9ECC-4FAC-A3E2-FABC2E25A944} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxcontent => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {A2FDB102-49D1-47AE-B4BD-2E2A5C8DC92A} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {A7F4E8C2-C3AA-4AF9-8D18-64F614958886} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-03-24] (Microsoft Corporation)
Task: {ACCC2CEB-60DB-40A7-8A0C-971175FA606D} - System32\Tasks\Minitab\Minitab Software Update Manager => C:\Program Files\Common Files\Minitab Shared\Software Manager\SoftwareManager.exe
Task: {BB4E3AFD-BB47-486D-9D64-A685625642FD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {CE949480-3FA7-4B0B-A718-4EBD87CC1566} - System32\Tasks\Norton Security Suite\Norton Error Processor => C:\Program Files\Norton Security Suite\Engine\21.1.0.18\SymErr.exe
Task: {DB232EE9-2B88-452D-B987-4335588DB4CD} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {E3C523BE-77EF-4D22-83CE-47FC05F613E4} - System32\Tasks\{854A26F5-0DF4-444F-8711-4CFBDE7FA799} => pcalua.exe -a E:\Display_menu.exe -d E:\
Task: {EB460832-F575-4627-A944-F5E6835B2888} - System32\Tasks\Microsoft\Windows\Setup\gwx\runappraiser => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-03-24] (Microsoft Corporation)
Task: {F05CF934-27B0-4748-9340-5113DF343922} - System32\Tasks\Driver Manager-RTMUpdater => C:\Program Files\Driver Manager\Driver Manager\DriverManager.exe
Task: {F13ABDE9-A6A4-4587-9AC4-F4EE9BF61671} - System32\Tasks\Norton WSC Integration => C:\Program Files\Norton Security Suite\Engine\21.1.0.18\WSCStub.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2013-01-29 12:32 - 2012-09-18 16:26 - 00169472 _____ () C:\Windows\System32\ZLhp1020.DLL
2013-01-29 12:33 - 2012-09-18 15:26 - 00059904 _____ () C:\Windows\system32\spool\PRTPROCS\W32X86\pphp1020.dll
2011-11-11 15:08 - 2011-11-11 15:08 - 02145304 _____ () C:\Program Files\Logitech\LWS\Webcam Software\QtCore4.dll
2011-11-11 15:08 - 2011-11-11 15:08 - 07956504 _____ () C:\Program Files\Logitech\LWS\Webcam Software\QtGui4.dll
2011-11-11 15:08 - 2011-11-11 15:08 - 00342552 _____ () C:\Program Files\Logitech\LWS\Webcam Software\QtXml4.dll
2011-11-11 15:08 - 2011-11-11 15:08 - 00029208 _____ () C:\Program Files\Logitech\LWS\Webcam Software\imageformats\QGif4.dll
2011-11-11 15:08 - 2011-11-11 15:08 - 00128536 _____ () C:\Program Files\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll
2011-11-11 15:07 - 2011-11-11 15:07 - 00265240 _____ () C:\Program Files\Logitech\LWS\Webcam Software\CameraHelperShell.exe
2012-07-23 16:10 - 2012-07-23 16:10 - 00336232 _____ () C:\Program Files\Common Files\logishrd\LWSPlugins\LWS\Applets\CameraHelper\DevManagerCore.dll
2011-08-12 13:19 - 2011-08-12 13:19 - 00680984 _____ () C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F
AlternateDataStreams: C:\ProgramData\TEMP:A1D3FEF0
AlternateDataStreams: C:\ProgramData\TEMP:A3E39C6A

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pcwatch.sys => ""="Driver" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect => ""="service" <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pcwatch.sys => ""="Driver" <==== ATTENTION

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1506548412-1360968716-356857802-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\MediaCenter\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.76.76 - 75.75.75.75

