Another W7 Update Problem Child, Won't Run Update, Won't Run Installer


  1. Posts : 27
    W7 Pro 64 bit
    Thread Starter
       #31

    ==================== Custom CLSID (Whitelisted): ==========================

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    CustomCLSID: HKU\S-1-5-21-1223673647-947130279-3379226297-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\Users\RAZORM~1\AppData\Local\Temp\stimrvo\suofbvk\wow64.dll => No File
    ShellIconOverlayIdentifiers: [EnabledUnlockedFDEIconOverlay] -> {30D3C2AF-9709-4D05-9CF4-13335F3C1E4A} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2010-10-16] (Wave Systems Corp.)
    ShellIconOverlayIdentifiers: [GDriveBlacklistedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-06-20] (Google)
    ShellIconOverlayIdentifiers: [GDriveSharedEditOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-06-20] (Google)
    ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-06-20] (Google)
    ShellIconOverlayIdentifiers: [GDriveSharedViewOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-06-20] (Google)
    ShellIconOverlayIdentifiers: [GDriveSyncedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-06-20] (Google)
    ShellIconOverlayIdentifiers: [GDriveSyncingOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2015-06-20] (Google)
    ShellIconOverlayIdentifiers: [UninitializedFdeIconOverlay] -> {CF08DA3E-C97D-4891-A66B-E39B28DD270F} => C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\TdmIconOverlay.dll [2010-10-16] (Wave Systems Corp.)
    ContextMenuHandlers1: [Belkin HistoryBrowser] -> {5E0A7F0F-4B41-4661-A084-BFF3F8CBDE25} => C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkHistoryBrowser.dll [2011-04-19] (Belkin International, Inc.)
    ContextMenuHandlers1: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files (x86)\Google\Drive\contextmenu64.dll [2015-06-20] (Google)
    ContextMenuHandlers3: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Malwarebytes' Anti-Malware\mbamext.dll [2012-12-14] (Malwarebytes Corporation)
    ContextMenuHandlers4: [Belkin HistoryBrowser] -> {5E0A7F0F-4B41-4661-A084-BFF3F8CBDE25} => C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkHistoryBrowser.dll [2011-04-19] (Belkin International, Inc.)
    ContextMenuHandlers4: [GDContextMenu] -> {BB02B294-8425-42E5-983F-41A1FA970CD6} => C:\Program Files (x86)\Google\Drive\contextmenu64.dll [2015-06-20] (Google)
    ContextMenuHandlers5: [00nView] -> {1E9B04FB-F9E5-4718-997B-B8DA88302A48} => C:\Windows\System32\nvshell.dll [2010-04-15] ()
    ContextMenuHandlers5: [NvCplDesktopContext] -> {3D1975AF-48C6-4f8e-A182-BE0E08FA86A9} => C:\Windows\system32\nvshext.dll [2010-04-17] (NVIDIA Corporation)
    ContextMenuHandlers6: [Belkin HistoryBrowser] -> {5E0A7F0F-4B41-4661-A084-BFF3F8CBDE25} => C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkHistoryBrowser.dll [2011-04-19] (Belkin International, Inc.)
    ContextMenuHandlers6: [MBAMShlExt] -> {57CE581A-0CB6-4266-9CA0-19364C90A0B3} => F:\Malwarebytes' Anti-Malware\mbamext.dll [2012-12-14] (Malwarebytes Corporation)
    FolderExtensions: [ShellFolder for CD Burning] -> {fbeb8a05-beee-4442-804e-409d6c4515e9} => C:\Users\RAZORM~1\AppData\Local\Temp\stimrvo\suofbvk\wow64.dll -> No File

