Dear SBC customer,
AT&T has received information indicating that one or more devices using your Internet connection may be infected with malicious software. Internet traffic consistent with a malware infection (“bedep”) was observed on Apr 11, 2016 at 10:40 PM EDT from the IP address 108.207.169.142. Our records indicate that this IP address was assigned to you at this time.
Infected computers are often used as part of a zombie computer network (“botnet”). Botnets are networks of computers which have been infected with malware and placed under the control of a hacker or group of hackers. They are often used for attacks on websites, spamming, fraud, and distribution of additional malware.
Because malware is designed to run in secret, an infected computer may display no obvious symptoms.
To address this matter we ask that you take the following actions. If your computer(s) are managed by an Information Technology (IT) group at your place of work, please pass this information on to them.
If you use a wireless network, an infected computer may be using your Internet connection without your knowledge. Ensure that your wireless router is password-protected and using WPA or WPA2 encryption (use WEP only if WPA is not available). Check the connections to the router and ensure that you recognize all connected devices.
Ensure your firewall settings and anti-virus software are up-to-date, and install any necessary service packs or patches. Scan all systems for viruses and other malware.
Additional tools and information:
Tools for removing rootkits, bots, and other crimeware:
Norton Power Eraser: https://security.symantec.com/nbrt/npe.aspx (Windows)
McAfee Rootkit Remover: http://www.mcafee.com/us/downloads/free ... mover.aspx (Windows)
Tools for general virus and malware removal:
Microsoft Safety & Security Center: http://www.microsoft.com/security/ (Windows)
Malwarebytes Anti-Malware: http://malwarebytes.org/ (Windows, Android)
Spybot +AV: http://www.safer-networking.org/ (Windows)
OS X Gatekeeper: http://support.apple.com/kb/HT5290 (OS X)
AT&T Malware and Network Security analysts gather weekly to give you the information that you need to know about the latest security news and trends. Visit AT&T ThreatTraq at http://techchannel.att.com/showpage.cfm?ThreatTraq
Regards, AT&T Internet Services Security Center
Incident details for 108.207.169.142
Type: bedep
Source port: 52074
Destination IP: 208.xx.xx.234
Hostname: dcthrgaeqgjjbbea.com
Destination port: 80
For security reasons, the destination IP is partially obscured.
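The notice above boils down to five network indicators, and the FRST log that follows runs to several hundred lines. The script below is an added example for this thread; it is not part of the original post and is not code from AT&T or from the FRST tool. It pulls the indicators out of the "Incident details" block (the hostname and destination port are what to match against the host's DNS client cache, connection table and any firewall or proxy logs) and reduces an FRST.txt to the entries FRST itself marks as unsigned, missing or flagged, plus any executable or DLL sitting in a user's Temp directory. The marker strings are ones FRST emits; the Temp rule and the section-tracking are this script's own heuristics. The sample inputs are the incident block from the notice and a short excerpt of the log, embedded so the script runs offline.

```python
"""Triage an ISP botnet notice against an FRST log.

Added example for this thread; not part of the original post and not code
from AT&T or from the FRST tool. Every string in MARKERS is a marker FRST
writes into its output; the Temp-directory rule is this script's own heuristic.
"""
import re

# Fields the ISP notice carries; their values are what to search for on the
# host (DNS client cache, connection table, firewall or proxy logs).
INCIDENT_FIELDS = ("Type", "Source port", "Destination IP", "Hostname", "Destination port")

# Markers FRST appends to entries worth a second look, with a plain-language reason.
MARKERS = {
    "[File not signed]": "service or driver binary has no Authenticode signature",
    "[X]": "driver is registered but its file is missing",
    "[No File]": "browser plugin is registered but its file is missing",
    "=> not found": "extension path is registered but not present on disk",
    "[not signed]": "browser extension is not signed",
    "<==== ATTENTION": "entry flagged by FRST",
}

SECTION_RE = re.compile(r"^={3,}\s*([^=]+?)\s*={3,}$")   # "==== Name ===="
SUBSECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):$")     # "Chrome:", "Some files in TEMP:"
TEMP_BINARY_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(exe|dll|scr|com)$", re.IGNORECASE)


def parse_incident(lines):
    """Return {field: value} for the incident-detail lines of an ISP notice."""
    indicators = {}
    for raw in lines:
        key, sep, value = raw.partition(":")
        if sep and key.strip() in INCIDENT_FIELDS:
            indicators[key.strip()] = value.strip()
    return indicators


def triage(lines):
    """Return [(section, reason, line)] for every FRST line that carries a
    MARKERS string or names an executable/DLL in a Temp directory."""
    findings = []
    section = None
    for raw in lines:
        line = raw.rstrip()
        header = SECTION_RE.match(line) or SUBSECTION_RE.match(line)
        if header:
            section = header.group(1)   # remember which FRST section we are in
            continue
        reason = next((why for mark, why in MARKERS.items() if mark in line), None)
        if reason is None and TEMP_BINARY_RE.search(line):
            reason = "executable or DLL in a Temp directory"
        if reason:
            findings.append((section, reason, line))
    return findings


# Incident block exactly as it appears in the notice above.
SAMPLE_INCIDENT = """
Incident details for 108.207.169.142
Type: bedep
Source port: 52074
Destination IP: 208.xx.xx.234
Hostname: dcthrgaeqgjjbbea.com
Destination port: 80
For security reasons, the destination IP is partially obscured.
""".strip().splitlines()

# Short excerpt of the FRST log below, enough to exercise each rule.
SAMPLE_FRST = r"""
==================== Services (Whitelisted) ========================
R2 AdaptiveSleepService; c:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [140288 2014-10-07] () [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
S3 SmbDrv; \SystemRoot\system32\DRIVERS\Smb_driver_AMDASF.sys [X]
Some files in TEMP:
====================
C:\Users\ROBERT\AppData\Local\Temp\COMAP.EXE
C:\Users\ROBERT\AppData\Local\Temp\sqlite3.dll
==================== Scheduled Tasks (Whitelisted) =============
Task: {1FCF9ACA-9AE5-4AE3-B452-7AFD7E75483B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
""".strip().splitlines()


if __name__ == "__main__":
    for field, value in parse_incident(SAMPLE_INCIDENT).items():
        print(f"indicator  {field}: {value}")
    for section, reason, line in triage(SAMPLE_FRST):
        print(f"[{section}] {reason}\n    {line}")
```

To use it on the full log, read the saved FRST.txt and pass its lines to triage(); the excerpt above yields five entries out of the hundreds of lines in the post. A line on that list is a starting point for a manual look (publisher, file hash, install date), not a verdict: unsigned OEM services and stale driver entries are normal on a factory Windows image, whereas an executable in Temp is worth hashing before it is deleted.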
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-04-2016
Ran by ROBERT (administrator) on ROBSHP (15-04-2016 07:48:04)
Running from C:\Users\ROBERT\Downloads
Loaded Profiles: ROBERT (Available Profiles: ROBERT)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe
() C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(CyberLink Corp.) C:\Program Files (x86)\Cyberlink\YouCam\YouCamService.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
() C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.325.12390.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Registry (Whitelisted) ===========================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8496344 2015-09-16] (Realtek Semiconductor)
HKU\S-1-5-21-340307169-1632282712-3976785497-1002\...\MountPoints2: {64370cf0-d08d-11e5-8299-3ca82aa73734} - "F:\LaunchU3.exe" -a
HKU\S-1-5-21-340307169-1632282712-3976785497-1002\...\MountPoints2: {daaa1817-bb52-11e5-8296-3ca82aa73734} - "F:\HTC_Sync_Manager_PC.exe"
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{34929e00-4ccd-46ce-8368-4b185ea1c53a}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{85f1380a-f2c5-40f2-b3f8-79868419940b}: [DhcpNameServer] 192.168.1.254
Internet Explorer:
==================
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp13.msn.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
HKU\S-1-5-21-340307169-1632282712-3976785497-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp13.msn.com
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2016-02-25] (HP)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2014-12-17] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2016-02-25] (HP)
FireFox:
========
FF Plugin: @mcafee.com/MSC,version=10 -> C:\Program Files\mcafee\msc\npMcSnFFPl64.dll [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1216156.dll [2015-01-09] (Adobe Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2015-04-21] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2015-04-21] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2015-04-21] (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [2015-04-21] (Foxit Corporation)
FF Plugin-x32: @mcafee.com/MSC,version=10 -> C:\Program Files (x86)\McAfee\msc\npMcSnFFPl.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-02-03] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2014-11-14] ()
FF HKLM-x32\...\Firefox\Extensions: [firefox@bho.com] - C:\Program Files\Hewlett-Packard\SimplePass\FFBHOExt
FF Extension: HP SimplePass - C:\Program Files\Hewlett-Packard\SimplePass\FFBHOExt [2015-03-06] [not signed]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
Chrome:
=======
CHR Profile: C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-02]
CHR Extension: (Google Docs) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-08-02]
CHR Extension: (Google Drive) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-22]
CHR Extension: (YouTube) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-27]
CHR Extension: (Google Search) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Google Sheets) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-02]
CHR Extension: (Google Docs Offline) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-15]
CHR Extension: (Chrome Web Store Payments) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Gmail) - C:\Users\ROBERT\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-02]
==================== Services (Whitelisted) ========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R2 AdaptiveSleepService; c:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [140288 2014-10-07] () [File not signed]
R2 AMD FUEL Service; c:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-10-07] (Advanced Micro Devices, Inc.) [File not signed]
S2 amdacpusrsvc; C:\AMD\amdacpusrsvc.exe [82432 2014-10-07] () [File not signed]
S4 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [98816 2014-10-11] () [File not signed]
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [347200 2015-02-09] (WildTangent)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [26680 2016-02-18] (Hewlett-Packard Company)
R2 HPWMISVC; c:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [608520 2015-02-17] (Hewlett-Packard Development Company, L.P.)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S4 omniserv; C:\Program Files\Hewlett-Packard\SimplePass\OmniServ.exe [103424 2015-01-30] (Softex Inc.) [File not signed]
S4 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [389896 2014-04-14] ()
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [294616 2015-09-16] (Realtek Semiconductor)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
===================== Drivers (Whitelisted) ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17640 2015-01-26] (Advanced Micro Devices, INC.)
R2 AODDriver4.3; c:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59648 2013-11-04] (Advanced Micro Devices)
S3 aswTap; C:\Windows\System32\drivers\aswTap.sys [44640 2014-09-05] (The OpenVPN Project)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWT6.sys [102912 2015-05-28] (Advanced Micro Devices)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [310528 2015-06-05] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\Windows\System32\drivers\rt640x64.sys [886528 2015-09-20] (Realtek )
R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [624424 2015-11-16] (Realtek Semiconductor Corporation)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [4619520 2015-09-16] (Realtek Semiconductor Corporation )
S3 ssudserd; C:\Windows\system32\DRIVERS\ssudserd.sys [214832 2015-12-08] (DEVGURU Co., LTD.(www.devguru.co.kr))
R5 SynTP; C:\Windows\System32\Drivers\SynTP.sys [862840 2015-12-09] (Synaptics Incorporated)
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
S3 SmbDrv; \SystemRoot\system32\DRIVERS\Smb_driver_AMDASF.sys [X]
S3 SmbDrvI; \SystemRoot\System32\drivers\Smb_driver_Intel.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
==================== One Month Created files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-04-15 07:48 - 2016-04-15 07:48 - 00013315 _____ C:\Users\ROBERT\Downloads\FRST.txt
2016-04-15 07:47 - 2016-04-15 07:48 - 00000000 ____D C:\FRST
2016-04-15 07:42 - 2016-04-15 07:47 - 02375168 _____ (Farbar) C:\Users\ROBERT\Downloads\FRST64.exe
2016-04-13 11:50 - 2016-04-13 11:50 - 00000000 ____D C:\Users\ROBERT\AppData\Local\MediaShow
2016-04-13 10:07 - 2016-04-13 10:07 - 00000000 ____D C:\Users\ROBERT\Documents\CyberLink
2016-04-12 11:21 - 2016-04-12 11:21 - 00304317 _____ C:\Users\ROBERT\Downloads\CN201184433Y.pdf
2016-04-08 09:41 - 2016-04-08 09:41 - 00028812 _____ C:\Users\ROBERT\Downloads\EStatement-2014-06-04-34878.pdf
2016-04-08 09:40 - 2016-04-08 09:40 - 00012627 _____ C:\Users\ROBERT\Downloads\EStatement-2014-12-03-34850.pdf
2016-04-08 09:40 - 2016-04-08 09:40 - 00007507 _____ C:\Users\ROBERT\Downloads\EStatement-2014-07-07-34832.pdf
2016-04-08 09:39 - 2016-04-08 09:39 - 00040442 _____ C:\Users\ROBERT\Downloads\EStatement-2014-09-04-34737.pdf
2016-04-08 09:39 - 2016-04-08 09:39 - 00029159 _____ C:\Users\ROBERT\Downloads\EStatement-2014-08-05-34777.pdf
2016-04-08 09:37 - 2016-04-08 09:37 - 00018690 _____ C:\Users\ROBERT\Downloads\EStatement-2014-10-06-34662.pdf
2016-04-08 09:30 - 2016-04-08 09:30 - 00000910 _____ C:\Users\ROBERT\Downloads\TransactionList-2016-04-08-34252.pdf
2016-03-31 12:50 - 2016-03-31 12:50 - 00002254 _____ C:\Users\ROBERT\Desktop\%2Fussplex%2Fdata%2Fappsprd%2FIRPA%2Fpdf_files%2Firpa160331153CDCB253ED1A30.pdf
2016-03-29 22:49 - 2016-03-29 22:49 - 00638851 _____ C:\Users\ROBERT\Downloads\getimage (19).tif
2016-03-27 00:30 - 2016-03-27 00:30 - 00001293 _____ C:\AdwCleaner[C3].txt
2016-03-27 00:29 - 2016-03-27 00:30 - 00001127 _____ C:\AdwCleaner[S3].txt
2016-03-27 00:28 - 2016-03-27 00:28 - 00000000 ____D C:\Program Files (x86)\ESET
2016-03-24 21:39 - 2016-03-24 21:50 - 00007608 _____ C:\Users\ROBERT\AppData\Local\resmon.resmoncfg
2016-03-24 21:19 - 2016-03-24 21:19 - 00000000 ____H C:\Users\ROBERT\Documents\Default.rdp
==================== One Month Modified files and folders ========
(If an entry is included in the fixlist, the file/folder will be moved.)
2016-04-15 07:10 - 2015-11-16 04:28 - 00972104 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-04-15 07:10 - 2015-10-30 02:21 - 00000000 ____D C:\WINDOWS\INF
2016-04-15 07:00 - 2015-10-30 02:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-04-14 01:58 - 2015-08-02 07:29 - 00000916 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-14 01:37 - 2015-10-30 02:24 - 00000000 ___HD C:\Program Files\WindowsApps
2016-04-14 01:37 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-04-14 01:37 - 2015-07-31 03:17 - 00000000 ____D C:\Users\ROBERT\AppData\Local\Packages
2016-04-13 18:45 - 2015-07-31 12:08 - 00453280 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2016-04-13 10:10 - 2015-05-22 17:28 - 00000000 ____D C:\ProgramData\CyberLink
2016-04-13 10:07 - 2015-12-29 13:35 - 00000000 ____D C:\Users\ROBERT\AppData\Roaming\CyberLink
2016-04-13 10:07 - 2015-05-22 18:22 - 00000000 ____D C:\Users\Public\Documents\CyberLink
2016-04-12 06:26 - 2015-07-31 03:22 - 00000000 ____D C:\Users\ROBERT\Documents\Youcam
2016-04-12 02:50 - 2015-08-02 07:32 - 00002279 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-04-12 02:50 - 2015-08-02 07:32 - 00002267 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-04-10 16:37 - 2015-09-20 10:46 - 00003246 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForROBERT
2016-04-10 16:37 - 2015-09-20 10:46 - 00000350 _____ C:\WINDOWS\Tasks\HPCeeScheduleForROBERT.job
2016-04-08 09:28 - 2015-11-16 04:29 - 00000000 ____D C:\Users\ROBERT
2016-04-07 16:26 - 2015-11-16 04:25 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Music, Photos and Videos
2016-04-07 16:24 - 2015-05-22 17:26 - 00000000 ____D C:\Program Files\CyberLink
2016-04-07 16:24 - 2015-03-06 05:19 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-04-07 16:23 - 2015-01-29 11:54 - 00000000 ____D C:\SWSetup
2016-04-07 15:57 - 2015-08-12 08:33 - 00000000 ____D C:\Users\ROBERT\AppData\Roaming\Kingsoft
2016-04-07 15:57 - 2015-08-12 08:33 - 00000000 ____D C:\Users\ROBERT\AppData\Local\Kingsoft
2016-04-07 15:57 - 2015-05-22 17:37 - 00000000 ____D C:\ProgramData\Kingsoft
2016-04-07 15:57 - 2015-05-22 17:36 - 00000000 ____D C:\Program Files (x86)\Kingsoft
2016-04-07 15:56 - 2015-07-31 03:17 - 00000000 ____D C:\Users\ROBERT\AppData\Roaming\Synaptics
2016-04-07 15:45 - 2015-10-30 02:24 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-04-07 15:31 - 2015-11-16 04:43 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-04-07 15:31 - 2015-11-16 04:26 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2016-04-07 15:31 - 2015-10-30 01:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-04-01 17:09 - 2015-08-07 08:47 - 00000000 ____D C:\Users\ROBERT\AppData\Local\ElevatedDiagnostics
2016-03-27 00:35 - 2015-11-03 04:34 - 00001344 _____ C:\Users\ROBERT\Desktop\Revo Uninstaller.lnk
2016-03-24 07:16 - 2015-08-14 21:13 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
==================== Files in the root of some directories =======
2016-03-24 21:39 - 2016-03-24 21:50 - 0007608 _____ () C:\Users\ROBERT\AppData\Local\resmon.resmoncfg
Some files in TEMP:
====================
C:\Users\ROBERT\AppData\Local\Temp\COMAP.EXE
C:\Users\ROBERT\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap =================
(There is no automatic fix for files that do not pass verification.)
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2016-04-10 19:55
==================== End of FRST.txt ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:13-04-2016
Ran by ROBERT (2016-04-15 07:49:50)
Running from C:\Users\ROBERT\Downloads
Windows 10 Home Version 1511 (X64) (2015-11-16 09:49:04)
Boot Mode: Normal
==========================================================
==================== Accounts: =============================
Administrator (S-1-5-21-340307169-1632282712-3976785497-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-340307169-1632282712-3976785497-503 - Limited - Disabled)
Guest (S-1-5-21-340307169-1632282712-3976785497-501 - Limited - Disabled)
ROBERT (S-1-5-21-340307169-1632282712-3976785497-1002 - Administrator - Enabled) => C:\Users\ROBERT
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
==================== Installed Programs ======================
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
ACP Application (Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.6.156 - Adobe Systems, Inc.)
AMD Catalyst Install Manager (HKLM\...\{B779ADE0-6AC6-69FE-3BD8-07CA318BC267}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Azkend 2: The World Beneath (x32 Version: 2.2.0.98 - WildTangent) Hidden
Barn Yarn Collector's Edition (x32 Version: 3.0.2.48 - WildTangent) Hidden
Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
Cisco LEAP Module (HKLM-x32\...\{AF312B06-5C5C-468E-89B3-BE6DE2645722}) (Version: 1.0.19 - Cisco Systems, Inc.)
Cisco PEAP Module (HKLM-x32\...\{0A4EF0E6-A912-4CDE-A7F3-6E56E7C13A2F}) (Version: 1.1.6 - Cisco Systems, Inc.)
CopyTrans Control Center Uninstall Only (HKU\S-1-5-21-340307169-1632282712-3976785497-1002\...\CopyTrans Suite) (Version: 4.004 - WindSolutions)
Coyote The Outlander (x32 Version: 3.0.2.59 - WildTangent) Hidden
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.9.4928 - CyberLink Corp.)
Cyberlink PhotoDirector (HKLM-x32\...\InstallShield_{5A454EC5-217A-42a5-8CE1-2DDEC4E70E01}) (Version: 5.0.5.6618 - CyberLink Corp.)
Cyberlink PhotoDirector (Version: 5.0.5.6618 - CyberLink Corp.) Hidden
CyberLink Power Media Player 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.6.5011 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.9.5009 - CyberLink Corp.)
CyberLink PowerBackup 2.6 (HKLM-x32\...\InstallShield_{ADD5DB49-72CF-11D8-9D75-000129760D75}) (Version: 2.6.2.1307 - CyberLink Corp.)
CyberLink PowerDirector 12 (HKLM-x32\...\InstallShield_{E1646825-D391-42A0-93AA-27FA810DA093}) (Version: 12.0.3.3812 - CyberLink Corp.)
CyberLink PowerDirector 12 (Version: 12.0.3.3812 - CyberLink Corp.) Hidden
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.6.4930 - CyberLink Corp.)
Delicious: Emily's Wonder Wedding Premium Edition (x32 Version: 3.0.2.59 - WildTangent) Hidden
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Dropbox 25 GB (HKLM-x32\...\{597A58EC-42D6-4940-8739-FB94491B013C}) (Version: 1.0.3.0 - Dropbox, Inc.)
Energy Star (HKLM\...\{465CA2B6-98AF-4E77-BE22-A908C34BB9EC}) (Version: 1.0.9 - Hewlett-Packard Company)
Entwined: The Perfect Murder (x32 Version: 3.0.2.59 - WildTangent) Hidden
Evernote v. 5.8.1 (HKLM-x32\...\{4FD2D1C8-8636-11E4-9D21-00163E98E7D6}) (Version: 5.8.1.6061 - Evernote Corp.)
Foxit PhantomPDF (HKLM-x32\...\{00AB67E6-7A15-4357-95AA-F06A6950EA7C}) (Version: 7.0.39.113 - Foxit Software Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 49.0.2623.112 - Google Inc.)
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
Hidden Odyssey 2 in 1 Pack (x32 Version: 3.0.2.59 - WildTangent) Hidden
Home Makeover (x32 Version: 3.0.2.59 - WildTangent) Hidden
HP Documentation (HKLM-x32\...\{59661A32-F6FF-47EA-9276-0F882DC3BC9E}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7960.5089 - Hewlett-Packard)
HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.01.39 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{61EB474B-67A6-47F4-B1B7-386851BAB3D0}) (Version: 8.2.8.25 - Hewlett-Packard Company)
HP Support Solutions Framework (HKLM-x32\...\{F6A11738-3EE4-4573-AEA5-6CD5D491C167}) (Version: 12.2.8.17 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{D17A3B70-B75E-4C49-83D6-C17DDF65B35F}) (Version: 1.3.4 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)
Imperial Island: Birth of an Empire (x32 Version: 3.0.2.59 - WildTangent) Hidden
Insane Cold: Back to the Ice Age (x32 Version: 3.0.2.59 - WildTangent) Hidden
Inst5675 (Version: 8.01.39 - Softex Inc.) Hidden
Inst5676 (Version: 8.01.39 - Softex Inc.) Hidden
Lost Souls: Timeless Fables Collector's Edition (x32 Version: 3.0.2.59 - WildTangent) Hidden
Magic Heroes: Save Our Park (x32 Version: 3.0.2.59 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Manor Memoirs Collector's Edition (x32 Version: 3.0.2.59 - WildTangent) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mystery Expedition: Prisoners of Ice (x32 Version: 3.0.2.59 - WildTangent) Hidden
OEM Application Profile (HKLM-x32\...\{1D464EFF-EC8B-F225-2F74-F74143200DDF}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
Plagiarii (x32 Version: 3.0.2.59 - WildTangent) Hidden
Polar Bowler 1st Frame (x32 Version: 3.0.2.59 - WildTangent) Hidden
REALTEK Bluetooth Driver (HKLM-x32\...\{9D3D8C60-A5EF-4123-B2B9-172095903AB}) (Version: 1.0.0.27 - REALTEK Semiconductor Corp.)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.3.370.70 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 10.1.505.2015 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7548 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.0.0.59 - REALTEK Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Rory's Restaurant (x32 Version: 3.0.2.59 - WildTangent) Hidden
Royal Envoy Double Pack (x32 Version: 3.0.2.59 - WildTangent) Hidden
Runefall (x32 Version: 3.0.2.126 - WildTangent) Hidden
Rush Hour! Gas Station (x32 Version: 3.0.2.59 - WildTangent) Hidden
Sky High Farm (x32 Version: 3.0.2.59 - WildTangent) Hidden
Solitaire Mystery Four Seasons (x32 Version: 3.0.2.51 - WildTangent) Hidden
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
UFR II Printer Driver Uninstaller (HKLM\...\Canon UFR II Printer Driver) (Version: 6, 3, 1, 0 - Canon Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App for HP (x32 Version: 4.0.11.14 - WildTangent) Hidden
==================== Custom CLSID (Whitelisted): ==========================
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
CustomCLSID: HKU\S-1-5-21-340307169-1632282712-3976785497-1002_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\ROBERT\AppData\Local\Microsoft\OneDrive\17.3.6201.1019\FileCoAuth.exe (Microsoft Corporation)
==================== Scheduled Tasks (Whitelisted) =============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
Task: {0BF60D26-7003-4F64-9F79-7D51CAB84BDF} - System32\Tasks\HPCeeScheduleForROBERT => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2015-06-16] (Hewlett-Packard)
Task: {0E7B2656-CB0A-43E4-980B-C4E1B5D46155} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Active Health Launcher => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-03-02] (Hewlett-Packard)
Task: {1EA7C78E-DC18-42F0-A6D5-8D301A7C5F97} - System32\Tasks\McAfee Remediation (Prepare) => C:\Program Files\Common Files\AV\McAfee Anti-Virus And Anti-Spyware\upgrade.exe [2015-06-01] (McAfee, Inc.)
Task: {1FCF9ACA-9AE5-4AE3-B452-7AFD7E75483B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {2BF4C591-6971-4D5F-AEF0-C1C6A0143220} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Report => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSFReport.exe [2016-03-11] (Hewlett-Packard)
Task: {365F382E-7164-472C-B372-4E8324C96C1B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {3760FEFD-6640-4630-97AC-929516C5652E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-02] (Google Inc.)
Task: {5E0BF44D-7B5A-4458-91F5-478307CC8896} - System32\Tasks\Hewlett-Packard\HP Active Health\HP Active Health Scan (HPSA) => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPActiveHealth\ActiveHealth.exe [2016-03-02] (Hewlett-Packard)
Task: {5ED60A27-01B1-4914-B40D-80422F38420E} - System32\Tasks\Start OPBHOBrokerDesktop => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBrokerDsktop.exe [2015-01-30] (Hewlett-Packard)
Task: {60BC5BAD-6C60-4483-9783-59D55D2B871F} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {717BB70A-88AB-4973-8EC4-787A130EEC52} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-02-18] (Hewlett-Packard Company)
Task: {77849D8C-63D7-45E3-AFB0-324BA0D6457A} - System32\Tasks\Start SimplePass => C:\Program Files\Hewlett-Packard\SimplePass\ClientCore.exe [2015-01-30] (Hewlett-Packard)
Task: {798C021C-E76C-4601-8082-028089682C83} - System32\Tasks\Start OPBHOBroker => C:\Program Files\Hewlett-Packard\SimplePass\OPBHOBroker.exe [2015-01-30] (Hewlett-Packard)
Task: {7EDCA12E-466D-4B31-A207-F73E92EC6D89} - System32\Tasks\YCMServiceAgent => c:\Program Files (x86)\Cyberlink\YouCam\YouCamService.exe [2015-01-29] (CyberLink Corp.)
Task: {809A2445-A756-4D3B-8FAC-D3394E3F3496} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2016-03-09] (Microsoft Corporation)
Task: {9F47CEC6-B388-4C3E-AAA4-0B55D7D81E65} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-03-07] (Hewlett-Packard)
Task: {AD8F8D81-8780-4A4D-B0B2-F9DFCFFEAEF1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-02] (Google Inc.)
Task: {C87491A6-14DE-4FF9-BB97-790B90D84D70} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {DEFA174E-87B5-4A58-AF29-2DAD5D5CE6AD} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2016-02-18] (Hewlett-Packard Company)
Task: {DF4A6770-6166-495F-A910-0CEEF661BA56} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {F5AF1913-9528-4CD2-8D36-66C769A51178} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Solutions Framework Updater - Resources => C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\Modules\HPSSFUpdater.exe [2016-03-07] (Hewlett-Packard)
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForROBERT.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
==================== Shortcuts =============================
(The entries could be listed to be restored or removed.)
==================== Loaded Modules (Whitelisted) ==============
2014-10-07 02:59 - 2014-10-07 02:59 - 00127488 _____ () c:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2014-10-07 02:59 - 2014-10-07 02:59 - 00140288 _____ () c:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe
2015-10-30 02:18 - 2015-10-30 02:18 - 00185856 _____ () C:\WINDOWS\SYSTEM32\ism32k.dll
2016-03-03 17:13 - 2016-02-23 06:27 - 02654872 _____ () C:\WINDOWS\system32\CoreUIComponents.dll
2016-03-03 17:13 - 2016-02-23 06:27 - 02654872 _____ () C:\WINDOWS\System32\CoreUIComponents.dll
2016-01-12 20:27 - 2015-12-06 23:14 - 00093696 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Windows.UI.Shell.SharedUtilities.dll
2016-03-03 17:13 - 2016-02-23 03:36 - 00472064 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\QuickActions.dll
2016-03-03 17:12 - 2016-02-23 03:38 - 00674816 _____ () C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\MtcUvc.dll
2015-01-30 22:09 - 2015-01-30 22:09 - 00065024 _____ () C:\Program Files\Hewlett-Packard\SimplePass\opvapp.exe
2015-01-30 22:07 - 2015-01-30 22:07 - 02169344 _____ () C:\Program Files\Hewlett-Packard\SimplePass\autheng.dll
2015-01-30 22:05 - 2015-01-30 22:05 - 00035840 _____ () C:\Program Files\Hewlett-Packard\SimplePass\ssplogon.dll
2015-01-30 22:05 - 2015-01-30 22:05 - 00055296 _____ () C:\Program Files\Hewlett-Packard\SimplePass\RandomPass.dll
2016-01-12 20:28 - 2016-01-04 20:29 - 07992832 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\CortanaApi.dll
2016-01-12 20:27 - 2016-01-04 20:23 - 00591360 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.Core.dll
2016-01-28 01:19 - 2016-01-16 00:10 - 02483200 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\Cortana.BackgroundTask.dll
2016-01-28 01:19 - 2016-01-16 00:13 - 04089856 _____ () C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\RemindersUI.dll
2016-03-29 06:30 - 2016-03-29 06:31 - 00016896 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.325.12390.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe
2016-03-29 06:30 - 2016-03-29 06:31 - 17535488 _____ () C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.325.12390.0_x64__8wekyb3d8bbwe\Microsoft.Photos.dll
2016-04-12 02:50 - 2016-04-06 05:04 - 01675928 _____ () C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\libglesv2.dll
2016-04-12 02:50 - 2016-04-06 05:04 - 00086168 _____ () C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.112\libegl.dll
==================== Alternate Data Streams (Whitelisted) =========
(If an entry is included in the fixlist, only the ADS will be removed.)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`27hfm [0]
==================== Safe Mode (Whitelisted) ===================
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== EXE Association (Whitelisted) ===============
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
==================== Internet Explorer trusted/restricted ===============
(If an entry is included in the fixlist, it will be removed from the registry.)
==================== Hosts content: ===============================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2013-08-22 08:25 - 2013-08-22 08:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts
==================== Other Areas ============================
(Currently there is no automatic fix for this section.)
HKU\S-1-5-21-340307169-1632282712-3976785497-1002\Control Panel\Desktop\\Wallpaper -> c:\windows\web\wallpaper\hewlett-packard backgrounds\backgrounddefault.jpg
DNS Servers: 192.168.1.254
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
==================== MSCONFIG/TASK MANAGER disabled items ==
(Currently there is no automatic fix for this section.)
MSCONFIG\Services: Kingsoft_WPS_UpdateService => 2
MSCONFIG\Services: RichVideo64 => 2
HKU\S-1-5-21-340307169-1632282712-3976785497-1002\...\StartupApproved\Run: => "OneDrive"
==================== FirewallRules (Whitelisted) ===============
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{1CA96C3C-3894-4E31-B93E-6B377E493805}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPDeviceDetection3.exe
FirewallRules: [{ABB7347A-66B9-40D6-83AE-5CE6FE917E7C}] => (Allow) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPSOCKSVC.exe
FirewallRules: [{7ACFE290-6AAB-4927-B0ED-1C62BAF6A769}] => (Allow) c:\Program Files\CyberLink\PowerDirector12\PDR10.EXE
FirewallRules: [{17201987-1383-42C3-8FC0-B398497F43C6}] => (Allow) C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe
FirewallRules: [{651DE1A4-9E93-4130-B0D6-3718A60F1477}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12.exe
FirewallRules: [{00B69E50-D203-481C-B840-95C2CDEAEEA3}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMR\PowerDVD12DMREngine.exe
FirewallRules: [{63B3EB53-E502-42FE-BA29-FA51984EE291}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe
FirewallRules: [{FDD5BBF1-09BB-4A21-A2BE-4986858AF6E0}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12Agent.exe
FirewallRules: [{BEC026BA-84B7-4041-80FD-FDC25F3F045E}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\PowerDVD12ML.exe
FirewallRules: [{4F7F7531-8A1B-4556-95FD-E33978F33434}] => (Allow) c:\Program Files (x86)\CyberLink\PowerDVD12\Movie\PowerDVD.exe
FirewallRules: [{6FDEAE9C-DF18-434F-80F9-488352B1D6A8}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
==================== Restore Points =========================
27-03-2016 00:24:03 JRT Pre-Junkware Removal
31-03-2016 14:42:03 Removed 7-Zip 9.20 (x64 edition)
05-04-2016 21:04:24 Windows Update
07-04-2016 16:01:10 HPSF Applying updates
==================== Faulty Device Manager Devices =============
Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
==================== Event log errors: =========================
Application errors:
==================
Error: (04/12/2016 06:24:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ClientCore.exe, version: 8.0.1.39, time stamp: 0x54cb8a33
Faulting module name: autheng.dll, version: 0.0.0.0, time stamp: 0x54cb890a
Exception code: 0xc0000005
Fault offset: 0x0000000000037287
Faulting process id: 0x554
Faulting application start time: 0xClientCore.exe0
Faulting application path: ClientCore.exe1
Faulting module path: ClientCore.exe2
Report Id: ClientCore.exe3
Faulting package full name: ClientCore.exe4
Faulting package-relative application ID: ClientCore.exe5
Error: (04/12/2016 01:23:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ClientCore.exe, version: 8.0.1.39, time stamp: 0x54cb8a33
Faulting module name: autheng.dll, version: 0.0.0.0, time stamp: 0x54cb890a
Exception code: 0xc0000005
Fault offset: 0x0000000000037287
Faulting process id: 0x1088
Faulting application start time: 0xClientCore.exe0
Faulting application path: ClientCore.exe1
Faulting module path: ClientCore.exe2
Report Id: ClientCore.exe3
Faulting package full name: ClientCore.exe4
Faulting package-relative application ID: ClientCore.exe5
Error: (04/10/2016 07:11:10 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ClientCore.exe, version: 8.0.1.39, time stamp: 0x54cb8a33
Faulting module name: autheng.dll, version: 0.0.0.0, time stamp: 0x54cb890a
Exception code: 0xc0000005
Fault offset: 0x0000000000037287
Faulting process id: 0x1d90
Faulting application start time: 0xClientCore.exe0
Faulting application path: ClientCore.exe1
Faulting module path: ClientCore.exe2
Report Id: ClientCore.exe3
Faulting package full name: ClientCore.exe4
Faulting package-relative application ID: ClientCore.exe5
Error: (04/10/2016 04:31:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ClientCore.exe, version: 8.0.1.39, time stamp: 0x54cb8a33
Faulting module name: autheng.dll, version: 0.0.0.0, time stamp: 0x54cb890a
Exception code: 0xc0000005
Fault offset: 0x0000000000037287
Faulting process id: 0x10cc
Faulting application start time: 0xClientCore.exe0
Faulting application path: ClientCore.exe1
Faulting module path: ClientCore.exe2
Report Id: ClientCore.exe3
Faulting package full name: ClientCore.exe4
Faulting package-relative application ID: ClientCore.exe5
Error: (04/08/2016 12:12:51 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ClientCore.exe, version: 8.0.1.39, time stamp: 0x54cb8a33
Faulting module name: autheng.dll, version: 0.0.0.0, time stamp: 0x54cb890a
Exception code: 0xc0000005
Fault offset: 0x0000000000037287
Faulting process id: 0xac
Faulting application start time: 0xClientCore.exe0
Faulting application path: ClientCore.exe1
Faulting module path: ClientCore.exe2
Report Id: ClientCore.exe3
Faulting package full name: ClientCore.exe4
Faulting package-relative application ID: ClientCore.exe5
Error: (04/08/2016 09:28:17 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ClientCore.exe, version: 8.0.1.39, time stamp: 0x54cb8a33
Faulting module name: autheng.dll, version: 0.0.0.0, time stamp: 0x54cb890a
Exception code: 0xc0000005
Fault offset: 0x0000000000037287
Faulting process id: 0x1638
Faulting application start time: 0xClientCore.exe0
Faulting application path: ClientCore.exe1
Faulting module path: ClientCore.exe2
Report Id: ClientCore.exe3
Faulting package full name: ClientCore.exe4
Faulting package-relative application ID: ClientCore.exe5
Error: (04/07/2016 04:01:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Synaptics TouchPad Driver.
System Error:
The system cannot find the file specified.
.
Error: (04/07/2016 04:01:18 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
System Error:
Access is denied.
.
Error: (04/07/2016 03:37:20 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\System32\bitsperf.dll8
Error: (04/07/2016 03:32:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ClientCore.exe, version: 8.0.1.39, time stamp: 0x54cb8a33
Faulting module name: autheng.dll, version: 0.0.0.0, time stamp: 0x54cb890a
Exception code: 0xc0000005
Fault offset: 0x0000000000037287
Faulting process id: 0xc74
Faulting application start time: 0xClientCore.exe0
Faulting application path: ClientCore.exe1
Faulting module path: ClientCore.exe2
Report Id: ClientCore.exe3
Faulting package full name: ClientCore.exe4
Faulting package-relative application ID: ClientCore.exe5
System errors:
=============
Error: (04/15/2016 07:01:55 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}
Error: (04/15/2016 01:12:10 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable
Error: (04/15/2016 12:58:36 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}
Error: (04/14/2016 02:03:44 AM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable
Error: (04/14/2016 01:34:59 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}
Error: (04/14/2016 01:31:21 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}
Error: (04/13/2016 12:13:17 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable
Error: (04/13/2016 12:04:06 PM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}
Error: (04/13/2016 11:59:01 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {F3B4E234-7A68-4E43-B813-E4BA55A065F6}
Error: (04/13/2016 10:07:04 AM) (Source: DCOM) (EventID: 10010) (User: NT AUTHORITY)
Description: {784E29F4-5EBE-4279-9948-1E8FE941646D}
CodeIntegrity:
===================================
Date: 2016-04-07 15:42:01.050
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2016-04-07 10:22:20.207
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2016-03-31 13:00:00.876
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2016-03-25 11:57:14.443
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2016-03-24 22:11:48.235
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-03-22 11:53:59.087
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2016-03-15 19:55:42.874
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-03-15 18:23:26.136
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
Date: 2016-03-10 14:18:11.652
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.
Date: 2016-03-10 08:18:59.599
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
==================== Memory info ===========================
Processor: AMD A8-7050 Radeon R5, 6 Compute Cores 2C+4G
Percentage of memory in use: 41%
Total physical RAM: 7117.97 MB
Available physical RAM: 4129.1 MB
Total Virtual: 8269.97 MB
Available Virtual: 4454.06 MB
==================== Drives ================================
Drive c: (Windows) (Fixed) (Total:902.72 GB) (Free:836.37 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:26.97 GB) (Free:3.01 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (MOT) (Removable) (Total:7.39 GB) (Free:7.36 GB) FAT32
Drive z: () (Fixed) (Total:0.25 GB) (Free:0.15 GB) FAT32
==================== MBR & Partition Table ==================
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: BCA63D46)
Partition: GPT.
========================================================
Disk: 1 (Size: 7.4 GB) (Disk ID: 00000000)
Partition: GPT.
==================== End of Addition.txt ============================