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{47CA2694-1AE6-4DE0-9660-CD43010DA34B}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{164599CD-4DFA-420B-B7B1-4B8FF21DE512}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{D900AE1C-D982-4092-941C-87CFD2486DCC}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{2E4300A0-7C2E-4C7F-B338-9EE8D4BD8F46}] => (Allow) C:\Windows\System32\dmwu.exe
FirewallRules: [{E270AAEF-55C1-4FAD-97B1-1D80FB6507D0}] => (Allow) C:\Windows\System32\dmwu.exe
FirewallRules: [{629BE428-65A4-49BD-99DE-83B0911EFAD8}] => (Allow) C:\Windows\System32\ARFC\wrtc.exe
FirewallRules: [{6D932D28-DB97-47EE-A67B-6914425873B0}] => (Allow) C:\Windows\System32\ARFC\wrtc.exe
FirewallRules: [{93408C3E-18E4-4BE7-985D-D55A1ABF4987}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{ED901594-D2C3-435C-B2C0-AC78312F244A}] => (Allow) C:\Users\MediaCenter\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{59BF26FC-04EC-4295-880D-6979C9982A63}] => (Allow) C:\Users\MediaCenter\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{879B8440-8139-4D8C-A785-439799561A99}] => (Allow) C:\Program Files\Logitech\Vid HD\Vid.exe
FirewallRules: [{8E9F6777-C990-4C63-B5DA-60B3C447B1B9}] => (Allow) C:\Program Files\Logitech\Vid HD\Vid.exe
FirewallRules: [{7015CA9B-EBED-403D-BCEF-E09A48B0D470}] => (Allow) C:\Users\MediaCenter\AppData\Local\Temp\7zS37A1\hppiw.exe
FirewallRules: [{0C0EAC42-A1A3-415B-86BC-F23E22F54305}] => (Allow) C:\Users\MediaCenter\AppData\Local\Temp\7zS37A1\hppiw.exe
FirewallRules: [{532DBBE1-F516-4EE3-9EA8-725A57EEDD28}] => (Allow) C:\Users\MediaCenter\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{01DD037A-9AE9-440F-8A36-DD48221F862E}] => (Allow) C:\Users\MediaCenter\AppData\Roaming\Spotify\spotify.exe
FirewallRules: [{45041913-5D78-477D-A6E4-EF2D4FBDCCF3}] => (Allow) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdater.exe
FirewallRules: [{6197FFA7-C9BD-4232-BC0D-5D9877CF1510}] => (Allow) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{BF1C5695-49F1-4975-BE5F-87F7C0AF5764}] => (Allow) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{F5B0F2AB-0867-4E0C-B745-6F350E7F2110}] => (Allow) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{F1C86B4D-B602-47CE-8428-CC58DFE36FC1}] => (Allow) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{8D2053BC-A190-4374-A33F-FB0FE3B0618A}] => (Allow) C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
FirewallRules: [{D2377BE1-FC2B-42F2-8F86-C495F2D8115C}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============

Name: Null
Description: Null
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: Null
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: AntiLog32
Description: AntiLog32
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: AntiLog32
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/18/2015 08:34:10 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (06/18/2015 07:34:10 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (06/14/2015 10:42:20 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (06/13/2015 03:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (06/13/2015 02:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (06/13/2015 01:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (06/13/2015 00:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (06/10/2015 10:25:44 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: License Activation Scheduler (sppuinotify.dll) failed with the following error code:
0x80070005

Error: (05/31/2015 04:31:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2015 04:29:47 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.

System errors:
=============
Error: (06/18/2015 07:34:10 AM) (Source: DCOM) (EventID: 10001) (User: )
Description: C:\Windows\System32\slui.exe -Embedding5{F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

Error: (06/18/2015 07:07:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%10106

Error: (06/18/2015 07:07:05 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%10106

Error: (06/15/2015 09:11:35 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%10106

Error: (06/15/2015 09:11:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%10106

Error: (06/15/2015 09:11:35 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%10106

Error: (06/15/2015 09:11:35 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%10106

Error: (06/15/2015 08:40:43 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error:
%%10106

Error: (06/15/2015 08:40:43 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%10106

Error: (06/14/2015 10:42:36 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error:
%%10106