    ==================== Scheduled Tasks (Whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    Task: {158E716D-961B-465D-9707-2643E2A58034} - \DTChk -> No File <==== ATTENTION
    Task: {201EB074-A936-45D5-A525-2039FD1F8792} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2018-01-09] (Piriform Ltd)
    Task: {23EF3152-630B-4350-9205-043AFF69AE25} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => c:\Program Files\Microsoft IntelliPoint\IPoint.exe [2010-07-21] (Microsoft Corporation)
    Task: {273A970D-0B17-47B9-9CDE-FAA6823DA67D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: {2BC790B2-3B99-43F4-9D5B-4D7570C6B428} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1223673647-947130279-3379226297-1000UA => C:\Users\Razor Motorsports 2\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-09-30] (Facebook Inc.)
    Task: {4607D0F3-0D58-4C89-95B4-F705FFA0CE21} - System32\Tasks\HPCustParticipation HP Officejet Pro 8500 A910 => C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe
    Task: {63579E29-28E6-47FF-82EE-D319CD5222F9} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
    Task: {6A0104A2-1957-4C5D-B659-E5059710D321} - System32\Tasks\Norton Identity Safe\Norton Error Analyzer => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-30] (Symantec Corporation)
    Task: {7EB9FD99-8270-4F96-B4AB-BA29FEE1F8C5} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1223673647-947130279-3379226297-1000Core => C:\Users\Razor Motorsports 2\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-09-30] (Facebook Inc.)
    Task: {8CF92918-7420-427A-B459-12A15E15F25C} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2018-01-17] (Adobe Systems Incorporated)
    Task: {9BE7E83A-3E91-4343-B681-45CCDDAB9437} - System32\Tasks\{30E0E466-9C00-4B50-BF8C-2FC29DF2DF78} => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    Task: {A8A621C3-4182-4D63-859E-2E59D3F565E2} - System32\Tasks\Norton Identity Safe\Norton Error Processor => C:\Program Files (x86)\Norton Identity Safe\Engine\2014.7.11.42\SymErr.exe [2014-01-30] (Symantec Corporation)
    Task: {AA0065AA-4EB9-4861-A768-70173761C457} - \DTReg -> No File <==== ATTENTION
    Task: {C79CA710-DD30-4F83-BDD7-6C206D2BCC58} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: {FB635C65-23F7-4586-90B7-924C0294FE29} - System32\Tasks\CCleaner Update => C:\Program Files\CCleaner\CCUpdate.exe [2018-01-09] (Piriform Ltd)
    Task: {FD006B14-33EF-42E3-982C-78000D0959F4} - \Desk 365 RunAsStdUser -> No File <==== ATTENTION

    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1223673647-947130279-3379226297-1000Core.job => C:\Users\Razor Motorsports 2\AppData\Local\Facebook\Update\FacebookUpdate.exe
    Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1223673647-947130279-3379226297-1000UA.job => C:\Users\Razor Motorsports 2\AppData\Local\Facebook\Update\FacebookUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

    ==================== Shortcuts & WMI ========================

    (The entries could be listed to be restored or removed.)


    ShortcutWithArgument: C:\Users\Razor Motorsports 2\Desktop\Search.lnk -> C:\ProgramData\DSearchLink\DSearchLink.exe () -> -url hxxp://www.delta-search.com/?babsrc=DT_ss&mntrId=7A74002315A986A5&affID=122173&tsp=5031 -wbr 2

    ==================== Loaded Modules (Whitelisted) ==============

    2010-07-19 17:48 - 2010-07-19 17:48 - 001501696 _____ () C:\Program Files\Common Files\Intel\WirelessCommon\Libeay32.dll
    2012-03-26 19:30 - 2006-10-19 20:44 - 000047616 _____ () C:\Windows\System32\pdf995mon64.dll
    2012-12-21 17:36 - 2011-04-19 16:31 - 000181760 ____N () C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkBackupScheduler.exe
    2012-12-21 17:36 - 2010-02-09 15:55 - 000055296 ____N () C:\Program Files\Belkin\Belkin USB Print and Storage Center\Bkapcs.exe
    2011-01-27 09:00 - 2010-01-10 13:01 - 000060928 _____ () C:\Program Files (x86)\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
    2009-12-08 10:14 - 2009-12-08 10:14 - 006810728 _____ () C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
    2012-12-21 17:36 - 2011-04-19 16:31 - 000150016 ____N () C:\Program Files\Belkin\Belkin USB Print and Storage Center\BkLocalBackup.dll
    2014-01-20 13:17 - 2014-01-20 13:17 - 000073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    2014-01-20 13:16 - 2014-01-20 13:16 - 001044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
    2009-07-15 17:15 - 2009-07-15 17:15 - 000274432 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\NISWCH.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000005120 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NI5690.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000012288 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NIDWG.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000021504 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NIHSD.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000006144 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NIPS.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000005632 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NIRFSA.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000013312 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NISL.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000013824 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NISRC.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000006656 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NISYNC.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000007680 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NITNR.sdc
    2010-09-22 18:04 - 2010-09-22 18:04 - 000009728 _____ () C:\Program Files (x86)\National Instruments\Shared\Caps\Compat\NITSU.sdc
    2005-11-10 06:05 - 2005-11-10 06:05 - 001124864 _____ () C:\Program Files (x86)\SAGE\SAGEim\Rave60VCL60.bpl
    2009-09-26 21:17 - 2009-09-26 21:17 - 002612224 _____ () C:\Program Files (x86)\SAGE\SAGEim\PKIECTRLc6.bpl
    2013-01-09 03:48 - 2013-01-09 03:48 - 000170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\1ad8638fee6b8f2152118441b9554d18\IsdiInterop.ni.dll
    2011-01-27 08:55 - 2010-03-03 21:08 - 000058880 _____ () C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IsdiInterop.dll
    2015-07-30 14:47 - 2015-07-25 03:46 - 001405768 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.125\libglesv2.dll
    2015-07-30 14:47 - 2015-07-25 03:46 - 000081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.125\libegl.dll
    2015-11-28 00:48 - 2015-10-15 12:20 - 016493256 _____ () C:\Users\Razor Motorsports 2\AppData\Local\Google\Chrome\User Data\PepperFlash\19.0.0.226\pepflashplayer.dll

    ==================== Alternate Data Streams (Whitelisted) =========

    (If an entry is included in the fixlist, only the ADS will be removed.)


    ==================== Safe Mode (Whitelisted) ===================

    (If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppXSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BFE => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\camsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ClipSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dps => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lfsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MpsSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semgrsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\shellhwdetection => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TokenBroker => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TweakingRemoveSafeBoot => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WSService => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AppXSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\BITS => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\camsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ClipSvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dps => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lfsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\msiserver => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SamSs => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semgrsvc => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\shellhwdetection => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srv2 => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\srvnet => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TokenBroker => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TweakingRemoveSafeBoot => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vss => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WSService => ""="Service"

    ==================== Association (Whitelisted) ===============

    (If an entry is included in the fixlist, the registry item will be restored to default or removed.)


    ==================== Internet Explorer trusted/restricted ===============

    (If an entry is included in the fixlist, it will be removed from the registry.)


    ==================== Hosts content: ===============================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-13 21:34 - 2009-06-10 16:00 - 000000824 _____ C:\Windows\system32\Drivers\etc\hosts


    ==================== Other Areas ============================

    (Currently there is no automatic fix for this section.)

    HKU\S-1-5-21-1223673647-947130279-3379226297-1000\Control Panel\Desktop\\Wallpaper ->
    DNS Servers: 10.23.0.30 - 10.23.0.20
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)
    Windows Firewall is enabled.

    ==================== MSCONFIG/TASK MANAGER disabled items ==

    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk => C:\Windows\pss\Bluetooth.lnk.CommonStartup
    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Dell System Manager.lnk => C:\Windows\pss\Dell System Manager.lnk.CommonStartup
    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk => C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
    MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Marketsplash Print Software.lnk => C:\Windows\pss\Marketsplash Print Software.lnk.CommonStartup
    MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    MSCONFIG\startupreg: DellBtrEvent => D:\Program Files (x86)\Dell\Reader 2.1\DellBtrEvent.exe
    MSCONFIG\startupreg: Desktop Disc Tool => "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
    MSCONFIG\startupreg: Facebook Update => "C:\Users\Razor Motorsports 2\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
    MSCONFIG\startupreg: GoogleDriveSync => "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
    MSCONFIG\startupreg: HP Software Update => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
    MSCONFIG\startupreg: InstaLAN => "C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" startup
    MSCONFIG\startupreg: isdens => "C:\Windows\System32\rundll32.exe" "C:\Users\Razor Motorsports 2\AppData\Roaming\isdens.dll",AnyFileExFlags
    MSCONFIG\startupreg: Microsoft Default Manager => "C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
    MSCONFIG\startupreg: NI Background Service => C:\Program Files (x86)\National Instruments\Shared\Update Service\niupdate.exe
    MSCONFIG\startupreg: niDevMon => C:\Program Files (x86)\National Instruments\NI-DAQ\HWConfig\nidevmon.exe
    MSCONFIG\startupreg: nwiz => nwiz.exe /installquiet
    MSCONFIG\startupreg: PDVD9LanguageShortcut => "C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe"
    MSCONFIG\startupreg: pecas => "C:\Windows\System32\rundll32.exe" "C:\Users\Razor Motorsports 2\AppData\Roaming\pecas.dll",InteractLoop
    MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
    MSCONFIG\startupreg: RemoteControl9 => "C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe"
    MSCONFIG\startupreg: RoxWatchTray => "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"