Microsoft Office:
=========================
Error: (06/18/2015 08:34:10 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (06/18/2015 07:34:10 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (06/14/2015 10:42:20 AM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (06/13/2015 03:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (06/13/2015 02:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (06/13/2015 01:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (06/13/2015 00:21:33 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (06/10/2015 10:25:44 PM) (Source: Software Protection Platform Service) (EventID: 8193) (User: )
Description: 0x80070005

Error: (05/31/2015 04:31:22 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (05/31/2015 04:29:47 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x800700050x00000000

==================== Memory info ===========================

Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
Percentage of memory in use: 24%
Total physical RAM: 3006.55 MB
Available physical RAM: 2270 MB
Total Pagefile: 6011.42 MB
Available Pagefile: 5075.59 MB
Total Virtual: 2047.88 MB
Available Virtual: 1895.3 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:444.6 GB) (Free:318.9 GB) NTFS
Drive e: () (Removable) (Total:14.9 GB) (Free:14.64 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: CEE8CEE8)
Partition 1: (Active) - (Size=13.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=444.6 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 14.9 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End of log ============================

FYI -- Even though I cannot yet connect to my WiFi, the "trouble" PC's Ethernet port is hardwired and the green lights are on.
 
#4 ·
FOSeagulls - Good job running and posting the scan. Please do the following:

Download MGA Diagnostic Tool to your Desktop. If you cannot access the internet, please download it on another computer, and copy to the desktop of the infected computer. It cannot be run from the USB!

  • Double click MGADiag.exe to launch the program.
  • Click Continue and let the scan run.
  • When finished it will have created a log.
  • Click Copy.
  • Next open Notepad.
    • Click Start > Run type Notepad click OK.
    • This will open an empty Notepad file.
    • Right click in the empty file and choose Paste to copy the log from MGA Diagnostics into it.
    • Save the file to your Desktop.
    • Close MGA Diagnostic Tool.
  • Copy/Paste the log in your next reply please.
 
#5 ·
Hi Firefly. Thanks for your reply. Here is my MGA posting. FOSeagulls.

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-D96PV-T9B9D-M8X2Q
Windows Product Key Hash: Fq/JsPUI1NdT6veDtiDB8N1RQUs=
Windows Product ID: 00359-OEM-8992687-00246
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {DAB6A08E-EF2E-46C6-9D5E-79E65351DC0C}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x0
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.150427-0707
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->
File Mismatch: C:\Windows\system32\systemcpl.dll[6.1.7600.16385], Hr = 0x800b0100
File Mismatch: C:\Windows\system32\user32.dll[6.1.7600.16385], Hr = 0x800b0100

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{DAB6A08E-EF2E-46C6-9D5E-79E65351DC0C}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-M8X2Q</PKey><PID>00359-OEM-8992687-00246</PID><PIDType>2</PIDType><SID>S-1-5-21-1506548412-1360968716-356857802</SID><SYSTEM><Manufacturer>HP Pavilion 061</Manufacturer><Model>ER859AA-ABA M7334N</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>3.44</Version><SMBIOSVersion major="2" minor="4"/><Date>20060208000000.000000+000</Date></BIOS><HWID>AA203F07018400F8</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Input Error: Can not find script file "C:\Windows\system32\slmgr.vbs".

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Not Registered - 0x80070005
HealthStatus Bitmask Output:

HWID Data-->
HWID Hash Current: NgAAAAIABAABAAEAAAABAAAAAwABAAEAeqjk7qoLJoleP5bHUAJEa5J0lBCuaCJc4Ng+hDS1

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC HP-CPC AWRDACPI
FACP HP-CPC AWRDACPI
SSDT HP-CPC POWERNOW
MCFG HP-CPC AWRDACPI
 
#6 ·
The licensing data is missing but it's obvious the operating system is not genuine as it's running a license from an MSI machine on an HP. Plus, Windows 7 is OEM and since it was upgraded from XP it would have to be a retail license.

Since we don't assist with pirated software, I'm closing this thread.
 