    ==================== FirewallRules (Whitelisted) ===============

    (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

    FirewallRules: [{66194CF8-5D20-497E-B523-7E8AB5C6AF59}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{9B448750-A5DD-43CD-9E4F-78CF2A5D5B81}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
    FirewallRules: [{3C12D0D8-3AC9-409B-8C70-E9708B28BBA4}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{824B52B2-5C66-4D7A-9109-28FD8F0AA6F6}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    FirewallRules: [{EF4ECF01-4F9D-4166-A7F3-1916AEA77B8E}] => (Allow) C:\ProgramData\eSafe\eGdpSvc.exe
    FirewallRules: [{9F7B3605-F0EA-4BC1-95E0-75E7D90D3FD4}] => (Allow) C:\Users\Razor Motorsports 2\AppData\Local\iLivid\iLivid.exe
    FirewallRules: [{599485CA-CDBB-4174-9B9A-CEBBCE61A1A3}] => (Allow) C:\Users\Razor Motorsports 2\AppData\Local\iLivid\iLivid.exe
    FirewallRules: [{96B48CBB-28CC-4461-B6E2-9100BECF75BA}] => (Allow) C:\Users\Razor Motorsports 2\AppData\Local\Facebook\Video\Skype\FacebookVideoCalling.exe
    FirewallRules: [{3632DA47-E16F-4AA1-A081-6C0FB9549381}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{D96C0690-9FDC-4A5B-A592-CD7948EB17CB}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    FirewallRules: [{A3F16FFE-D680-4C78-A095-5931F6B264CF}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    FirewallRules: [{BCB7DC87-1453-4EBC-89C6-A806E6ACDC6D}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
    FirewallRules: [{17276C5C-3717-4B21-93CE-BB7E69BE36CA}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
    FirewallRules: [{CE33300C-C8E0-4712-B1B7-5C04DDFC40F3}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
    FirewallRules: [{4CE1C5EE-1E2A-48C5-B4F2-4E39201AA8C5}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe

    ==================== Restore Points =========================

    12-02-2018 21:17:27 Scheduled Checkpoint

    ==================== Faulty Device Manager Devices =============

    Name: Photosmart D110 series
    Description: Photosmart D110 series
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Photosmart D110 series
    Description: Photosmart D110 series
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: HP LaserJet MFP M426fdw
    Description: HP LaserJet MFP M426fdw
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: Hewlett-Packard
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Officejet Pro 8500 A910
    Description: Officejet Pro 8500 A910
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: HP Officejet Pro 8610
    Description: HP Officejet Pro 8610
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Deskjet 3050A J611 series
    Description: Deskjet 3050A J611 series
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: HP OfficeJet Pro 8720
    Description: HP OfficeJet Pro 8720
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Officejet 7610 series
    Description: Officejet 7610 series
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: OfficeJet Pro 6970
    Description: OfficeJet Pro 6970
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

    Name: Photosmart D110 series
    Description: Photosmart D110 series
    Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
    Manufacturer: HP
    Service:
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================


  2. Posts : 27
    W7 Pro 64 bit
    Thread Starter
       #32

    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (02/16/2018 04:53:59 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: mDNSCoreReceiveResponse: Unexpected conflict discarding 23 1.0.0.127.in-addr.arpa. PTR RazorMotorsport.local.

    Error: (02/16/2018 04:53:59 PM) (Source: Bonjour Service) (EventID: 100) (User: )
    Description: mDNSCoreReceiveResponse: Received from 127.0.0.1:5353 25 1.0.0.127.in-addr.arpa. PTR RazorMotorsport-2.local.

    Error: (02/16/2018 04:53:58 PM) (Source: LabVIEW) (EventID: 3299) (User: )
    Description: LabVIEW information: Error: 404 "Not Found" for "national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646", file "c:/program files (x86)/national instruments/shared/ni webserver/www/national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646": Can't access URL .

    Error: (02/16/2018 04:53:58 PM) (Source: LabVIEW) (EventID: 3299) (User: )
    Description: LabVIEW information: Error: 404 "Not Found" for "national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646", file "c:/program files (x86)/national instruments/shared/ni webserver/www/national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646": Can't access URL .

    Error: (02/16/2018 04:53:58 PM) (Source: LabVIEW) (EventID: 3299) (User: )
    Description: LabVIEW information: Error: 404 "Not Found" for "national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646", file "c:/program files (x86)/national instruments/shared/ni webserver/www/national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646": Can't access URL .

    Error: (02/16/2018 04:53:58 PM) (Source: LabVIEW) (EventID: 3299) (User: )
    Description: LabVIEW information: Error: 404 "Not Found" for "national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646", file "c:/program files (x86)/national instruments/shared/ni webserver/www/national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646": Can't access URL .

    Error: (02/16/2018 04:53:57 PM) (Source: LabVIEW) (EventID: 3299) (User: )
    Description: LabVIEW information: Error: 404 "Not Found" for "national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646", file "c:/program files (x86)/national instruments/shared/ni webserver/www/national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646": Can't access URL .

    Error: (02/16/2018 04:53:57 PM) (Source: LabVIEW) (EventID: 3299) (User: )
    Description: LabVIEW information: Error: 404 "Not Found" for "national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646", file "c:/program files (x86)/national instruments/shared/ni webserver/www/national instruments/ni-rpc/interface/eadfc80d-1e6f-425b-8986-12ccef98f646": Can't access URL .


    System errors:
    =============
    Error: (02/16/2018 04:56:04 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Google Update Service (gupdate) service failed to start due to the following error:
    The system cannot find the file specified.

    Error: (02/16/2018 04:53:54 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Security Center service failed to start due to the following error:
    The account specified for this service is different from the account specified for other services running in the same process.

    Error: (02/16/2018 04:53:51 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The CAN300 service failed to start due to the following error:
    This driver has been blocked from loading

    Error: (02/16/2018 04:53:51 PM) (Source: Application Popup) (EventID: 1060) (User: )
    Description: \??\C:\Windows\SysWow64\drivers\CAN300.SYS has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

    Error: (02/16/2018 04:53:50 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
    Description: The Windows Update service terminated with the following error:
    The system cannot find the file specified.

    Error: (02/16/2018 04:53:50 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
    Description: The NTRU TSS v1.2.1.34 TCS service depends on the TPM Base Services service which failed to start because of the following error:
    The operation completed successfully.

    Error: (02/12/2018 08:15:06 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Google Update Service (gupdate) service failed to start due to the following error:
    The system cannot find the file specified.

    Error: (02/12/2018 08:12:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The Security Center service failed to start due to the following error:
    The account specified for this service is different from the account specified for other services running in the same process.


    CodeIntegrity:
    ===================================

    Date: 2014-10-18 18:32:01.753
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2014-10-18 18:32:01.643
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2014-10-18 16:44:24.921
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2014-10-18 16:44:24.775
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2014-10-18 16:00:08.393
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2014-10-18 16:00:08.293
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2014-10-18 14:39:47.644
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Date: 2014-10-18 14:39:47.504
    Description:
    Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\usbaapl64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    ==================== Memory info ===========================

    Processor: Intel(R) Core(TM) i7 CPU Q 840 @ 1.87GHz
    Percentage of memory in use: 87%
    Total physical RAM: 2037.83 MB
    Available physical RAM: 246.49 MB
    Total Virtual: 4075.66 MB
    Available Virtual: 827.34 MB

    ==================== Drives ================================

    Drive c: (OS) (Fixed) (Total:56.85 GB) (Free:5.48 GB) NTFS
    Drive d: (READER) (Fixed) (Total:2 GB) (Free:1.85 GB) NTFS
    Drive f: (CATPICS) (Fixed) (Total:931.51 GB) (Free:819.68 GB) NTFS

    \\?\Volume{bfbee046-2a2c-11e0-89b3-806e6f6e6963}\ (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.51 GB) NTFS

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 5E861A5E)
    Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

    ========================================================
    Disk: 1 (Size: 59.6 GB) (Disk ID: 77E3ED41)
    Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
    Partition 2: (Active) - (Size=752 MB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=56.8 GB) - (Type=07 NTFS)
    Partition 4: (Not Active) - (Size=2 GB) - (Type=OF Extended)

    ==================== End of Addition.txt ============================


  3. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #33

    Hi Phil,

    Only wanted you to download the program so I could use it as a fix importer.

    HOWEVER, I believe it's picked up the Zero Access root kit on your system.

    Hi @DonnaB
    Am I right?


    Would like her opinion as she's a malware expert, I'm not.


    Roy


  4. Posts : 27
    W7 Pro 64 bit
    Thread Starter
       #34

    torchwood said:
    Hi Phil,

    Only wanted you to download the program so I could use it as a fix importer.

    HOWEVER, I believe it's picked up the Zero Access root kit on your system.

    Hi @DonnaB
    Am I right?


    Would like her opinion as she's a malware expert, I'm not.


    Roy

    Any follow-ups on this one?


  5. Posts : 3,615
    Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
       #35

    Hi flyinphill,

    Since it's been a while since you've had a response, here's my 2 cents' worth:
    How computer savvy are you?
    If somewhat, and you can follow instructions, peruse this:
    How to remove ZeroAccess rootkit from Windows (Removal Guide)
    What do you think? Arduous process!

    First, I'd download and run Malwarebytes Anti-Malware and HitmanPro to see if you are, in fact, infected. I wouldn't remove or clean anything at this point, however. If you are infected and want to try, I'd follow the (Removal Guide).

    If you don't have anti-virus, anti-malware, anti-rootkit or anti-ransomware software, I use and recommend:
    Avast Free
    Malwarebytes Anti-Malware
    Malwarebytes Anti-Exploit
    Malwarebytes Anti-Ransomware
    HitmanPro


  6. Posts : 163
    Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)
       #36

    @torchwood
    @flyinphill

    I am so sorry that my tag was overlooked. My mind has been beside itself here lately.

    Torchwood, you are correct. There are files associated with the ZeroAccess rootkit indicated in the log.

    Flyinphill, do you still need help with this? If so, please follow the instructions below:

    Please download TDSSKiller.exe by Kaspersky... save it to your Desktop. <- Important!!!

    • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
      Vista - W7 users: Right-click and select "Run As Administrator".
      If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com). If you don't see file extensions, please see: How to change the file extension.
    • Click the Start Scan button. Do not use the computer during the scan!
    • If the scan completes with nothing found, click Close to exit.
    • If malicious objects are found, they will be shown under "Scan results - Select action for found objects", which offers 3 options.
      • Ensure SKIP is selected... DO NOT attempt to FIX anything yet!
      • Now click on Report to open the log file created by TDSSKiller in your root directory C:\

    • A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory (usually Local Disk C:).
    • Attach the log (DO NOT COPY AND PASTE IT) in your next reply.


  7. Posts : 27
    W7 Pro 64 bit
    Thread Starter
       #37

    Yes, I still have not sorted this machine yet. It is operating currently, running a tax program and an older version of Quickbooks with no issues. But it still won't update. My wife currently has the machine in her possession and she is out of town until Monday. I will get it back, perform the above steps, and report back.


  8. Posts : 163
    Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)
       #38

    Ok. To be completely honest, I would disconnect that laptop from the internet until that rootkit has been removed. If I remember correctly, back in 2013 a group of good guys led by Microsoft attempted to destroy the C&C network for the botnet that was distributed by the ZeroAccess rootkit, but not all the C&C networks were taken down. Meaning, the botnet could still be updated.

    What really concerns me is the mention of the tax program. ZA has backdoor functionality through which all your personal information could be stolen/harvested. Identity theft is prevalent this time of year.

    You can read more about the ZeroAccess rootkit here


  9. Posts : 27
    W7 Pro 64 bit
    Thread Starter
       #39

    I will make sure it is not on the internet until this is sorted out.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd